CNIT 129S Proj 7: Using Tripwire for Intrusion Detection (15 pts.)

What You Need

An Ubuntu Linux VM, as you prepared in the previous project. Other versions of Linux could be used, but the steps might be different.

Use Ubuntu 16.04!

We tried Ubuntu 18.04 and it segfaults, as of 3-5-19. Ubuntu 16.04 works.

Warning About Kali

Getting to zero violations is difficult on Kali. It's easier on Ubuntu. This page might help:

https://kali.training/topic/exercise-7-3-securing-the-kali-file-system/

Setting Time Zone

This is very convenient when interpreting the logs and reports after an incident.

In a Terminal window, execute this command:

sudo dpkg-reconfigure tzdata

Enter your password when you are prompted to.

Use the arrow keys on the keyboard to highlight America. Then press Tab to highlight OK. Press Enter.

On the next screen, select Los_Angeles, as shown below. Then press Tab to highlight OK. Press Enter.

Installing and Configuring Tripwire

Tripwire is the standard tool to detect alterations in system files, such as malware and rootkits.

sudo apt-get update sudo apt-get install tripwire -y

Answer the questions:

OK
No configuration for email alerts
A "Tripwire Configuration" tells you how keys will be handled. Select OK.
It sks "Do you wish to create/use your site key...". Select Yes.
A "Tripwire Configuration" tells you how keys will be handled. Select OK.
It sks "Do you wish to create/use your local key...". Select Yes.
A "Tripwire Configuration" tells you how Tripwire handles its database. Select Yes.
A "Tripwire Configuration" tells you how Tripwire handles its policies. Select Yes.
Enter a Site Passphrase and Local passphrase (for this project, I recommend entering P@ssw0rd all four times. For a real server use something longer and more secure)
A box says "Tripwire has been installed". Select OK

Making the Tripwire Policy File

Execute this command to initialize the tripwire database.

sudo tripwire --init

Enter your password and your local passphrase when you are prompted to.

Execute these commands to get a list of files it shouldn't be monitoring:

sudo tripwire --check | grep Filename > test_results cat test_results

There are a lot of messages saying "Warning: File system error", about /proc files. That's what should happen--we are identifying files Tripwire expects that aren't present on this version of Linux.

A list of files appears, as shown below.

Execute this command to adjust Tripwire's policy.

sudo nano /etc/tripwire/twpol.txt

Search for each file found in the previous step, except the "/proc/" ones, and put a # at the start to comment out those lines.

For example, the screen image below shows the file after commenting out /etc/rc.boot.

All the other lines I needed to comment out were in the "Root config files" section, as shown below.

In the "Devices & Kernel information" section, replace this:

# # Critical devices # ( rulename = "Devices & Kernel information", severity = $(SIG_HI), ) { /dev -> $(Device) ; /proc -> $(Device) ; }

with this:

# # Critical devices # ( rulename = "Devices & Kernel information", severity = $(SIG_HI), ) { /dev -> $(Device) ; /dev/pts -> $(Device) ; #/proc -> $(Device) ; /proc/devices -> $(Device) ; /proc/net -> $(Device) ; /proc/tty -> $(Device) ; /proc/sys -> $(Device) ; /proc/cpuinfo -> $(Device) ; /proc/modules -> $(Device) ; /proc/mounts -> $(Device) ; /proc/dma -> $(Device) ; /proc/filesystems -> $(Device) ; /proc/interrupts -> $(Device) ; /proc/ioports -> $(Device) ; /proc/scsi -> $(Device) ; /proc/kcore -> $(Device) ; /proc/self -> $(Device) ; /proc/kmsg -> $(Device) ; /proc/stat -> $(Device) ; /proc/loadavg -> $(Device) ; /proc/uptime -> $(Device) ; /proc/locks -> $(Device) ; /proc/meminfo -> $(Device) ; /proc/misc -> $(Device) ; }

In the "System boot changes" section, comment out the three entries starting with /var/ as shown below:

# # These files change every time the system boots # ( rulename = "System boot changes", severity = $(SIG_HI) ) { # /var/lock -> $(SEC_CONFIG) ; # /var/run -> $(SEC_CONFIG) ; # daemon PIDs # /var/log -> $(SEC_CONFIG) ; }

Press Ctrl+X, Y, Enter to save the file.

Initializing Tripwire

Execute this command to implement the changes.

sudo twadmin -m P /etc/tripwire/twpol.txt

Enter your password if you are prompted to. Enter your site passphrase when you are prompted to.

Execute this command to initialize the Tripwire database:

sudo tripwire --init

Enter your site passphrase when you are prompted to.

Execute this command to run a tripwire check:

sudo tripwire --check

Tripwire should show a message saying "Total violations found: 0", as shown below.

Saving the Screen Image

Make sure the message saying "Total violations found: 0", is visible, as shown above.

Click the host computer's desktop. Press Shift+PrntScrn key to capture the entire desktop. If you are using a Mac, press Shift+Cmd+3

YOU MUST SUBMIT A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Save this image as a PNG file, named "Proj 7 from YOUR NAME"

Turning in Your Project

Email the image to cnit.129S@gmail.com with a subject of "Proj 7 from YOUR NAME".

Posted 9-19-16
Warning about Kali added 2-21-18
Warning about Ubuntu 18.04 adde 3-4-18

Sam Bowne