CNIT 129S Proj 7: Using Tripwire for Intrusion Detection (15 pts.)

What You Need

An Ubuntu Linux VM, as you prepared in the previous project. Other versions of Linux could be used, but the steps might be different.

Warning About Kali

Getting to zero violations is difficult on Kali. It's easier on Ubuntu. This page might help:

https://kali.training/topic/exercise-7-3-securing-the-kali-file-system/

Setting Time Zone

This is very convenient when interpreting the logs and reports after an incident.

In a Terminal window, execute this command:

sudo dpkg-reconfigure tzdata
Enter your password when you are prompted to.

Use the arrow keys on the keyboard to highlight America. Then press Tab to highlight OK. Press Enter.

On the next screen, select Los_Angeles, as shown below. Then press Tab to highlight OK. Press Enter.

Installing and Configuring Tripwire

Tripwire is the standard tool to detect alterations in system files, such as those made by malware and rootkits.
sudo apt-get update
sudo apt-get install tripwire -y
Answer the questions:

Making the Tripwire Policy File

Execute this command to initialize the tripwire database.
sudo tripwire --init
Enter your password and your local passphrase when you are prompted to.

Execute these commands to get a list of files it shouldn't be monitoring:

sudo tripwire --check | grep Filename > test_results
cat test_results
There are a lot of messages saying "Warning: File system error", about /proc files. That's what should happen--we are identifying files Tripwire expects that aren't present on this version of Linux.

A list of files appears, as shown below.

Execute this command to adjust Tripwire's policy.

sudo nano /etc/tripwire/twpol.txt
Search for each file found in the previous step, except the "/proc/" ones, and put a # at the start to comment out those lines.

For example, the screen image below shows the file after commenting out /etc/rc.boot.

All the other lines I needed to comment out were in the "Root config files" section, as shown below.
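The two steps above (collect the "Filename:" entries, skip the /proc ones, and comment the rest out of twpol.txt) can be scripted. This is an added example, not part of the project page; it runs on a constructed sample and a temporary copy of the policy, and assumes a POSIX sh with sed, sort and mktemp.

```shell
#!/bin/sh
# Added example: automate "list missing files, then comment them out of twpol.txt".
# Works on a copy of the policy; load it with twadmin only after reviewing the diff.
# SAMPLE_* values are constructed, not real Tripwire output.

# Constructed sample of `tripwire --check | grep Filename` output.
SAMPLE_CHECK='     Filename: /etc/rc.boot
     Filename: /proc/devices
     Filename: /root/.bashrc
     Filename: /proc/cpuinfo'

# Constructed sample twpol.txt fragment.
SAMPLE_POLICY='(
  rulename = "Root config files",
  severity = 100
)
{
        /root                   -> $(SEC_CRIT) ; # Catch all additions to /root
        /root/.bashrc           -> $(SEC_CONFIG) ;
        /root/.profile          -> $(SEC_CONFIG) ;
}
        /etc/rc.boot            -> $(SEC_BIN) ;'

# missing_files: read check output on stdin, print the paths that are not
# under /proc/ (those are handled by rewriting the "Critical devices" rule).
missing_files() {
    sed -n 's/^ *Filename: *//p' | grep -v '^/proc/' | sort -u
}

# comment_out POLICY: read paths on stdin and prefix their policy lines with '#'.
# The path must be followed by whitespace, so /root does not also match /root/.bashrc.
comment_out() {
    policy="$1"
    while read -r path; do
        [ -n "$path" ] || continue
        esc=$(printf '%s\n' "$path" | sed 's/[][\.*^$]/\\&/g')   # escape regex metacharacters
        sed "s|^\([[:space:]]*\)\(${esc}[[:space:]]\)|\1#\2|" "$policy" > "$policy.tmp" \
            && mv "$policy.tmp" "$policy"
    done
}

# run_example: apply both steps to a temporary copy of the sample policy and print it.
run_example() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_POLICY" > "$tmp"
    printf '%s\n' "$SAMPLE_CHECK" | missing_files | comment_out "$tmp"
    cat "$tmp"
    rm -f "$tmp"
}
run_example
```

To use it on a real system, feed `sudo tripwire --check | grep Filename` into `missing_files` and point `comment_out` at a copy of /etc/tripwire/twpol.txt, then diff the copy against the original before running twadmin.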

In the "Devices & Kernel information" section, replace this:

#
# Critical devices
#
(
  rulename = "Devices & Kernel information",
  severity = $(SIG_HI),
)
{
        /dev            -> $(Device) ;
        /proc           -> $(Device) ;
}
with this:
#
# Critical devices
#
(
  rulename = "Devices & Kernel information",
  severity = $(SIG_HI),
)
{
       /dev                    -> $(Device) ;
       /dev/pts                -> $(Device) ;
        #/proc                  -> $(Device) ;
        /proc/devices           -> $(Device) ;
        /proc/net               -> $(Device) ;
        /proc/tty               -> $(Device) ;
        /proc/sys               -> $(Device) ;
        /proc/cpuinfo           -> $(Device) ;
        /proc/modules           -> $(Device) ;
        /proc/mounts            -> $(Device) ;
        /proc/dma               -> $(Device) ;
        /proc/filesystems       -> $(Device) ;
        /proc/interrupts        -> $(Device) ;
        /proc/ioports           -> $(Device) ;
        /proc/scsi              -> $(Device) ;
        /proc/kcore             -> $(Device) ;
        /proc/self              -> $(Device) ;
        /proc/kmsg              -> $(Device) ;
        /proc/stat              -> $(Device) ;
        /proc/loadavg           -> $(Device) ;
        /proc/uptime            -> $(Device) ;
        /proc/locks             -> $(Device) ;
        /proc/meminfo           -> $(Device) ;
        /proc/misc              -> $(Device) ;
}
In the "System boot changes" section, comment out the three entries starting with /var/ as shown below:
# 
# These files change every time the system boots
#
(
  rulename = "System boot changes",
  severity = $(SIG_HI)
)
{
        # /var/lock             -> $(SEC_CONFIG) ;
        # /var/run              -> $(SEC_CONFIG) ; # daemon PIDs
        # /var/log              -> $(SEC_CONFIG) ;
}

Press Ctrl+X, Y, Enter to save the file.

Initializing Tripwire

Execute this command to implement the changes.
sudo twadmin -m P /etc/tripwire/twpol.txt
Enter your password if you are prompted to. Enter your site passphrase when you are prompted to.

Execute this command to initialize the Tripwire database:

sudo tripwire --init
Enter your site passphrase when you are prompted to.

Execute this command to run a tripwire check:

sudo tripwire --check
Tripwire should show a message saying "Total violations found: 0", as shown below.

Saving the Screen Image

Make sure the message saying "Total violations found: 0", is visible, as shown above.

Click the host computer's desktop. Press the Shift+PrntScrn keys to capture the entire desktop. If you are using a Mac, press Shift+Cmd+3.

YOU MUST SUBMIT A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Save this image as a PNG file, named "Proj 7 from YOUR NAME".

Turning in Your Project

Email the image to cnit.129S@gmail.com with a subject of "Proj 7 from YOUR NAME".

Posted 9-19-16
Warning about Kali added 2-21-18
Sam Bowne