Trip-wire-debian
[root@irods-rhel81-test home]# cat /etc/tripwire/twpol.txt
# Global Variable Definitions
@@section GLOBAL
# Paths the FS rules below are built from. TWBIN, TWPOL, TWDB, TWSKEY, TWLKEY,
# TWREPORT and HOSTNAME are each referenced by a rule; TWROOT is defined but
# not referenced anywhere in this policy.
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;                      # tripwire, twadmin, twprint, siggen live here
TWPOL="/etc/tripwire";                # tw.pol and tw.cfg
TWDB="/var/lib/tripwire";             # the integrity database
TWSKEY="/etc/tripwire";               # site.key
TWLKEY="/etc/tripwire";               # $(HOSTNAME)-local.key
TWREPORT="/var/lib/tripwire/report";  # where --check writes reports (twprint -r reads them)
HOSTNAME=irods-rhel81-test;           # only used to build the local key file name below
@@section FS
# Property masks. IgnoreNone watches every property; the -SHa suffix drops the
# SHA (S) and HAVAL (H) hashes and the access time (a). CRC32 and MD5 stay on,
# which is what flags the content changes in the report further down.
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set (defined but not referenced by any rule here)
SEC_BIN = $(ReadOnly) ; # Binaries that should not change
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership (not referenced by any rule here — /var/log currently falls under the "/" entry with SEC_CRIT)
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact (not referenced by any rule here)
SIG_HI = 100 ; # Critical files that are significant points of vulnerability
# Tripwire Binaries
# The four tools themselves, checked ReadOnly at the highest severity. A change
# here should only follow a package update; run a database update afterwards so
# the new hashes become the baseline instead of a standing violation.
(
rulename = "Tripwire Binaries",
severity = $(SIG_HI)
)
{
$(TWBIN)/siggen -> $(SEC_BIN) ;
$(TWBIN)/tripwire -> $(SEC_BIN) ;
$(TWBIN)/twadmin -> $(SEC_BIN) ;
$(TWBIN)/twprint -> $(SEC_BIN) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
# Tripwire's own state. The database, policy and config are rewritten by
# tripwire/twadmin (hence -i on those entries); the two keys are never
# rewritten and keep the inode check.
(
rulename = "Tripwire Data Files",
severity = $(SIG_HI)
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(SEC_CONFIG) -i ;
$(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
$(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
$(TWSKEY)/site.key -> $(SEC_BIN) ;
# Don't scan the individual reports: every --check adds a new file under
# $(TWREPORT), so only the directory object itself is checked (recurse=0).
$(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
}
# Broad filesystem watch. Despite the name, this rule covers the whole tree
# ("/" with $(SEC_CRIT)), so every object not claimed by a more specific rule
# is checked with the strictest mask at the highest severity. The report below
# labels its findings "Home watch (/)", "Home watch (/var/lib)" and so on.
(
rulename = "Home watch",
severity = $(SIG_HI)
)
{
/home -> $(SEC_CRIT);
/etc -> $(SEC_CRIT);
# NOTE(review): "/" also pulls in /var/log. The sample report lists
# /var/log/audit/audit.log and /var/log/messages as modified on size, mtime
# and hash — exactly what a log does. A separate entry for /var/log using
# $(SEC_LOG) (defined above, currently unused) would keep routine log growth
# out of the severity-100 findings while still catching ownership/permission
# changes and truncation.
/ -> $(SEC_CRIT);
# NOTE(review): /dev/ptmx shows a new modify time on every check in the
# report; device nodes under /dev will keep churning with this mask.
/dev -> $(SEC_CRIT);
/mnt -> $(SEC_CRIT);
/media -> $(SEC_CRIT);
# /var/lib holds service state that is rewritten in normal operation
# (NetworkManager leases, rsyslog imjournal.state and the sssd cache files all
# appear in the report). Note that /var/lib/sss/mc/group and passwd changed
# hash with no timestamp change at all — the hash properties, not mtime, are
# what detected it, so do not drop CRC32/MD5 when tuning this entry.
/var/lib -> $(SEC_CRIT);
# Pseudo-filesystems: excluded entirely.
!/proc;
!/run;
!/sys;
}
# Temporary directories.
# Only the directory objects themselves are checked (recurse = false), and only
# their type, permissions and ownership (+tpug); the churn inside them is
# deliberately ignored.
# NOTE(review): this list is carried over from the stock policy — confirm
# /usr/tmp exists on this host, otherwise expect a missing-object warning for
# it on each run.
(
rulename = "Temporary directories",
recurse = false,
severity = $(SIG_LOW)
)
{
/usr/tmp -> $(SEC_INVARIANT) ;
/var/tmp -> $(SEC_INVARIANT) ;
/tmp -> $(SEC_INVARIANT) ;
}
# These files change the behaviour of the root account
# NOTE(review): severity is the literal 100 here while every other rule uses
# $(SIG_HI) (also 100); use the symbolic name so the two cannot drift apart.
(
rulename = "Root config files",
severity = 100
)
{
/root -> $(SEC_CRIT) ; # Catch all additions to /root
# The entries below override the catch-all with the looser $(SEC_CONFIG)
# (Dynamic) mask for files that root's own sessions touch.
# NOTE(review): Dynamic does not track size or content hashes, so an edit to
# .bashrc / .bash_profile / .bash_history is not reported by these entries —
# confirm that is intended for the shell start-up files, which are the ones
# an attacker with root would most plausibly modify for persistence.
/root/.Xresources -> $(SEC_CONFIG) ;
/root/.bashrc -> $(SEC_CONFIG) ;
/root/.bash_profile -> $(SEC_CONFIG) ;
/root/.bash_logout -> $(SEC_CONFIG) ;
/root/.cshrc -> $(SEC_CONFIG) ;
/root/.tcshrc -> $(SEC_CONFIG) ;
# The commented-out entries below come from the stock policy; drop the ones
# that will not be re-enabled on this host so the rule reads as intended.
#/root/Mail -> $(SEC_CONFIG) ;
#/root/mail -> $(SEC_CONFIG) ;
#/root/.amandahosts -> $(SEC_CONFIG) ;
#/root/.addressbook.lu -> $(SEC_CONFIG) ;
#/root/.addressbook -> $(SEC_CONFIG) ;
/root/.bash_history -> $(SEC_CONFIG) ;
#/root/.elm -> $(SEC_CONFIG) ;
/root/.esd_auth -> $(SEC_CONFIG) ;
#/root/.gnome_private -> $(SEC_CONFIG) ;
#/root/.gnome-desktop -> $(SEC_CONFIG) ;
/root/.gnome -> $(SEC_CONFIG) ;
/root/.ICEauthority -> $(SEC_CONFIG) ;
#/root/.mc -> $(SEC_CONFIG) ;
#/root/.pinerc -> $(SEC_CONFIG) ;
#/root/.sawfish -> $(SEC_CONFIG) ;
/root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login
#/root/.xauth -> $(SEC_CONFIG) ;
#/root/.xsession-errors -> $(SEC_CONFIG) ;
}
# Rest of critical system binaries
# Only /bin and /lib get the ReadOnly mask here; /sbin, /usr and everything
# else fall under the "/" entry of "Home watch" with the stricter $(SEC_CRIT).
# NOTE(review): on a RHEL 8 host /bin and /lib are normally symlinks into
# /usr — confirm the check actually descends into /usr/bin and /usr/lib rather
# than only recording the link objects.
(
rulename = "OS executables and libraries",
severity = $(SIG_HI)
)
{
/bin -> $(SEC_BIN) ;
/lib -> $(SEC_BIN) ;
}
- change a few things
- run a check and generate a report
tripwire --check [> currentreport.txt]
- display the report
twprint -m r -t 4 -r /var/lib/tripwire/report/irods-rhel81-test-*
- results after changing a few files and then running the check:
Output from a report
<pre>
-------------------------------------------------------------------------------
Rule Name: Home watch (/)
Severity Level: 100
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 2
----------------------------------------
Modified object name: /var/log/audit/audit.log
Property: Expected Observed
------------- ----------- -----------
Object Type Regular File Regular File
Device Number 64768 64768
File Device Number 0 0
Inode Number 1573314 1573314
Mode -rw------- -rw-------
Num Links 1 1
UID root (0) root (0)
GID root (0) root (0)
* Size 399182 399731
* Modify Time Thu 13 Aug 2020 01:17:59 AEST
Thu 13 Aug 2020 01:36:09 AEST
* Change Time Thu 13 Aug 2020 01:17:59 AEST
Thu 13 Aug 2020 01:36:09 AEST
Blocks 784 784
* CRC32 CbG7di DHn7Me
* MD5 D/ZRjdpXmjWrAZA3Uc8ybD DR6vxosQtJlm1V1LWwp5VA
Modified object name: /var/log/messages
Property: Expected Observed
------------- ----------- -----------
Object Type Regular File Regular File
Device Number 64768 64768
File Device Number 0 0
Inode Number 2234635 2234635
Mode -rw------- -rw-------
Num Links 1 1
UID root (0) root (0)
GID root (0) root (0)
* Size 875098 875855
* Modify Time Thu 13 Aug 2020 01:18:25 AEST
Thu 13 Aug 2020 01:35:59 AEST
* Change Time Thu 13 Aug 2020 01:18:25 AEST
Thu 13 Aug 2020 01:35:59 AEST
Blocks 1712 1712
* CRC32 BvuscR BPoybp
* MD5 CWP4r5oRCq99S3QoxLLoGY AHFIRBmZAmIoIYnrPHa62R
-------------------------------------------------------------------------------
Rule Name: Home watch (/var/lib)
Severity Level: 100
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 7
----------------------------------------
Modified object name: /var/lib/NetworkManager
Property: Expected Observed
------------- ----------- -----------
Object Type Directory Directory
Device Number 64768 64768
File Device Number 0 0
Inode Number 34004650 34004650
Mode drwx------ drwx------
Num Links 2 2
UID root (0) root (0)
GID root (0) root (0)
Size 159 159
* Modify Time Thu 13 Aug 2020 01:25:49 AEST
Thu 13 Aug 2020 01:35:59 AEST
* Change Time Thu 13 Aug 2020 01:25:49 AEST
Thu 13 Aug 2020 01:35:59 AEST
Blocks 0 0
Modified object name: /var/lib/NetworkManager/internal-e7f33838-23a4-4374-ba37-baa3c58d9631-ens3.lease
Property: Expected Observed
------------- ----------- -----------
Object Type Regular File Regular File
Device Number 64768 64768
File Device Number 0 0
* Inode Number 34004654 34004655
Mode -rw-r--r-- -rw-r--r--
Num Links 1 1
UID root (0) root (0)
GID root (0) root (0)
Size 284 284
* Modify Time Thu 13 Aug 2020 01:08:49 AEST
Thu 13 Aug 2020 01:35:59 AEST
* Change Time Thu 13 Aug 2020 01:08:49 AEST
Thu 13 Aug 2020 01:35:59 AEST
Blocks 8 8
* CRC32 A48One BrF5t5
* MD5 D6wiEYcZOkwCA/fRLUS3wa BQ+UK9BtTYPSmQYz3TmDwZ
Modified object name: /var/lib/NetworkManager/timestamps
Property: Expected Observed
------------- ----------- -----------
Object Type Regular File Regular File
Device Number 64768 64768
File Device Number 0 0
Inode Number 34004617 34004617
Mode -rw-r--r-- -rw-r--r--
Num Links 1 1
UID root (0) root (0)
GID root (0) root (0)
Size 109 109
* Modify Time Thu 13 Aug 2020 01:25:49 AEST
Thu 13 Aug 2020 01:35:49 AEST
* Change Time Thu 13 Aug 2020 01:25:49 AEST
Thu 13 Aug 2020 01:35:49 AEST
Blocks 8 8
* CRC32 AOarOL D95liB
* MD5 DUVNiYKI2UOvX9fsWSWoqA AlKpPvZP4RMmyZP9fFukmc
Modified object name: /var/lib/rsyslog
Property: Expected Observed
------------- ----------- -----------
Object Type Directory Directory
Device Number 64768 64768
File Device Number 0 0
Inode Number 51847916 51847916
Mode drwx------ drwx------
Num Links 2 2
UID root (0) root (0)
GID root (0) root (0)
Size 29 29
* Modify Time Thu 13 Aug 2020 01:18:03 AEST
Thu 13 Aug 2020 01:35:59 AEST
* Change Time Thu 13 Aug 2020 01:18:03 AEST
Thu 13 Aug 2020 01:35:59 AEST
Blocks 0 0
Modified object name: /var/lib/rsyslog/imjournal.state
Property: Expected Observed
------------- ----------- -----------
Object Type Regular File Regular File
Device Number 64768 64768
File Device Number 0 0
* Inode Number 51847910 51847911
Mode -rw------- -rw-------
Num Links 1 1
UID root (0) root (0)
GID root (0) root (0)
* Size 123 122
* Modify Time Thu 13 Aug 2020 01:18:03 AEST
Thu 13 Aug 2020 01:35:59 AEST
* Change Time Thu 13 Aug 2020 01:18:03 AEST
Thu 13 Aug 2020 01:35:59 AEST
Blocks 8 8
* CRC32 DG1AR1 AqpCjW
* MD5 CuA+WlVghp/bym91ib2ckS DFZwPfahN3e1YzBb2sxz5j
Modified object name: /var/lib/sss/mc/group
Property: Expected Observed
------------- ----------- -----------
Object Type Regular File Regular File
Device Number 64768 64768
File Device Number 0 0
Inode Number 17901469 17901469
Mode -rw-rw-r-- -rw-rw-r--
Num Links 1 1
UID sssd (981) sssd (981)
GID sssd (979) sssd (979)
Size 6406312 6406312
Modify Time Thu 13 Aug 2020 01:30:29 AEST
Thu 13 Aug 2020 01:30:29 AEST
Change Time Thu 13 Aug 2020 01:30:29 AEST
Thu 13 Aug 2020 01:30:29 AEST
Blocks 12520 12520
* CRC32 Cp/x6n AVTAwP
* MD5 C06soA34puopu1DYhh5Tey D5hwdY7l3d26q6V3wivxzs
Modified object name: /var/lib/sss/mc/passwd
Property: Expected Observed
------------- ----------- -----------
Object Type Regular File Regular File
Device Number 64768 64768
File Device Number 0 0
Inode Number 17901468 17901468
Mode -rw-rw-r-- -rw-rw-r--
Num Links 1 1
UID sssd (981) sssd (981)
GID sssd (979) sssd (979)
Size 8406312 8406312
Modify Time Thu 13 Aug 2020 01:30:29 AEST
Thu 13 Aug 2020 01:30:29 AEST
Change Time Thu 13 Aug 2020 01:30:29 AEST
Thu 13 Aug 2020 01:30:29 AEST
Blocks 16424 16424
* CRC32 DPqRkn AcNPmH
* MD5 BWssmS9Wh2E7wgQ6spGdQV A2kO9AGBtXKmTiTZgVxOY1
-------------------------------------------------------------------------------
Rule Name: Home watch (/home)
Severity Level: 100
-------------------------------------------------------------------------------
----------------------------------------
Removed Objects: 4
----------------------------------------
Removed object name: /home/elsewhere
Property: Expected Observed
------------- ----------- -----------
* Object Type Directory ---
* Device Number 64768 ---
* File Device Number 0 ---
* Inode Number 33640822 ---
* Mode drwxr-xr-x ---
* Num Links 2 ---
* UID root (0) ---
* GID root (0) ---
* Size 57 ---
* Modify Time Thu 13 Aug 2020 01:25:10 AEST
---
* Change Time Thu 13 Aug 2020 01:25:10 AEST
---
* Blocks 0 ---
Removed object name: /home/elsewhere/grep
Property: Expected Observed
------------- ----------- -----------
* Object Type Regular File ---
* Device Number 64768 ---
* File Device Number 0 ---
* Inode Number 33641148 ---
* Mode -rw-r--r-- ---
* Num Links 1 ---
* UID root (0) ---
* GID root (0) ---
* Size 0 ---
* Modify Time Thu 13 Aug 2020 00:03:23 AEST
---
* Change Time Thu 13 Aug 2020 00:03:23 AEST
---
* Blocks 0 ---
* CRC32 D///// ---
* MD5 DUHYzZjwCyBOmACZjs+EJ+ ---
Removed object name: /home/elsewhere/no-directory.txt
Property: Expected Observed
------------- ----------- -----------
* Object Type Regular File ---
* Device Number 64768 ---
* File Device Number 0 ---
* Inode Number 33641157 ---
* Mode -rw-r--r-- ---
* Num Links 1 ---
* UID root (0) ---
* GID root (0) ---
* Size 6230 ---
* Modify Time Thu 13 Aug 2020 00:11:27 AEST
---
* Change Time Thu 13 Aug 2020 00:11:27 AEST
---
* Blocks 16 ---
* CRC32 AROBI6 ---
* MD5 Ah1ykdNmBCnkzIdMKh0+M/ ---
Removed object name: /home/elsewhere/whatsup
Property: Expected Observed
------------- ----------- -----------
* Object Type Regular File ---
* Device Number 64768 ---
* File Device Number 0 ---
* Inode Number 33641150 ---
* Mode -rw-r--r-- ---
* Num Links 1 ---
* UID root (0) ---
* GID root (0) ---
* Size 13 ---
* Modify Time Wed 12 Aug 2020 23:44:37 AEST
---
* Change Time Wed 12 Aug 2020 23:44:37 AEST
---
* Blocks 8 ---
* CRC32 B9OgJ5 ---
* MD5 Ahksut6TDvX1kFiK93U0kw ---
----------------------------------------
Modified Objects: 1
----------------------------------------
Modified object name: /home
Property: Expected Observed
------------- ----------- -----------
Object Type Directory Directory
Device Number 64768 64768
File Device Number 0 0
Inode Number 16834295 16834295
Mode drwxr-xr-x drwxr-xr-x
* Num Links 4 3
UID root (0) root (0)
GID root (0) root (0)
* Size 36 19
* Modify Time Thu 13 Aug 2020 01:30:08 AEST
Thu 13 Aug 2020 01:38:47 AEST
* Change Time Thu 13 Aug 2020 01:30:08 AEST
Thu 13 Aug 2020 01:38:47 AEST
Blocks 0 0
-------------------------------------------------------------------------------
Rule Name: Home watch (/dev)
Severity Level: 100
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 1
----------------------------------------
Modified object name: /dev/ptmx
Property: Expected Observed
------------- ----------- -----------
Object Type Character Device Character Device
Device Number 6 6
File Device Number 1282 1282
Inode Number 1126 1126
Mode crw-rw-rw- crw-rw-rw-
Num Links 1 1
UID root (0) root (0)
GID tty (5) tty (5)
Size 0 0
* Modify Time Thu 13 Aug 2020 01:30:00 AEST
Thu 13 Aug 2020 01:38:41 AEST
Change Time Wed 12 Aug 2020 22:45:46 AEST
Wed 12 Aug 2020 22:45:46 AEST
Blocks 0 0