Linux – Tripwire policy suggestions

linuxSecuritytripwire

I've setup tripwire on a debian server, and default policy had some strange settings.

#
# Critical devices
#
(
  rulename = "Devices & Kernel information",
  severity = $(SIG_HI),
)
{
    /dev            -> $(Device) ;
#   /proc           -> $(Device) ;
}

/proc is very volatile, so I've commented it out, but I guess I should put some of it content explicitly in here. I have some ideas, but I'll ask for an advice on that matter.

Other thing is /var/log :

#
# These files change every time the system boots
#
(
  rulename = "System boot changes",
  severity = $(SIG_HI)
)
{
    /var/lock               -> $(SEC_CONFIG) ;
    /var/run                -> $(SEC_CONFIG) ; # daemon PIDs
#   /var/log                -> $(SEC_CONFIG) ;
}

Again too volatile and too many false positives. Should I explicitly monitor some specified parts of it and what. Rest of /var is $(SIG_MED) and $(SEC_INVARIANT), which sounds reasonable for /var/log too.

Best Answer

I think your assumptions are okay.

There is nothing interesting in proc to watch for, and they change every time. /dev is also a good question. I used to have that line, but now with udev I am not so sure.

You still have this line, do you?

/var -> $(SEC_INVARIANT) (recurse = 0) ;

My real problem with tripwire is, that it requires regular attention to keep it up-to-date. When I had the time it worked great, but not anymore.

Maybe it is worth to take a look at Samhain. It only reports once then learns the changes. It has other great features (maybe I will extend this later).

Related Solutions

Security – Recommend alternative to tripwire

We use OSSEC as HIDS and Splunk to analyze the results. OSSEC provides:

File integrity
Log monitoring
Rootkit detection
Configuration analysis

There is a free Splunk App, called Splunk for OSSEC which works great to manage OSSEC alerts (there are dashboards, queries, etc.). We use free Splunk.

You can also use the OSSEC WebUI, but it is much more limited.

To give you an idea of how it is, have a look at this screenshot.

Tripwire: tripwire –update -Z low says Error: File could not be opened

tripwire --update requires a particular (usually the most recent) tripwire output file to operate on. When you last ran tripwire --check it will have created a report file; if you want to update from that, find the name of that report file (usually the most recent creation in /var/lib/tripwire/report) and do

tripwire --update -Z low -r /var/lib/tripwire/report/THATFILE

If you're using the most recent tripwire output file, -Z low is often not required, and I think it's generally a good idea to omit it: if there have been any further changes since the report was generated, you want to know about them, and resolve them manually.

If you must have a fast workaround, you could put something like this in your .bashrc file (assuming you're using bash):

alias triplast="tripwire --update -r `ls -1rt /var/lib/tripwire/report|tail -1`"

which will run tripwire in update mode on the most recent entry in the reports directory.

Best Answer

Related Solutions

Security – Recommend alternative to tripwire

Tripwire: tripwire –update -Z low says Error: File could not be opened

Related Topic