Policy rules of tripwire
I have a fresh installation of tripwire on CentOS 5.3.

The default tw.pol (the last version is from 2007) contains some out-of-date settings:

1. File system error. Filename: /usr/local/sysinfo No such file or directory
2. File system error. Filename: /usr/X11R6/lib No such file or directory
3. File system error. Filename: /etc/mail/statistics No such file or directory
4. File system error. Filename: /var/lost+found No such file or directory
5. File system error. Filename: /var/cache/man/whatis No such file or directory
6. File system error. Filename: /cdrom No such file or directory
7. File system error. Filename: /floppy No such file or directory
8. File system error. Filename: /initrd No such file or directory
9. File system error. Filename: /home/lost+found No such file or directory

And:

Parsing policy file: /usr/local/etc/tw.pol
Generating the database...
*** Processing Unix File System ***
The object: "/sys" is on a different file system...ignoring.

1) It is easy to remove all of them from twpol.txt, but are there similar (or other) entries you would suggest adding or substituting?
2) Do you have a suggested daily procedure to implement with tripwire (check, cron, twpol.txt updates, rebuild database)?

Thanks in advance
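One way to find and prune the policy objects behind those "No such file or directory" lines, as an added example that is not part of the thread or of Tripwire itself (the sample policy fragment is constructed; the two helper function names are mine):

```shell
SAMPLE_POL=$(mktemp)
cat > "$SAMPLE_POL" <<'EOF'
# Constructed fragment in twpol.txt syntax; not the CentOS policy.
(
  rulename = "Sample rule",
  severity = $(SIG_HI)
)
{
  /etc                  -> $(SEC_CRIT) ;
  /usr/local/sysinfo    -> $(SEC_CRIT) ;
  /tmp                  -> $(SEC_INVARIANT) (recurse = 0) ;
  /floppy               -> $(SEC_INVARIANT) ;
  !/proc ;
}
EOF

# Print each policy object (a line whose first token starts with "/")
# whose path is absent on this host. "!/path" exclusions and "#" comments
# never match the pattern, so they are skipped.
missing_policy_paths() {
  sed -n 's|^[[:space:]]*\(/[^[:space:]]*\).*|\1|p' "$1" |
  while IFS= read -r path; do
    [ -e "$path" ] || printf '%s\n' "$path"
  done
}

# Write $2: a copy of policy $1 with every missing object turned into a
# "#" comment, so that tripwire --init stops reporting it.
comment_out_missing() {
  list=$(mktemp)
  missing_policy_paths "$1" > "$list"
  awk -v list="$list" '
    BEGIN { while ((getline p < list) > 0) miss[p] = 1 }
    {
      line = $0; sub(/^[[:space:]]+/, "", line); split(line, f)
      if (f[1] in miss) print "#" $0; else print $0
    }' "$1" > "$2"
  rm -f "$list"
}

missing_policy_paths "$SAMPLE_POL"        # prints /usr/local/sysinfo and /floppy
comment_out_missing "$SAMPLE_POL" "$SAMPLE_POL.clean"
```

Review the printed list before using the cleaned file: a path that is missing today (such as /var/cache/man/whatis before the first makewhatis run) may be one you want tripwire to watch later.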
Filename: /usr/X11R6/lib # Only if you run X11/Xorg (which is kinda odd on a headless server).
Filename: /etc/mail/statistics # Only if you let Sendmail collect statistics AFAIK.
Filename: /var/lost+found # Only if /var is a separate partition.
Filename: /var/cache/man/whatis # Only if default cronjob /etc/cron.daily/makewhatis has run initially.
Filename: /cdrom # Isn't that supposed to be in either /dev/ or /media?
Filename: /floppy # Isn't that supposed to be in either /dev/ or /media?
Filename: /initrd # Only if kernel was installed manually AFAIK.
I'm not sure I understand what you mean by the last part.

In my old server (I am in the process of moving) I have something simpler: an app called fcheck. It checks for changes in /home, /etc, /tmp and some others, with exceptions like Maildir dirs. I'm not sure if I am doing it well. So that the reports do not keep growing and growing, I first check the updates (I receive a report by email) and then I rebuild the database (cron). So I look through the changes of the last day. I never had to fix anything, but if I had to, I would make the necessary changes and then rebuild the database.

In the new server I've created a database after installing programs from repositories only. This remains untouched; I haven't finished its implementation. My knowledge is poor on these issues, so maybe Samhain or Aide would fit me better. If you have any advice, it is welcome.

Thanks unSpawn
fcheck was a hurried solution because I had decided to move the server.

And yes, I am updating the database from cron. On the new server I intend to perform a more detailed installation. I didn't start very well (see my other thread about the kowlr intrusion). I will remove tripwire and install one of yours. I didn't find tripwire very friendly to set up. And I have good people here if I need help.

Thank you
I am reading the manual before installing samhain.

My server is a simple one: it hosts a few virtual servers for apache services. My knowledge on this issue is poor.

./configure --enable-network=client or server or both?
--with-kcheck=path to sys map: which one of these?
/boot/System.map-2.6.18-128.1.14.el5
/boot/System.map-2.6.18-128.el5
A kernel version-specific map should be linked to /boot/System.map so you may use that name. If you use the kernel module you must rebuild and reinstall Samhain each time you install and run a new kernel. Certain kernel-related features like hiding Samhain might not work with RHEL/CentOS kernels. In the worst case scenario this may result in a hard lockup of the machine. Please also see the related notes in the other thread.
I forgot to say that I have rkhunter already installed and running on the old server and on this one.

I don't know if this is good; I have a cron job to receive a daily report:

( /usr/local/bin/rkhunter --versioncheck
  /usr/local/bin/rkhunter --update
  /usr/local/bin/rkhunter --cronjob --report-warnings-only --pkgmgr rpm
  sed -n -e '/Warning/p' /var/log/rkhunter.log > /root/rkhunterLOG ) | mail -s "rkhunter Warnings" -c root < /root/rkhunterLOG

The Samhain manual is not friendly. The only thing I can do in the pdf version is zoom and scroll. No search tool, no text copy-paste. The html version only has the capability to copy-paste. Search, only on the present page. This is annoying. I am trying to find where it says something about -kcheck, whether I need to add it in ./configure, and if not, does it take the running one?

What do you mean with "In the worst case scenario this may result in a hard lockup of the machine"?

Do I need a lot of configure settings to compile?

./configure --enable-network=client --with-logserver=server.example.com from http://www.la-samhna.de/samhain/HOWT...nt+server.html
--enable-login-watch ?
--enable-userfiles ?
--with-trusted=0,501,513 ?
--enable-xml-log ?
--with-database=mysql ?

It seems like Beltane would be useful too. Tiger?

Thank you
--enable-network=client # Makes this the client-side version (not Yule).
--with-logserver=server.example.com # If you log to a server (Yule).
--enable-login-watch # Check who's logging in.
--enable-userfiles # Check files in users' /home.
--with-trusted=0,501,513 # Say what?
--enable-xml-log # Enable if your audit log reading app accepts XML (like Prelude).
--with-database=mysql # Enables logging to a database.
Some Tiger results

--WARN-- [pass017w] Login ID admin has uid == 0. // I don't know why; I changed it to 16. I don't know if it is a good thing to do.

These are here from the OS installation. Is there something I should change?

--WARN-- [pass016w] User avahi has / as home directory
--WARN-- [pass016w] User dbus has / as home directory
--WARN-- [pass016w] User distcache has / as home directory
--WARN-- [pass016w] User haldaemon has / as home directory
--WARN-- [pass015w] Login ID halt does not have a valid shell (/sbin/halt).
--WARN-- [pass014w] Login (mysql) is disabled, but has a valid shell.
--WARN-- [pass015w] Login ID news has an empty shell.
--WARN-- [pass016w] User nobody has / as home directory
--WARN-- [pass016w] User nscd has / as home directory
--WARN-- [pass014w] Login (postgres) is disabled, but has a valid shell.
--WARN-- [pass016w] User rpc has / as home directory
--WARN-- [pass015w] Login ID shutdown does not have a valid shell (/sbin/shutdown).
--WARN-- [pass015w] Login ID sync does not have a valid shell (/bin/sync).
--WARN-- [pass002w] UID 0 exists multiple times (2) in /etc/passwd.
--WARN-- [pass012w] Home directory / exists multiple times (7) in /etc/passwd.
--WARN-- [pass012w] Home directory /sbin exists multiple times (2) in /etc/passwd.
--WARN-- [pass012w] Home directory /var/lib/nfs exists multiple times (2) in /etc/passwd.
--WARN-- [pass012w] Home directory /var/spool/mqueue exists multiple times (2) in /etc/passwd.
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck -r).

Do I have to worry about that? This is from /etc/passwd:

rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin

# Performing common access checks for root (in /etc/default/login, /securetty, and /etc/ttytab...
--WARN-- [root003w] Root user has message capability turned on.

There are other warns like:

--WARN-- [acc006w] Login ID peter's home directory (/home/.../peter) has group `admin04' write access.
This is good for me.
--WARN-- [cron001w] cron entry for root does not use full pathname ():
--WARN-- [inet003w] The port for service fsp is also assigned to service ftp.
--WARN-- [inet003w] The port for service whois is also assigned to service nicname.
--WARN-- [inet003w] The port for service www is also assigned to service http.

and more

# Checking network configuration
--WARN-- [lin012w] The system accepts ICMP redirection messages
--FAIL-- [lin014f] The system permits the transmission of IP packets with invalid addresses
--WARN-- [lin015w] The system has IP forwarding enabled
--WARN-- [lin017w] The system is not configured to log suspicious (martian) packets
# Checking device permissions...
--FAIL-- [dev002f] /dev/log has world permissions
--FAIL-- [dev002f] /dev/ptmx has world permissions
--FAIL-- [dev002f] /dev/rtc has world permissions
# Checking for existence of log files...
--FAIL-- [logf005f] Log file /var/log/btmp permission should be 660 // It is 600
--FAIL-- [logf005f] Log file /var/log/messages permission should be 640 // It is 600
# Checking for correct umask settings...
--WARN-- [misc021w] There are no umask entries in /etc/profile
--WARN-- [misc021w] There are no umask entries in /etc/csh.login
# Checking sshd_config configuration files...
--WARN-- [ssh004w] The PasswordAuthentication directive in /etc/ssh/sshd_config is set to the unapproved value: yes.
# Performing common access checks for root...
--FAIL-- [netw018f] Administrative user mistert allowed access in /etc/ftpusers

lots of similar ones

# Looking for unusual device files...
--ALERT-- [fsys006a] Unexpected device files found:
crw-rw---- 1 root named 1, 3 Jun 25 15:58 /var/named/chroot/dev/null
crw-rw---- 1 root named 1, 8 Jun 25 15:58 /var/named/chroot/dev/random
crw-rw---- 1 root named 1, 5 Jun 25 15:58 /var/named/chroot/dev/zero
# Checking accounts from /etc/passwd.
--WARN-- [acc021w] Login ID mistert appears to be a dormant account.

Lots of these. They are users I have created to have ftp access to their dirs. They are only able to download. Is there something extra I should do?

Thank you

PS From the rkhunter report:
[04:03:51] Checking if SSH root access is allowed [ Warning ]
[04:03:51] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
I don't understand it, I do ssh login as root.

What do you think about http://www.howtoforge.com/bastille_firewall_centos ?
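The four findings under "Checking network configuration" above can be re-checked against the kernel's current sysctl values, with the /etc/sysctl.conf line that would clear each one printed next to the failure. This is an added example, not Tiger's code or anything from the thread; the mapping of each Tiger id to a sysctl key is my assumption (lin014f taken as reverse-path filtering), and the optional prefix argument exists only so the check can run against a copy of /proc.

```shell
# Re-check Tiger's network findings against /proc/sys/net/ipv4 (assumed
# mapping). Arg 1, if given, is prepended to /proc so a constructed copy of
# the tree can be checked; with no arg the live kernel is read.
# Exit status is the number of settings still at the flagged value.
check_net_sysctl() {
  prefix="${1:-}"
  findings=0
  # fields: sysctl path under net/ipv4, wanted value, Tiger id, description
  while read -r key want id desc; do
    file="$prefix/proc/sys/net/ipv4/$key"
    if [ ! -r "$file" ]; then
      printf 'SKIP %s: %s not readable\n' "$id" "$file"
      continue
    fi
    have=$(cat "$file")
    if [ "$have" = "$want" ]; then
      printf 'OK   %s: %s = %s\n' "$id" "$key" "$have"
    else
      # dotted name as it would be written in /etc/sysctl.conf
      name=$(printf 'net/ipv4/%s' "$key" | tr / .)
      printf 'FAIL %s: %s (%s = %s); fix: %s = %s\n' \
        "$id" "$desc" "$key" "$have" "$name" "$want"
      findings=$((findings + 1))
    fi
  done <<'EOF'
conf/all/accept_redirects 0 lin012w system accepts ICMP redirects
conf/all/rp_filter 1 lin014f reverse-path filter off, spoofed sources accepted
ip_forward 0 lin015w IP forwarding enabled on a host that is not a router
conf/all/log_martians 1 lin017w martian packets not logged
EOF
  return "$findings"
}
```

Source the file and run `check_net_sysctl` as root on the live host; values written to /etc/sysctl.conf only take effect after `sysctl -p` or a reboot, so re-run the check afterwards.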
Security does not have much mindshare with a lot of people. It's not helped or made any easier by the fact that it requires you to read lots (most of which you can't master in a day), HOWTOs and security documents that are out of date or apply to just one particular distribution version or contain misconceptions (due to tools that were hard to use in earlier incarnations like SE Linux), the fact that you have to put in a lot of effort (most of which only pays off if you find yourself in the hairy furball of a security-related incident) or the fact that enhancing security is a trade-off with usability (not logging in as root but SSHing into an unprivileged account and using Sudo). Most of all it requires a shift in thinking. Since pain and money are two universal concepts people understand, this is best illustrated by reasons for choosing to run GNU/Linux. While you may have chosen it for licensing or related financial motivations, in essence running GNU/Linux is all about performance, protecting assets and providing services in a continuous, stable and secure way. These assets not only include being able to host paying users but also the time and effort you invest in getting the machine to run right (and the good reputation of your company). Who in their right mind would choose not to protect such assets?
post-installation tasks (integrity checking, enabling logging and auditing, cleaning up unwanted packages, setting up backups, best practices), configuration (host, services), hardening (services, auditing, restrictions, reactive measures, resilience and failover).

Also I think it would be best if you create a new thread in the Linux Security forum about hardening your host. In your initial post you should list, in detail, at least:

The services you provide to users:
- to access the system for administrative purposes (panel, SSH, FTP, telnet, other),
- for hosting purposes (break down applications by components and include non-standard modules or addons if any),

The current state of the system itself with respect to:
- system configuration,
- logging and auditing,
- hardening measures,
- user access restrictions (PAM, shared groups, ACL, chroots, other),
- network access restrictions (firewall, IDS, service-specific, other).

Since you have already migrated existing user accounts and data I would like to know what you migrated, how you migrated it and what you have checked to ensure integrity.

That said, let's get on with replying to two of your other questions. I'll point you to the hardening section of the LQ Security References again, and Securing and Hardening Red Hat Linux Production Systems to read as it addresses some of the Tiger results. I'll address the Tiger part in a later reply so you have some time to let this sink in. (Also please remember that the goal is to enhance security. So you don't want to know about "worries" (personal interpretation) but whether something is a security risk or not, OK?)