I have a fresh installation of tripwire on Centos 5.3
Default tw.pol (last version is from 2007) contains some out-to-date settings:
1. File system error.
Filename: /usr/local/sysinfo
No such file or directory
2. File system error.
Filename: /usr/X11R6/lib
No such file or directory
3. File system error.
Filename: /etc/mail/statistics
No such file or directory
4. File system error.
Filename: /var/lost+found
No such file or directory
5. File system error.
Filename: /var/cache/man/whatis
No such file or directory
6. File system error.
Filename: /cdrom
No such file or directory
7. File system error.
Filename: /floppy
No such file or directory
8. File system error.
Filename: /initrd
No such file or directory
9. File system error.
Filename: /home/lost+found
No such file or directory
And

Parsing policy file: /usr/local/etc/tw.pol
Generating the database...
*** Processing Unix File System ***
The object: "/sys" is on a different file system...ignoring.

1) It is easy to remove all of them from twpol.txt but, are there similar (or not) needing adds/substitutions you suggest?

2) Have a suggesting daily procedure to implement with tripwire (check, cron, twpol.txt updates, rebuild database?

Thanks in advance

Filename: /usr/local/sysinfo # Don't know this one. Might not be a std issue Centos package.
Filename: /usr/X11R6/lib # Only if you run X11/Xorg (which is kinda odd on a headless server).
Filename: /etc/mail/statistics # Only if you let Sendmail collect statistics AFAIK.
Filename: /var/lost+found # Only if /var is a separate partition.
Filename: /var/cache/man/whatis # Only if default cronjob /etc/cron.daily/makewhatis has run initially.
Filename: /cdrom # Isn't that supposed to be in either /dev/ or /media?
Filename: /floppy # Isn't that supposed to be in either /dev/ or /media?
Filename: /initrd # Only if kernel was installed manually AFAIK.



I don't run tripwire but Samhain or Aide instead. Samhain runs as daemon and Aide I usually set up with different configs running cronjob checks at different intervals. Rebuilding databases should IMHO never be automated because warnings should be checked. IMHO if you don't do the verify-modify routine thing you might as well validate everything all the time, which would basically be as good as not running any...

I'm not sure if I understand the last what you mean.
In my old server (I am in moving process) I have something more simple. An app called fcheck.
It check for changes in /home /etc /tmp and some other with exceptions like Maildir dirs
I'm not sure if I am doing well. To not to have reports growing and growing I first check updates (I receive a report by email) and then I rebuild database (cron). So I look trough the changes of the last day. I never had to fix anything but if I should, I would make the necessary changes and then rebuild the database.
In the new server I've created a database after programs installation from repositories only.
This remains untouched, I haven't finished its implementation.
My knowledge is poor on this issues so maybe Samhain or Aide would be fit better for me
If you have any advices, they are welcome.
Thanks unSpawn

The difference between Fcheck and Samhain, Aide and tripwire is that Fcheck is interpreted (Perl) meaning it is (relatively) slower. Also, from reading the archives timestamps, it seems Fcheck development stopped in 2001. That does not automagically mean it is incomplete or worthless. The difference between Aide, tripwire and Samhain is that Samhain runs continuously in the background and takes care of checking intervals through it's own configuration. Next to that it can be compiled with a kernel module to hide its presence and it can check crucial kernel internals like IDT and such. There's more but you'll have to read http://www.la-samhna.de/samhain/. I think Aide and Samhain are the most up to date wrt development. Aide is more "tripwire-like" (but without the Licensing confusion and with developers actively working on it) and may be considered easy to configure.


Do you use a cronjob to rebuild the database? Or what do you mean?


If you run Red Hat, any derivative, or any distribution with a package management database based on RPM, you already have a database with which you can verify installed files. Storing a copy off-site and taking care of changes outside of the scope of RPM (tarball installs, configuration changes) might get you going fast and efficient.

fcheck was a hurry solution because I had decided to move the server.
And yes, I am updating datab from cron.
On the new server I intend to perform a more detailed installation.
I didn't started very well (see my other threat about kowlr intrusion.
I will remove tripwire and install one of yours.
I didn't find tripwire very kindly to set up.
And I have here good people if I need help.
Thank you

I am reading the manual before installing samhain.
My server is a simple one: hosts a few virtual servers for apache services.
My knowledge on this issue is poor.
./configure --enable-network=client or server or both?

--with-kcheck=path to sys map
Which one of these?
/boot/System.map-2.6.18-128.1.14.el5
/boot/System.map-2.6.18-128.el5

Good!


Client unless you have one host designated as "master" running Yule.


The kernel you run, hopefully the most recent one.
A kernel version-specific map should be linked to /boot/System.map so you may use that name.
If you use the kernel module you must rebuild and reinstall Samhain each time you install and run a new kernel.
Certain kernel-related features like hiding Samhain might not work with RHEL/Centos kernels.
In the worst case scenario this may result in a hard lockup of the machine.
Please also see related notes in other thread.

I forgot to say that I have rkhunter already installed and running in the old and this server.
I don't know if this is good, I have a cron job to receive a daily report.
( /usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only --pkgmgr rpm
sed -n -e '/Warning/p' /var/log/rkhunter.log > /root/rkhunterLOG
) | mail -s "rkhunter Warnings" -c root < /root/rkhunterLOG

Samhain manual is not friendly.
The only thing I can do in pdf version is to zoom and scroll.
No search tool, no text-copy paste.
The html version only has the capability to copy-paste.
Search, only on the present page. This is annoying.
I am trying to find where it says about -kcheck, if I need to add it in ./configure, if not, does it take the running one.....
What do you mean with In the worst case scenario this may result in a hard lockup of the machine. ?

Do I need a lot of configure settings to compile?
./configure --enable-network=client --with-logserver=server.example.com
from http://www.la-samhna.de/samhain/HOWT...nt+server.html

--enable-login-watch ?
--enable-userfiles ?
--with-trusted=0,501,513 ?
--enable-xml-log ?
--with-database=mysql ?
It seems like Beltane would be useful too.

Tiger?
Thank you

Depends on which version you run and the configuration. For instance running suspscan on a webserver docroot may yield some results (for instance an average PHP shell should peak at a score of around 300, well over the threshold) but will slow down the run.


Sorry, I don't deal with those annoyances, better talk to the developers about that.


See http://www.la-samhna.de/samhain/manu...configure.html ?


Exactly what I wrote. Meaning only a powercycle will bring the machine back up. That's why I suggested in the other thread you have a physical or virtual machine to test things on before moving it to production. The compile-time "--enable-khide" option may or may not work with your kernel.


http://www.la-samhna.de/samhain/manu...tallation.html says just "./configure; make" and their .spec file (in the tarball) runs configure with "'--enable-static' '--enable-login-watch' '--enable-process-check' '--enable-port-check' '--enable-ptrace' '--disable-encrypt' '--disable-srp' '--enable-suidcheck'".
--enable-network=client # Makes this the client-side version (not Yule).
--with-logserver=server.example.com # If you log to a server (Yule).
--enable-login-watch # Check who's logging in.
--enable-userfiles # Check files in users /home.
--with-trusted=0,501,513 # Say what?
--enable-xml-log # Enable if your audit log reading app accepts XML (like Prelude).
--with-database=mysql # Enables logging to a database.


In case you didn't read it yet, in the other thread I wrote about two tasks I think are most important for you now. Beltane doesn't fit that. Running Tiger on a new machine to assess its state makes it easier, more efficient to pinpoint what you should work on first.

Some Tiger's results

--WARN-- [pass017w] Login ID admin has uid == 0. // I don't know why, I changed to 16, I don't know if it is good thing to do.
These are here from OS installation. Is there something I should change?
[COLOR="DarkSlateGray"]--WARN-- [pass016w] User avahi has / as home directory
--WARN-- [pass016w] User dbus has / as home directory
--WARN-- [pass016w] User distcache has / as home directory
--WARN-- [pass016w] User haldaemon has / as home directory
--WARN-- [pass015w] Login ID halt does not have a valid shell (/sbin/halt).
--WARN-- [pass014w] Login (mysql) is disabled, but has a valid shell.
--WARN-- [pass015w] Login ID news has an empty shell.
--WARN-- [pass016w] User nobody has / as home directory
--WARN-- [pass016w] User nscd has / as home directory
--WARN-- [pass014w] Login (postgres) is disabled, but has a valid shell.
--WARN-- [pass016w] User rpc has / as home directory
--WARN-- [pass015w] Login ID shutdown does not have a valid shell
(/sbin/shutdown).
--WARN-- [pass015w] Login ID sync does not have a valid shell (/bin/sync).
--WARN-- [pass002w] UID 0 exists multiple times (2) in /etc/passwd.


--WARN-- [pass012w] Home directory / exists multiple times (7) in /etc/passwd.
--WARN-- [pass012w] Home directory /sbin exists multiple times (2) in
/etc/passwd.
--WARN-- [pass012w] Home directory /var/lib/nfs exists multiple times (2) in
/etc/passwd.
--WARN-- [pass012w] Home directory /var/spool/mqueue exists multiple times (2)
in /etc/passwd.
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck
-r).
Do I have to worry about that?
This is from /etc/passw
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin


# Performing common access checks for root (in /etc/default/login, /securetty, and /etc/ttytab...
--WARN-- [root003w] Root user has message capability turned on.

There are other warns like
--WARN-- [acc006w] Login ID peter's home directory
(/home/.../peter) has group
`admin04' write access.
This is good for me.

--WARN-- [cron001w] cron entry for root does not use full pathname ():

--WARN-- [inet003w] The port for service fsp is also assigned to service ftp.
--WARN-- [inet003w] The port for service whois is also assigned to service
nicname.
--WARN-- [inet003w] The port for service www is also assigned to service http.
and more


# Checking network configuration
--WARN-- [lin012w] The system accepts ICMP redirection messages
--FAIL-- [lin014f] The system permits the transmission of IP packets with
invalid addresses
--WARN-- [lin015w] The system has IP forwarding enabled
--WARN-- [lin017w] The system is not configured to log suspicious (martian)
packets

# Checking device permissions...
--FAIL-- [dev002f] /dev/log has world permissions
--FAIL-- [dev002f] /dev/ptmx has world permissions
--FAIL-- [dev002f] /dev/rtc has world permissions

# Checking for existence of log files...
--FAIL-- [logf005f] Log file /var/log/btmp permission should be 660 // It is 600
--FAIL-- [logf005f] Log file /var/log/messages permission should be 640 // It is 600

# Checking for correct umask settings...
--WARN-- [misc021w] There are no umask entries in /etc/profile
--WARN-- [misc021w] There are no umask entries in /etc/csh.login

# Checking sshd_config configuration files...
--WARN-- [ssh004w] The PasswordAuthentication directive in
/etc/ssh/sshd_config is set to the unapproved value: yes.

# Performing common access checks for root...
--FAIL-- [netw018f] Administrative user mistert allowed access in
/etc/ftpusers

lot of similar ones

# Looking for unusual device files...
--ALERT-- [fsys006a] Unexpected device files found:
crw-rw---- 1 root named 1, 3 Jun 25 15:58 /var/named/chroot/dev/null
crw-rw---- 1 root named 1, 8 Jun 25 15:58 /var/named/chroot/dev/random
crw-rw---- 1 root named 1, 5 Jun 25 15:58 /var/named/chroot/dev/zero

# Checking accounts from /etc/passwd.
--WARN-- [acc021w] Login ID mistert appears to be a dormant account.
Lot of these. They are users I have created to have ftp access to their dirs. They are only able to download. There's something extra I should do?
I don't have any physycal or virtual server for testing purposes. It would be better to not to configure with this option, isn't it?
Thank you
PS
From rkhunter report
[04:03:51] Checking if SSH root access is allowed [ Warning ]
[04:03:51] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
I don't understand it, I do ssh login as root.

What do you think about
http://www.howtoforge.com/bastille_firewall_centos ?

Security does not have much mindshare with a lot of people. It's not helped or made any easier by the fact that it requires you to read lots (most of which you can't master in a day), HOWTO's and security documents that are out of date or apply to just one particular distribution version or contain misconceptions (due to tools that were hard to use in earlier incarnations like SE Linux), the fact that you have to put in a lot of effort (most of which only pays off if you find yourself in the hairy furball of a security-related incident) or the fact that enhancing security is a trade-off with usability (not log in as root to but SSH into an unprivileged account and use Sudo). Most of all it requires a shift in thinking. Since pain and money are two universal concepts people understand this is best illustrated by reasons for choosing to run GNU/Linux. While you may have chosen it for licensing or related financial motivations, in essence running GNU/Linux is all about performance, protecting assets and providing services in a continuous, stable and secure way. These assets not only include being able to host paying users but also the time and effort you invest in getting the machine to run right (and the good reputation of your company). Who in their right mind would choose not to protect such assets?..


Apart from getting familiar with intricacies we should also apply structure to things, else this will become less efficient. Besides you need to get this done Real Soon Now so you will need to divide your attention between the main topics you should know about and assess. In your other thread I wrote "If you have questions about and would like help with hardening please search this forums threads and check out the LQ FAQ: Security references (or the newer cleaned up version at http://rkhunter.wiki.sourceforge.net/SECREF).". What I mean is that I will help you but I expect you to read carefully before doing things. Lets break down what you want to look into into three categories:
post-installation tasks (integrity checking, enabling logging and auditing, cleaning up unwanted packages, setting up backups, best practices),
configuration (host, services),
hardening (services, auditing, restrictions, reactive measures, resillience and failover).

Also I think it would be best if you create a new thread in the Linux Security forum about hardening your host. In your initial post you should list, in detail, at least:
The services you provide to users:
- to access the system for administrative purposes (panel, SSH, FTP, telnet, other),
- for hosting purposes (break down applications by components and include non-standard modules or addons if any),
The current state of the system itself with respect to:
- system configuration,
- logging and auditing,
- hardening measures,
- user access restrictions (PAM, shared groups, ACL, chroots, other),
- network access restrictions (firewall, IDS, service-specific, other).
Since you have already migrated existing user accounts and data I would like to know what you migrated, how you migrated it and what you have checked to ensure integrity.


That said, let's get on with replying two of your other questions.




I'll point you to the hardening section of the LQ Security References again, and Securing and Hardening Red Hat Linux Production Systems to read as it addresses some of the Tiger results. I'll address the Tiger part in a later reply so you have some time to let this sink in. (Also please remember that the goal is to enhance security. So you don't want to know about "worries" (personal interpretation) but if something is this a security risk or not, OK?)


A production machine serves only one purpose. It should not contain development tools, compilers or anything unprotected or vulnerable that local or remote users could abuse. Therefore, if you want to run virtualization you should run it on another machine. If you have a machine at work or at home you use then you can run QEmu, Virtualbox or VMware to mimick your development or staging environment.


What version of Rootkit Hunter? Do you or do you not log in as root? If you do then you must know that is a bad practice.