LinuxQuestions.org

Linux - Security forum: tripwire: errors on integrity check and email test not working... (http://www.linuxquestions.org/questions/linux-security-4/tripwire-errors-on-integrity-check-and-email-test-not-working-883609/)

BlackHawk 05-30-2011 06:17 PM

tripwire: errors on integrity check and email test not working...
 
Forgive me because this is a long output:

Code:

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                      Severity Level    Added    Removed  Modified
  ---------                      --------------    -----    -------  --------
  Invariant Directories          66                0        0        0       
  Temporary directories          33                0        0        0       
* Tripwire Data Files            100              1        0        0       
  Critical devices                100              0        0        0       
  User binaries                  66                0        0        0       
  Tripwire Binaries              100              0        0        0       
  Critical configuration files    100              0        0        0       
  Libraries                      66                0        0        0       
  Operating System Utilities      100              0        0        0       
  Critical system boot files      100              0        0        0       
  File System and Disk Administraton Programs
                                  100              0        0        0       
  Kernel Administration Programs  100              0        0        0       
  Networking Programs            100              0        0        0       
  System Administration Programs  100              0        0        0       
  Hardware and Device Control Programs
                                  100              0        0        0       
  System Information Programs    100              0        0        0       
  Application Information Programs
                                  100              0        0        0       
  Shell Related Programs          100              0        0        0       
  Critical Utility Sym-Links      100              0        0        0       
  Shell Binaries                  100              0        0        0       
  System boot changes            100              0        0        0       
  OS executables and libraries    100              0        0        0       
  Security Control                100              0        0        0       
  Login Scripts                  100              0        0        0       
  Root config files              100              0        0        0       

Total objects scanned:  33928
Total violations found:  1

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/lib/tripwire/BlackHawk.home.twd"

===============================================================================
Error Report:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

1.  File system error.
    Filename: /dev/kmem
    No such file or directory
2.  File system error.
    Filename: /proc/ksyms
    No such file or directory
3.  File system error.
    Filename: /proc/pci
    No such file or directory
4.  File system error.
    Filename: /usr/sbin/fixrmtab
    No such file or directory
5.  File system error.
    Filename: /usr/bin/vimtutor
    No such file or directory
6.  File system error.
    Filename: /usr/local/lib64
    No such file or directory
7.  File system error.
    Filename: /sbin/busybox
    No such file or directory
8.  File system error.
    Filename: /sbin/busybox.anaconda
    No such file or directory
9.  File system error.
    Filename: /sbin/convertquota
    No such file or directory
10.  File system error.
    Filename: /sbin/debugreiserfs
    No such file or directory
11.  File system error.
    Filename: /sbin/dump.static
    No such file or directory
12.  File system error.
    Filename: /sbin/ftl_check
    No such file or directory
13.  File system error.
    Filename: /sbin/ftl_format
    No such file or directory
14.  File system error.
    Filename: /sbin/mkbootdisk
    No such file or directory
15.  File system error.
    Filename: /sbin/mkraid
    No such file or directory
16.  File system error.
    Filename: /sbin/mkreiserfs
    No such file or directory
17.  File system error.
    Filename: /sbin/pcinitrd
    No such file or directory
18.  File system error.
    Filename: /sbin/raidstart
    No such file or directory
19.  File system error.
    Filename: /sbin/reiserfsck
    No such file or directory
20.  File system error.
    Filename: /sbin/resize_reiserfs
    No such file or directory
21.  File system error.
    Filename: /sbin/restore.static
    No such file or directory
22.  File system error.
    Filename: /sbin/scsi_info
    No such file or directory
23.  File system error.
    Filename: /sbin/stinit
    No such file or directory
24.  File system error.
    Filename: /sbin/unpack
    No such file or directory
25.  File system error.
    Filename: /sbin/adjtimex
    No such file or directory
26.  File system error.
    Filename: /sbin/insmod_ksymoops_clean
    No such file or directory
27.  File system error.
    Filename: /sbin/klogd
    No such file or directory
28.  File system error.
    Filename: /sbin/minilogd
    No such file or directory
29.  File system error.
    Filename: /sbin/sndconfig
    No such file or directory
30.  File system error.
    Filename: /sbin/ifport
    No such file or directory
31.  File system error.
    Filename: /sbin/ifuser
    No such file or directory
32.  File system error.
    Filename: /sbin/mgetty
    No such file or directory
33.  File system error.
    Filename: /sbin/portmap
    No such file or directory
34.  File system error.
    Filename: /sbin/vgetty
    No such file or directory
35.  File system error.
    Filename: /sbin/ypbind
    No such file or directory
36.  File system error.
    Filename: /sbin/initlog
    No such file or directory
37.  File system error.
    Filename: /sbin/pam_tally
    No such file or directory
38.  File system error.
    Filename: /sbin/pwdb_chkpwd
    No such file or directory
39.  File system error.
    Filename: /sbin/rescuept
    No such file or directory
40.  File system error.
    Filename: /sbin/rpc.lockd
    No such file or directory
41.  File system error.
    Filename: /sbin/rpcdebug
    No such file or directory
42.  File system error.
    Filename: /sbin/syslogd
    No such file or directory
43.  File system error.
    Filename: /sbin/cardctl
    No such file or directory
44.  File system error.
    Filename: /sbin/cardmgr
    No such file or directory
45.  File system error.
    Filename: /sbin/dump_cis
    No such file or directory
46.  File system error.
    Filename: /sbin/elvtune
    No such file or directory
47.  File system error.
    Filename: /sbin/hotplug
    No such file or directory
48.  File system error.
    Filename: /sbin/ide_info
    No such file or directory
49.  File system error.
    Filename: /sbin/lspnp
    No such file or directory
50.  File system error.
    Filename: /sbin/pack_cis
    No such file or directory
51.  File system error.
    Filename: /sbin/probe
    No such file or directory
52.  File system error.
    Filename: /sbin/shapecfg
    No such file or directory
53.  File system error.
    Filename: /sbin/kernelversion
    No such file or directory
54.  File system error.
    Filename: /sbin/genksyms
    No such file or directory
55.  File system error.
    Filename: /sbin/rtmon
    No such file or directory
56.  File system error.
    Filename: /sbin/nash
    No such file or directory
57.  File system error.
    Filename: /sbin/sash
    No such file or directory
58.  File system error.
    Filename: /sbin/fsck.reiserfs
    No such file or directory
59.  File system error.
    Filename: /sbin/kallsyms
    No such file or directory
60.  File system error.
    Filename: /sbin/ksyms
    No such file or directory
61.  File system error.
    Filename: /sbin/mkfs.reiserfs
    No such file or directory
62.  File system error.
    Filename: /sbin/mount.smb
    No such file or directory
63.  File system error.
    Filename: /sbin/mount.smbfs
    No such file or directory
64.  File system error.
    Filename: /sbin/raid0run
    No such file or directory
65.  File system error.
    Filename: /sbin/raidhotadd
    No such file or directory
66.  File system error.
    Filename: /sbin/raidhotremove
    No such file or directory
67.  File system error.
    Filename: /sbin/raidstop
    No such file or directory
68.  File system error.
    Filename: /sbin/rdump.static
    No such file or directory
69.  File system error.
    Filename: /sbin/rrestore.static
    No such file or directory
70.  File system error.
    Filename: /sbin/lilo
    No such file or directory
71.  File system error.
    Filename: /sbin/mkkerneldoth
    No such file or directory
72.  File system error.
    Filename: /var/lock/subsys/portmap
    No such file or directory
73.  File system error.
    Filename: /var/lock/subsys/apmd
    No such file or directory
74.  File system error.
    Filename: /var/lock/subsys/atd
    No such file or directory
75.  File system error.
    Filename: /var/lock/subsys/canna
    No such file or directory
76.  File system error.
    Filename: /var/lock/subsys/crond
    No such file or directory
77.  File system error.
    Filename: /var/lock/subsys/gpm
    No such file or directory
78.  File system error.
    Filename: /var/lock/subsys/kudzu
    No such file or directory
79.  File system error.
    Filename: /var/lock/subsys/network
    No such file or directory
80.  File system error.
    Filename: /var/lock/subsys/nfslock
    No such file or directory
81.  File system error.
    Filename: /var/lock/subsys/ntpd
    No such file or directory
82.  File system error.
    Filename: /var/lock/subsys/random
    No such file or directory
83.  File system error.
    Filename: /var/lock/subsys/syslog
    No such file or directory
84.  File system error.
    Filename: /var/lock/subsys/xfs
    No such file or directory
85.  File system error.
    Filename: /var/lock/subsys/xinetd
    No such file or directory
86.  File system error.
    Filename: /etc/sysconfig/network-scripts/ifdown-cipcb
    No such file or directory
87.  File system error.
    Filename: /etc/sysconfig/network-scripts/ifdown-sl
    No such file or directory
88.  File system error.
    Filename: /etc/sysconfig/network-scripts/ifup-cipcb
    No such file or directory
89.  File system error.
    Filename: /etc/sysconfig/network-scripts/ifup-sl
    No such file or directory
90.  File system error.
    Filename: /etc/modules.conf
    No such file or directory
91.  File system error.
    Filename: /etc/named.conf
    No such file or directory
92.  File system error.
    Filename: /etc/samba/smb.conf
    No such file or directory
93.  File system error.
    Filename: /etc/xinetd.conf
    No such file or directory
94.  File system error.
    Filename: /etc/syslog.conf
    No such file or directory
95.  File system error.
    Filename: /bin/sfxload
    No such file or directory
96.  File system error.
    Filename: /bin/ash
    No such file or directory
97.  File system error.
    Filename: /bin/ash.static
    No such file or directory
98.  File system error.
    Filename: /bin/aumix-minimal
    No such file or directory
99.  File system error.
    Filename: /bin/doexec
    No such file or directory
100. File system error.
    Filename: /bin/igawk
    No such file or directory
101. File system error.
    Filename: /bin/mt
    No such file or directory
102. File system error.
    Filename: /bin/pgawk
    No such file or directory
103. File system error.
    Filename: /bin/zsh
    No such file or directory
104. File system error.
    Filename: /bin/bash2
    No such file or directory
105. File system error.
    Filename: /bin/bsh
    No such file or directory
106. File system error.
    Filename: /bin/csh
    No such file or directory
107. File system error.
    Filename: /bin/ksh
    No such file or directory
108. File system error.
    Filename: /bin/tcsh
    No such file or directory
109. File system error.
    Filename: /dev/cua0
    No such file or directory
110. File system error.
    Filename: /root/.Xresources
    No such file or directory
111. File system error.
    Filename: /root/.esd_auth
    No such file or directory
112. File system error.
    Filename: /root/.gnome
    No such file or directory
113. File system error.
    Filename: /root/.Xauthority
    No such file or directory

-------------------------------------------------------------------------------
*** End of report ***

This is the bottom half of the errors that were generated by running tripwire --check

Is there anything that I should do to correct these errors (make the directories myself?) or are they acceptable?

Oh, so you know, I am running Fedora 15 with KDE.

Also, when I run "tripwire --test --email blah@gmail.com" I didn't receive any email. Is this because of tripwire or gmail, or should I have tripwire deliver the mail to my box through the Linux "mail" command? If that is a better option (which I wouldn't mind), how do I do that with the command line "--email root@localhost"?

Also, here is the output from /etc/hosts:
Code:

127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6

I know I may need to change the localhost.localdomain because many servers will not accept mail from localhost, so what would be a correct addition to /etc/hosts to allow sendmail to send emails from my box?

Again, if it would be easier just to send to root@localhost, I am okay with that too...

If anyone has any input I would sure appreciate any help, and again, sorry for the long output.

-Thank you for any help or suggestions

Peufelon 05-30-2011 10:40 PM

The first part of the output you posted
Code:

Tripwire Data Files 100 1 0 0
...
Total objects scanned: 33928
Total violations found: 1

is just a summary which says that you added one tripwire data file and nothing else has changed since you took the initial snapshot. Specifically,
Code:

Added:
"/var/lib/tripwire/BlackHawk.home.twd"

The violation severity value of 100 means that is really bad if you didn't do it yourself. But you did do it yourself, so no worries there.

Code:

...
File system error.
Filename: /usr/bin/vimtutor
No such file or directory
...

For some reason tripwire could not find or could not access many files when you ran the check, but could access them when you made the snapshot. Is it possible that you made the snapshot as root but ran the check as ordinary user? You should run it as the root user.

I find it useful to update the database immediately after installing any software using
Code:

tripwire --check --interactive

You can then check anything you want to look into further and then enter your local key to update the database, but keeping the checked item as an unresolved violation which will continue to appear each time you run tripwire --check until you have resolved it and don't check it.

Quote:

i didn't recieve any email is this because of tripwire or gmail
Do you have a mail server installed and configured to only send and receive mail locally, for example email from tripwire to your root user account? Be careful if so to check that your computer doesn't try to look up a local address using an external DNS server!

BlackHawk 05-30-2011 11:10 PM

Thank you so much for your reply...

Could you elaborate a bit more on the severity value being 100?

Also, I am looking for a convenient way to display warnings generated by tripwire; I would really appreciate it if you could give me some examples, either with the emailed alerts or with rsyslog.

Oh, when I did tripwire --test --email user@localhost it worked perfectly.

And what I am wondering is whether there is any way to exclude those errors that are on the report?


Again thank you so much for your help and time, really it is so appreciated

-BlackHawk

Peufelon 05-31-2011 12:12 AM

Look at the headings
Code:

Rule Name        Severity Level                Added                Removed        Modified
In the entry
Code:

Tripwire Data Files 100 1 0 0
the severity level is 100, the highest. That means this would be very alarming if you did not make that change yourself. But you did, when you ran a command which created this file
Code:

/var/lib/tripwire/BlackHawk.home.twd
so it's fine.

Quote:

oh when i did tripwire --test --email user@localhost it worked perfectly
You got the email, but did you check that no external DNS requests were made when you ran this test?

Quote:

i would really appreciate if you could give me some examples either with the emailed alerts or with rsyslog.
Not me, sorry.

Code:

tripwire --test --email blah@gmail.com
I hope you are not planning to email your tripwire output to your gmail account! As someone said, it is a very bad idea to store or process sensitive personal information on a computer owned by someone else. Tripwire output is very sensitive indeed.

Quote:

is any way to exclude those errors that are on the report?
Yes, and this is covered in the tripwire man pages. But there may be little point in running tripwire if you don't plan to study the output.

BlackHawk 05-31-2011 01:12 PM

I just did the tripwire --test --email blah@gmail.com for a test run... I plan to have the alerts mailed to localhost.

Thanks so much for the input, really appreciate it.

-BlackHawk

BlackHawk 05-31-2011 05:48 PM

Okay, here is the thing: when I did tripwire --check I got about 100+ "file not found" or "directory not available" errors generated by tripwire, so I edited /etc/tripwire/twpol.txt and commented out all the errors that were generated.

The next thing I did was create a new policy file with:
Code:

twadmin --create-polfile -S site.key /etc/tripwire/twpol.txt

Then I removed the database file in /var/lib/tripwire/:
Code:

rm blackhawk.home.twd

Then I generated a new database file with tripwire --init.

With all this, a new policy file tw.pol was generated and the errors are no longer being displayed. Here are my questions...

1) If I want to edit the policy file, do I just remove tw.pol, re-edit twpol.txt and generate a new policy file the same way? Is this considered the correct way?

2) How can I lower the severity level from 100? I removed the [x] from files that are modified or generated, for example snort log files.. will this lower the severity level?

3) I still can't find much on how to have the alerts generated by tripwire emailed to root@localhost.

4) VERY IMPORTANT: can anyone provide a good tutorial on how to run tripwire as a daemon... Here is what I am really looking to do. I want tripwire to run at boot time and do 1 integrity check a day and generate any alerts by email to root@localhost. If anyone could provide a good link to do that I would be very grateful.

Again, thank you all for your time and suggestions and help.

-BlackHawk

Peufelon 06-01-2011 01:32 AM

Quote:

commented out all the errors that were generated.
I hope this doesn't mean what I think it means.
Quote:

a new policy file tw.pol was generated and the errors are no longer being displayed here
oh no...

Quote:

if i want to edit the policy file do i just remove tw.pol and reedit twpol.txt and generate a new policy file the same way is this considered the correct way?
No, the correct way is explained in the tripwire man pages. Maybe print them out and study them with a highlighter?

Quote:

how can i lower the severity level from 100 i removed the [x] from files that are modified or generated for example snort log files.. will this lower the severity level?
No, the severity level indicates how serious the violation is if you cannot explain it as due to some legitimate cause, like yourself installing new software. They don't change and are not supposed to change.

Quote:

I want tripwire to run at boot time and do 1 integrity check a day and generate any alerts by email to root@localhost
This happens by default unless you've messed up the configuration, which I think you have done.

I think you should read the tripwire man pages and start over with a new snapshot, and I think you should monitor more closely what happens when tripwire sends email. If you are really sending tripwire output to an external server, that is a very bad idea, because it is sent unencrypted and it is also very sensitive.
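As an added example, not code from this thread or from the Tripwire project: a small Python parser for the report layout BlackHawk posted. It separates the rule summary (which rules fired, and at what severity) from the file-system errors, and comments out of a twpol.txt excerpt only the object lines for paths that no longer exist, so the rules themselves and their severities stay in force. The report and policy excerpts are constructed, and the function names are assumptions of mine.

```python
# Parse a Tripwire 2.x report: which rules fired, and which "No such file or
# directory" errors are stale object paths that belong out of twpol.txt.
import re
# Constructed excerpt in the layout of the report posted in this thread.
REPORT = """\
Rule Summary:
  Rule Name                      Severity Level    Added    Removed  Modified
* Tripwire Data Files            100              1        0        0
  Hardware and Device Control Programs
                                  100              0        0        0
Total objects scanned:  33928
1.  File system error.
    Filename: /dev/kmem
    No such file or directory
2.  File system error.
    Filename: /usr/bin/vimtutor
    No such file or directory
"""

# Constructed twpol.txt excerpt (variable names as in the stock Fedora policy).
POLICY = """\
(
  rulename = "Critical devices",
  severity = $(SIG_HI)
)
{
  /dev/kmem           -> $(Device) ;
  /dev/tty            -> $(Device) ;
  /usr/bin/vimtutor   -> $(SEC_BIN) ;
}
"""

# Summary row: optional "*" marker, rule name (empty on a wrapped name), 4 ints.
ROW_RE = re.compile(r"^(\*?)\s*(.*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
MISSING_RE = re.compile(r"Filename:\s*(\S+)\s*\n\s*No such file or directory")

def parse_rule_summary(report):
    """[(rule, severity, added, removed, modified), ...] from the Rule Summary."""
    section = report.split("Rule Summary:", 1)[1].split("Total objects", 1)[0]
    rows, pending = [], ""
    for line in section.splitlines():
        m = ROW_RE.match(line)
        if not m:                      # header line, or first half of a long name
            pending = line.strip()
            continue
        name = m.group(2).strip() or pending
        rows.append((name, *(int(g) for g in m.groups()[2:])))
    return rows

def violated_rules(report):
    """Rules with any added/removed/modified object, highest severity first."""
    hits = [r for r in parse_rule_summary(report) if any(r[2:])]
    return sorted(hits, key=lambda r: -r[1])

def missing_paths(report):
    """Objects Tripwire could not stat: stale policy entries, not tampering."""
    return MISSING_RE.findall(report)

def comment_out_missing(policy, missing):
    """Comment out only the object lines for missing paths; all else stays."""
    def stale(words):
        return bool(words) and words[0] in missing and "->" in words
    return "".join(("#" if stale(line.split()) else "") + line + "\n"
                   for line in policy.splitlines())
```

Run the real report through `violated_rules` first: a rule with a non-zero count is the finding to investigate, while `missing_paths` only tells you which policy entries never matched anything on this system.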

