punkball
August 17th, 2002, 11:47
Hey guys,
I used to use tripwire very often but have been kinda lazy as I've focused on keeping people out rather than detecting them after they get in. Anyway, I was looking to start using tripwire again and was hoping maybe people would like to link to their tripwire configs so we can share ideas on good configs. I used to basically say anything on the system except for what's in /usr/home should never be modified for any reason.
-James

elmore
August 17th, 2002, 12:19
I checked tripwire out a while ago; it is a pretty good program, but unfortunately for me the licensing requires me to purchase it. I looked for other programs.

Check out Samhain. It's very similar to tripwire and has some additional features. Overall I like it better.

http://samhain.sourceforge.net

In addition, here's a script I wrote to do some basic file integrity checking on your box. It's nothing fancy.


#! /bin/sh
# Hash a fixed list of binaries and config files, then diff the result
# against the saved baseline (chkbin.orig). Any output landing in
# chkbin.out means something on the list changed.
LOG=/var/log/chkbin
mkdir -p "$LOG"
: > "$LOG/chkbin.txt"
# /etc/passwd and /etc/ipf.rules were commented out of the original list;
# add them back here if you want them watched.
for f in /bin/md5 /usr/bin/cksum /etc/services /etc/sysctl.conf \
         /etc/syslog.conf /etc/newsyslog.conf /etc/sshd_config \
         /etc/ssh_config /etc/ssh_host_key /etc/ssh_host_dsa_key \
         /etc/ssh_host_dsa_key.pub /etc/inetd.conf /bin/ps \
         /usr/bin/netstat /bin/ls /usr/bin/top /usr/bin/ssh /usr/sbin/sshd
do
    /bin/md5 "$f" >> "$LOG/chkbin.txt"
done
/usr/bin/diff "$LOG/chkbin.txt" "$LOG/chkbin.orig" >> "$LOG/chkbin.out"


Make sure you keep an original copy of your checksums on a floppy in some undisclosed location.

Set up /etc/newsyslog to monitor chkbin.out every few minutes and mail you/page you if there's a problem. Kinda cheesy really, but easily hidden.
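The script above hashes a hand-picked list and diffs the raw checksum output. The following is an added example, written for this page and not elmore's script, Tripwire or Samhain code, of the same baseline-and-compare idea generalised a little: it walks whole directories, records a SHA-256 digest plus mode, owner and size per file (so a chmod, chown or truncation is caught even when the content hash is not), and reports changed, new and missing files with a non-zero exit status. It assumes POSIX sh with find, sort, awk and mktemp, sha256sum or shasum for hashing (md5 only as a fallback), and either GNU or BSD stat. The directory tree it checks is constructed inside a temp dir for the demo; nothing on the real system is touched.

```shell
#!/bin/sh
# Added example, not elmore's script or any project's code: a baseline /
# compare file-integrity checker in POSIX sh. Each record holds path,
# SHA-256 digest, mode, owner and size, so a swapped binary, a chmod or
# chown, and an added or removed file all surface in the report.

# Hash helper. SHA-256 is preferred over md5 because md5 collisions are
# cheap to produce today; md5 is only a last-resort fallback on old BSDs.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# "mode owner size" for one file; GNU stat first, BSD stat as fallback.
meta() {
    stat -c '%a %U %s' "$1" 2>/dev/null || stat -f '%Lp %Su %z' "$1"
}

# snapshot DIR... : one tab-separated record per regular file, sorted so
# that two snapshots of the same tree can be compared line by line.
snapshot() {
    find "$@" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$f" "$(digest "$f")" "$(meta "$f")"
    done
}

# compare BASELINE CURRENT : print CHANGED / MISSING / NEW lines.
# Exit status 0 when the trees match, 1 when anything differs.
compare() {
    awk -F '\t' '
        BEGIN { rc = 0 }
        FILENAME == ARGV[1] { base[$1] = $0; next }   # load the baseline
        {
            if (!($1 in base))       { printf "NEW\t%s\n", $1; rc = 1 }
            else if (base[$1] != $0) { printf "CHANGED\t%s\n", $1; rc = 1 }
            delete base[$1]
        }
        END {
            for (p in base) { printf "MISSING\t%s\n", p; rc = 1 }
            exit rc
        }' "$1" "$2"
}

# demo : run the checker over a constructed tree in a temp dir (sample
# data made up for this example, not real system files). Returns the
# compare() status so callers can assert on it.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/bin" "$tmp/etc"
    printf 'original ls binary\n'  > "$tmp/bin/ls"
    printf 'PermitRootLogin no\n'  > "$tmp/etc/sshd_config"
    printf 'services table\n'      > "$tmp/etc/services"
    snapshot "$tmp/bin" "$tmp/etc" > "$tmp/baseline"   # the copy to keep offline

    # Simulated post-compromise state: trojaned ls, loosened sshd config,
    # a dropped hidden file, and a removed file.
    printf 'trojaned ls binary\n'  > "$tmp/bin/ls"
    printf 'PermitRootLogin yes\n' > "$tmp/etc/sshd_config"
    printf 'dropper payload\n'     > "$tmp/bin/.x"
    rm -f "$tmp/etc/services"
    snapshot "$tmp/bin" "$tmp/etc" > "$tmp/current"

    if compare "$tmp/baseline" "$tmp/current"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# clean_demo : the same tree snapshotted twice with no change in between;
# must return 0, otherwise the checker itself is raising false alarms.
clean_demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/tree"
    printf 'unchanged\n' > "$tmp/tree/file"
    snapshot "$tmp/tree" > "$tmp/baseline"
    snapshot "$tmp/tree" > "$tmp/current"
    if compare "$tmp/baseline" "$tmp/current"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# When run directly: build the demo tree and print the report.
if demo; then echo "baseline intact"; else echo "DIFFERENCES FOUND"; fi
```

Two caveats carry over from the post above: the baseline has to live somewhere the attacker cannot reach (elmore's floppy), and the checker trusts find, awk and the hash tool it runs, which is exactly why his list hashes /bin/md5 itself. This version also ignores mtime on purpose, since a rootkit can reset timestamps and a spurious mtime change only creates noise.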

punkball
August 17th, 2002, 12:21
Yeah, I used to do something quite similar when I wasn't using tripwire.

I'm curious what the tripwire license said that prevented you from using it? Perhaps you didn't see the open-source tripwire on www.tripwire.org?

-James

PS. Thanks for the info on samhain, I'll check that out.

elmore
August 17th, 2002, 12:29
Yeah, I checked out the open-source version. I was really interested though to check out the commercial version because it has some additional functionality. Since I am incorporated I was unable to use it without paying. That's when I found Samhain; I've never really looked back. Good luck.