JP Vossen on 1 Jun 2008 13:11:51 -0700


[PLUG] "tripwire" clones (fcheck)

I'm building a server that will be exposed on the 'Net, and wanted to 
install a tripwire clone while it's still pristine.

Possibilities in Ubuntu Hardy included:
* aide - Advanced Intrusion Detection Environment - static binary
* aide-dynamic - Advanced Intrusion Detection Environment - dynamic binary
* aide-xen - Advanced Intrusion Detection Environment - static binary for XEN
* debsums - Verify installed package files against MD5 checksums.
* fcheck - IDS filesystem baseline integrity checker
* integrit - A file integrity verification program
* osiris - network-wide system integrity monitor control interface
* osirisd - network-wide system integrity monitor scanning agent
* osirismd - network-wide system integrity monitor central management daemon
* samhain - Data integrity and host intrusion alert system
* stealth - A stealthy File Integrity Checker
* tripwire - file and directory integrity checker

I ended up going with fcheck because it's:
* drop-dead simple
* configured and Just Works [1] out-of-the-box on Debian & Ubuntu
* written in Perl
* cross-platform (actually written on and for Windows)

I installed it a couple of days ago and thus far am reasonably happy.  I 
hit a known bug on the Ubuntu side [1] 
( but Debian 
has been flawless (of course).  I haven't actually tried it on Windows 
yet, but it's nice to know I could.

Out-of-the-box it creates the DB then runs from cron every other hour. 
When it sees an issue it sends email via cron then rebuilds the DB by 
itself, so you won't get the same error next time.  That's a potential 
security issue, since if you lose that one email you've missed the only 
alert.  Also, if some files change all the time (like /etc/package.list, 
/etc/printcap, and /etc/samba/smbpasswd) you will get alerted on them 
every run, until you go exclude them.  The config file does support 
local file includes, so your local changes are easy to keep separate. 
Finally, it does not include logcheck files, so if you're using that 
you'll get alerted by logcheck unless you add an ignore like:
^\w{3} [ :0-9]{11} \w+ fcheck: "INFO: Rebuild of the fcheck database 
/var/lib/fcheck/fcheck\.dbf begun for \w+ using config file 

It's not the most secure program in the book, but it *is* drop-dead 
easier than anything else I looked at.  In my book, in general use "easy 
and used" beats "such a pain I never got around to it" any day. :-)  And 
it's not that hard to make it more secure by keeping off-line copies of 
the DB, config and Perl script and adjusting the cronjob to NOT rebuild 
after changes, if you want to.

Integrit was the other "simple" one I looked at, but fcheck was still 
lots easier.  And Stealth sounds pretty cool, but wasn't quite what I 
wanted in this case.  Aide, osiris and samhain are all way overkill, and 
IIRC the F/OSS version of tripwire is very old and kind of sucks.

Anyone else have stories or suggestions to share?


[1] fcheck Just Worked except for the /lib bug, which makes the third 
minor but non-trivial bug I've hit on a trivial Ubuntu Hardy Server LAMP 
install. :-(
[fcheck] md5sum: /lib/udev/devices/core: Operation not permitted
error in auth.log when switch user --
can't create /var/lib/dhcp3/dhclient.eth0.leases: Permission denied
JP Vossen, CISSP            |:::======|        jp{at}jpsdomain{dot}org
My Account, My Opinions     |=========|
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
Philadelphia Linux Users Group         --
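The behaviour the post describes (build a baseline of file hashes, re-scan from cron, mail the differences, then rebuild the database so the same alert never repeats) is easy to model, and modelling it makes the alert-loss problem concrete. The script below is an added example written for this post; it is not fcheck's Perl code and does not read fcheck's config or .dbf format. It constructs a throwaway tree under a temp directory, excludes the kind of always-churning files the post names (printcap, package.list, smbpasswd, here as made-up regexes), tampers with one file, and runs the "cron job" twice. With rebuild_on_change=True (fcheck's default as described) the second run is silent, so missing the first mail means missing the only alert; with it False the finding persists until someone re-baselines deliberately, which is the cron adjustment the post suggests.

```python
"""Minimal fcheck-style baseline checker (added example, not fcheck's own code).

Models: baseline DB of hashes -> scheduled re-scan -> report -> optional rebuild.
All paths, file contents and exclude patterns below are constructed for the demo.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Constructed exclusions for files that change on every run and would otherwise
# alert forever (the post's /etc/package.list, /etc/printcap, smbpasswd cases).
DEFAULT_EXCLUDES = [r"/printcap$", r"/package\.list$", r"/smbpasswd$"]


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, excludes=DEFAULT_EXCLUDES) -> dict:
    """Hash every regular file under root (relative path -> attributes), skipping excludes."""
    patterns = [re.compile(p) for p in excludes]
    db = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        rel = "/" + p.relative_to(root).as_posix()
        if any(pat.search(rel) for pat in patterns):
            continue
        st = p.stat()
        db[rel] = {"sha256": _sha256(p), "size": st.st_size,
                   "mode": oct(st.st_mode & 0o7777)}
    return db


def save_baseline(db: dict, dbfile: Path) -> None:
    dbfile.write_text(json.dumps(db, indent=1, sort_keys=True))


def load_baseline(dbfile: Path) -> dict:
    return json.loads(dbfile.read_text())


def compare(old: dict, new: dict) -> list:
    """One finding per added, deleted or changed file, naming the attributes that differ."""
    findings = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            findings.append(f"ADDITION: {rel}")
        elif rel not in new:
            findings.append(f"DELETION: {rel}")
        elif old[rel] != new[rel]:
            what = [k for k in old[rel] if old[rel][k] != new[rel][k]]
            findings.append(f"CHANGE: {rel} ({', '.join(what)})")
    return findings


def scheduled_run(root: Path, dbfile: Path, rebuild_on_change: bool) -> list:
    """One cron-style run: compare the live tree to the stored baseline, report, maybe rebuild."""
    current = build_baseline(root)
    findings = compare(load_baseline(dbfile), current)
    if findings and rebuild_on_change:
        # The default behaviour the post describes: accept the new state immediately,
        # so the alert is one-shot and a lost mail means a lost alert.
        save_baseline(current, dbfile)
    return findings


def demo(rebuild_on_change: bool) -> tuple:
    """Baseline a constructed tree, tamper with it, run the checker twice; return both runs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "samba").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "printcap").write_text("# churn\n")
        (root / "samba" / "smbpasswd").write_text("churn\n")
        dbfile = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), dbfile)

        # A change that matters, outside the exclude list ...
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\nextra:x:0:0::/:/bin/sh\n")
        # ... and harmless churn inside it, which must not alert.
        (root / "printcap").write_text("# churn again\n")

        first = scheduled_run(root, dbfile, rebuild_on_change)
        second = scheduled_run(root, dbfile, rebuild_on_change)
    return first, second


if __name__ == "__main__":
    for mode in (True, False):
        first, second = demo(rebuild_on_change=mode)
        print(f"rebuild_on_change={mode}: run1={first} run2={second}")
```

The hardening the post sketches maps onto this directly: keep the baseline file, the config and the checker itself somewhere the monitored host cannot rewrite, and have the scheduled job run with rebuild_on_change=False so a finding repeats until an operator re-baselines on purpose.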