Security :: Tripwire Initial Configuration - New Policy - P

Jul 29, 2009

I have just installed tripwire. I have created a baseline db using the default policy file. Then I checked the output of the db to see what I did not have on my filesystem that the db was searching for (according to the default policy when tripwire was installed). I then changed my default clear text policy file accordingly and used twadmin to generate a new tw.pol file.

Next I come grinding to a halt after this (assuming the next thing is to update the policy in tripwire, right?)

Code:


Security :: Periodic Update Of Tripwire Policy File?

Jul 1, 2010

I have tripwire 2.4.1.2 running on one of our servers on a daily basis, and I was curious to know if it is good practice to periodically update the policy file. The reason for my asking that is while the daily reports that I get indicate there have been changes to files on a daily basis, there are also files that have not been modified for over a month. My thinking is an update of the policy file will establish an updated baseline, and those files that have not been changed for so long will not be reported on until they get changed again.


Ubuntu Security :: Install Tripwire On Computer?

May 1, 2011

I am going to try to install Tripwire on my computer. I do not know why or how to configure Tripwire policy and configuration files.


Security :: Shell Login Tripwire - Optimal Place?

Jul 11, 2010

I have disabled root login in my remote shell and I have a pretty strong password. I am not happy though. I want to increase security. I've been thinking about installing some basic tripwire rig, like say, send myself an email every time I (or anyone) log in. My questions:

- What kind of data would be useful to be sent in that email? Anything else besides "user so-and-so logged in at {date and time}"?

- How would I achieve that? Is it enough to include it in .tcshrc (because my shell is tcsh)? Should I add it to other shells as well (.bashrc, .csh etc.) even though nobody uses the other shells? Is it better placed in some other file, like .login? What is the optimal place?

- Would that be enough? Can I make that whole idea more secure in any way?


Fedora Security :: Tripwire Revealed File Size Differences?

May 14, 2009

Recently I decided to utilize an IDS system. So I installed Open Source Tripwire. Not that I am too worried about anyone gaining a successful foothold on my system. But I wanted to learn and experience this IDS system. And no, this is not a new server install but I have never seen anything that resembles illegal activity. My server is an installed CentOS 5.3 with SELinux in targeted mode.

Tripwire has brought to light some interesting things. The installation states to verify rpm packages using rpm -Va. I have found that many of my system binaries are not the same size as if I were to replace them via yum. Most of the binaries are about twice the size compared to a newly installed package of the same version. I'm not sure what to make of this. These programs are the original installs (CentOS 5.1) and I keep the system up to date regularly via yum.

I wonder if perhaps these installed system files are different from the individual package sizes installed via yum? I have a hard time believing this, as a package is a package. The only other possibility that comes to mind is that nearly my entire system has been hacked with new system files, in a way that has revealed and suggested nothing. I find that far fetched, as I have run this server for some time now and I should think I would know a problem, as not a morning goes by that I haven't reviewed my logs, as they are emailed to me. Thoughts about the difference in file sizes? Those installed via CentOS DVD versus those installed via yum?


Security :: Creating A Safer Web With Content Security Policy?

Mar 22, 2011

Quote: One of the new features in Firefox 4 that we are very excited about is Content Security Policy, which is a mechanism that works behind the scenes to prevent some of the more severe web-based attacks against users and websites. Firefox users don't have to do anything in order to gain this protection. Simply install Firefox 4 and you will instantly receive all of the benefits that Content Security Policy has to offer. Easy!


Fedora Security :: How To Enable MLS Policy

Feb 1, 2010

I have in /etc/selinux/config:

Code:

SELINUX=enforcing
SELINUXTYPE=mls

Do I have MLS enabled? I can't use SELinux commands. I thought MLS is sort of a package for SELinux. I followed this:

Code:

[code].....


Debian Configuration :: Policy Routing Squid On VPN

Jan 22, 2010

I'm having trouble configuring my Debian (2.6.26-2-686) with some routing tuning. In fact, I have a VPN provider. I want my Squid proxy to use this VPN provider, and I have to use policy routing because my ISP forbids IP spoofing.


Fedora Security :: Policy Changes Get Posted To The Repositories?

Jan 5, 2010

FC12 with recent updates. The bugzilla I reported is fixed in selinux 3.6.32-66 and I have 3.6.32-56. I refreshed the repositories and looked for 66 and it is not listed. Question: how often do the policy changes get posted to the repositories? And are the repositories the normal place to get the latest and greatest?


Fedora Security :: SELinux Policy Changing In 15

Jul 24, 2011

I need to change SELinux policy to permissive and then back to enforcing for an installation. I understand that I should be able to do that through the SELinux Administration window accessed through System -> Administration -> SELinux Management. But I do not have any real sysadmin tools available in my Fedora 15 Gnome GUI interface. Am I missing something, or should I use some sort of similar command line tool to do this?


Debian Configuration :: Setting IPTables Default Forward Policy?

May 3, 2010

I'm intending to replace my current router (486DX2 w/16MB running FREESCO, which has been faithfully working 24/7 for well over a decade) with a Debian box with a bit more grunt and newer features. I'm currently setting up my iptables ruleset and am after a bit of advice re the FORWARD policy. A few example rulesets I have found set the default policy to DROP and then have two lines for each port forward, one to allow the traffic and one to direct the incoming packets to the correct machine.

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to-destination 10.0.100.10:25
iptables -A FORWARD -i eth1 -p tcp --dport 25 -o eth0 -d 10.0.100.10 -m conntrack --ctstate NEW -j ACCEPT

I'm thinking of setting the default policy to ACCEPT to cut down on typing, as my default INPUT policy is DROP and unless there is a valid FORWARD rule for a particular port, the packets aren't going anywhere anyway. Or have I misunderstood something? My googling returned heaps of example scripts and not much intelligent commentary. Alternatively, what do you all use to configure and maintain your Debian gateways: hand rolled iptables rules, or any toolset recommendations?


Debian Configuration :: Icew - Your Websense Policy Blocks This Page At All Times

Jan 25, 2010

Iceweasel told me "Your Websense policy blocks this page at all times". How can I disable Websense in Iceweasel?


Debian Configuration :: Missing Policy Package - KDE Setup Several Programs Don't Work

Aug 1, 2011

I've got Debian Sid x64 on my machine. The problem is that in my KDE setup several programs don't work, namely the System Load Viewer plasmoid, the plasmoid with temperature info and update-notifier-kde. System Load Viewer always shows 0% RAM and swap usage, as well as no processors; the temperature sensors plasmoid shows no sensors available even after I installed lm-sensors and ran sensors-detect; update-notifier-kde doesn't show any notifications even if I run aptitude update manually. I might be mistaken, but it seems to me that these three programs are not working because of some common reason, most likely some policy package either missing or misconfigured, but I can't figure out what it is.


Fedora Security :: Selinux Policy Blocking Outbound Ports For Sshd

May 25, 2011

Tried Google and searching this forum to no avail. Under Fedora 14, there is an SELinux policy which blocks sshd from making outbound connections on port 80 or 443. This can occur when a client box tries to tunnel through the ssh connection for encrypted access to the web.

While I did manage to allow this to happen by creating a permissive domain for sshd with this command:

Code:

The preferred way would be to allow sshd to make connections on other ports with a similar command, which does not seem to work:

Code:

Is this the correct way of allowing an outbound port connection for the sshd daemon?


Fedora Security :: Create An SELinux Policy To Automatically Grant Apps Execstack While They Use Glxinfo

Nov 20, 2009

I just upgraded from 11 to 12 and then installed the Nvidia proprietary drivers from RPMFusion. Initially glxinfo wouldn't work because SELinux was stopping it from using an executable stack. Since the Nvidia drivers are proprietary and a fix may not be provided, I allowed this access to glxinfo with chcon -t execmem_exec_t '/usr/bin/glxinfo'.

However, it looks like every program using glx-utils also needs these permissions; so far I allowed Xorg, compiz and the Firefox video plugin to execstack. Can anyone suggest a fix for this, preferably one that avoids execstack for all those apps, since it's a security risk? If not, how do I create an SELinux policy to automatically grant apps execstack while they use glxinfo or other nVidia libraries but not at other times?


Debian Configuration :: Compiled Kernel With Initial Ramdisk?

Apr 30, 2011

How to create a Squeeze self-compiled kernel with an initial ramdisk? I need some more details; I have never done it before.


CentOS 5 :: Procedure To Restore Initial Installed Configuration?

Jun 18, 2009

I am looking for a procedure to recover the initial installed state of my system without overwriting user data areas. The install procedure has the phrase "will remove all linux partitions", which I interpret to mean data partitions, not just /bin and /. Additional background: I was attempting to build a 32 bit cross compile of Mozilla/Firefox on an x86_64 configuration and had a conflict with libgl. Online advice was to remove duplicate libgls from the system (that was bad advice). This led to running yum update.

When I restarted the system I no longer had wireless networking, ntfs mounts and possibly other features I had installed. Further, attempts to update, re-install, erase and reinstall have had no effect on the situation. My assumption is that I need to start with a clean install, which will be about 10-20 hours to reset all the additions I made. But I don't see another solution.


Ubuntu Security :: Add Users Other Than Initial Account I Created?

Mar 10, 2011

I set up a Linux 10.10 desktop to run as a "server" for me. I then loaded Xrdp so that we can remote connect to the machine. My issue now is, I need to add users other than the initial account I created, but when I log into the desktop remotely, it will not let me add a new user. I can't seem to use any of the boxes in the User Settings command box. Does anyone have any suggestions?


Security :: SSH Config - What's To Stop The MIM From Making A Substitution Of Keys During The Initial Exchange

Oct 20, 2010

I've been running ssh to log into a server for a long time. Recently an x-win app reported that it suspects a man in the middle attack (MiMA), so I want to tighten this up, but it seems to me if there is a MiM, then the initial key exchange is vulnerable to a substitution. This is on Solaris, but since it's a basic concept I'm not getting, it shouldn't matter.

Here's the gist of what I read:

- create the user's key pair,
- enable host authentication (ssh_config file on client and sshd_config file on remote host)
- start an ssh session and accept the remote host's key (and I assume the remote host will take the client user's key and store it somewhere)

Questions:

1. What's to stop the MIM from making a substitution of keys during the initial exchange? Shouldn't the keys be initially transferred in a more secure fashion?

2. Does the server just accept new keys from any existing user who wants to create an ssh session? So if someone knows a username and password (such as the owner of an application they know is running), couldn't they just create their own keypair and have the server accept them?


Security :: Policy That Limits Connections On Port - Encapsulates Total Sum Of All Connections From Hosts?

Jan 21, 2011

Is it fair to say that connlimit and hashlimit are very similar on Linux, i.e. while hashlimit caters to limits for groups of ports, they both set the connection rate limit per host? How, in iptables, do I configure a policy that limits connections on a port that encapsulates the total sum of all connections from all hosts? I.e. I do not want to allow more than 6000 conn/minute for a port range, summed over all connecting hosts?


Ubuntu :: How To Install The Tripwire

Jul 2, 2010

I'm trying to install Tripwire, but every time I run the apt-get command, I receive an error.

How do I fix this and get Tripwire installed?

EDIT: I'm getting the same error trying to install updates. I've never seen this error before and am not sure what could be causing this.


Red Hat :: How To Copy Tripwire From Rh9 Install

May 17, 2010

Can someone please tell me how to copy tripwire from my RH9 install and transfer it to Fedora Core 5?


Software :: Excluding Directories And Files In Tripwire?

Jul 12, 2010

I have tripwire 2.4.1 up and running on one of our servers, and I am now in the process of configuring it to exclude some files and/or directories that are known to change periodically between integrity checks.

I did some reading on the subject, and one file that came up was the tw.config file. However, when I did a search for the file, there was no instance of it on the server. My next thought was to modify the tw.pol file, and I did try to list some files to be excluded. However, when I tried to update the policy, I got an error message which indicated the syntax that I entered within the tw.pol file was incorrect.

If the tw.config file does not exist, can I create it, and modify the tw.pol file to indicate where the file is located on the server?


Software :: Tripwire Reports Huge In Size / Reduce / Prune Them?

Jan 21, 2009

I have been asked to investigate some of our servers that run tripwire 2.3.0 on Red Hat Linux Advanced Server release 2.1AS (Pensacola).

We have the reports emailed to us using cron and twprint -m r -r report -t 4. It has been growing steadily and today it was 9mb. It seems the database records go back to before 2004 and are being compared against today's files.

I really need to be informed what needs to be done to tripwire to keep it serviced through cron. I have tried to google this but could not find any information that seemed to answer my questions.

Looking at the following guide url, step 6 talks about "Updating the Database after an Integrity Check" using

Code:
# tripwire --update --twrfile /var/lib/tripwire/report/<name>.twr

Should I be using this command, or should I be re-creating the db every month or so using tripwire --init?

Extract from report:

Quote:

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

Rule Name                 Severity Level    Added    Removed    Modified
---------                 --------------    -----    -------    --------
Invariant Directories     66                0        0          0
code....

I need to understand how to change the expected to the observed so the db will be up to date.

I would also like some of the rules explained: What do removed and added mean? Is it removed as it has not changed and added if it finds a new one that has?

Code:

-------------------------------------------------------------------------------
Rule Name: System boot changes (/lib/modules)
Severity Level: 100
-------------------------------------------------------------------------------
----------------------------------------
Added Objects: 3075
----------------------------------------
code....


Red Hat :: Rhel 4.8 - Nc: Connecting - Cannot Get The Tripwire Server To Talk To The Agent On The Red Hat Machine

Dec 7, 2010

I have the Tripwire Enterprise (not open source) agent running on one of my RHEL 4.8 web servers (I have actually tried with two servers with the same results). The agent is a simple install rpm bin file and appears to be running as it should, and the server for Tripwire Enterprise is set up accordingly. A Windows Tripwire Enterprise agent is also on a Windows machine that works perfectly well. But I cannot seem to get the tripwire server to talk to the agent on the Red Hat machine.

I can connect to port 9898 on the server, but the agent, which also talks over the same port, doesn't appear to be responding to the server on this port. There are no iptables rules set up to block the requests, there is no firewall set up (disabled). The network team can see the packet requests being sent over the routers fine, so I can't see why there would be a problem. So I reverted to the use of netcat:

nc -l 9898 (on the agent machine)
telnet <agent> 9898

But I get connection refused. Is there anything I could be missing here? Red Hat is not my Linux of preference and it may be something obvious!


Debian Installation :: New Takeover Installation With Tripwire?

Feb 26, 2011

Planning a takeover installation of Debian stable (Squeeze) on an old desktop machine. I have the installation CD #1. I want to install Tripwire early in the process as recommended by the Tripwire documentation.

The Debian reference is excellent, as is the latest installation guide I have seen, but neither appears to cover the issue of how to ensure that Tripwire is installed, configured, and the first snapshot taken early in the installation process. Link to an up-to-date document discussing this in the context of Debian Squeeze?


Security :: Passwords In Configuration Files

Aug 31, 2010

Lately I adapted my /etc/fstab to mount Samba shared network drives. I had to put the password in the configuration file in order to log in automatically. Isn't there another way? It feels a little awkward to me to put passwords in a plain text file.


Debian :: Output Of Apt-cache Policy

May 10, 2011

I'm using Debian Squeeze.

When I invoke apt-cache policy, for example, apt-cache policy zlib1g,

I get the output like:

Code:

And below the line "Version table:", there is the installed package version. I assume 1:1.2.3.4.dfsg-3 is the version ("epoch" + "upstream version" + "debian revision"), but what does the next "0" mean?


Software :: Firestarter 1.0.3 - Policy Options Not Available

Jan 1, 2010

I just installed Firestarter on Ubuntu 9.10 64 bit. When I go to the "Policy" tab I cannot add a new rule. The buttons on the tool bar are grayed out. Same with the Policy menu items.

Never mind. I just found that by clicking in the empty area below "Allow connections from host" the + button becomes enabled.


Debian Configuration :: 4.2.2 Security Update Of Kernel

Sep 9, 2015

From the securing-debian-howto [URL] ...

"4.2.2 Security update of the kernel

First, make sure your kernel is being managed through the packaging system."

which suggests...

Code:

$ dpkg -S ‘readlink -f /vmlinuz‘

When I try to confirm by running the above, I get a lot of characters of output, but the last line reads...

Code:

dpkg-query: no path found matching pattern /vmlinuz‘

How do I make sure my kernel is being managed through a packaging system?

Copyrights 2005-15 www.BigResource.com, All rights reserved