Tripwire

From OnnoWiki

Latest revision as of 19:05, 15 January 2021

Tripwire is a host-based Intrusion Detection System (HIDS): it detects changes to files on the machine, including changes made by an attacker who has already gained access.

Tripwire works by building a baseline database of the files on the system. When a file later differs from the baseline, Tripwire records the difference and/or notifies the machine's administrator. A policy file decides which files and directories are checked and which attributes are compared, such as inode and modification timestamps, owner and group IDs, size, permissions and cryptographic hashes. Tripwire only ever reports differences from the baseline, so the baseline has to be taken while the host is known to be clean.

Installing Tripwire

Installation

sudo su
apt update
apt -y install tripwire

During installation you are asked for two passphrases; enter them when prompted:

Enter site key passphrase
Enter local key passphrase

The site key signs the configuration and policy files, the local key signs the database and the reports. Use strong passphrases (more than 8 characters, mixing letters, digits and punctuation) and keep them off the host: without them the signed files cannot be regenerated, and with them an attacker who has obtained root can re-sign the policy and re-baseline the database to hide their changes.

Make sure the Tripwire configuration is secured and only accessible by root:

cd /etc/tripwire
chmod 0600 tw.cfg tw.pol

Editing the Policy

Edit the plain-text policy and comment out any files or directories you do not want checked. The stock Debian/Ubuntu policy refers to paths that do not exist on every host; each of those produces a "File system error" warning on every check until it is commented out.

vi /etc/tripwire/twpol.txt

Then sign (encrypt) the policy with the site key, which produces tw.pol:

cd /etc/tripwire
twadmin --create-polfile --cfgfile ./tw.cfg --site-keyfile ./site.key ./twpol.txt

A policy signed this way is only picked up by a newly initialised database, so run tripwire --init again afterwards (or use the policy update mode described further down to keep the existing database). Once the signed copy exists, move the plain-text twpol.txt off the host or encrypt it with a tool such as GPG: anyone who can read it learns exactly which paths are not being watched.
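The pruning step above is usually done by hand; the following script, an added example that is not part of the original page or of the Tripwire project, does it from saved check output. It extracts every path that Tripwire reported it could not open and comments the matching rule line out of the plain-text policy, so the policy can then be re-signed with twadmin --create-polfile or applied with tripwire --update-policy. The check output and policy used in demo() are constructed samples; the function names (missing_files, re_escape, comment_out_paths) are this example's own.

```bash
#!/bin/sh
# Added example (not from the original page or the Tripwire project).
# The stock Debian/Ubuntu twpol.txt lists paths that do not exist on most
# hosts, and `tripwire --check` prints a "File system error" warning for each
# of them on every run. This script pulls those paths out of saved check
# output and comments the matching rule lines out of the plain-text policy,
# ready for `twadmin --create-polfile` or `tripwire --update-policy`.
# The check output and policy used in demo() are constructed samples; in
# production feed it `tripwire --check 2>&1` and /etc/tripwire/twpol.txt.

# Print the paths Tripwire could not open, one per line, de-duplicated.
# Each warning block in the check output looks like:
#   ### Warning: File system error.
#   ### Filename: /etc/rc.boot
#   ### No such file or directory
missing_files() {
    grep 'Filename:' | awk '{ print $NF }' | sort -u
}

# Escape a path so it matches literally inside a sed basic regex.
re_escape() {
    printf '%s' "$1" | sed 's/[][\.*^$]/\\&/g'
}

# Comment out every rule line in policy file $2 whose first token is one of
# the paths listed one per line in file $1. Only whole paths match, so
# commenting /root/mail leaves /root and /root/mailbox untouched.
comment_out_paths() {
    paths="$1"; policy="$2"
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        esc=$(re_escape "$p")
        sed "s|^\([[:space:]]*\)\($esc\)\([[:space:]]\)|\1#\2\3|" "$policy" \
            > "$policy.tmp" && mv "$policy.tmp" "$policy"
    done < "$paths"
}

# Demo on constructed data in a scratch directory; never touches /etc.
demo() {
    d=$(mktemp -d)
    cat > "$d/twpol.txt" <<'EOF'
(
  rulename = "Root config files",
  severity = $(SIG_HI)
)
{
  /root                 -> $(SEC_CRIT) ;
  /root/mail            -> $(SEC_CONFIG) ;
  /root/.Xauthority     -> $(SEC_CONFIG) ;
  /etc/rc.boot          -> $(SEC_BIN) ;
}
EOF
    cat > "$d/check.out" <<'EOF'
### Warning: File system error.
### Filename: /root/mail
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /etc/rc.boot
### No such file or directory
### Continuing...
EOF
    missing_files < "$d/check.out" > "$d/missing"
    comment_out_paths "$d/missing" "$d/twpol.txt"
    cat "$d/twpol.txt"
    rm -rf "$d"
}

demo
```

Review the commented-out lines before re-signing: a path that is missing because an attacker deleted it, rather than because the package never installed it, must stay in the policy.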


Editing the Configuration

Edit the plain-text configuration (file locations, editor, mail settings):

vi /etc/tripwire/twcfg.txt

Then sign it with the site key, which produces tw.cfg:

cd /etc/tripwire
twadmin --create-cfgfile --cfgfile ./tw.cfg --site-keyfile ./site.key ./twcfg.txt


Initialising the Database

Initialise the baseline database:

tripwire --init --cfgfile /etc/tripwire/tw.cfg \
--polfile /etc/tripwire/tw.pol --site-keyfile /etc/tripwire/site.key \
--local-keyfile /etc/tripwire/HOSTNAME-local.key

or, if your HOSTNAME is ubuntu:

tripwire --init --cfgfile /etc/tripwire/tw.cfg \
--polfile /etc/tripwire/tw.pol --site-keyfile /etc/tripwire/site.key \
--local-keyfile /etc/tripwire/ubuntu-local.key

Tripwire asks for the local passphrase and then hashes every file the policy covers, so this takes a while. Do it immediately after installation, before the machine is exposed to the network: every later check is measured against this baseline, and a baseline taken from an already compromised host hides the compromise.

Checking the System

To check whether any files have changed, run

tripwire --check

Each violation (an addition, removal or change) is reported on stdout and written to a report file under /var/lib/tripwire/report. The check takes the file locations from tw.cfg, so the explicit --cfgfile, --polfile and key options used above are not needed here. For a server running 24/7, run the check daily from cron and e-mail the result to the administrator; tripwire --check --email-report sends the report to the addresses given by the emailto attribute of the policy rules. A check that runs only when someone remembers to run it gives an attacker all the time they need.

Updating the Policy

If you change the policy, for example to add or remove directories from the scan, edit it

vi /etc/tripwire/twpol.txt

then update the policy. The policy update mode synchronises the existing database with the new plain-text policy instead of rebuilding it from scratch; Tripwire asks for the site and local passphrases, then signs both the new policy and the database:

tripwire --update-policy --cfgfile ./tw.cfg --polfile ./tw.pol \
--site-keyfile ./site.key --local-keyfile ./HOSTNAME-local.key ./twpol.txt

or, if the HOSTNAME is ubuntu:

tripwire --update-policy --cfgfile ./tw.cfg --polfile ./tw.pol \
--site-keyfile ./site.key --local-keyfile ./ubuntu-local.key ./twpol.txt

The relative paths assume the commands are run from /etc/tripwire.

Regular Updates

The database has to be kept in step with the file system. Run a check first and examine the violations before updating; accept only the changes you can account for (a package upgrade, a deliberate edit), because every change accepted into the database disappears from future reports. Update on a fixed schedule and after any major change to the file layout. The update command is

tripwire --update -Z low

This takes the violations from the most recent report, compares them with the database and opens an editor in which each violation is listed with a ballot box [x]; leave the x to accept the change into the database, or delete it to keep the old baseline entry.

If you run this command and get an error about a missing report file, the most likely cause is that the last check was not run immediately before the update. The report files are in

/var/lib/tripwire/report

and are named after the hostname, followed by the date (yyyymmdd) and time (tttttt). If you recently ran a check and want the update to use that report, pass it with the -r option (the short form of --twrfile), giving the full path unless you are already in the report directory:

tripwire --update -Z low --twrfile host-yyyymmdd-tttttt.twr
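Selecting the right report by hand every time is error-prone, so the following helpers, an added example that is not part of the original page or of the Tripwire project, locate the newest report for this host and refuse to accept one that predates the signed database (the check-before-update rule from the paragraph above). They rely on the report naming scheme given above, HOSTNAME-yyyymmdd-tttttt.twr, and on the Debian default locations /var/lib/tripwire/report and /var/lib/tripwire/HOSTNAME.twd. The variables TW_REPORT_DIR, TW_HOST and TW_DB and the function names are this example's own, added so the logic can be exercised without a Tripwire installation.

```bash
#!/bin/sh
# Added example (not from the original page or the Tripwire project).
# `tripwire --update` accepts changes from a report file, and fails when the
# report it expects is missing or stale. These helpers locate the newest
# report for this host and refuse to accept one that predates the signed
# database, which would re-approve changes against an old baseline.
# Report names follow HOSTNAME-YYYYMMDD-HHMMSS.twr, so a plain sort is
# chronological. TW_REPORT_DIR, TW_HOST and TW_DB are hypothetical
# overrides (added here for testing); the defaults are the Debian paths.

TW_REPORT_DIR="${TW_REPORT_DIR:-/var/lib/tripwire/report}"
TW_HOST="${TW_HOST:-$(uname -n)}"
TW_DB="${TW_DB:-/var/lib/tripwire/$TW_HOST.twd}"

# Print the path of the newest report for this host; print nothing if none.
latest_report() {
    ls "$TW_REPORT_DIR"/"$TW_HOST"-????????-??????.twr 2>/dev/null | sort | tail -n 1
}

# Succeed only if $1 exists and is newer than the signed database.
report_is_fresh() {
    [ -n "$1" ] && [ -f "$1" ] && [ "$1" -nt "$TW_DB" ]
}

# Accept changes from the newest fresh report. If there is none, run a new
# integrity check first (the usual cause of the "missing report" error) and
# use the report it just wrote.
update_from_latest() {
    rep=$(latest_report)
    if ! report_is_fresh "$rep"; then
        echo "no report newer than $TW_DB, running an integrity check first" >&2
        tripwire --check || true      # non-zero exit just means violations were found
        rep=$(latest_report)
        report_is_fresh "$rep" || { echo "still no usable report" >&2; return 1; }
    fi
    # -Z low is the page's secure-mode setting; -r is the short form of --twrfile
    tripwire --update -Z low --twrfile "$rep"
}

# Run for real only when asked, so the file can also be sourced for its
# functions:   sh tw-update.sh --run
if [ "${1:-}" = "--run" ]; then
    update_from_latest
fi
```

The freshness test compares file timestamps, so it also catches the case where the database was re-initialised after the last check; in that situation the old report no longer describes differences from the current baseline and should not be fed to --update.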

Local Manual

/usr/share/doc/tripwire/README.Debian

Related pages

* Tripwire: Intro
* Tripwire: Admin
* Tripwire: Files
* Tripwire: Notifikasi e-mail
* Tripwire: Policy Reference
* Keamanan Jaringan
* OS Security
* OSSEC