|
|
- \documentclass[11pt]{article}
- %Gummi|065|=)
- \title{\textbf{Setting up Tripwire with SSMTP}}
- \usepackage{graphicx}
- \usepackage{caption }
- \author{Steak Electronics}
- \date{06/4/19}
- \begin{document}
-
- %\maketitle
- \textbf{Setting up Tripwire with SSMTP}
-
- \tableofcontents
-
- \vspace{0.2in}
- This document is best read printed out on paper.
- %\textbf{Todo}
- \section{Overview}
- Tripwire is intrusion detection software for GNU Linux \& BSD. Let's document how to set it up on a server with SSMTP configured for email notifications. Tripwire isn't too hard to setup, but I had to jump through a hoop for email notifications. Here I cover install, and how to get SSMTP working.
- \section{Steps}
- \subsection{Configuring Tripwire}
- First install Tripwire. This will depend on your package manager. The two examples I have will be either Gentoo, or Debian/Devuan.
- \begin{verbatim}
- apt-get install tripwire mailutils ssmtp
- OR
- emerge -av tripwire mailutils ssmtp
- \end{verbatim}
- \subsubsection{Devuan/Debian}
- Devuan will prompt you for a few things in an ncurses gui. Answer all of the defaults (yes for a site key, yes for a user key, etc...). Record your password.
- \footnote{For a full walkthrough of this process see this URL:https://www.howtoforge.com/tutorial/how-to-monitor-and-detect-modified-files-using-tripwire-on-ubuntu-1604/ This process includes most, but not all of what you need to know.}
- I use the same password for both.
-
- \textbf{After install:}The goal when setting this up is to init, as little as possible. Each init is about 2-3 minutes, so time can be avoided, if you know what configs you need. Let's first edit the configs as much as possible.
-
- \begin{verbatim}
- when whitelisting, this is what needs to be commented out in devuan jessie/ascii for /etc/tripwire/twpol.txt
-
- Filename: /etc/rc.boot
- Filename: /root/mail
- Filename: /root/Mail
- Filename: /root/.xsession-errors
- Filename: /root/.xauth
- Filename: /root/.tcshrc
- Filename: /root/.sawfish
- Filename: /root/.pinerc
- Filename: /root/.mc
- Filename: /root/.gnome_private
- Filename: /root/.gnome-desktop
- Filename: /root/.gnome
- Filename: /root/.esd_auth
- Filename: /root/.elm
- Filename: /root/.cshrc
- Filename: /root/.bash_profile
- Filename: /root/.bash_logout
- Filename: /root/.amandahosts
- Filename: /root/.addressbook.lu
- Filename: /root/.addressbook
- Filename: /root/.Xresources
- Filename: /root/.Xauthority
- Filename: /root/.ICEauthority
- Filename: /proc/6136/fd/3
- Filename: /proc/6136/fdinfo/3
- Filename: /proc/6136/task/6136/fd/3
- Filename: /proc/6136/task/6136/fdinfo/3
- \end{verbatim}
- For proc, you simply comment out the whole directory. (you'll see an entry in the file for /proc, put a \# before that). After twpol, we are not done. We also need to edit the email settings.
-
- In /etc/tripwire/twcfg.txt we will change the following:
- \begin{verbatim}
- MAILMETHOD =SENDMAIL
- MAILPROGRAM =/root/script.sh
- \end{verbatim}
- script.sh is just a script: (make sure it is executable with chmod +x\footnote{This script appears to be required in this setup.})
- \begin{verbatim}
- #!/bin/bash
- /usr/sbin/sendmail -s youremail@domain.com
- \end{verbatim}
-
- Finally, the last change we might make, will be for any special directories we want to watch. I put websites in the root at /sites/ so I will append the following to /etc/tripwire/twpol.txt
- \begin{verbatim}
- # Ruleset for Website
- (
- rulename = "Website Ruleset",
- severity= $(SIG_HI)
- )
- {
- /sites/ -> $(SEC_CRIT);
- }
- \end{verbatim}
-
-
-
-
- Now we will init, type
- \begin{verbatim}
- sudo tripwire --init
- sudo twadmin -m P /etc/tripwire/twpol.txt
- sudo tripwire --init
- \end{verbatim}
-
-
- to reconfigure twcfg.txt
- run
- \\
- \textbf{/usr/sbin/twadmin --create-cfgfile -S site.key /etc/tripwire/twcfg.txt}
-
- if you get:
- \begin{verbatim}
- root@site:~# /usr/sbin/twadmin --create-cfgfile -S site.key /etc/tripwire/twcfg.txt
- # Error: File could not be opened.
- # Filename: /root/site.key
- # No such file or directory
- # Exiting...
- \end{verbatim}
- You must cd to /etc/tripwire directory.
-
-
- \subsection{Configuring SSMTP}
-
- SSMTP is a program you configure once, and can reuse the configuration everywhere\footnote{This is a strength of FOSS and let it remain that way.}. For starters, I'd recommend you install SSMTP according to this guide here:
- \begin{verbatim}
- https://wiki.zoneminder.com/How_to_get_ssmtp_working_with_Zoneminder
- \end{verbatim}
- This is a thorough guide that explains debugging. Some steps are superfluous (given that the instructions pertain to different software) but the general directions are sound. And afterwards sending an email is as easy as
- \\
- \\
- \textbf{echo "Hello, World" | mail -s "My email check" user@email.com}
- \\
- \\
- This guide assumes you have configured SSMTP according to this guide correctly, tested it, and are able to mail from the command line. Once you've setup SSMTP once, you can reproduce this setup on other computers, simply by copying over the revaliases and ssmtp.conf of a valid configuration.
-
- So let's do that. Copy over revaliases, and ssmtp.conf. test the configuration from the command line using the above echo and mail. Once that works, test out tripwire.
- \\
- \\
- \textbf{tripwire --test --email user@email.com}
- \\
- \\
- Done.
-
-
- \end{document}
|
