[IDS] Install Tripwire and notify Chatwork of detected file differences (Ubuntu 22.0.4)
Hello.
Trustworthiness from subordinates
This is a post from the Zero Trust System Solutions Department.
Happy New Year. I want to do my best this year as well.
This time, I would like to use the open-source host-based IDS "Tripwire" to detect file tampering and automatically notify Chatwork of the result.
Changes to files and directories on a server that nobody touches often are easy to miss, so this turns out to be surprisingly useful. Running it in full-scale production takes some care (every legitimate change has to be accepted into the database), but the setup itself is not difficult.
What is Tripwire?
Tripwire is a host-based intrusion detection / file integrity monitoring tool: it records the attributes and hashes of files under directories defined in a policy, re-checks them on demand, and reports what was added, removed or modified.
It originates from Tripwire Inc.; there is a free open-source version (Open Source Tripwire) and a commercial version. This time we use the open-source version, which only detects and reports (there is no IPS function that blocks or reverts changes).
man page: https://linux.die.net/man/8/tripwire
install
■Verification environment
Ubuntu 24.04 LTS
Tripwire 2.4.3.7.0
Python 3.12.3 # used for the notification script
■Installation and initial settings
$ sudo apt update
$ sudo apt install tripwire
That's all there is to installing.
You will be presented with several prompts during the installation; select the appropriate settings and proceed.
*This time we are assuming a localhost environment.
▼ General type of mail configuration. This prompt comes from the mail transport agent that the tripwire package pulls in as a dependency for e-mail reports. This time I chose Local only.
▼ System mail name (the domain for the notification e-mail address). If you have nothing in particular, example.com is fine. I won't use e-mail notification this time.
▼ For security, Tripwire signs its configuration, policy and database with two key pairs (a site key and a local key). Select the default, Yes, to create them (details can be found in twfiles(5): https://linux.die.net/man/5/twfiles).
▼ For the initial configuration (rebuilding the configuration and policy files with the new keys), Yes.
▼ Enter the site passphrase and then the local passphrase (make a note of them: the site passphrase is needed whenever the policy or configuration is changed, the local passphrase whenever the database is initialized or updated). Each is entered twice for confirmation.
▼ Installation complete
▼ Installation complete
Proceed to policy file settings.
Policy settings
"twpol.txt" is the plain-text policy file, so edit it.
Just in case, take a backup beforehand.
$ sudo cp /etc/tripwire/twpol.txt /etc/tripwire/twpol_org.txt
$ sudo nano /etc/tripwire/twpol.txt
Since the default policy produces a very long report, I will target only "under /var/www/html" (plus the Tripwire binaries themselves).
*If you want to make it the same as this article, please copy and paste the following content.

# Global Variable Definitions
@@section GLOBAL
TWBIN = /usr/sbin;
TWETC = /etc/tripwire;
TWVAR = /var/lib/tripwire;

# File System Definitions
@@section FS

# Tripwire Binaries
(
  rulename = "Tripwire Binaries",
  severity = 100
)
{
  $(TWBIN)/siggen   -> $(ReadOnly) ;
  $(TWBIN)/tripwire -> $(ReadOnly) ;
  $(TWBIN)/twadmin  -> $(ReadOnly) ;
  $(TWBIN)/twprint  -> $(ReadOnly) ;
}

# Apache Document Root
# $(IgnoreNone) compares every property; "-SHa" drops the SHA-1 and HAVAL hashes and the access time
# (MD5 and CRC32 are still compared, so content changes are caught without atime churn).
(
  rulename = "Apache Document Root",
  severity = 100
)
{
  /var/www/html/ -> $(IgnoreNone)-SHa ;
}

# End of Policy File

Note that this minimal policy does not watch Tripwire's own configuration, policy and database files under /etc/tripwire and /var/lib/tripwire; the default twpol.txt you backed up contains a "Tripwire Data Files" rule for them that is worth keeping on a real server.
After editing the policy, compile and sign it, then initialize the database.
twadmin asks for the site passphrase (the policy is signed with the site key); tripwire --init asks for the local passphrase (the database is signed with the local key). Both were set at the installation prompts above.
It is OK if the output is as shown below.
$ sudo twadmin --create-polfile /etc/tripwire/twpol.txt
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
$ sudo tripwire --init
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /var/lib/tripwire/hamchan.twd
The database was successfully generated.
The basic settings are now complete.
I'll try checking it out.
$ sudo tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/hamchan-20241025-135438.twr


Open Source Tripwire(R) 2.4.3.7 Integrity Check Report

Report generated by:          root
Report created on:            Fri 25 Oct 2024 01:54:38 PM JST
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    hamchan
Host IP address:              127.0.1.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/hamchan.twd
Command line used:            tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Tripwire Binaries               100               0        0        0
  Apache Document Root            100               0        0        0
  (/var/www/html)

Total objects scanned:  7
Total violations found:  0

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

No violations.

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
A report summarizing the number of scanned objects and the violations per rule was output (7 objects: the four binaries, the document root directory and the two files in it).
Next, let's detect file differences.
Difference detection
First, edit an existing file under the document root: open test.html and write "test" in it.
$ sudo nano /var/www/html/test.html
When I ran the scan again, the modified directory and file were listed under Modified:
# Excerpt
===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Tripwire Binaries               100               0        0        0
* Apache Document Root            100               0        0        2
  (/var/www/html)

Total objects scanned:  7
Total violations found:  2

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Apache Document Root (/var/www/html)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/var/www/html"
"/var/www/html/test.html"
This time you can see that test.html under /var/www/html was changed. The directory /var/www/html itself is reported as well, because its recorded attributes (timestamps) changed along with the file.
By the way, a change of a file's owner or permissions is also detected, since those properties are part of $(IgnoreNone).
Note that Tripwire compares against the database, not against the previous report: these two violations will be reported on every subsequent check until you accept them with sudo tripwire --update -r /var/lib/tripwire/report/<report>.twr (or run the check with --interactive), which requires the local passphrase.
Next, let's create a new file.
$ sudo touch /var/www/html/ransom.sh
Scan again.
# Excerpt
-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Tripwire Binaries               100               0        0        0
* Apache Document Root            100               1        0        2
  (/var/www/html)

Total objects scanned:  8
Total violations found:  3

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Apache Document Root (/var/www/html)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/www/html/ransom.sh"

Modified:
"/var/www/html"
"/var/www/html/test.html"
The Added column now says 1, and the Object Summary shows that "/var/www/html/ransom.sh" was created.
If you read the report it is obvious that an unintended file has been placed in the document root, which is very convenient.
Periodic execution and report notification
Tripwire has an e-mail notification function (the twcfg/twpol mail settings), but this time I would like to introduce how to notify Chatwork instead.
First, prepare a cron job.
tripwire --check writes its report in binary form (.twr) under /var/lib/tripwire/report and prints the same report as text on stdout, so redirect stdout to a text file in any path you like. (A binary report can also be rendered later with sudo twprint --print-report -r /var/lib/tripwire/report/<report>.twr.)
The execution interval can be adjusted according to the environment and usage.
$ sudo crontab -e
0 0 * * * /usr/sbin/tripwire --check > /home/hamchan/$(date +\%Y\%m\%d)_report.txt
# *The date (yyyymmdd) is appended to the output file name so that each day's report is kept.
# Note that "%" has a special meaning in crontab lines, which is why it is escaped as "\%".
$ echo $(date)
Fri Oct 25 02:47:26 PM JST 2024
$ echo $(date +\%Y\%m\%d)
20241025
Next, create the Python code for Chatwork notifications.

import os
from glob import glob

import requests

# Chatwork API settings
API_TOKEN = 'xxxxxxxx'  # Chatwork API token (keep this file readable by root only)
ROOM_ID = 'xxxxxxxx'    # Destination group (room) ID
ENDPOINT = f'https://api.chatwork.com/v2/rooms/{ROOM_ID}/messages'
HEADERS = {
    'X-ChatworkToken': API_TOKEN,
}


# Return the path of the newest Tripwire report file, or None if there is none
def get_latest_tripwire_report():
    report_files = glob('/home/hamchan/*_report.txt')
    if report_files:
        return max(report_files, key=os.path.getmtime)  # newest by modification time
    return None


# Read the report file and return its contents as text
def get_report_content(report_path):
    with open(report_path, 'r', encoding='utf-8') as file:
        return file.read()


# Post the message to the Chatwork room
def send_chatwork_message(message):
    payload = {'body': message}
    response = requests.post(ENDPOINT, headers=HEADERS, data=payload, timeout=30)
    if response.status_code == 200:
        print('Notification sent to Chatwork.')
    else:
        print(f'Notification failed: {response.status_code}, {response.text}')


if __name__ == '__main__':
    latest_report_path = get_latest_tripwire_report()
    if latest_report_path:
        report_content = get_report_content(latest_report_path)  # full report text
        send_chatwork_message(
            f"[info][title]Tripwire report saved at[/title]\n"
            f"{latest_report_path}[/info]\n\n"
            f"\n{report_content}"
        )
    else:
        send_chatwork_message("No latest Tripwire reports were found.")
Put it into a cron job as well.
As a trial, I set the notification to run 2 minutes after the Tripwire report is written (00:02), so that the report file already exists when the script looks for it.
$ sudo crontab -e
2 0 * * * /usr/bin/python3 /home/hamchan/tripwire_test/chatwork_notification.py
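The script above posts the whole report, and relies on the two cron entries being two minutes apart. As an added example (not the original script and not part of Tripwire), the following variant parses the text report format shown in the difference-detection section (the "Total violations found" line and the Added:/Removed:/Modified: lists under each "Rule Name:" in the Object Summary) and posts only a compact summary, so the Chatwork message says at a glance what changed. It can either read a saved report file or run tripwire --check itself, which removes the timing dependency between the two cron jobs. The environment variable names CHATWORK_API_TOKEN and CHATWORK_ROOM_ID and the sample report text are assumptions made for this example; the sample is constructed from the ransom.sh report above.

```python
"""Parse a Tripwire text report and post a compact summary to Chatwork.

Added example for this post, not Tripwire's own code. Credentials are read from the
(hypothetical) environment variables CHATWORK_API_TOKEN and CHATWORK_ROOM_ID.
"""
import os
import re
import subprocess
import sys

# Constructed sample, modelled on the "ransom.sh" report shown earlier in this post.
SAMPLE_REPORT = """\
Open Source Tripwire(R) 2.4.3.7 Integrity Check Report

Total objects scanned:  8
Total violations found:  3

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
Rule Name: Apache Document Root (/var/www/html)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/www/html/ransom.sh"

Modified:
"/var/www/html"
"/var/www/html/test.html"

===============================================================================
Error Report:
===============================================================================

No Errors
"""

CHANGE_KINDS = ("Added", "Removed", "Modified")
RULE_RE = re.compile(r"^Rule Name:\s+(.+?)\s*$")      # only the Object Summary form has a colon
SEVERITY_RE = re.compile(r"^Severity Level:\s+(\d+)$")
TOTAL_RE = re.compile(r"^Total violations found:\s+(\d+)$")


def parse_report(text):
    """Return {'violations': n, 'rules': [{'name', 'severity', 'Added', 'Removed', 'Modified'}]}."""
    result = {"violations": 0, "rules": []}
    rule, kind = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := TOTAL_RE.match(line):
            result["violations"] = int(m.group(1))
        elif m := RULE_RE.match(line):
            rule = {"name": m.group(1), "severity": 0, "Added": [], "Removed": [], "Modified": []}
            result["rules"].append(rule)
            kind = None
        elif rule is None:
            continue
        elif m := SEVERITY_RE.match(line):
            rule["severity"] = int(m.group(1))
        elif line.endswith(":") and line[:-1] in CHANGE_KINDS:
            kind = line[:-1]                       # start of an Added:/Removed:/Modified: list
        elif kind and len(line) >= 2 and line[0] == line[-1] == '"':
            rule[kind].append(line[1:-1])          # Tripwire quotes each object path
        elif line.startswith("==="):
            rule, kind = None, None                # next section (e.g. Error Report)
    return result


def format_message(summary, source):
    """Build the Chatwork message body using Chatwork's [info]/[title] markup."""
    n = summary["violations"]
    title = "Tripwire: no violations" if n == 0 else f"Tripwire: {n} violation(s) detected"
    lines = [f"[info][title]{title}[/title]Report: {source}"]
    for rule in summary["rules"]:
        lines.append(f"{rule['name']} (severity {rule['severity']})")
        for kind in CHANGE_KINDS:
            lines.extend(f"  {kind}: {path}" for path in rule[kind])
    lines.append("[/info]")
    return "\n".join(lines)


def send_chatwork_message(body, token, room_id):
    """POST to the Chatwork v2 messages endpoint and return the HTTP status code."""
    import requests  # imported here so parsing and formatting work without the dependency
    resp = requests.post(f"https://api.chatwork.com/v2/rooms/{room_id}/messages",
                         headers={"X-ChatWorkToken": token}, data={"body": body}, timeout=30)
    return resp.status_code


def run_check():
    """Run the integrity check (needs root) and return its text report from stdout.

    tripwire exits non-zero when violations are found, so check=True is deliberately not used.
    """
    proc = subprocess.run(["/usr/sbin/tripwire", "--check"], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    if len(sys.argv) > 1:                          # usage: script.py /home/hamchan/20241025_report.txt
        source = sys.argv[1]
        with open(source, encoding="utf-8") as f:
            text = f.read()
    else:                                          # usage: script.py   (runs tripwire --check itself)
        source = "tripwire --check"
        text = run_check()
    body = format_message(parse_report(text), source)
    token, room = os.environ.get("CHATWORK_API_TOKEN"), os.environ.get("CHATWORK_ROOM_ID")
    if token and room:
        print("Chatwork status:", send_chatwork_message(body, token, room))
    else:
        print(body)                                # dry run when no credentials are set
```

With this a single root cron entry such as `0 0 * * * CHATWORK_API_TOKEN=... CHATWORK_ROOM_ID=... /usr/bin/python3 /home/hamchan/tripwire_test/chatwork_summary.py` replaces the two-step schedule, and the token stays out of the script file. The parser keys on the "Rule Name:" lines of the Object Summary rather than on the Rule Summary table, because only the former lists the actual paths.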
▼ The content of the notification was as follows.
This way, you will notice when suspicious files are placed in the document root. It is a large improvement in security over having no integrity monitoring at all.
Please try it.