CentOS 7 security reinforcement, detection, and audit
RKHunter: detects Rootkit
RKHunter Portal: http://rkhunter.sourceforge.net/
Root Kit details: http://linux.vbird.org/linux_security/0420rkhunter.php
[root@linuxprobe ~]# yum --enablerepo=epel -y install rkhunter
- Configure and use RKHunter. For regular checks, confirm that the package's script is installed in the /etc/cron.daily directory and is executed by Cron every day.
[root@linuxprobe ~]# vi /etc/sysconfig/rkhunter
# recipient address for report
MAILTO=root@localhost
# if specified "yes", scan in more detail
DIAG_SCAN=no
# update database
[root@linuxprobe ~]# rkhunter --update
# update system file properties
[root@linuxprobe ~]# rkhunter --propupd
# execute checking
# --sk means skipping the need to press Enter after each test group
# if --rwo is specified, display only warnings
[root@linuxprobe ~]# rkhunter --check --sk
Lynis
Security Audit Tool Lynis Portal: https://cisofy.com/lynis/
[root@linuxprobe ~]# yum --enablerepo=epel -y install lynis
[root@linuxprobe ~]# lynis audit system
Lynis Tutorial: http://netsecurity.51cto.com/art/201410/455466.htm
AIDE Introduction
- AIDE (Advanced Intrusion Detection Environment) is an intrusion detection tool used to check the integrity of files.
- Install and configure host-based IDS (Intrusion Detection System) "AIDE" (Advanced Intrusion Detection Environment)
AIDE https://sourceforge.net/projects/aide/
[root@linuxprobe ~]# yum -y install aide
- Configure AIDE and initialize the database. You can use AIDE with the default configuration, but if you want to customize the settings, change the configuration file as follows. The monitoring rules are defined around lines 26-84 of the file; refer to them when adding your own.
[root@linuxprobe ~]# vi /etc/aide.conf
# for example, change setting of monitoring /var/log
/var/log p+u+g+i+n+acl+selinux+xattrs
# initialize database
[root@linuxprobe ~]# aide --init
AIDE, version 0.15.1
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
# copy generated DB to master DB
[root@linuxprobe ~]# cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
- Run the check. With no changes since the database was built, all files match; after a test modification (here, changing the permissions of a file) the difference is reported:
[root@linuxprobe ~]# aide --check
AIDE, version 0.15.1
### All files match AIDE database. Looks okay!
[root@linuxprobe ~]# chmod 640 /root/anaconda-ks.cfg
[root@linuxprobe ~]# aide --check
# the detected differences are as follows:
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2016-10-27 04:44:55

Summary:
  Total number of files:        31983
  Added files:                  0
  Removed files:                0
  Changed files:                1

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /root/anaconda-ks.cfg

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /root/anaconda-ks.cfg
  Perm     : -rw-------                       , -rw-r-----
  Ctime    : 04:52:57
  ACL      : old = A:
----
user::rw-
group::---
other::---
----
D: <NONE>
             new = A:
----
user::rw-
group::r--
other::---
----
D: <NONE>
- If the detected differences are expected (no problem), update the database as follows:
[root@linuxprobe ~]# aide --update
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2016-10-27 04:49:12

Summary:
  Total number of files:        31983
  Added files:                  0
  Removed files:                0
  Changed files:                1

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /root/anaconda-ks.cfg

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
...
# update database (aide --update writes the new database to aide.db.new.gz; copy it over the master DB)
[root@linuxprobe ~]# cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
- To run the check regularly, add it to Cron. The log file [/var/log/aide.log] is overwritten on every run; if no differences are found, it is overwritten with an empty (zero-byte) file. Therefore, if you want to keep the results, write a shell script that saves them, or send the result by email or some other method.
# for example, add daily check in Crontab and send results via email
# (files under /etc/cron.d use the system crontab format, so the user field "root" is required)
[root@dlp ~]# vi /etc/cron.d/aide
00 01 * * * root /usr/sbin/aide --update | mail -s 'Daily Check by AIDE' root
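Because aide.log is overwritten on each run, the following wrapper script is one way to keep every report. It is an added example, not code from the original page or from the AIDE project: it stores each report under a timestamped name, decodes AIDE's exit status, and sends mail only when the database and filesystem differ. It assumes the CentOS 7 path /usr/sbin/aide shown above and the exit-status bits documented in the aide(1) manual page (1 added, 2 removed, 4 changed, 14 and above errors); the report directory /var/log/aide/reports, the --run flag and the function names are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the page or the AIDE project): daily AIDE wrapper
# that keeps every report and mails only on differences.
# Assumes CentOS 7 defaults: /usr/sbin/aide and the mail(1) command.

AIDE_BIN="${AIDE_BIN:-/usr/sbin/aide}"
REPORT_DIR="${REPORT_DIR:-/var/log/aide/reports}"   # assumed directory, not an AIDE default
MAIL_TO="${MAIL_TO:-root}"

# Translate AIDE's exit status into a short summary.
# Per aide(1): 0 = no differences; bit 1 = added files, bit 2 = removed files,
# bit 4 = changed files (combinable); 14 and above = AIDE itself failed.
describe_aide_status() {
    rc="$1"
    if [ "$rc" -eq 0 ]; then
        echo "no differences"
    elif [ "$rc" -ge 14 ]; then
        echo "aide error (exit $rc)"
    else
        out=""
        if [ $((rc & 1)) -ne 0 ]; then out="${out}added,"; fi
        if [ $((rc & 2)) -ne 0 ]; then out="${out}removed,"; fi
        if [ $((rc & 4)) -ne 0 ]; then out="${out}changed,"; fi
        echo "${out%,}"
    fi
}

# Run aide --check, keep the full report under a timestamped name, and mail it
# only when something changed. Use --update instead of --check if you also
# want aide.db.new.gz regenerated for a later manual copy over aide.db.gz.
run_daily_check() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/aide-$(date +%Y%m%d-%H%M%S).log"
    rc=0
    "$AIDE_BIN" --check > "$report" 2>&1 || rc=$?
    summary=$(describe_aide_status "$rc")
    if [ "$rc" -ne 0 ]; then
        mail -s "AIDE on $(hostname): $summary" "$MAIL_TO" < "$report"
    fi
    echo "$summary (report: $report)"
    return "$rc"
}

# The real check only runs when the script is invoked with --run, so the
# functions above can be sourced and exercised on a machine without AIDE.
if [ "${1:-}" = "--run" ]; then
    run_daily_check
fi
```

With this script saved at, for example, the hypothetical path /usr/local/sbin/aide-daily.sh, the cron.d entry above becomes "00 01 * * * root /usr/local/sbin/aide-daily.sh --run", and the reports accumulate under the chosen directory instead of being lost to the next overwrite of aide.log.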
About Tripwire
Tripwire is currently the best-known file system integrity checking tool for Unix. Its core technique is to generate a digital signature for each monitored file and keep it; when the file's current signature no longer matches the stored one, the file must have been modified.
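To make the baseline-and-compare mechanism behind both AIDE and Tripwire concrete, here is an added example in POSIX shell; it is not code from the page, nor from the AIDE or Tripwire projects. A snapshot records a SHA-256 digest together with mode, owner, group and size for every regular file below a directory, and a later snapshot is compared against it to report added, removed and changed files, returning AIDE-style status bits (1 added, 2 removed, 4 changed). It assumes GNU coreutils (sha256sum, stat -c), as on CentOS 7; the record layout and the function names are the example's own.

```shell
#!/bin/sh
# Added example: a minimal baseline-and-compare integrity check in the spirit
# of AIDE/Tripwire. Not code from the page or from either project.
# Assumes GNU coreutils (sha256sum, stat -c), as on CentOS 7.
# Record layout (one line per regular file, space separated):
#   <path> <sha256> <mode> <owner> <group> <size>
# Paths containing whitespace are not supported by this simple layout.

# snapshot DIR: print one record per regular file below DIR, sorted by path.
snapshot() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s %s %s\n' "$f" "$sum" "$(stat -c '%a %U %G %s' "$f")"
    done
}

# compare_snapshots BASELINE CURRENT: print added/removed/changed files.
# Exit status mirrors AIDE's convention: bit 1 added, bit 2 removed,
# bit 4 changed; 0 means the filesystem still matches the baseline.
compare_snapshots() {
    awk '
        NR == FNR { base[$1] = $0; next }           # first file: the baseline
        {
            cur[$1] = 1
            if (!($1 in base))       { print "added:   " $1; added = 1 }
            else if (base[$1] != $0) { print "changed: " $1; changed = 1 }
        }
        END {
            for (p in base) if (!(p in cur)) { print "removed: " p; removed = 1 }
            exit added * 1 + removed * 2 + changed * 4
        }' "$1" "$2"
}

# Typical use: build the baseline once, store it somewhere the monitored host
# cannot silently rewrite, then re-check on a schedule (paths are assumed):
#   snapshot /etc > /var/lib/integrity/etc.db
#   snapshot /etc > /tmp/etc.now && compare_snapshots /var/lib/integrity/etc.db /tmp/etc.now
```

A "changed" line is reported for any difference in content, mode, owner, group or size, which is the same idea as AIDE's per-file rule string (p+u+g+... in the configuration above), except that here the attribute set is fixed. Real tools also protect the baseline itself, which is why Tripwire signs its database with the site and local keys generated in the next section.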
Tripwire Official Website: http://www.tripwire.com/
Install Tripwire
# install from EPEL
[root@linuxprobe ~]# yum --enablerepo=epel -y install tripwire
- Create keys and databases
# generate keys
[root@linuxprobe ~]# tripwire-setup-keyfiles
..........
Enter the site keyfile passphrase:      # set site keyfile passphrase
Verify the site keyfile passphrase:     # confirm
.........
Enter the local keyfile passphrase:     # set local keyfile passphrase
Verify the local keyfile passphrase:    # confirm
..........
Please enter your site passphrase:      # answer with site keyfile passphrase
..........
Please enter your site passphrase:      # answer with site keyfile passphrase
..........
[root@linuxprobe ~]# cd /etc/tripwire
[root@linuxprobe tripwire]# vi twcfg.txt
# line 12: report level (4 is max)
REPORTLEVEL   =4
# generate config
[root@linuxprobe tripwire]# twadmin -m F -c tw.cfg -S site.key twcfg.txt
Please enter your site passphrase:      # answer with site keyfile passphrase
Wrote configuration file: /etc/tripwire/tw.cfg
# optimize policy file with the script below
# (it sets HOSTNAME to this machine and comments out policy entries for files
#  that do not exist on this system, so they are not reported as missing)
[root@linuxprobe tripwire]# vi twpolmake.pl
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#    perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while (<POL>) {
    chomp;
    # rewrite the HOSTNAME line with the real host name if it differs
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    # track whether we are inside a rule block "{ ... }"
    elsif ( /^{/ ) {
        $INRULE=1 ;
    }
    elsif ( /^}/ ) {
        $INRULE=0 ;
    }
    # inside a rule block: lines of the form "[#] /path -> $(Rule) ;"
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g) ;
        # special case: keep the tune2fs part of the /sbin/e2fsadm rule commented out
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        # comment out entries whose file is absent (or empty) on this system
        if (! -s $tpath) {
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;
[root@linuxprobe tripwire]# perl twpolmake.pl twpol.txt > twpol.txt.new
[root@linuxprobe tripwire]# twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
# initialize the database from the policy just written
[root@linuxprobe tripwire]# tripwire -m i -s -c tw.cfg
Please enter your local passphrase:
- Manually perform the check. (Cron's daily check script is included in the package)