Running Filesystem Checks with Samhain and Tripwire

A filesystem check is the operation during which the filesystem integrity is compared to the original baseline. Checks should be scheduled to run as often as possible, and reports should be carefully analyzed for abnormal events.

To manually run a file check with Samhain, just type:

[emoret@simca-1000 ~]$ sudo samhain -t check

In production, I recommend running Samhain in daemon mode, started when the host boots up. The benefit of this mode is that files are only reported once per run. In other words, Samhain's reports will only include changed files once. By default, a check is run every two hours. To run Samhain as a daemon, install the startup script matching your distribution. In the case of Fedora Core 5:

[emoret@simca-1000 ~]$ sudo chkconfig --add samhain
[emoret@simca-1000 ~]$ sudo service samhain start

To monitor file changes you can look at the /var/log/samhain_log file with the following:

[emoret@simca-1000 ~]$ sudo tail -f /var/log/samhain_log

This method is good, but does not provide integrity verification. If you want to verify the integrity of log messages, you have to use the built-in command and enter the logkey received by email to verify the hash of each log entry:

[emoret@simca-1000 ~]$ sudo samhain -L /var/log/samhain_log

New audit trail ([2006-07-27T15:39:35-0700]), enter key|keyfile:
3B6C8BD6C364F9F74837F7D9BA8A189B67EF1ED71CAD4D8D
PASS:  line=    2 ALERT  :  [2006-07-27T15:39:34-0700] msg=<START>, program=<Samhain>, userid=<0>, path=</etc/samhainrc>, key_uid=<DBC967BC\ Eric\ Moret\ <emoret@juniper.net>>, key_id=<47ED22F951D9BA85E235265F8448D230DBC967BC>
PASS:  line=    4 CRIT   :  [2006-07-27T15:39:35-0700] msg=<POLICY [Kernel] PROC modified proc filesystem: proc_root.proc_iops != proc_root_inode_operations>
PASS:  line=    6 ERROR  :  [2006-07-27T15:43:41-0700] msg=<No good signature>, subroutine=<gpg_check_file_sign>
PASS:  line=    8 ALERT  :  [2006-07-27T15:43:41-0700] msg=<PANIC Error initializing the application>, program=<Samhain>
PASS:  line=   10 ALERT  :  [2006-07-27T15:43:41-0700] msg=<EXIT>, program=<Samhain>, status=<None>
New audit trail ([2006-07-27T15:50:05-0700]), enter key|keyfile:
2B26CD58BF3A39F423F0B0CE3D81CA51A79033C7F44E82C5
PASS:  line=   13 ALERT  :  [2006-07-27T15:50:05-0700] msg=<START>, program=<Samhain>, userid=<0>, path=</etc/samhainrc>, key_uid=<DBC967BC\ Eric\ Moret\ <emoret@juniper.net>>, key_id=<47ED22F951D9BA85E235265F8448D230DBC967BC>
PASS:  line=   15 ERROR  :  [2006-07-27T15:50:06-0700] msg=<No good signature>, subroutine=<gpg_check_file_sign>
PASS:  line=   17 ALERT  :  [2006-07-27T15:50:06-0700] msg=<PANIC Error initializing the application>, program=<Samhain>
PASS:  line=   19 ALERT  :  [2006-07-27T15:50:06-0700] msg=<EXIT>, program=<Samhain>, status=<None>

Every time Samhain starts, it creates a new audit trail. Each of those trails uses a distinct key to compute hashes for every log message. When a new instance of Samhain starts, it sends an email containing the new log key, which can then be used to interactively verify the log integrity. As you can see, I had two runs verified by two keys. Each log entry starts with the PASS statement, indicating that it was not altered.
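The verification output is easier to review when it is grouped by audit trail. The following Python script is an added example, not part of the original text or of Samhain: it parses output in the format shown above, lists entries whose verdict is anything other than PASS, and collects CRIT, ALERT and ERROR messages such as the PANIC seen in both runs. The sample input is constructed from that format, and the FAIL marker in it is an assumption, which is why the code treats every non-PASS verdict as unverified.

```python
import re

# One verified entry as printed by `samhain -L`, for example:
# PASS:  line=    4 CRIT   :  [2006-07-27T15:39:35-0700] msg=<POLICY ...>
ENTRY = re.compile(
    r"^(?P<verdict>[A-Z]+):\s+line=\s*(?P<line>\d+)\s+(?P<sev>[A-Z]+)\s*:\s+"
    r"\[(?P<ts>[^\]]+)\]\s+msg=<(?P<msg>[^>]*)>")
TRAIL = re.compile(r"^New audit trail \(\[(?P<ts>[^\]]+)\]\)")

def summarize(output):
    """Group verified entries by audit trail and collect what needs review."""
    trails = []
    for raw in output.splitlines():
        line = raw.strip()
        m = TRAIL.match(line)
        if m:
            trails.append({"started": m["ts"], "entries": 0,
                           "unverified": [], "attention": []})
            continue
        m = ENTRY.match(line)
        if not m or not trails:
            continue  # typed-in key, blank lines, anything unrecognized
        trail = trails[-1]
        trail["entries"] += 1
        if m["verdict"] != "PASS":  # assumption: any other verdict means altered
            trail["unverified"].append(int(m["line"]))
        # START and EXIT are routine ALERTs; everything else deserves a look.
        if m["sev"] in ("CRIT", "ALERT", "ERROR") and m["msg"] not in ("START", "EXIT"):
            trail["attention"].append((int(m["line"]), m["sev"], m["msg"]))
    return trails

# Constructed sample modeled on the output above; the FAIL line is made up.
SAMPLE = """\
New audit trail ([2006-07-27T15:39:35-0700]), enter key|keyfile:
PASS:  line=    2 ALERT  :  [2006-07-27T15:39:34-0700] msg=<START>, program=<Samhain>
PASS:  line=    4 CRIT   :  [2006-07-27T15:39:35-0700] msg=<POLICY [Kernel] PROC modified proc filesystem: proc_root.proc_iops != proc_root_inode_operations>
FAIL:  line=    6 ERROR  :  [2006-07-27T15:43:41-0700] msg=<No good signature>, subroutine=<gpg_check_file_sign>
PASS:  line=    8 ALERT  :  [2006-07-27T15:43:41-0700] msg=<PANIC Error initializing the application>, program=<Samhain>
"""

if __name__ == "__main__":
    for t in summarize(SAMPLE):
        print(f"trail {t['started']}: {t['entries']} entries, "
              f"unverified lines {t['unverified']}")
        for line_no, sev, msg in t["attention"]:
            print(f"  line {line_no} {sev}: {msg}")
```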

To manually run a filesystem check with Tripwire, just type:

[emoret@simca-1000 ~]$ sudo tripwire --check
Parsing policy file: /usr/local/etc/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /usr/local/lib/tripwire/report/simca-1000.secteam.juniper.net-20060719-190249.twr

To configure it for daily runs, I recommend copying the script provided in the Tripwire contrib directory to the daily cron directory, using the following:

[emoret@simca-1000 ~]$ sudo cp /usr/local/src/tripwire-2.4.0.1/contrib/tripwire-check /etc/cron.daily
[emoret@simca-1000 ~]$ sudo chmod +x /etc/cron.daily/tripwire-check

Before checking that the cron job works properly, verify that your local email delivery system is configured properly and that mail for root is received by a real user, with the following:

[emoret@simca-1000 ~]$ grep emoret /etc/aliases
root:           emoret

To check that Tripwire emails are received, you can use the embedded email test:

[emoret@simca-1000 ~]$ tripwire --test

Then verify that the cron job works, using the following:

[emoret@simca-1000 ~]$ sudo anacron -n

If everything is working, you should get a Tripwire check report in your mailbox instantly.