Managing File Changes and Updating Storage Database with Samhain and Tripwire

Updates are done to reconcile legitimate file changes and reduce the size of check reports. Database updates have important security implications and should be done with the utmost care. It is at the time of reconciliation that a potentially harmful file modification can go unnoticed and be accepted as part of the new baseline.

Samhain reports file changes using codes to indicate what properties have changed. See Table 20-5 for a list of those flags.

Here is an example log:

CRIT   :  [2006-07-25T15:38:34-0700] msg=<POLICY [ReadOnly] C--I----TS>, path=</etc/samhainrc>,
inode_old=<4650355>, inode_new=<4650354>, size_old=<16821>, size_new=<16850>,
ctime_old=<[2006-07-23T01:23:00]>, ctime_new=<[2006-07-25T21:28:23]>,
mtime_old=<[2006-07-23T01:23:00]>, mtime_new=<[2006-07-25T21:28:23]>,
chksum_old=<54CF7E41C9D03D5C9D0AEDA6D11929AF15301F0BEA171D1F>,
chksum_new=<4E0883F9B4D00942F99957C74EF52E3C1DC5CEC1A2DCA496>,
663BF691DAD2EC0B8DA62C0CE9511B82B92A02AECCA83DD5

Note the first line, which contains the codes, and the last line, which is the authentication hash for that log entry.
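The entry above is easier to act on once it is split into its parts: the severity, the policy, the change codes, the old/new value pairs, and the trailing authentication hash. The parser below is an added example written for this chapter, not code from the book or from the Samhain project. It rejoins hard-wrapped record lines, extracts every old/new pair, and cross-checks the codes against the fields that actually differ, so an entry whose codes and values disagree stands out. The letter meanings in FLAG_MEANING are my reading of Table 20-5 and are an assumption; only C, I, T and S are exercised here, and those four are confirmed by the field names in the sample entry, which is copied from the log shown above.

```python
import re

# Assumed meaning of the change codes in the POLICY string (see Table 20-5).
FLAG_MEANING = {
    "C": "checksum", "L": "link", "D": "device", "I": "inode", "H": "hardlinks",
    "M": "mode", "U": "user", "G": "group", "T": "timestamps", "S": "size",
}
# Old/new field pairs that each code letter is expected to account for.
FLAG_FIELDS = {"C": {"chksum"}, "I": {"inode"}, "S": {"size"}, "T": {"ctime", "mtime"}}

HEADER_RE = re.compile(r"^(?P<severity>\w+)\s*:\s*\[(?P<timestamp>[^\]]+)\]\s*(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=<([^>]*)>")            # name=<value> pairs
POLICY_RE = re.compile(r"^POLICY \[(?P<policy>[^\]]+)\]\s+(?P<flags>\S+)$")
AUTH_HASH_RE = re.compile(r"^[0-9A-F]{48}$")          # 48 hex digits on a line of their own

# Sample entry, copied from the log above (values are the page's own).
SAMPLE_ENTRY = (
    "CRIT   :  [2006-07-25T15:38:34-0700] msg=<POLICY [ReadOnly] C--I----TS>, "
    "path=</etc/samhainrc>, inode_old=<4650355>, inode_new=<4650354>, "
    "size_old=<16821>, size_new=<16850>, "
    "ctime_old=<[2006-07-23T01:23:00]>, ctime_new=<[2006-07-25T21:28:23]>, "
    "mtime_old=<[2006-07-23T01:23:00]>, mtime_new=<[2006-07-25T21:28:23]>, "
    "chksum_old=<54CF7E41C9D03D5C9D0AEDA6D11929AF15301F0BEA171D1F>, "
    "chksum_new=<4E0883F9B4D00942F99957C74EF52E3C1DC5CEC1A2DCA496>,\n"
    "663BF691DAD2EC0B8DA62C0CE9511B82B92A02AECCA83DD5\n"
)


def parse_entry(block):
    """Parse one report entry: the record line(s) plus, when present, the
    trailing authentication hash line. Wrapped record lines are rejoined
    without a separator, since wrapping may split a value in the middle."""
    lines = [ln for ln in block.splitlines() if ln.strip()]
    auth_hash = None
    if lines and AUTH_HASH_RE.match(lines[-1].strip()):
        auth_hash = lines.pop().strip()
    record = "".join(lines)
    m = HEADER_RE.match(record)
    if not m:
        raise ValueError("not a Samhain report line: %r" % record[:40])
    fields = dict(FIELD_RE.findall(m.group("rest")))
    pm = POLICY_RE.match(fields.get("msg", ""))
    old_new = {}
    for name, value in fields.items():
        if name.endswith("_old"):
            prop = name[:-4]
            old_new[prop] = (value, fields.get(prop + "_new"))
    return {
        "severity": m.group("severity"),
        "timestamp": m.group("timestamp"),
        "policy": pm.group("policy") if pm else None,
        "flags": set(pm.group("flags")) - {"-"} if pm else set(),
        "path": fields.get("path"),
        "old_new": old_new,
        "auth_hash": auth_hash,
    }


def changed_properties(entry):
    """Properties whose old and new values differ."""
    return {prop for prop, (old, new) in entry["old_new"].items() if old != new}


def unexplained_changes(entry):
    """Changed properties that no code letter in the POLICY string accounts
    for. A non-empty result means the codes and the values disagree."""
    covered = set()
    for letter in entry["flags"]:
        covered |= FLAG_FIELDS.get(letter, set())
    return changed_properties(entry) - covered


if __name__ == "__main__":
    e = parse_entry(SAMPLE_ENTRY)
    names = sorted(FLAG_MEANING.get(f, f) for f in e["flags"])
    print("%s %s policy %s changed: %s" % (e["severity"], e["path"], e["policy"], ", ".join(names)))
    for prop in sorted(changed_properties(e)):
        print("  %-7s %s -> %s" % (prop, *e["old_new"][prop]))
    print("  unexplained:", unexplained_changes(e) or "none")
    print("  entry hash :", e["auth_hash"])
```

Feeding the parser each blank-line-separated block of a report, and refusing to accept any entry with unexplained changes or a missing hash line, is a cheap sanity check to run before the interactive update described below.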

If you run Samhain in daemon mode, you need to make sure that one and only one process accesses the logfile at any given time. Use the -l none option to reconcile the database while not interfering with the daemon:

[emoret@simca-1000 ~]$ sudo samhain -t update --interactive -l none

This checks all files and asks you to manually confirm each change. Do not forget to re-sign the updated database with the now familiar:

[emoret@simca-1000 ~]$ sudo samhainadmin.pl --create-datafile

A common problem with file integrity checkers is how to automatically reconcile the numerous file changes that automated package updates produce. There is unfortunately no magic bullet for this.

One approach is to run an automated integrity database update after each package update. This is easily achieved with a cron job that executes after the system update and reconciles all changes without confirmation. The script's name starts with Z so that it sorts, and therefore runs, after all other scripts in the directory; enter:

[emoret@simca-1000 ~]$ sudo cat /etc/cron.daily/Z-samhain-reconciliation
#!/bin/sh

/usr/local/sbin/samhain -t update -l none

Warning

This may leave the system vulnerable to attacks that happen in the interval between a package update and the automatic reconciliation. Because the updated database cannot be GPG re-signed automatically, you also have to give up the option of using a signed database. This is a suboptimal security posture.

Another approach is to disable automated updates and instead perform manual, planned system updates followed by manual database reconciliation. This is the most secure way and is particularly recommended for production servers that impose a maintenance window and can live with larger batches of updates. To avoid being compromised while a patch update is in progress, I recommend the following six steps:

  1. Manually download all updated packages.

  2. Bring your machine offline.

  3. Proceed through the system update.

  4. Update the Samhain database.

  5. Sign the updated database.

  6. Bring the machine back online.

Updating the Tripwire database is a simple interactive process that uses a text editor. The editor opens a report in which each changed file is preceded by a checked box. Leaving the box checked in front of a file accepts the change into the database, while unchecking it leaves the original checksum untouched.

[emoret@simca-1000 ~]$ sudo tripwire --update --twrfile \
    /usr/local/lib/tripwire/report/simca-1000.secteam.juniper.net-20060721-042736.twr
[...]
[x] "/usr/src/kernels/2.6.17-1.2139_FC5-i686/drivers/s390/block/Makefile"
[x] "/usr/src/kernels/2.6.17-1.2139_FC5-i686/drivers/s390/block/Kconfig"
[x] "/usr/src/kernels/2.6.17-1.2139_FC5-i686/drivers/s390/char"
[x] "/usr/src/kernels/2.6.17-1.2139_FC5-i686/drivers/s390/char/Makefile"
[x] "/usr/src/kernels/2.6.17-1.2139_FC5-i686/drivers/s390/cio"
[x] "/usr/src/kernels/2.6.17-1.2139_FC5-i686/drivers/s390/cio/Makefile"
[x] "/usr/src/kernels/2.6.17-1.2139_FC5-i686/drivers/macintosh"
[x] "/usr/src/kernels/2.6.17-1.2139_FC5-i686/drivers/macintosh/Makefile"
[x] "/usr/src/kernels/2.6.17-1.2139_FC5-i686/drivers/macintosh/Kconfig"
[x] "/usr/src/kernels/2.6.17-1.2139_FC5-i686/drivers/message"
[x] "/usr/src/kernels/2.6.17-1.2139_FC5-i686/drivers/message/Makefile"
[x] "/usr/src/kernels/2.6.17-1.2139_FC5-i686/drivers/message/fusion"
[x] "/usr/src/kernels/2.6.17-1.2139_FC5-i686/drivers/message/fusion/Makefile"
"twtemprL7xHc" 414387L, 27576899C written

Please enter your local passphrase: <local passphrase>
Wrote database file: /usr/local/lib/tripwire/simca-1000.secteam.juniper.net.twd
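After a planned package update, the only boxes that should stay checked are those for files the update actually touched; anything else in the report deserves a second look before it enters the baseline. The filter below is an added example written for this chapter, not code from the book or from the Tripwire project. It takes the text of the report as the editor presents it, unchecks every entry whose path is neither in a supplied list of expected files nor under a listed directory, and returns both the edited text and the paths it unchecked. The report excerpt reuses two lines from the session above plus two constructed entries, and the expected-file listing is constructed in the one-path-per-line shape a package manager prints for the files a package owns; how the operator gathers that listing is an assumption.

```python
import re

# One line of the editable report: "[x]" or "[ ]" followed by a quoted path.
CHECKBOX_RE = re.compile(r'^\[(?P<mark>[x ])\] "(?P<path>.*)"\s*$')

# Constructed report excerpt: the first two lines come from the session above,
# the last two are made-up entries standing in for changes no package explains.
SAMPLE_REPORT = """\
[x] "/usr/src/kernels/2.6.17-1.2139_FC5-i686/drivers/s390/block/Makefile"
[x] "/usr/src/kernels/2.6.17-1.2139_FC5-i686/drivers/s390/block/Kconfig"
[x] "/etc/passwd"
[x] "/usr/local/sbin/samhain"
"""

# Constructed listing of files owned by the updated package, one path per line
# (assumed to be produced by the operator from the package manager).
SAMPLE_PACKAGE_FILES = """\
/usr/src/kernels/2.6.17-1.2139_FC5-i686
/usr/src/kernels/2.6.17-1.2139_FC5-i686/drivers/s390/block/Makefile
/usr/src/kernels/2.6.17-1.2139_FC5-i686/drivers/s390/block/Kconfig
"""


def load_expected(listing):
    """Turn a newline-separated file listing into a set of paths."""
    return {ln.strip() for ln in listing.splitlines() if ln.strip()}


def is_expected(path, expected):
    """A path is expected if it, or one of its parent directories, is listed."""
    if path in expected:
        return True
    return any(path.startswith(d.rstrip("/") + "/") for d in expected)


def uncheck_unexpected(report, expected):
    """Return (edited report, paths that were unchecked). Lines that are not
    checkbox entries, such as the report headers, pass through unchanged."""
    out, unchecked = [], []
    for line in report.splitlines():
        m = CHECKBOX_RE.match(line)
        if m and m.group("mark") == "x" and not is_expected(m.group("path"), expected):
            out.append('[ ] "%s"' % m.group("path"))
            unchecked.append(m.group("path"))
        else:
            out.append(line)
    return "\n".join(out) + "\n", unchecked


if __name__ == "__main__":
    # Usage: filter.py <temporary report file> <package file listing>
    import sys
    report_file, listing_file = sys.argv[1], sys.argv[2]
    with open(listing_file) as f:
        expected = load_expected(f.read())
    with open(report_file) as f:
        edited, unchecked = uncheck_unexpected(f.read(), expected)
    with open(report_file, "w") as f:
        f.write(edited)
    for p in unchecked:
        print("left unchecked for manual review: " + p)
```

Run it over the temporary report file from inside the editor session (for instance by filtering the buffer through it, or by pointing the editor at a small wrapper script), then review only the entries it left unchecked before saving and entering the local passphrase. Unchecked entries keep their old checksum and will be reported again at the next check, which is the behaviour you want for a change you could not explain.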

Tripwire also has a policy update mode that makes changing a policy easier and faster. Using this mode avoids having to rerun a database initialization. Using a text editor, make the change to the clear-text version of the policy file, then type:

[emoret@simca-1000 ~]$ sudo tripwire --update-policy twpol.txt.new
[...]
[x] "/usr/src/kernels/2.6.17-1.2139_FC5-i686/drivers/s390/block/Makefile"
[x] "/usr/src/kernels/2.6.17-1.2139_FC5-i686/drivers/s390/block/Kconfig"