Using Tripwire for file integrity checking
Appropriate file and filesystem permissions are essential to ensure the integrity of the files that physically comprise the database and the Oracle software. We must make sure that no user other than the oracle software owner is granted permission to read or write the physical database files and configuration files, such as listener.ora or sqlnet.ora. When Automatic Storage Management (ASM) is used as the storage medium, we also need to ensure that appropriate permissions are defined on the exposed raw disks. Even though these files are not normally visible through OS commands, the disks can still be compromised by using the dd command. Another problem is related to script or program execution: power users and attackers may hold group-level permissions that would allow them to endanger the integrity of the database files, whether unexpectedly or intentionally.
The alteration of files and directories considered critical in terms of content or permissions can be the first sign of an attack or system penetration. In this category we can also include suspect files with the SUID and SGID bits set (most rootkits install files with SUID and SGID permissions), world-writable, world-readable and world-executable files, and unowned files. One option is to use custom scripts for change detection. In my opinion, this is error-prone and requires serious development effort. A better option is to use specialized intrusion detection tools that have built-in integrity checking algorithms and real-time alerting capabilities (SNMP traps, e-mail, and SMS).
Tripwire is a host-based intrusion detection system (IDS) that takes time-based snapshots of monitored files and directories and compares them in order to detect the different types of modification performed on them.
In the following recipe we will use the open source variant of the Tripwire intrusion detection system and demonstrate some of its key capabilities.
Getting ready
All steps will be performed as the root user on nodeorcl1.
As a prerequisite, download the latest version of the Tripwire source code, extract it, and copy it to a directory that will be used for compiling and linking the source code.
How to do it...
Enter the directory where you have extracted the Tripwire source code, then configure and build the Tripwire binaries and libraries as follows:
    [root@nodeorcl1 tripwire-2.4.2.2-src]# ./configure
    ...
    [root@nodeorcl1 tripwire-2.4.2.2-src]# make install
    ...
    g++ -O -pipe -Wall -Wno-non-virtual-dtor -L../../lib -o tripwire generatedb.o
    ...
    /usr/bin/install -c -m 644 './twconfig.4' '/usr/local/share/man/man4/twconfig.4'
    /usr/bin/install -c -m 644 './twpolicy.4' '/usr/local/share/man/man4/twpolicy.4'
During the make install phase we will be asked to accept the license agreement and to enter a series of passphrases for generating the site and local keys:
    ...
    LICENSE AGREEMENT for Tripwire(R) 2.4 Open Source

    Please read the following license agreement. You must accept the agreement to continue installing Tripwire.

    Press ENTER to view the License Agreement.
    ...
    Please type "accept" to indicate your acceptance of this license agreement. [do not accept] accept
    ...
    Continue with installation? [y/n] y

    (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.)

    Enter the site keyfile passphrase:
    Verify the site keyfile passphrase:
    Generating key (this may take several minutes)...Key generation complete.
    ...
    Enter the local keyfile passphrase:
    Verify the local keyfile passphrase:
    Generating key (this may take several minutes)...Key generation complete.
    ----------------------------------------------
    ...
    [root@nodeorcl1 tripwire-2.4.2.2-src]#
After the installation is complete, initialize Tripwire. At this step the policy and configuration files will be encrypted and applied. Based on the policy and configuration, an initial baseline check will be performed and a database containing the characteristics of the monitored files will be built:
    [root@nodeorcl1 etc]# tripwire --init
    Please enter your local passphrase:
    Parsing policy file: /usr/local/etc/tw.pol
    Generating the database...
    *** Processing Unix File System ***
    ...
    Wrote database file: /usr/local/lib/tripwire/nodeorcl1.twd
    The database was successfully generated.
    [root@nodeorcl1 etc]#
After Tripwire has finished initializing, we will be able to add our own policies. On Red Hat, by default, the initial plain-text policy file, twpol.txt, and configuration file, twcfg.txt, are located in the /usr/local/etc/ directory. For security reasons these plain-text files must be deleted once the encrypted versions have been generated from them. To generate a text-based policy file from the existing policy configuration, execute the following command:
    [root@nodeorcl1 etc]# twadmin --print-polfile > /usr/local/etc/twpolicy.txt
    [root@nodeorcl1 etc]#
Open and edit the /usr/local/etc/twpolicy.txt file. In the global section, after HOSTNAME=nodeorcl1; add the ORACLE_HOME variable as follows:
    HOSTNAME=nodeorcl1;
    ORACLE_HOME="/u01/app/oracle/product/11.2.0/dbhome_1";
Add two new rules covering the Oracle software binaries and libraries (all files from $ORACLE_HOME/bin and $ORACLE_HOME/lib) and the network configuration files (all files from $ORACLE_HOME/network/admin). The files in these directories are mostly static; modifications here are usually made by database administrators (patching, enabling or disabling an option such as OVA or OLS, and network settings), so the ReadOnly summary mask is appropriate. Add a rule for the directory that contains the Oracle Database files (/u02/HACKDB). These files change frequently, so the Dynamic summary mask should be appropriate here. Add the following three sections at the end of the twpolicy.txt file:
    ################################
    # Oracle Libraries and Binaries #
    ################################
    (
      rulename = "Oracle Binaries and Libraries",
      severity = 99
    )
    {
      $(ORACLE_HOME)/bin -> $(ReadOnly);
      $(ORACLE_HOME)/lib -> $(ReadOnly);
    }

    #####################################
    # Oracle Network Configuration Files #
    #####################################
    (
      rulename = "Oracle Network Configuration files",
      severity = 90
    )
    {
      $(ORACLE_HOME)/network/admin -> $(ReadOnly);
    }

    ##########################################
    # Oracle Datafiles
    ##########################################
    (
      rulename = "Oracle Datafiles",
      severity = 99
    )
    {
      /u02/HACKDB -> $(Dynamic);
    }
Perform some modifications in listener.ora and sqlnet.ora. Also, we have decided not to use external procedures and external job execution in the future. Therefore, as a primary security measure, we will move these files (in a production environment you should delete them) from the $ORACLE_HOME/bin directory to the /extprocjob directory:
    [oracle@nodeorcl1 bin]$ mv /u01/app/oracle/product/11.2.0/dbhome_1/bin/extproc /extprocjob
    [oracle@nodeorcl1 bin]$ mv /u01/app/oracle/product/11.2.0/dbhome_1/bin/extjob /extprocjob
Next, as root, update the Tripwire database using the updated policy file as follows:
    [root@nodeorcl1 etc]# tripwire -m p --secure-mode low /usr/local/etc/twpolicy.txt
    Parsing policy file: /usr/local/etc/twpol.txt
    Please enter your local passphrase:
    Please enter your site passphrase:
    ...
    Wrote policy file: /usr/local/etc/tw.pol
    Wrote database file: /usr/local/lib/tripwire/nodeorcl1.twd
    [root@nodeorcl1 etc]#
Again, to simulate an intrusion, perform some modifications on listener.ora and sqlnet.ora, change the permissions on /u02/HACKDB/users01.dbf to world-readable, and move extjob and extproc back to $ORACLE_HOME/bin. Create a file named ha_script in /home/oracle with the SUID and SGID bits set, and a file with world-writable permissions called ha_wwfile:
    [root@nodeorcl1 ~]# chmod o+r /u02/HACKDB/users01.dbf
    [root@nodeorcl1 oracle]# touch ha_script
    [root@nodeorcl1 oracle]# chmod u+s,g+s,u+x ha_script
    [root@nodeorcl1 oracle]# touch ha_wwfile
    [root@nodeorcl1 oracle]# chmod o+w ha_wwfile
Next, as root, perform an interactive check to find out which modifications were performed on the monitored directories and files. The baseline values are recorded in the Expected column and all modifications are recorded in the Observed column, as follows:
    [root@nodeorcl1 etc]# tripwire --check --interactive
    Parsing policy file: /usr/local/etc/tw.pol
    *** Processing Unix File System ***
    Performing integrity check...
    ...
    ### Continuing...
    ...
    Remove the "x" from the adjacent box to prevent updating the database
    with the new values for this object.

    Added:
    [x] "/home/oracle/ha_script"
    [x] "/home/oracle/ha_wwfile"
    ...
    Remove the "x" from the adjacent box to prevent updating the database
    with the new values for this object.

    Added:
    [x] "/u01/app/oracle/product/11.2.0/dbhome_1/bin/extproc"
    [x] "/u01/app/oracle/product/11.2.0/dbhome_1/bin/extjob"

    Modified:
    [x] "/u01/app/oracle/product/11.2.0/dbhome_1/bin"

    -------------------------------------------------------------------------------
    Rule Name: Oracle Network Configuration files (/u01/app/oracle/product/11.2.0/dbhome_1/network/admin)
    Severity Level: 90
    -------------------------------------------------------------------------------

    Remove the "x" from the adjacent box to prevent updating the database
    with the new values for this object.

    Modified:
    [x] "/u01/app/oracle/product/11.2.0/dbhome_1/network/admin"
    [x] "/u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora"
    [x] "/u01/app/oracle/product/11.2.0/dbhome_1/network/admin/sqlnet.ora"

    -------------------------------------------------------------------------------
    Rule Name: Oracle Datafiles (/u02/HACKDB)
    Severity Level: 99
    -------------------------------------------------------------------------------

    Remove the "x" from the adjacent box to prevent updating the database
    with the new values for this object.

    Modified:
    [x] "/u02/HACKDB/users01.dbf"
    ...
    Modified object name:  /u02/HACKDB/users01.dbf

      Property:            Expected                    Observed
      -------------        -----------                 -----------
      Object Type          Regular File                Regular File
      Device Number        64768                       64768
      Inode Number         393224                      393224
    * Mode                 -rw-r-----                  -rw-r--r--
      Num Links            1                           1
      UID                  oracle (501)                oracle (501)
      GID                  oinstall (502)              oinstall (502)
    ...
You will also find information, visible in the Observed column, about the two files added in /home/oracle:
    Added Objects: 2
    ----------------------------------------
    Added object name:  /home/oracle/ha_script

      Property:            Expected                    Observed
      -------------        -----------                 -----------
    * Object Type          ---                         Regular File
    * Device Number        ---                         64771
    * Inode Number         ---                         262354
    * Mode                 ---                         -rwsr-lr--
    * Num Links            ---                         1
    * UID                  ---                         oracle (501)
    * GID                  ---                         oinstall (502)
    * Size                 ---                         0
    * Modify Time          ---                         Sun 23 Sep 2012 10:03:54 PM EEST
    * Blocks               ---                         0
    * CRC32                ---                         D/////
    * MD5                  ---                         DUHYzZjwCyBOmACZjs+EJ+

    Added object name:  /home/oracle/ha_wwfile

      Property:            Expected                    Observed
      -------------        -----------                 -----------
    * Object Type          ---                         Regular File
    * Device Number        ---                         64771
    * Inode Number         ---                         262355
    * Mode                 ---                         -rw-r--rw-
    * Num Links            ---                         1
    * UID                  ---                         oracle (501)
    * GID                  ---                         oinstall (502)
    * Size                 ---                         0
    * Modify Time          ---                         Sun 23 Sep 2012 10:04:24 PM EEST
    * Blocks               ---                         0
    * CRC32                ---                         D/////
    * MD5                  ---                         DUHYzZjwCyBOmACZjs+EJ+
How it works...
The most appropriate moment to install Tripwire and perform the initial check that creates the baseline is right after operating system installation. Starting from a clean baseline, we will be able to monitor and catch any suspect change performed on files over time. The monitoring performed by Tripwire is based on a policy and compliance model. There is a multitude of parameters, or property masks, that can be applied to monitored files, covering permission changes, checksums, object owner, modification timestamp, and more. A property mask tells Tripwire which properties of a file are monitored for change. A summary property mask (such as ReadOnly or Dynamic) is a named collection of property masks. The description of the property masks and summary masks can be found in the header of the policy file.
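To make the snapshot-and-compare model concrete, the following Python (an added example written for this edit, not Tripwire's code or the recipe's own) builds a baseline database under a property mask, re-snapshots, and reports Added, Removed and Modified objects in the Expected/Observed style seen above, then replays the recipe's simulated intrusion in a temporary directory. The mask letters follow the Tripwire policy header; SHA-256 stands in for its CRC32/MD5 checksums, and the file names are constructed, not the real Oracle paths.

```python
import hashlib
import os
import stat
import tempfile

# Property letters as in Tripwire's policy header: p perms, i inode, u uid, g gid, s size, m mtime; H = checksum (SHA-256 here)
READONLY = "piugsmH"   # modelled on $(ReadOnly): any change at all is a finding
DYNAMIC = "piug"       # modelled on $(Dynamic): size, mtime and content are allowed to churn

def snapshot(root, mask):
    """Baseline database: relative path -> the masked properties of each file under root."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            props = {"p": stat.filemode(st.st_mode), "i": st.st_ino, "u": st.st_uid,
                     "g": st.st_gid, "s": st.st_size, "m": int(st.st_mtime)}
            if "H" in mask and stat.S_ISREG(st.st_mode):
                props["H"] = hashlib.sha256(open(full, "rb").read()).hexdigest()
            db[os.path.relpath(full, root)] = {k: v for k, v in props.items() if k in mask}
    return db

def compare(expected, observed):
    """Integrity check: one (path, status, property, expected, observed) tuple per violation."""
    findings = []
    for path in sorted(set(expected) | set(observed)):
        if path not in expected or path not in observed:
            findings.append((path, "Added" if path in observed else "Removed", None, None, None))
        else:  # same object in both snapshots: report every masked property whose value drifted
            findings += [(path, "Modified", k, v, observed[path].get(k))
                         for k, v in expected[path].items() if observed[path].get(k) != v]
    return findings

def suspect_bits(db):
    """Paths whose mode string shows setuid, setgid or world-writable bits, baseline or not."""
    return [p for p, pr in db.items() if pr["p"][3] in "sS" or pr["p"][6] in "sS" or pr["p"][8] == "w"]

def demo():
    """Constructed scenario from the recipe: users01.dbf goes world-readable and a SUID/SGID ha_script appears."""
    root = tempfile.mkdtemp()
    dbf = os.path.join(root, "users01.dbf")
    open(dbf, "w").close()
    os.chmod(dbf, 0o640)
    baseline = snapshot(root, DYNAMIC)               # like the /u02/HACKDB -> $(Dynamic) rule
    os.chmod(dbf, 0o644)                             # chmod o+r /u02/HACKDB/users01.dbf
    open(os.path.join(root, "ha_script"), "w").close()
    os.chmod(os.path.join(root, "ha_script"), 0o6744)  # chmod u+s,g+s,u+x ha_script
    current = snapshot(root, DYNAMIC)
    return compare(baseline, current), suspect_bits(current)
```

Under the Dynamic-style mask the size and mtime churn of a datafile is ignored, yet the permission change on users01.dbf and the new setuid file are still reported, which is exactly the distinction the ReadOnly and Dynamic rules above rely on.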
There's more...
Other administrative options
Print Tripwire configuration file:
    [root@nodeorcl1 lib]# twadmin --print-cfgfile
    ROOT                   =/usr/local/sbin
    POLFILE                =/usr/local/etc/tw.pol
    DBFILE                 =/usr/local/lib/tripwire/$(HOSTNAME).twd
    REPORTFILE             =/usr/local/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
    SITEKEYFILE            =/usr/local/etc/site.key
    LOCALKEYFILE           =/usr/local/etc/nodeorcl1-local.key
    EDITOR                 =/bin/vi
    LATEPROMPTING          =false
    LOOSEDIRECTORYCHECKING =false
    MAILNOVIOLATIONS       =true
    EMAILREPORTLEVEL       =3
    REPORTLEVEL            =3
    MAILMETHOD             =SENDMAIL
    SYSLOGREPORTING        =false
    MAILPROGRAM            =/usr/sbin/sendmail -oi -t
To create or recreate the local and site keys, execute the following:
    [root@nodeorcl1 lib]# tripwire-setup-keyfiles
To print information about a database entry related to a file or object:
    [root@nodeorcl1 lib]# twprint --print-dbfile $ORACLE_HOME/network/admin/listener.ora
To print a generated report:
    [root@nodeorcl1 lib]# twprint --print-report --twrfile /usr/local/lib/tripwire/report/report_name.twr
To add an e-mail address within a rule for change alert:
    ##########################################
    # Oracle Datafiles
    ##########################################
    (
      rulename = "Oracle Datafiles",
      severity = 99,
      emailto = <your email address>
    )
    {
      /u02/HACKDB -> $(Dynamic);
    }