Installing FICC
Warning about (lack of) code maturity
I have tested this software as much as my time and available equipment
allows. As of January 2005, I have received zero reports from
users about their experiences with the software. This code should be
considered very, very raw. Please keep that in mind when evaluating
what environments are appropriate for FICC.
Target Audience
This documentation is being written with the assumption that the user
base will be experienced UNIX system administrators.
Prerequisites
- Perl - FICC has been used with versions 5.6.1 and 5.8.0.
Others may work as well; they just haven't been tested. If Perl
isn't already installed on your system (...what kind of Unix
sysadmin ARE you?), you can download it at
www.perl.com
- The File::Temp module for Perl - this comes built-in with
Perl 5.8.0. You can download the module from
CPAN if you have a version of Perl older than 5.8.0.
- Tripwire - Download this from the
Tripwire homepage.
The only tested version is the Academic Source Release (ASR),
version 1.3.1. Since the commercial and open source versions of
Tripwire already have much of the functionality that FICC provides,
it's unlikely that FICC will ever be modified to work with other
versions.
(Strongly) Recommended
- SSH running on all the machines that you're monitoring.
FICC is all about helping monitor the integrity of your systems.
Letting people sniff your passwords and/or Tripwire sessions really
defeats the whole purpose. SSH solves this problem. The author
recommends OpenSSH, a free
implementation of the SSH protocol.
- A bastion host to run FICC from - in case you're not
familiar with the term, a bastion host is an extremely secure machine
on the network. It should be running as few services as possible
(ideally, it's running SSH and nothing else). The bastion
host should not have any "regular" user accounts. The only people
who should be able to log into the machine are system/network
administrators.
Installation
For these instructions, we will refer to the host that FICC is
run from (hopefully the bastion host that is mentioned above) as the
FICC host. All the machines that the FICC host
connects to and runs Tripwire on will be known as FICC targets.
Configuring the FICC host
- Download and install the prerequisites
on the FICC host. Please do not contact me with reports
of problems getting the prerequisites to install correctly. The
authors of the respective programs can help you far more than I
ever could.
- Download the newest FICC
release.
Rename etc/ficc.conf.sample to
etc/ficc.conf. You will need to edit it to reflect
the location of the executables in the "global_options" section
as well as the target hosts that you will be monitoring. The
sample file is commented and should be self-explanatory.
Note: the parsing done on the config file is very basic.
FICC can detect some simple structural and syntactical errors in
the format. It could not be called "rigorous" by any stretch of
the imagination, however. As long as you don't do anything
utterly psychotic you should find things work fine.
- Update the FICC scripts with the correct location of the Perl
interpreter on the FICC host. The first line of the scripts
bin/updateDB and bin/ficc need this
information. The correct format for this line is:
#!/full/path/to/perl -w
A likely example of this line (run "which perl" on the FICC host
to confirm the path) would be:
#!/usr/bin/perl -w
Configuring a FICC target
- Create a user account which FICC can log into in order to run
Tripwire. For these instructions, we will assume the name of
this account is targetuser.
Set the permissions for the Tripwire executable so that
targetuser can run it.
WARNING: this seems like a simple thing, but the
possible side effects are drastic. targetuser will need
to have (at least) read permissions to every file protected by
Tripwire.
One solution:
- Add a new UNIX group ficcgroup, and make
targetuser a member of the group.
- Set the owner of the Tripwire executable to "root", and
the group to ficcgroup.
Set the permissions of the Tripwire executable to
4750. In other words, give root full permissions to
Tripwire, let the group run the executable, and let no one
else run it. The restriction matters because the setuid bit
is set: whoever can execute Tripwire gets it running as root,
which is what allows targetuser to read every file that
Tripwire monitors. Verify the result with "ls -l" on the
executable; it should show -rwsr-x--- with owner root and
group ficcgroup.
Before taking this step, I'd strongly recommend doing some
research on the effects of running an executable that is
setuid root. The setuid permission is arguably one of the
absolute worst features in UNIX. It's entirely possible that
using setuid permissions to enable FICC to run will make your
target hosts less secure: any vulnerability in the Tripwire
binary becomes a local root escalation for every member of
ficcgroup.
YOU HAVE BEEN WARNED.
Enable the bastion host to log into this target host
without needing a password.
The wrong way to accomplish this: a .rhosts file in the
targetuser account and using rsh.
If you don't understand why this is a bad idea, you probably
shouldn't be contemplating using FICC in the first place.
The right way: Exporting the SSH public key
from the user who runs FICC on the FICC host to this target host.
ONLamp has a quick
tutorial about how to accomplish this. Once the key is in place,
restrict it in targetuser's authorized_keys with OpenSSH's from=
option (plus no-pty and the no-*-forwarding options) so the key
is only usable from the FICC host, and lock the account's
password so key authentication is the only way in.
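The target-side steps above (group, account, 4750 root:ficcgroup on the Tripwire binary, restricted key) as a single script. This is an added example and not part of FICC; it assumes a Linux host with the shadow-utils commands (groupadd, useradd, passwd), a Tripwire binary at /usr/local/sbin/tripwire, an account called targetuser in group ficcgroup, and a FICC host at the documentation-only address 192.0.2.10. All of those can be overridden through the environment variables at the top. Nothing is changed unless the script is run as root with the argument "apply"; the check_perms and authorized_keys_entry helpers can be used on their own.

```sh
#!/bin/sh
# Added example for preparing a FICC target; this is not FICC's own code.
# Assumptions (not from the FICC documentation): Linux with shadow-utils,
# Tripwire at /usr/local/sbin/tripwire, FICC host at 192.0.2.10.
set -eu

TRIPWIRE=${TRIPWIRE:-/usr/local/sbin/tripwire}
TARGET_USER=${TARGET_USER:-targetuser}
TARGET_GROUP=${TARGET_GROUP:-ficcgroup}
FICC_HOST_IP=${FICC_HOST_IP:-192.0.2.10}
FICC_PUBKEY=${FICC_PUBKEY:-}   # contents of the FICC user's public key file

# Group that may run Tripwire, plus a key-only account that belongs to it.
setup_account() {
    groupadd "$TARGET_GROUP"
    useradd -m -g "$TARGET_GROUP" -s /bin/sh "$TARGET_USER"
    passwd -l "$TARGET_USER"   # lock the password: the SSH key is the only way in
}

# root:ficcgroup, mode 4750: setuid root, group may execute, nobody else.
lock_down_tripwire() {
    chown root:"$TARGET_GROUP" "$TRIPWIRE"
    chmod 4750 "$TRIPWIRE"
}

# Succeeds only if FILE has exactly mode 4750 and the given owner and group.
# -perm without a leading '-' is an exact match, so 4755 or 0750 fail here.
check_perms() {
    f=$1; owner=$2; group=$3
    [ -n "$(find "$f" -prune -perm 4750 -user "$owner" -group "$group" 2>/dev/null)" ]
}

# authorized_keys line that ties the key to the FICC host and disables
# everything except plain command execution (drop no-pty if your FICC
# invocation turns out to need a terminal).
authorized_keys_entry() {
    src_ip=$1; pubkey=$2
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$src_ip" "$pubkey"
}

install_key() {
    home=$(eval echo "~$TARGET_USER")
    install -d -m 700 -o "$TARGET_USER" -g "$TARGET_GROUP" "$home/.ssh"
    authorized_keys_entry "$FICC_HOST_IP" "$FICC_PUBKEY" >> "$home/.ssh/authorized_keys"
    chown "$TARGET_USER:$TARGET_GROUP" "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Only make changes when explicitly asked: "sh prepare-target.sh apply" (as root).
if [ "${1:-}" = "apply" ]; then
    [ -n "$FICC_PUBKEY" ] || { echo "set FICC_PUBKEY first" >&2; exit 1; }
    setup_account
    lock_down_tripwire
    install_key
    check_perms "$TRIPWIRE" root "$TARGET_GROUP" || { echo "permission check failed" >&2; exit 1; }
    echo "target prepared; from the FICC host try: ssh $TARGET_USER@<this host> id"
fi
```

The from= restriction means a stolen FICC key is useless from anywhere but the FICC host, and no-pty plus the no-*-forwarding options keep the account from being turned into an interactive foothold or a tunnel endpoint. The exact-match check_perms is the "ls -l" verification from the text made scriptable; it deliberately rejects a world-executable 4755, which would hand the setuid binary to every local user.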
Post-install configuration of the FICC host
- Generate the checksum database. If you are confident that all
your target hosts are uncompromised at the current point in time,
you should generate a checksum of the critical files (meaning the
Tripwire configuration, executable, and database) for each target
host. To do this, run the
updateDB script located
in the bin/ directory. Any problems encountered in
parsing the config file will be displayed here. Fix the errors and
try again. Once updateDB is able to run without
any errors it has successfully obtained signatures for the key files
from all your target hosts. These checksums are stored in the
db/ directory, with one directory per target host.
- Run FICC. Any errors with the configuration file will display
here, though you SHOULD have fixed all those errors before you
progressed past the previous step. FICC will now connect to each
target host and verify that the checksums for the key files in its
local database match the checksums of the actual files. This can
be done in one of two ways:
- If the "quick_check" feature is set for this target host in
the FICC config file, FICC will retrieve the MD5 executable
from the target host. If FICC determines that this MD5
executable is unmodified, it will then connect to the target
host via SSH and use the target host's MD5 executable to
verify the key Tripwire files (the executable, config file, and
database).
- If the "quick_check" feature is not set, FICC will retrieve
all the Tripwire files and calculate the checksum for these
files locally.
Note that both modes trust the target's SSH daemon and shell to
return the real file contents; a target compromised at the
kernel level can lie to either check.
If there are any discrepancies, FICC will mail that information
to the admin for that target host and then move on to the next
target host.
If the checksum tests are successful, FICC will then reconnect
to the target host and run Tripwire. If Tripwire detects that any
of the files it monitors have been modified, the entire output of
the Tripwire run will be mailed to the admin of the target host.
If no
file changes are detected, FICC will check the "mail_if_unchanged"
option for the target host. If the option is set, FICC will e-mail
the administrator a message that confirms that the FICC run was
successful and Tripwire detected no changes. If the
"mail_if_unchanged" feature is not set and Tripwire detects no
modifications, no e-mails will be sent.
- If you're happy with your run of FICC, set up a cron job on the
FICC host to run it on a regular basis of your choosing. Keep in
mind that running FICC can be a very bandwidth-intensive operation,
as it may be retrieving the Tripwire database from each target host.
To drastically reduce the bandwidth usage, consider enabling the
"quick_check" feature for each of your target hosts. In my own
experience, this reduced the number of bytes transferred during a
FICC run from ~4 MB down to ~100 KB.
- At this point you should be good to go. If you have any
outstanding issues, please don't hesitate to contact me.
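The baseline-and-verify logic that updateDB and the FICC run perform, reduced to a shell sketch so the difference between the full check and "quick_check" is visible. This is an added example and not FICC's code: FICC's real database layout, config keys and mail handling are not reproduced. It assumes a db/<host>/sums file of md5sum-style "hash  path" lines, a target MD5 tool at /usr/bin/md5sum (MD5_BIN), and non-interactive ssh to each target (REMOTE_CMD can be pointed at a local wrapper to dry-run everything on one machine).

```sh
#!/bin/sh
# Added example, not part of FICC: baseline + verify logic in the style of
# updateDB and ficc. Assumptions (not from the FICC docs): db/<host>/sums holds
# "hash  path" lines, the target's MD5 tool is /usr/bin/md5sum, and targets are
# reached with non-interactive ssh.
set -eu

DB=${DB:-./db}
MD5_BIN=${MD5_BIN:-/usr/bin/md5sum}

# Run a command on a target. REMOTE_CMD defaults to ssh; point it at a local
# wrapper such as  local_exec() { shift; "$@"; }  to dry-run on one machine.
run_on() {
    host=$1; shift
    ${REMOTE_CMD:-ssh -o BatchMode=yes} "$host" "$@"
}

# Hash a target file on the FICC host: stream it over ssh, hash the copy.
# Because of set -e a failed ssh or cat aborts instead of hashing nothing.
local_hash_of() {
    tmp=$(mktemp)
    run_on "$1" cat "$2" > "$tmp"
    sum=$(md5sum "$tmp" | cut -d' ' -f1)
    rm -f "$tmp"
    printf '%s\n' "$sum"
}

stored_hash() {
    awk -v p="$2" '$2 == p { print $1 }' "$DB/$1/sums"
}

# updateDB-style baseline: the target's md5 tool first, then the key files
# (Tripwire executable, config, database). Run only on hosts you trust now.
snapshot() {
    host=$1; shift
    mkdir -p "$DB/$host"
    : > "$DB/$host/sums"
    for f in "$MD5_BIN" "$@"; do
        h=$(local_hash_of "$host" "$f")
        printf '%s  %s\n' "$h" "$f" >> "$DB/$host/sums"
    done
}

# Full mode: fetch every file again and hash it locally. Bandwidth heavy
# (the Tripwire database is the big one) but trusts no tool on the target.
verify_full() {
    host=$1; shift
    rc=0
    for f in "$@"; do
        [ "$(local_hash_of "$host" "$f")" = "$(stored_hash "$host" "$f")" ] \
            || { echo "MISMATCH $host:$f"; rc=1; }
    done
    return $rc
}

# quick_check mode: fetch and verify only the md5 tool, then let that tool
# hash the files in place. Fails closed if the tool itself has changed.
verify_quick() {
    host=$1; shift
    [ $# -gt 0 ] || { echo "no files given"; return 1; }
    if [ "$(local_hash_of "$host" "$MD5_BIN")" != "$(stored_hash "$host" "$MD5_BIN")" ]; then
        echo "MISMATCH $host:$MD5_BIN (not trusting remote checksums)"
        return 1
    fi
    remote_sums=$(run_on "$host" "$MD5_BIN" "$@")
    rc=0
    for f in "$@"; do
        got=$(printf '%s\n' "$remote_sums" | awk -v p="$f" '$2 == p { print $1 }')
        [ -n "$got" ] && [ "$got" = "$(stored_hash "$host" "$f")" ] \
            || { echo "MISMATCH $host:$f"; rc=1; }
    done
    return $rc
}

# Example cron line for the FICC host (the install path is an assumption):
# 0 3 * * *  /usr/local/ficc/bin/ficc
```

The point of the quick mode is that only one small binary crosses the wire each run; the trust in the target's other checksums rests entirely on that binary matching its baseline, which is why verify_quick refuses to look at anything else when it does not.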
Copyright © 2003-2009, Terry D. Ott