From 089d3638f1e990e22ac5f453422d3759aba3c6f7 Mon Sep 17 00:00:00 2001 From: DeadFire Date: Mon, 9 Nov 2015 15:54:41 +0800 Subject: [PATCH] =?UTF-8?q?20151109-2=20=E9=80=89=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...How to Configure Tripwire IDS on Debian.md | 379 ++++++++++++++++++ ...ll GitLab on Ubuntu or Fedora or Debian.md | 177 ++++++++ 2 files changed, 556 insertions(+) create mode 100644 sources/tech/20151109 How to Configure Tripwire IDS on Debian.md create mode 100644 sources/tech/20151109 How to Install GitLab on Ubuntu or Fedora or Debian.md diff --git a/sources/tech/20151109 How to Configure Tripwire IDS on Debian.md b/sources/tech/20151109 How to Configure Tripwire IDS on Debian.md new file mode 100644 index 0000000000..e430c74e41 --- /dev/null +++ b/sources/tech/20151109 How to Configure Tripwire IDS on Debian.md 
@@ -0,0 +1,379 @@ +How to Configure Tripwire IDS on Debian +================================================================================ +This article is about Tripwire installation and configuration on Debian OS. It is a host based Intrusion detection system (IDS) for Linux environment. Prime function of tripwire IDS is to detect and report any unauthorized change (files and directories ) on linux system. After tripwire installation, baseline database created first, tripwire monitors and detects changes such as new file addition/creation, file modification and user who changed it etc. If the changes are legitimate, you can accept the changes to update tripwire database. + +### Installation and Configuration ### + +Tripwire installation on Debian VM is shown below. + + # apt-get install tripwire + +![installation](http://blog.linoxide.com/wp-content/uploads/2015/11/installation.png) + +During installation, tripwire prompt for following configuration. + +#### Site key Creation #### + +Tripwire required a site passphrase to secure the tw.cfg tripwire configuration file and tw.pol tripwire policy file. Tripewire encrypte both files using given passphrase. Site passphrase is must even for a single instance tripwire. + +![site key1](http://blog.linoxide.com/wp-content/uploads/2015/11/site-key1.png) + +#### Local Key passphrase #### + +Local passphrase is needed for the protection of tripwire database and report files . Local key used by the tripwire to avoid unauthorized modification of tripwire baseline database. + +![local key1](http://blog.linoxide.com/wp-content/uploads/2015/11/local-key1.png) + +#### Tripwire configuration path #### + +Tripwire configuration saved in the /etc/tripwire/twcfg.txt file. It is used to generate encrypted configuration file tw.cfg. + +![configuration file](http://blog.linoxide.com/wp-content/uploads/2015/11/configuration-file.png) + +**Tripwire Policy path** + +Tripwire saves policies in /etc/tripwire/twpol.txt file . 
It is used for the generation of encrypted policy file tw.pol used by the tripwire. + +![tripwire policy](http://blog.linoxide.com/wp-content/uploads/2015/11/tripwire-policy.png) + +Final installation of tripwire is shown in the following snapshot. + +![installed tripewire1](http://blog.linoxide.com/wp-content/uploads/2015/11/installed-tripewire1.png) + +#### Tripwire Configuration file (twcfg.txt) #### + +Tripwire configuration file (twcfg.txt) details is given below. Paths of encrypted policy file (tw.pol), site key (site.key) and local key (hostname-local.key) etc are given below. + + ROOT =/usr/sbin + + POLFILE =/etc/tripwire/tw.pol + + DBFILE =/var/lib/tripwire/$(HOSTNAME).twd + + REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr + + SITEKEYFILE =/etc/tripwire/site.key + + LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key + + EDITOR =/usr/bin/editor + + LATEPROMPTING =false + + LOOSEDIRECTORYCHECKING =false + + MAILNOVIOLATIONS =true + + EMAILREPORTLEVEL =3 + + REPORTLEVEL =3 + + SYSLOGREPORTING =true + + MAILMETHOD =SMTP + + SMTPHOST =localhost + + SMTPPORT =25 + + TEMPDIRECTORY =/tmp + +#### Tripwire Policy Configuration #### + +Configure tripwire configuration before generation of baseline database. It is necessary to disable few policies such as /dev , /proc ,/root/mail etc. Detailed policy file twpol.txt is given below. 
+ + @@section GLOBAL + TWBIN = /usr/sbin; + TWETC = /etc/tripwire; + TWVAR = /var/lib/tripwire; + + # + # File System Definitions + # + @@section FS + + # + # First, some variables to make configuration easier + # + SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change + + SEC_BIN = $(ReadOnly) ; # Binaries that should not change + + SEC_CONFIG = $(Dynamic) ; # Config files that are changed + # infrequently but accessed + # often + + SEC_LOG = $(Growing) ; # Files that grow, but that + # should never change ownership + + SEC_INVARIANT = +tpug ; # Directories that should never + # change permission or ownership + + SIG_LOW = 33 ; # Non-critical files that are of + # minimal security impact + + SIG_MED = 66 ; # Non-critical files that are of + # significant security impact + + SIG_HI = 100 ; # Critical files that are + # significant points of + # vulnerability + + # + # Tripwire Binaries + # + ( + rulename = "Tripwire Binaries", + severity = $(SIG_HI) + ) + { + $(TWBIN)/siggen -> $(SEC_BIN) ; + $(TWBIN)/tripwire -> $(SEC_BIN) ; + $(TWBIN)/twadmin -> $(SEC_BIN) ; + $(TWBIN)/twprint -> $(SEC_BIN) ; + } + { + /boot -> $(SEC_CRIT) ; + /lib/modules -> $(SEC_CRIT) ; + } + + ( + rulename = "Boot Scripts", + severity = $(SIG_HI) + ) + { + /etc/init.d -> $(SEC_BIN) ; + #/etc/rc.boot -> $(SEC_BIN) ; + /etc/rcS.d -> $(SEC_BIN) ; + /etc/rc0.d -> $(SEC_BIN) ; + /etc/rc1.d -> $(SEC_BIN) ; + /etc/rc2.d -> $(SEC_BIN) ; + /etc/rc3.d -> $(SEC_BIN) ; + /etc/rc4.d -> $(SEC_BIN) ; + /etc/rc5.d -> $(SEC_BIN) ; + /etc/rc6.d -> $(SEC_BIN) ; + } + + ( + rulename = "Root file-system executables", + severity = $(SIG_HI) + ) + { + /bin -> $(SEC_BIN) ; + /sbin -> $(SEC_BIN) ; + } + + # + # Critical Libraries + # + ( + rulename = "Root file-system libraries", + severity = $(SIG_HI) + ) + { + /lib -> $(SEC_BIN) ; + } + + # + # Login and Privilege Raising Programs + # + ( + rulename = "Security Control", + severity = $(SIG_MED) + ) + { + /etc/passwd -> $(SEC_CONFIG) ; + /etc/shadow -> 
$(SEC_CONFIG) ; + } + { + #/var/lock -> $(SEC_CONFIG) ; + #/var/run -> $(SEC_CONFIG) ; # daemon PIDs + /var/log -> $(SEC_CONFIG) ; + } + + # These files change the behavior of the root account + ( + rulename = "Root config files", + severity = 100 + ) + { + /root -> $(SEC_CRIT) ; # Catch all additions to /root + #/root/mail -> $(SEC_CONFIG) ; + #/root/Mail -> $(SEC_CONFIG) ; + /root/.xsession-errors -> $(SEC_CONFIG) ; + #/root/.xauth -> $(SEC_CONFIG) ; + #/root/.tcshrc -> $(SEC_CONFIG) ; + #/root/.sawfish -> $(SEC_CONFIG) ; + #/root/.pinerc -> $(SEC_CONFIG) ; + #/root/.mc -> $(SEC_CONFIG) ; + #/root/.gnome_private -> $(SEC_CONFIG) ; + #/root/.gnome-desktop -> $(SEC_CONFIG) ; + #/root/.gnome -> $(SEC_CONFIG) ; + #/root/.esd_auth -> $(SEC_CONFIG) ; + # /root/.elm -> $(SEC_CONFIG) ; + #/root/.cshrc -> $(SEC_CONFIG) ; + #/root/.bashrc -> $(SEC_CONFIG) ; + #/root/.bash_profile -> $(SEC_CONFIG) ; + # /root/.bash_logout -> $(SEC_CONFIG) ; + #/root/.bash_history -> $(SEC_CONFIG) ; + #/root/.amandahosts -> $(SEC_CONFIG) ; + #/root/.addressbook.lu -> $(SEC_CONFIG) ; + #/root/.addressbook -> $(SEC_CONFIG) ; + #/root/.Xresources -> $(SEC_CONFIG) ; + #/root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login + /root/.ICEauthority -> $(SEC_CONFIG) ; + } + + # + # Critical devices + # + ( + rulename = "Devices & Kernel information", + severity = $(SIG_HI), + ) + { + #/dev -> $(Device) ; + #/proc -> $(Device) ; + } + +#### Tripwire Report #### + +**tripwire –check** command checks the twpol.txt file and based on this file generates tripwire report which is shown below. If this is any error in the twpol.txt file, tripwire does not generate report. + +![tripwire report](http://blog.linoxide.com/wp-content/uploads/2015/11/tripwire-report.png) + +**Report in text form** + + root@VMdebian:/home/labadmin# tripwire --check + + Parsing policy file: /etc/tripwire/tw.pol + + *** Processing Unix File System *** + + Performing integrity check... 
+ + Wrote report file: /var/lib/tripwire/report/VMdebian-20151024-122322.twr + + Open Source Tripwire(R) 2.4.2.2 Integrity Check Report + + Report generated by: root + + Report created on: Sat Oct 24 12:23:22 2015 + + Database last updated on: Never + + Report Summary: + + ========================================================= + + Host name: VMdebian + + Host IP address: 127.0.1.1 + + Host ID: None + + Policy file used: /etc/tripwire/tw.pol + + Configuration file used: /etc/tripwire/tw.cfg + + Database file used: /var/lib/tripwire/VMdebian.twd + + Command line used: tripwire --check + + ========================================================= + + Rule Summary: + + ========================================================= + + ------------------------------------------------------------------------------- + + Section: Unix File System + + ------------------------------------------------------------------------------- + + Rule Name Severity Level Added Removed Modified + + --------- -------------- ----- ------- -------- + + Other binaries 66 0 0 0 + + Tripwire Binaries 100 0 0 0 + + Other libraries 66 0 0 0 + + Root file-system executables 100 0 0 0 + + Tripwire Data Files 100 0 0 0 + + System boot changes 100 0 0 0 + + (/var/log) + + Root file-system libraries 100 0 0 0 + + (/lib) + + Critical system boot files 100 0 0 0 + + Other configuration files 66 0 0 0 + + (/etc) + + Boot Scripts 100 0 0 0 + + Security Control 66 0 0 0 + + Root config files 100 0 0 0 + + Invariant Directories 66 0 0 0 + + Total objects scanned: 25943 + + Total violations found: 0 + + =========================Object Summary:================================ + + ------------------------------------------------------------------------------- + + # Section: Unix File System + + ------------------------------------------------------------------------------- + + No violations. 
+ + ===========================Error Report:===================================== + + No Errors + + ------------------------------------------------------------------------------- + + *** End of report *** + + Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered + + trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; + + for details use --version. This is free software which may be redistributed + + or modified only under certain conditions; see COPYING for details. + + All rights reserved. + + Integrity check complete. + +### Conclusion ### + +In this article, we learned installation and basic configuration of open source IDS tool Tripwire. First it generates baseline database and detects any change (file/folder) by comparing it with already generated baseline. However, tripwire is not live monitoring IDS. + +-------------------------------------------------------------------------------- + +via: http://linoxide.com/security/configure-tripwire-ids-debian/ + +作者:[nido][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:http://linoxide.com/author/naveeda/ \ No newline at end of file diff --git a/sources/tech/20151109 How to Install GitLab on Ubuntu or Fedora or Debian.md b/sources/tech/20151109 How to Install GitLab on Ubuntu or Fedora or Debian.md new file mode 100644 index 0000000000..424e201b2c --- /dev/null +++ b/sources/tech/20151109 How to Install GitLab on Ubuntu or Fedora or Debian.md 
@@ -0,0 +1,177 @@ +How to Install GitLab on Ubuntu / Fedora / Debian +================================================================================ +Distributed version control was never easy before git. Git is a free and open source software that is designed to handle everything from small to very large projects with ease and speed. Git was first developed by Linus Torvalds who was also the founder of well-known Linux Kernel. [GitLab][1] is an awesome development in the field of git and distributed version control system. It is a web based Git repository managing application which includes features like code reviews,wikis, issue tracking and much more. Creating, reviewing and deploying codes is very easy, managed and fast with GitLab. It can be hosted in our own server though it also provides free repository hosting in its official server which is similar to Github. GitLab has two different editions, Community Edition and Enterprise Edition. Community Edition is a complete free and open source software licensed under MIT License whereas Enterprise Edition is under a proprietary license, and contains features that are not present in the CE version. Here are some easy steps on how we can install GitLab Community Edition on our machine running Ubuntu, Fedora and Debian as operating system. + +### 1. Installing Pre-requisties ### + +First of all, we'll install the required dependencies by GitLab Community Edition. We'll install curl in order to download our required files, openssh-server in order to ssh into our machine, ca-certificates to add CA Certifications and postfix as an MTA (Mail Transfer Agent). + +Note: To install GitLab CE, we need to have a linux machine with at least 2 GB RAM and 2 Cores CPU. + +#### On Ubuntu 14 .04/Debian 8.x #### + +As these packages are available on the official repository of box Ubuntu 14.04 and Debian 8.x, we'll simply install it using apt-get package manager. 
To do so, we'll need to execute the following command in a terminal or console. + + # apt-get install curl openssh-server ca-certificates postfix + +![install dependencies gitlab ubuntu debian](http://blog.linoxide.com/wp-content/uploads/2015/10/install-dependencies-gitlab-ubuntu-debian.png) + +#### On Fedora 22 #### + +In Fedora 22, the default package manager is dnf as yum has been depreciated. So, we'll simply run the following dnf command in order to install those required packages. + + # dnf install curl openssh-server postfix + +![install dependencies gitlab fedora](http://blog.linoxide.com/wp-content/uploads/2015/10/install-dependencies-gitlab-fedora.png) + +### 2. Starting and Enabling Services ### + +Now, we'll start the services of sshd and postfix using our default init system. And we'll also enable them to start automatically in every system boot. + +#### On Ubuntu 14.04 #### + +As SysVinit is installed as init system in Ubuntu 14.04, we'll use services command to start sshd and postfix daemon. + + # service sshd start + # service postfix start + +Now, in order to make them start automatically in every boot, we'll need to run the following update-rc.d command. + + # update-rc.d sshd enable + # update-rc.d postfix enable + +#### On Fedora 22/Debian 8.x #### + +As Fedora 22 and Debian 8.x is shipped with Systemd instead of SysVinit as default init system, we'll simply run the following command to start the sshd and postfix services. + + # systemctl start sshd postfix + +Now, in order to make them start automatically in every boot, we'll need to run the following systemctl command. + + # systemctl enable sshd postfix + + Created symlink from /etc/systemd/system/multi-user.target.wants/sshd.service to /usr/lib/systemd/system/sshd.service. + Created symlink from /etc/systemd/system/multi-user.target.wants/postfix.service to /usr/lib/systemd/system/postfix.service. + +### 3. 
Downloading GitLab ### + +We'll now download the binary installation files from the official GitLab CE Repository using curl. First, we'll need to navigate to the repository in order to get the download link of the required file. To do so, we'll need to run the following command in our linux machine running the respective operating system. + +#### On Ubuntu 14.04 #### + +As Ubuntu and Debian uses the same debian format file, we'll gonna search the required version of GitLab under [https://packages.gitlab.com/gitlab/gitlab-ce?filter=debs][2] and click on the link of the required release with ubuntu/trusty tag as we are running Ubuntu 14.04. A new page will appear in which we can see the Download button, we'll gonna right click it, get the link of the file and then download it using curl as shown bellow. + + # curl https://packages.gitlab.com/gitlab/gitlab-ce/packages/ubuntu/trusty/gitlab-ce_8.1.2-ce.0_amd64.deb + +![Downloading Gitlab Ubuntu](http://blog.linoxide.com/wp-content/uploads/2015/10/downloading-gitlab-ubuntu.png) + +#### On Debian 8.x #### + +Like Ubuntu, we'll gonna search the required version of it under [https://packages.gitlab.com/gitlab/gitlab-ce?filter=debs][3] and click on the link of the requried release with debian/jessie tag as we are running Debian 8.x. Then, a new page will appear in which we'll right click on the Download button and get the file's download link. We'll next download it using curl as shown below. 
+ + # curl https://packages.gitlab.com/gitlab/gitlab-ce/packages/debian/jessie/gitlab-ce_8.1.2-ce.0_amd64.deb/download + +![Downloading Gitlab Debian](http://blog.linoxide.com/wp-content/uploads/2015/10/downloading-gitlab-debian.png) + +#### On Fedora 22 #### + +As Fedora uses the rpm file for packages, we'll gonna search the required version of GitLab under [https://packages.gitlab.com/gitlab/gitlab-ce?filter=rpms][4] and click on the link of the required release, here as we are running Fedora 22, we'll select the release with el/7 tag. A new page will appear in which we can see the Download button, we'll gonna right click it, get the link of the file and then download it using curl as shown bellow. + + # curl https://packages.gitlab.com/gitlab/gitlab-ce/packages/el/7/gitlab-ce-8.1.2-ce.0.el7.x86_64.rpm/download + +![Downloading Gitlab Fedora](http://blog.linoxide.com/wp-content/uploads/2015/10/downloading-gitlab-fedora.png) + +### 4. Installing GitLab ### + +After our repository source is added in our linux machine, we'll now go for the installation of GitLab Community Edition using the default package manger of the respective distribution of linux. + +#### On Ubuntu 14.04/Debian 8.x #### + +To install GitLab CE in machine running Ubuntu 14.04 or Debian 8.x linux distribution which has apt-get package manager, we'll simply run the following command. + + # dpkg -i gitlab-ce_8.1.2-ce.0_amd64.deb + +![Installing Gitlab Ubuntu Debian](http://blog.linoxide.com/wp-content/uploads/2015/10/installing-gitlab-ubuntu-debian.png) + +#### On Fedora 22 #### + +We can execute the following dnf command to install it in our Fedora 22 box. + + # dnf install gitlab-ce-8.1.2-ce.0.el7.x86_64.rpm + +![Installing Gitlab Fedora](http://blog.linoxide.com/wp-content/uploads/2015/10/installing-gitlab-fedora.png) + +### 5. Configuring and Starting GitLab ### + +Next, as GitLab CE has been successfully installed in our linux system. We'll now go ahead for configuring and starting it. 
To do so, we'll need to run the following command which is same in Ubuntu, Debian and Fedora distributions. + + # gitlab-ctl reconfigure + +![Reconfiguring Gitlab](http://blog.linoxide.com/wp-content/uploads/2015/10/reconfiguring-gitlab.png) + +### 6. Allowing Firewall ### + +If we have firewall program enabled for security in our linux box, we'll need to allow port 80 which is the default port of GitLab CE in order to make the web interface accessible across the network. Firewalld and iptables are most widely used firewall programs in linux distributions. In order to do so, we'll need to run the following commands. +On Iptables + +Iptables are installed and used in Ubuntu 14.04 by default. So, we'll need to run the following iptables commands to open port 80 in it. + + # iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT + + # /etc/init.d/iptables save + +#### On Firewalld #### + +As Fedora 22 and Debian 8.x has systemd installed by default, it contains firewalld running as firewall program. In order to open the port 80 (http service) on firewalld, we'll need to execute the below commands. + + # firewall-cmd --permanent --add-service=http + + success + + # firewall-cmd --reload + + success + +### 7. Accessing GitLab Web Interface ### + +Finally, we'll now go for accessing the web interface of GitLab CE. To do so, we'll need to point our web browser to the GitLab server with http://ip-address/ or http://domain.com/ according to our configuration. After we have pointed successfully, we'll see the following screen. + +![Gitlab Login Screen](http://blog.linoxide.com/wp-content/uploads/2015/10/gitlab-login-screen.png) + +Now, in order to login to the panel, we'll need to click on Login button which will ask us an username and a password. We'll now enter the default username and password ie **root** and **5iveL!fe** respectively. After logging into the dashboard, we'll be asked to compulsorily enter the new password for our GitLab root user. 
+ +![Setting New Password Gitlab](http://blog.linoxide.com/wp-content/uploads/2015/10/setting-new-password-gitlab.png) + +### 8. Creating Repository ### + +After we have successfully changed the password and logged in to our dashboard, we'll now create a new repository for our new project. To do so, we'll need to go under Projects and click on **NEW PROJECT** green button. + +![Creating New Projects](http://blog.linoxide.com/wp-content/uploads/2015/10/creating-new-projects.png) + +Then, we'll be asked to enter the required information and settings for our repository as shown below. We can even import our project from many git repository providers and repositories. + +![Creating New Project](http://blog.linoxide.com/wp-content/uploads/2015/10/configuring-git-project.png) + +After thats done, we'll be able to access our Git repository using any Git client including the basic git command line. We can see every activities done in the repository with other functions like creating a milestone, managing issues, merge requests, managing members, labels and Wiki for our projects. + +![Gitlab Menu](http://blog.linoxide.com/wp-content/uploads/2015/10/gitlab-menu.png) + +### Conclusion ### + +GitLab is an awesome open source web application for managing our git repository. It has a beautiful, responsive interface with plenty of cool features. It is packed with many cool features like managing groups, deploying keys, Continuous Integration, viewing logs, broadcast messages, hooks, system OAuth applications, templates and more. It has the ability to integrate tons of tools such as Slack, Hipchat, LDAP, JIRA, Jenkins, many types of hooks and a complete API. It has the minimum requirement of 2 GB RAM and 2 Cores CPU to run smoothly up to 500 users but also can be scaled to multiple active servers. If you have any questions, suggestions, feedback please write them in the comment box below so that we can improve or update our contents. Thank you ! 
+ +-------------------------------------------------------------------------------- + +via: http://linoxide.com/linux-how-to/install-gitlab-on-ubuntu-fedora-debian/ + +作者:[Arun Pyasi][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:http://linoxide.com/author/arunp/ +[1]:https://about.gitlab.com/ +[2]:https://packages.gitlab.com/gitlab/gitlab-ce?filter=debs +[3]:https://packages.gitlab.com/gitlab/gitlab-ce?filter=debs +[4]:https://packages.gitlab.com/gitlab/gitlab-ce?filter=rpms \ No newline at end of file
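Review bot: In the twpol.txt listing of "20151109 How to Configure Tripwire IDS on Debian.md", two brace blocks have lost their rule headers: the "{ /boot ... /lib/modules }" block directly after "Tripwire Binaries" and the "{ /var/log }" block directly after "Security Control" carry no rulename or severity. The report further down lists rules such as "Critical system boot files" and "System boot changes (/var/log)" that appear nowhere in the listing. Since the article itself says tripwire generates no report when twpol.txt contains an error, restore the missing "( rulename = ..., severity = ... )" headers from the source before this goes to translation, or mark the listing as an excerpt. The Tripwire Report paragraph also writes the command as "tripwire –check" with an en dash, which will not run if copied; it should match the "tripwire --check" shown in the text report. The article also goes from editing twpol.txt straight to the check without showing how the policy is re-signed or how the baseline database is created, so a translator's note pointing at that gap would help readers.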
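Review bot: In section 3 of "20151109 How to Install GitLab on Ubuntu or Fedora or Debian.md", all three curl commands are given without -o or -O, so the package is written to the terminal rather than saved, and the Ubuntu URL also lacks the "/download" suffix that the Debian and Fedora URLs have; section 4 then installs "gitlab-ce_8.1.2-ce.0_amd64.deb" from a file that was never created. Suggest adding an explicit output name (for example "-o gitlab-ce_8.1.2-ce.0_amd64.deb") and a step that verifies the downloaded package before "dpkg -i" or "dnf install", since it is installed as root from a direct download. Section 4 also opens with "After our repository source is added" although no repository is added anywhere in the steps. On Ubuntu 14.04 the OpenSSH service is named "ssh", so "service sshd start" and "update-rc.d sshd enable" will fail as written. Sections 6 and 7 open port 80 and have the reader enter the default root password over "http://"; a note to set up HTTPS before the first login would be worth adding. "On Iptables" is also missing the "####" heading markup used by "On Firewalld".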