
Lab 6 System Integrity

Uploaded by

Jay D

Program: CS

Course: Unix Security


Lab 6: System integrity

Name: ___________________________________

Import the VM provided in Debian-Server.ova into Virtual Box. Then, respond to all questions
in your own words, providing screenshots of your work to support it.

NOTE: If you are using a previously imported VM, it is recommended to create a snapshot before
making any of the modifications requested in this lab. After finishing, you can restore the snapshot
to return to the original state.

Part A: Hashing algorithms


1. System integrity can be verified by comparing the hash of a file with a known hash. Some
hashing algorithms, such as MD5 or SHA1, are obsolete but still in use in some cases. Go to
the Canadian mirror for Debian 10.13 (http://ftp.ca.debian.org/debian/dists/Debian10.13/).
What is the MD5 hash for contrib/Contents-amd64.gz?

2. The only difference between Release and InRelease is that the latter is digitally signed.
What algorithm was used? How many bits long is a hash using this algorithm?

3. Suppose you download the 64-bit installer version of Kali Linux 2022.4 and, after the
download completes, you calculate the SHA256 hash, resulting in the characters below. Prove that
the download was correct (the file matches the original at Kali’s website).
aeb29db6cf1c049cd593351fd5c289c8e01de7e21771070853597dfc23aada28

4. Working as root, use the Linux command sha256sum to calculate the hash of
/etc/passwd and /etc/shadow, then create a user account named after your first name and
check the hash of both files again.

5. System files changing without the administrator's knowledge is an IoC (Indicator of
Compromise). What does it mean?
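
The principle stated in question 1 and exercised in question 4 (record known hashes, then compare later) can be scripted with sha256sum. This is an added example, not part of the original lab handout; the function names, the account alice and the file contents are made up, and it runs on stand-in files in a temporary directory rather than the real /etc.

```shell
#!/bin/sh
# Added example: hash baseline and later comparison, on constructed files only.

# Write a SHA-256 baseline of every regular file under directory $1 to file $2.
# $2 should live outside $1 so the baseline does not hash itself.
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# Print the path of each file under $1 whose hash differs from baseline $2
# (or that can no longer be read). Prints nothing when everything matches.
changed_files() {
    ( cd "$1" && sha256sum -c - 2>/dev/null || true ) < "$2" |
        sed -n 's/: FAILED.*$//p'
}

# Demonstration on stand-ins for /etc/passwd and /etc/shadow (constructed data).
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/etc"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$work/etc/passwd"
    printf 'root:!:19000:0:99999:7:::\n'       > "$work/etc/shadow"
    make_baseline "$work/etc" "$work/baseline.sha256"

    # Simulate what creating an account does: one new line in each file.
    printf 'alice:x:1001:1001::/home/alice:/bin/bash\n' >> "$work/etc/passwd"
    printf 'alice:!:19000:0:99999:7:::\n'               >> "$work/etc/shadow"

    changed_files "$work/etc" "$work/baseline.sha256"
    rm -rf "$work"
}

demo
```

Files created after the baseline was taken are not reported, because sha256sum -c only checks the names listed in the baseline file.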

Part B: First steps with Tripwire



Tutorial: https://linuxconfig.org/intrusion-detection-systems-using-tripwire-on-linux

6. Install the package tripwire (no need to capture all screenshots). If you get an error,
remember to update the packages database first. What well-known mail server was also
installed?

7. What important message do you get regarding the confidentiality of Tripwire’s database?
Where is it located?

8. Initially, you will work with the commands twadmin and twprint. Initialize the database.
Provide the command used and the files generated afterwards.

9. The command “twprint -m d” shows the whole database. Use it to filter only lines related
to “home”.

10. Similarly, starting from “twadmin -m p”, show the policy for the object /home.

11. What does SEC_INVARIANT in home’s policy mean? Would Tripwire raise an alert if we
manually created a new directory in /home?

Part C: Integrity checks


12. Run an integrity check with “tripwire -m c /home”, redirecting the output to the file
/tmp/home_before.txt. Then, show the last 33 lines of it.

13. Now, add write permission for the group on /home and execute the same command
as above, redirecting to /tmp/home_after.txt this time. What are the differences? Check
using the command-line tool diff.

14. Focusing on the object /etc/passwd, create a new account fakeadmin, pretending it is
a backdoor on a compromised system. Then, check its integrity (capture only the first screen
when paging the command’s output with more or less).

15. Update Tripwire’s database from the previously created report with the command “tripwire
-m u --twrfile /path-to-last-report-file”. Then, run a new integrity check for the
passwords file. What happened? What can you observe?

16. How can you automate integrity checks?
