Setting up Tripwire - xDamox - 2005-07-11
Well I thought I would write this tutorial on tripwire as I use it and think it's an excellent piece of
software.
The way tripwire works is it takes an MD5 or SHA1 checksum of important files on your machine
and stores them in a ciphered database. It also alerts you if there are any new files placed onto the
machine, as it generates reports and emails them to root.
The first step to install tripwire is to install it using yum :) so if you issue the command below,
tripwire will be installed for you.
Code: yum install tripwire
Once tripwire is installed you have to create a key which will be used to decipher the tripwire database;
it is also required when updating the tripwire database. To set up a key issue the following command
below. Tripwire will ask for a site key password; it will also ask for a local key file password. You may enter
the site key and local key differently to increase security.
Code: /usr/sbin/tripwire-setup-keyfiles
When issuing this command you should get output similar to that shown below:
Code: ----------------------------------------------
The Tripwire site and local passphrases are used to sign a variety of
files, such as the configuration, policy, and database files.
Passphrases should be at least 8 characters in length and contain both
letters and numbers.
See the Tripwire manual for more information.
----------------------------------------------
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.
----------------------------------------------
Signing configuration file...
Please enter your site passphrase:
Wrote configuration file: /etc/tripwire/tw.cfg
A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended that you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.
----------------------------------------------
Signing policy file...
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
has been preserved for your inspection. This implements a minimal
policy, intended only to test essential Tripwire functionality. You
should edit the policy file to describe your system, and then use
twadmin to generate a new signed copy of the Tripwire policy.
Once you have a satisfactory Tripwire policy file, you should move the
clear-text version to a secure location and/or encrypt it in place
(using a tool such as GPG, for example).
Now run "tripwire --init" to enter Database Initialization Mode. This
reads the policy file, generates a database based on its contents, and
then cryptographically signs the resulting database. Options can be
entered on the command line to specify which policy, configuration, and
key files are used to create the database. The filename for the
database can be specified as well. If no options are specified, the
default values from the current configuration file are used.
Once you have done that you will need to go into the /etc/tripwire directory, where you should see
some files similar to the following.
Code: localhost.localdomain-local.key site.key tw.cfg twcfg.txt tw.pol twpol.txt
You will need to edit twpol.txt. This file is well commented and you should be able to configure
the file yourself. When editing this file you will see lines similar to those shown below.
Code: /sbin/accton -> $(SEC_CRIT);
/sbin/badblocks -> $(SEC_CRIT);
/sbin/busybox -> $(SEC_CRIT);
/sbin/busybox.anaconda -> $(SEC_CRIT);
/sbin/convertquota -> $(SEC_CRIT);
/sbin/dosfsck -> $(SEC_CRIT);
Make sure these files exist or tripwire will complain about them. You could do ls -l /sbin/dosfsck
to check the file exists.
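A small script that does the same existence check for every object listed in the policy at once, so the entries that would make tripwire complain can be pruned before the policy is signed. This is an added example, not from xDamox's post or from Tripwire itself; it assumes the "path -> $(RULE);" line shape shown above and needs only sh, sed and awk. The policy fragment it scans and the missing-tool path are constructed for the run.

```shell
#!/bin/sh
# Added example (not from the original post): list every object in a
# twpol.txt-style policy whose file does not exist on this host, so the
# policy can be trimmed before "twadmin --create-polfile".
# Assumes entries look like "<path> -> $(RULE);" as in the tutorial.

# Print each object path from a policy file that does not exist.
# Usage: missing_policy_objects /etc/tripwire/twpol.txt
missing_policy_objects() {
    policy="$1"
    # Drop comments, keep lines of the form "<path> -> ...", and take the path.
    sed -e 's/#.*//' "$policy" \
      | awk -F'->' '/^[ \t]*\/.*->/ { gsub(/^[ \t]+|[ \t]+$/, "", $1); print $1 }' \
      | while IFS= read -r obj; do
            # -e also covers directories and device nodes, which policies list too.
            [ -e "$obj" ] || printf '%s\n' "$obj"
        done
}

# Constructed sample policy for a stand-alone run; the last path is made up.
SAMPLE_POLICY="${TMPDIR:-/tmp}/twpol-sample.$$.txt"
trap 'rm -f "$SAMPLE_POLICY"' EXIT
cat > "$SAMPLE_POLICY" <<'EOF'
# Constructed fragment in twpol.txt style (not the real Fedora policy)
(
  rulename = "Shell Binaries",
  severity = $(SIG_HI)
)
{
  /bin/sh                     -> $(SEC_BIN);
  /dev/null                   -> $(SEC_CRIT);
  /sbin/example-missing-tool  -> $(SEC_CRIT);   # constructed, does not exist
}
EOF

# Prints only the objects that are missing, one per line.
missing_policy_objects "$SAMPLE_POLICY"
```

Run it against /etc/tripwire/twpol.txt instead of the sample and remove or comment out each line it prints, then re-sign the policy as described in the next step.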
Once you have edited the configuration file you will have to re-sign it with twadmin; issue the following
two commands below to re-sign the configuration files.
Code: twadmin --create-polfile --site-keyfile /etc/tripwire/site.key /etc/tripwire/twpol.txt
twadmin --create-cfgfile --site-keyfile /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Once that has been done all you have to do is initialize tripwire. This is done by issuing the following
command as shown below; this may take a little while as it is generating the SHA1 checksums of the files
and updating the database. If you ever need to update the tripwire database just issue the initialize command again and it will create a new database.
This command should produce some output similar to the output below.
Code: Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /var/lib/tripwire/localhost.localdomain.twd
The database was successfully generated.
Now that the database is in place you will know about EVERYTHING that happens on
your machine. To do a check on your machine just issue the command below:
This may take a little bit; you will not need to enter a password when running this command. Once
the check has finished you should get output similar to that shown below.
Code: Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/localhost.localdomain-20050711-183846.twr
Tripwire(R) 2.3.0 Integrity Check Report
Report generated by: root
Report created on: Mon 11 Jul 2005 06:38:46 PM BST
Database last updated on: Never
===============================================================================
Report Summary:
===============================================================================
Host name: localhost.localdomain
Host IP address: 127.0.0.1
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/localhost.localdomain.twd
Command line used: tripwire --check
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name                                    Severity Level  Added  Removed  Modified
---------                                    --------------  -----  -------  --------
User binaries                                66              0      0        0
Tripwire Binaries                            100             0      0        0
Libraries                                    66              0      0        0
Operating System Utilities                   100             0      0        0
Critical system boot files                   100             0      0        0
File System and Disk Administraton Programs  100             0      0        0
Kernel Administration Programs               100             0      0        0
Networking Programs                          100             0      0        0
System Administration Programs               100             0      0        0
Hardware and Device Control Programs         100             0      0        0
System Information Programs                  100             0      0        0
Application Information Programs             100             0      0        0
(/sbin/rtmon)
Shell Related Programs                       100             0      0        0
Critical Utility Sym-Links                   100             0      0        0
Shell Binaries                               100             0      0        0
* Tripwire Data Files                        100             1      0        0
Critical configuration files                 100             0      0        0
System boot changes                          100             0      0        0
OS executables and libraries                 100             0      0        0
Security Control                             100             0      0        0
Boot Scripts                                 100             0      0        0
Login Scripts                                100             0      0        0
Root config files                            100             0      0        0
Invariant Directories                        66              0      0        0
Temporary directories                        33              0      0        0
Critical devices                             100             0      0        0
Total objects scanned: 33267
Total violations found: 1
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/var/lib/tripwire/localhost.localdomain.twd"
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
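The report above has one violation, and it is the freshly written database file showing up under "Tripwire Data Files", which is the expected result of the very first check. A cron job that mails root on every run cannot tell that case from a real change, so here is an added example (not from xDamox's post and not Tripwire's own tooling) that triages the printed text of a check: it counts violations, names the flagged rules, lists the changed objects and decides whether the run needs attention. It assumes the report text was captured to a file (for instance the copy mailed to root); Tripwire's own .twr files are signed binary and are not parsed here. The first sample is an excerpt of the report above; the second is constructed, with a placeholder path, to show a run that does need attention.

```shell
#!/bin/sh
# Added example, not part of the original post: triage the text of a
# "tripwire --check" report. Assumes the printed text was saved to a file.

# Number on the "Total violations found:" line, or 0 if the line is absent.
violation_count() {
    sed -n 's/^Total violations found: *\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1 | grep . || echo 0
}

# Names of the rules Tripwire flagged (Rule Summary rows marked with "*"),
# with the severity/added/removed/modified columns stripped.
violated_rules() {
    sed -n 's/^\* *//p' "$1" | sed 's/ *[0-9][0-9 ]*$//'
}

# Objects listed under Added:/Removed:/Modified: in the Object Summary,
# printed as "<kind> <path>".
changed_objects() {
    awk '
        /^(Added|Removed|Modified):$/ { kind = $1; next }
        /^"\// && kind != ""          { gsub(/"/, ""); print kind, $0; next }
        /^[=-]+$/                     { kind = "" }
    ' "$1"
}

# Exit 0 when the report shows anything beyond the expected first-run noise,
# i.e. Tripwire's own database appearing under /var/lib/tripwire.
report_needs_attention() {
    [ "$(violation_count "$1")" -eq 0 ] && return 1
    unexpected=$(changed_objects "$1" | grep -v '^Added: /var/lib/tripwire/' || true)
    [ -n "$unexpected" ]
}

TMP="${TMPDIR:-/tmp}"
FIRST_RUN_REPORT="$TMP/twcheck-first.$$.txt"
LATER_REPORT="$TMP/twcheck-later.$$.txt"
trap 'rm -f "$FIRST_RUN_REPORT" "$LATER_REPORT"' EXIT

# Excerpt of the first-run report from the tutorial.
cat > "$FIRST_RUN_REPORT" <<'EOF'
Rule Name                       Severity Level    Added    Removed  Modified
* Tripwire Data Files           100               1        0        0
Total objects scanned:  33267
Total violations found:  1
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Added:
"/var/lib/tripwire/localhost.localdomain.twd"
===============================================================================
EOF

# Constructed later report (made up for this example): a binary under a real
# rule was modified. The path is a placeholder, not a finding from the page.
cat > "$LATER_REPORT" <<'EOF'
Rule Name                       Severity Level    Added    Removed  Modified
* Shell Binaries                100               0        0        1
Total violations found:  1
Rule Name: Shell Binaries
Modified:
"/bin/example-shell"
===============================================================================
EOF

for r in "$FIRST_RUN_REPORT" "$LATER_REPORT"; do
    if report_needs_attention "$r"; then
        echo "ATTENTION: $(violated_rules "$r")"   # a cron wrapper would mail root here
    else
        echo "ok: $(violation_count "$r") violation(s), only Tripwire's own data files added"
    fi
done
```

In a cron wrapper, pipe the check output to a file, call report_needs_attention on it and mail root only when it returns 0; keep the allow-list in that function as narrow as the Tripwire data directory, since any other added, removed or modified object is exactly what the tool is there to surface.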
Well that's about it for this tutorial :) Oh, one last thing: keep the twpol.txt and the twcfg.txt safe; I would
suggest ciphering them.
Setting up Tripwire - anyweb - 2005-07-11
Yet another fantastic tutorial from you xDamox, many thanks.
A few questions though:
What distro did you test this on?
If Fedora, was SELinux enabled/disabled?
cheers
anyweb
Setting up Tripwire - xDamox - 2005-07-11
Sorry about that, this was tested on Fedora Core 4 and SELinux was enabled. SELinux will not affect this in any way :)