Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Setting up Tripwire
#1

Well I though I would write this tutorial on tripwire as I use it and think it's and excellent pieace of

software.

 

The way tripwire works is it takes an MD5 or SHA1 checksum of important files on your machine

and stores them in a ciphered database. It also alert you if their is any new files placed onto the

machine as it generates reports and emails them to root.

 

The first step to install tripwire is to install it using yum :) so if you issue the command below

tripwire will be installed for you.

 



Code:
yum install tripwire




 

Once tripwire is installed you have to create a key which will be used to decipher the tripwire database

also it is require when updating the tripwire database. To setup a key issue the following command

below. Tripwire will as for a site key password also it will as for a local key file password, you may enter

the site key and local key differently to increase security.

 



Code:
/usr/sbin/tripwire-setup-keyfiles




 

When issuing this command you should get a similar output as shown below:

 



Code:
----------------------------------------------
The Tripwire site and local passphrases are used to sign a  variety  of
files, such as the configuration, policy, and database files.

Passphrases should be at least 8 characters in length and contain  both
letters and numbers.

See the Tripwire manual for more information.

----------------------------------------------
Creating key files...

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

----------------------------------------------
Signing configuration file...
Please enter your site passphrase:
Wrote configuration file: /etc/tripwire/tw.cfg

A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection.  It  is  recommended  that  you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.


----------------------------------------------
Signing policy file...
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol

A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
has been preserved for  your  inspection.  This  implements  a  minimal
policy, intended only to test  essential  Tripwire  functionality.  You
should edit the policy file to  describe  your  system,  and  then  use
twadmin to generate a new signed copy of the Tripwire policy.

Once you have a satisfactory Tripwire policy file, you should move  the
clear-text version to a secure location  and/or  encrypt  it  in  place
(using a tool such as GPG, for example).

Now run "tripwire --init" to enter Database Initialization  Mode.  This
reads the policy file, generates a database based on its contents,  and
then cryptographically signs the resulting  database.  Options  can  be
entered on the command line to specify which policy, configuration, and

key files are used  to  create  the  database.  The  filename  for  the
database can be specified as well. If no  options  are  specified,  the
default values from the current configuration file are used.




 

Once you have done that you will need to go into /etc/tripwire directory, you should see

some files similar to the following.

 



Code:
localhost.localdomain-local.key  site.key  tw.cfg  twcfg.txt  tw.pol  twpol.txt




 

You will need to edit the twpol.txt. This file is well commented and you should be able to configure

the file yourself. When editing this file you will see similar lines as shown below.

 



Code:
 /sbin/accton                         -> $(SEC_CRIT);
 /sbin/badblocks                      -> $(SEC_CRIT);
 /sbin/busybox                        -> $(SEC_CRIT);
 /sbin/busybox.anaconda               -> $(SEC_CRIT);
 /sbin/convertquota                   -> $(SEC_CRIT);
 /sbin/dosfsck                        -> $(SEC_CRIT);




 

Make sure these files exists or tripwire will complain about them. You could do ls -l /sbin/dosfsck

to check the file exists.

 

Once you have edited the configuration file you will have to re-sign it with twadmin issue the following

two command below to re-sign the configuration files.

 



Code:
twadmin --create-polfile --site-keyfile /etc/tripwire/site.key /etc/tripwire/twpol.txt
twadmin --create-cfgfile --site-keyfile /etc/tripwire/site.key /etc/tripwire/twcfg.txt




 

Once that has been done all you have to do is initialize tripwire this is done by issue the following

command as shown below this may take a little while as it is generating the files of SHA1 checksums

and updating the database. If you ever need to update the tripwire database just issue the initialize and it will create a new database.

 



Code:
tripwire --init




 

This command should produce some output similar to the output below.

 



Code:
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /var/lib/tripwire/localhost.localdomain.twd
The database was successfully generated.




 

Now that the database is in place you will know about EVERYTHING that happens on

your machine now. To do a check on your machine just issue the command below:

 



Code:
tripwire --check




 

This may take a little bit, you will not need to enter a password when running this command once

the check has finished you should get similar output as shown below.

 



Code:
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/localhost.localdomain-20050711-183846.twr


Tripwire(R) 2.3.0 Integrity Check Report

Report generated by:          root
Report created on:            Mon 11 Jul 2005 06:38:46 PM BST
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    localhost.localdomain
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/localhost.localdomain.twd
Command line used:            tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
 Section: Unix File System
-------------------------------------------------------------------------------

 Rule Name                       Severity Level    Added    Removed  Modified
 ---------                       --------------    -----    -------  --------
 User binaries                   66                0        0        0
 Tripwire Binaries               100               0        0        0
 Libraries                       66                0        0        0
 Operating System Utilities      100               0        0        0
 Critical system boot files      100               0        0        0
 File System and Disk Administraton Programs
                                 100               0        0        0
 Kernel Administration Programs  100               0        0        0
 Networking Programs             100               0        0        0
 System Administration Programs  100               0        0        0
 Hardware and Device Control Programs
                                 100               0        0        0
 System Information Programs     100               0        0        0
 Application Information Programs
                                 100               0        0        0
 (/sbin/rtmon)
 Shell Related Programs          100               0        0        0
 Critical Utility Sym-Links      100               0        0        0
 Shell Binaries                  100               0        0        0
* Tripwire Data Files             100               1        0        0
 Critical configuration files    100               0        0        0
 System boot changes             100               0        0        0
 OS executables and libraries    100               0        0        0
 Security Control                100               0        0        0
 Boot Scripts                    100               0        0        0
 Login Scripts                   100               0        0        0
 Root config files               100               0        0        0
 Invariant Directories           66                0        0        0
 Temporary directories           33                0        0        0
 Critical devices                100               0        0        0

Total objects scanned:  33267
Total violations found:  1

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/lib/tripwire/localhost.localdomain.twd"

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.




 

Well thats about it for this tutorial :) O one last thing keep the twpol.txt safe and the twcfg.txt I would

suggest ciphering them.

Reply
#2

yet another fantastic tutorial from you xdamox many thanks

 

a few questions though

 

what distro did you test this on ?

if fedora, was selinux enabled/disabled ?

 

cheers

 

anyweb

Reply
#3
Sorry about that, this was tested on Fedora Core 4 and SELinux was enabled. SELinux will not affect this in anyway :)
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)