Finding and Installing

Gentoo

emerge tripwire
  • After installing this package, you should run "/etc/tripwire/twinstall.sh"

  • to generate cryptographic keys, and "tripwire --init" to initialize the

  • database Tripwire uses.

Edit:

  • /etc/tripwire/twcfg.txt

  • /etc/tripwire/twpol.txt

Set up files:

  • twadmin -m F -S ./site.key ./twcfg.txt

  • twadmin -m P -S ./site.key ./twpol.txt

Initialize Tripwire:

  • tripwire --init -p ./tw.pol -c ./tw.cfg

Tune:

  1. twadmin -m P -S ./site.key ./twpol.txt

  2. tripwire --init -p ./tw.pol -c ./tw.cfg

  3. Repeat 1, 2 until no more "File system error." messages.

Red Hat/CentOS

If not using a helpful distro, download from:

Best to get the source version…

  • Think of passphrases!

  • unpack

  • ./configure

  • make

  • make install (This just installs binaries)

  • edit ./contrib/install.cfg

    • TWPOLICY="/etc/tripwire"

    • TWEDITOR="/usr/bin/vim"

    • TWMAILPROGRAM="/usr/sbin/sendmail -oi -t"

  • ln -s /usr/local/sbin/twadmin /usr/sbin/twadmin

  • ln -s /usr/local/sbin/tripwire /usr/sbin/tripwire

  • ln -s /usr/local/sbin/siggen /usr/sbin/siggen

  • ln -s /usr/local/sbin/twprint /usr/sbin/twprint

  • ./contrib/install.sh ./contrib/install.cfg

  • cd /etc/tripwire

Initialize Tripwire Database

This sets up the database which uniquely identifies your files.

`tripwire --init -p ./tw.pol -c /usr/local/etc/tw.cfg`

This can take a while!

When this runs, it will probably produce a lot of messy errors. Using the error output as a guide, go back to the twpol.txt file and edit that. Regenerate a new policy file and try again. Repeat this cycle until it creates a database that fits your actual system.

Create A New Config File

Tripwire uses an encrypted configuration file. The administrator must edit a plain text version and then convert it into a tamperproof version.

Takes a plain text and makes it into a secure version (tw.cfg):

`twadmin -m F -S ./site.key ./twcfg.txt`

Compose A New Policy

This is the plain text version of the policy file (usually twpol.txt). This file needs to be edited to reflect what Tripwire should check on the sysetm. Complete details can be found in man twpolicy.

The basic format of a Tripwire policy file is

`/explicit/path   ->  $(WhatToDoWithThis) ;`
  • (-) Ignore the following properties

  • (+) Record and check the following properties

  • (a) Access timestamp

  • (b) Number of blocks allocated

  • (c) Inode timestamp (create/modify)

  • (d) ID of device on which inode resides

  • (g) File owner’s group ID

  • (i) Inode number

  • (l) File is increasing in size (a "growing file")

  • (m) Modification timestamp

  • (n) Number of links (inode reference count)

  • (p) Permissions and file mode bits

  • (r) ID of device pointed to by inode (valid only for device objects)

  • (s) File size

  • (t) File type

  • (u) File owner’s user ID

  • ( C) CRC-32 hash value

  • (H) Haval hash value

  • (M) MD5 hash value

  • (S) SHA hash value

  • ReadOnly +pinugtsdbmCM-rlacSH

  • Dynamic +pinugtd-srlbamcCMSH

  • Growing +pinugtdl-srbamcCMSH

  • Device +pugsdr-intlbamcCMSH

  • IgnoreAll -pinugtsdrlbamcCMSH

  • IgnoreNone +pinugtsdrbamcCMSH-l

Create A New Policy File

Tripwire uses an encrypted configuration file. The administrator must edit a plain text version and then convert it into a tamperproof version. Takes a plain text and makes it into a secure version (tw.pol):

`twadmin -m P -S ./site.key ./twpol.txt`

Resetting The Database

If the policy file is good, i.e. Tripwire has been told to look at the things you really are interested in looking at, but some legitimate changes have occured, then you can reset the database to reflect the new state of affairs.

`tripwire --update -a -p ./tw.pol -c /usr/local/etc/tw.cfg \
-r /usr/lib/tripwire/report/sysnet.ucsd.edu-20060316-153001.twr`

Here -r specifies the name of the report you want to adjust to. The -a accepts everything shown as a violation in the report as ok.

Hiding Setup

Since it would be bad for an attacker to know what is and isn’t being watched, it’s a good idea to not have the cleartext policy file lying around on the system that’s being checked. I think it’s satisfactory to just use Vim to encrypt it. Open the file in Vim and do:

`:X`

Enter an encryption key. And then you must write it (ZZ doesn’t seem to work):

`:wq`

To unencrypt, open the file and then do the same thing as to encrypt, but with a blank passphrase.

Checking The System

The normal way to check the system for changes is:

`/usr/sbin/tripwire --check`

I don’t think this makes a report by default. Running it in cron should mail the report off site which is a better plan anyway.

Automating The Check

It’s good to have the system check everything at least once a day. Edit your crontab with:

`crontab -e`

And add something like this:

    # 06h11 Every day.
    11 06 * * * /usr/sbin/tripwire --check