tripwire tutorial


Page 1: Tripwire Tutorial

7/31/2019 Tripwire Tutorial

http://slidepdf.com/reader/full/tripwire-tutorial 1/7

http://www.thegeekstuff.com/2008/12/tripwire-tutorial-linux-host-based-intrusion-detection-system/

Tripwire Tutorial: Linux Host Based Intrusion Detection System

by Ramesh Natarajan on December 8, 2008

Tripwire is a host based intrusion detection system for Linux. Tripwire monitors a Linux system to detect and report any unauthorized changes to files and directories. Once a baseline is created, tripwire monitors and detects which file is added, which file is changed, what is changed, who changed it, and when it was changed. If the changes are legitimate, you can update the tripwire database to accept these changes.

Also, for a monitoring solution, please refer to all our previous articles on Nagios.

This step by step guide explains how to install and configure the open source version of tripwire.

1. Download Tripwire

Download the latest tripwire open source version from the tripwire sourceforge project website. Extract the tripwire source code to the /usr/src directory as shown below.

# cd /usr/src
# wget http://internap.dl.sourceforge.net/sourceforge/tripwire/tripwire-2.4.1.2-src.tar.bz2
# bzip2 -d tripwire-2.4.1.2-src.tar.bz2
# tar xvf tripwire-2.4.1.2-src.tar

2. Install Tripwire

Use the prefix option as shown below to specify the installation directory. In this example, I’ve installed tripwire under /opt/tripwire. During make install, it will prompt you for various user inputs; the inputs you need to supply are marked with a [Note: ...] line below.

# cd tripwire-2.4.1.2-src

# ./configure --prefix=/opt/tripwire

# make

# make install

make[3]: Entering directory `/usr/src/tripwire-2.4.1.2-src'
prefix="/opt/tripwire" sysconfdir="/opt/tripwire/etc" \
path_to_vi="/bin/vi" path_to_sendmail="/usr/sbin/sendmail" \
./install/install.sh

Installer program for: Tripwire(R) 2.4 Open Source

LICENSE AGREEMENT for Tripwire(R) 2.4 Open Source

Please read the following license agreement. You must accept the
agreement to continue installing Tripwire.

Press ENTER to view the License Agreement.
[Note: Press enter key as instructed to view the license]

Please type "accept" to indicate your acceptance of this
license agreement. [do not accept] accept
[Note: Type accept to accept the license]

This program will copy Tripwire files to the following directories:

TWBIN: /opt/tripwire/sbin
TWMAN: /opt/tripwire/man
TWPOLICY: /opt/tripwire/etc
TWREPORT: /opt/tripwire/lib/tripwire/report
TWDB: /opt/tripwire/lib/tripwire
TWSITEKEYDIR: /opt/tripwire/etc
TWLOCALKEYDIR: /opt/tripwire/etc

CLOBBER is false.

Continue with installation? [y/n] y
[Note: Press y to continue the installation]

The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
[Note: Assign a passphrase for site keyfile.]

Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
[Note: Assign a passphrase for local keyfile.]

Creating signed configuration file...
Please enter your site passphrase:
Wrote configuration file: /opt/tripwire/etc/tw.cfg
[Note: Enter the site passphrase.]

Creating signed policy file...
Please enter your site passphrase:
Wrote policy file: /opt/tripwire/etc/tw.pol
[Note: Enter the site passphrase]

The installation succeeded.

• Site passphrase will secure the tw.cfg tripwire configuration file and the tw.pol tripwire policy file. You have to assign a site passphrase even for a single tripwire instance.

• Local passphrase will protect the tripwire database and report files.

3. Initialize Tripwire Database

For first-time use, you should initialize the tripwire database as shown below.

# cd /opt/tripwire/sbin/

# ./tripwire --init

Please enter your local passphrase:
Parsing policy file: /opt/tripwire/etc/tw.pol
Generating the database...
*** Processing Unix File System ***
The object: "/sys" is on a different file system...ignoring.
### Warning: File system error.
### Filename: /cdrom
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /floppy
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /initrd
### No such file or directory
### Continuing...
### Warning: File system error.
Wrote database file: /opt/tripwire/lib/tripwire/prod-db-srv.twd
The database was successfully generated.

4. Modify Tripwire Policy File

As shown above, during the tripwire database initialization it may display a “No such file or directory” error message for some of the default files mentioned in the tripwire policy file. If your system doesn’t have those files, edit the policy file and comment out those entries.

For example, modify the /opt/tripwire/etc/twpol.txt tripwire policy file and comment out /cdrom and /floppy as shown below.

(
  rulename = "OS Boot Files and Mount Points",
)
{
  /boot     -> $(ReadOnly) ;
  # /cdrom  -> $(Dynamic) ;
  # /floppy -> $(Dynamic) ;
  /mnt      -> $(Dynamic) ;
}

Using the tripwire policy file you can define the directories and files that need to be monitored for changes. You can also be more granular and specify the file attributes that should be either monitored or ignored.

Following are some of the UNIX system properties that are monitored by tripwire.

• File addition, deletion and modification

• File permissions and properties

• Access timestamp

• Modification timestamp

• File type and file size

• User id of owner and group id of owner

• Hash checking: CRC-32, POSIX 1003.2 compliant 32-bit Cyclic Redundancy Check; MD5, the RSA Security Message Digest Algorithm; SHA, part of the SHS/SHA algorithm; HAVAL, a strong 128-bit signature algorithm

5. Update Tripwire Policy File

Once you’ve modified the policy file, it needs to be updated as shown below.

# ./tripwire --update-policy --secure-mode low ../etc/twpol.txt
Parsing policy file: /opt/tripwire/etc/twpol.txt
Please enter your local passphrase:
Please enter your site passphrase:
======== Policy Update: Processing section Unix File System.
======== Step 1: Gathering information for the new policy.
The object: "/sys" is on a different file system...ignoring.
======== Step 2: Updating the database with new objects.
======== Step 3: Pruning unneeded objects from the database.
Wrote policy file: /opt/tripwire/etc/tw.pol
Wrote database file: /opt/tripwire/lib/tripwire/prod-db-srv.twd

Note: if any files have been modified between the tripwire initialization and the policy update, they will be listed under the “Step 1: Gathering information for the new policy” output of the above command, as in this example:

### Warning: Policy Update Changed Object.
### An object has been changed since the database was last updated.
### Object name: Conflicting properties for object
### /u01/app/oracle/oradata/dbfiles/prod01.dbf
### > Modify Time
### > CRC32
### > MD5

6. Check for any changes to the files and update tripwire database.

Once the tripwire setup is completed, you should regularly perform checks to find out what files were added or modified since the last time the tripwire database was updated. You can perform this check interactively from the command line as shown below.

# ./tripwire --check --interactive
Parsing policy file: /opt/tripwire/etc/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /opt/tripwire/lib/tripwire/report/prod-db-srv-20081204-114336.twr

This will automatically open the following tripwire report file in vi, where you can review all the files that have been added to or modified on the system. As shown below, the “Added” and “Modified” files have a check mark in front of them, indicating that you are accepting these changes to be updated in the tripwire database.

===============================================================================
Report Summary:
===============================================================================

Host name:                    prod-db-srv
Host IP address:              192.168.1.10
Host ID:                      None
Policy file used:             /opt/tripwire/etc/tw.pol
Configuration file used:      /opt/tripwire/etc/tw.cfg
Database file used:           /opt/tripwire/lib/tripwire/prod-db-srv.twd
Command line used:            ./tripwire --check --interactive

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Added:
[x] "/u01/app/oracle/diag/rdbms/proddb/proddb/trace/proddb_m000_11376.trc"
[x] "/u01/app/oracle/diag/rdbms/proddb/proddb/trace/proddb_m000_11376.trm"

Modified:
[x] "/u01/app/oracle/diag/rdbms/proddb/proddb/metadata/INC_METER_CONFIG.ams"
[x] "/u01/app/oracle/diag/rdbms/proddb/proddb/metadata/INC_METER_INFO.ams"

Added object name:  /u01/app/oracle/diag/rdbms/proddb/proddb/trace/proddb_m000_11376.trc

  Property:            Expected                    Observed
  -------------        -----------                 -----------
* Object Type          ---                         Regular File
* Device Number        ---                         2049
* Inode Number         ---                         12026017
* Mode                 ---                         -rw-r-----
* Num Links            ---                         1
* UID                  ---                         oracle (1082)
* GID                  ---                         oinstall (1083)
* Size                 ---                         837
* Modify Time          ---                         Sat 06 Dec 2008 10:01:51 AM PST
* Blocks               ---                         8
* CRC32                ---                         AYxMeo
* MD5                  ---                         AXSkOul8R/np0fQP4q3QLv

Modified object name:  /u01/app/oracle/diag/tnslsnr/proddb/listener/trace/listener.log

  Property:            Expected                    Observed
  -------------        -----------                 -----------
  Object Type          Regular File                Regular File
  Device Number        2049                        2049
  Inode Number         2295281                     2295281
  Mode                 -rw-r-----                  -rw-r-----
  Num Links            1                           1
  UID                  oracle (1082)               oracle (1082)
  GID                  oinstall (1083)             oinstall (1083)
* Size                 5851880                     5858608
* Modify Time          Sat 06 Dec 2008 09:58:53 AM PST
                                                   Sat 06 Dec 2008 11:39:56 AM PST
* Blocks               11456                       11472
* CRC32                ANdM8R                      CK+bWM
* MD5                  DCW84lCuD2YJOhQd/EuVsn      CV8BMvZNJB9KQBXAf5yRDY

Please enter your local passphrase:
Incorrect local passphrase.
Please enter your local passphrase:
Wrote database file: /opt/tripwire/lib/tripwire/prod-db-srv.twd
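The init / check / update cycle of sections 3 and 6 is easier to reason about when the mechanics are spelled out. The following is an added example, not tripwire's own code: it records a similar set of per-object properties (type, inode, mode, link count, uid, gid, size, mtime, and a SHA-256 digest in place of tripwire's CRC32/MD5), builds a baseline, reports added, removed and modified objects with expected versus observed values, and then applies the "[x] ticked means accepted" rule of the interactive update. The file names in the scenario are constructed.

```python
"""Minimal file-integrity cycle modelled on tripwire's --init / --check /
interactive update. Added example, not tripwire's own code."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(path: Path) -> dict:
    """Record the properties of one object (one row per 'Property' in the report)."""
    st = path.lstat()
    entry = {
        "type": "Regular File" if stat.S_ISREG(st.st_mode) else "Other",
        "inode": st.st_ino,
        "mode": stat.filemode(st.st_mode),
        "nlink": st.st_nlink,
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }
    if stat.S_ISREG(st.st_mode):
        # SHA-256 stands in for tripwire's CRC32/MD5 signatures.
        entry["sha256"] = hashlib.sha256(path.read_bytes()).hexdigest()
    return entry


def build_database(root: Path) -> dict:
    """Like `tripwire --init`: walk the tree and store a baseline per object."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            db[str(p.relative_to(root))] = snapshot(p)
    return db


def integrity_check(root: Path, db: dict) -> dict:
    """Like `tripwire --check`: report added, removed and modified objects.
    Modified entries map property -> (expected, observed), as in the report."""
    current = build_database(root)
    report = {
        "added": sorted(set(current) - set(db)),
        "removed": sorted(set(db) - set(current)),
        "modified": {},
    }
    for name in sorted(set(db) & set(current)):
        diffs = {k: (db[name][k], current[name].get(k))
                 for k in db[name] if db[name][k] != current[name].get(k)}
        if diffs:
            report["modified"][name] = diffs
    return report


def update_database(root: Path, db: dict, report: dict, accepted: set) -> dict:
    """Like the interactive update: objects whose [x] box stays ticked are
    written to the database with their observed values; objects whose box
    was cleared keep the old expectation and are flagged again next check."""
    current = build_database(root)
    new_db = dict(db)
    for name in report["added"] + list(report["modified"]):
        if name in accepted:
            new_db[name] = current[name]
    for name in report["removed"]:
        if name in accepted:
            del new_db[name]
    return new_db


def demo() -> tuple:
    """Constructed scenario: baseline a temporary tree, let a log grow and a
    new trace file appear, accept only the log change, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "listener.log").write_text("line 1\n")
        (root / "config.cfg").write_text("setting=1\n")
        baseline = build_database(root)

        with open(root / "listener.log", "a") as fh:   # log keeps growing
            fh.write("line 2\n")
        (root / "m000_11376.trc").write_text("trace\n")  # new file appears

        first = integrity_check(root, baseline)
        updated = update_database(root, baseline, first, accepted={"listener.log"})
        second = integrity_check(root, updated)
        return first, second


if __name__ == "__main__":
    first, second = demo()
    print("first check :", first)
    print("second check:", second)
```

The second check still lists the unaccepted trace file as added, which is exactly why a cleared box in the interactive report keeps an unexplained change visible on the next run instead of quietly folding it into the baseline.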

7. How to view the twr report file?

All the tripwire report files with the *.twr extension are stored under the /opt/tripwire/lib/tripwire/report directory. A tripwire *.twr report file is not a text file that you can view directly. To view the report, use twprint to convert the *.twr file to readable text as shown below.

# ./twprint --print-report --twrfile \
/opt/tripwire/lib/tripwire/report/prod-db-srv-20081204-114336.twr > \
/tmp/readable-output.txt

8. Monitor Linux System Integrity Regularly

Add tripwire checking as a cron job to monitor and report any changes on an on-going basis. For example, add the following line to your crontab to execute a tripwire check daily at 4:00 a.m.

# Tripwire Monitor process
00 4 * * * /opt/tripwire/sbin/tripwire --check

9. Tripwire Configuration and Policy File Locations

Use twadmin to view the current tripwire policy file. Only partial output is shown below.

# ./twadmin --print-polfile
@@section GLOBAL
TWDOCS="/opt/tripwire/doc/tripwire";
TWBIN="/opt/tripwire/sbin";
TWPOL="/opt/tripwire/etc";
TWDB="/opt/tripwire/lib/tripwire";
TWSKEY="/opt/tripwire/etc";
TWLKEY="/opt/tripwire/etc";
TWREPORT="/opt/tripwire/lib/tripwire/report";
HOSTNAME=prod-db-srv;

Use twadmin to view the tripwire configuration settings as shown below.

# ./twadmin --print-cfgfile
ROOT                   =/opt/tripwire/sbin
POLFILE                =/opt/tripwire/etc/tw.pol
DBFILE                 =/opt/tripwire/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/opt/tripwire/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/opt/tripwire/etc/site.key
LOCALKEYFILE           =/opt/tripwire/etc/prod-db-srv-local.key
EDITOR                 =/bin/vi
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS       =true
EMAILREPORTLEVEL       =3
REPORTLEVEL            =3
MAILMETHOD             =SENDMAIL
SYSLOGREPORTING        =false
MAILPROGRAM            =/usr/sbin/sendmail -oi -t
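The DBFILE and REPORTFILE settings above use $(HOSTNAME) and $(DATE) references, which is how the per-host database name and the timestamped report name seen earlier in this tutorial come about. The following added example (not tripwire's code) parses a listing in the form printed by twadmin --print-cfgfile and expands those references; the $(DATE) format YYYYMMDD-HHMMSS is inferred from the report file name shown in section 6 (prod-db-srv-20081204-114336.twr), and the sample configuration text is constructed from the settings printed above.

```python
"""Parse a tw.cfg listing as printed by `twadmin --print-cfgfile` and expand
the $(NAME) references in it. Added example, not tripwire's own code."""
import re
from datetime import datetime

# Constructed sample, copied from the settings the tutorial prints.
SAMPLE_CFG = """\
ROOT          =/opt/tripwire/sbin
POLFILE       =/opt/tripwire/etc/tw.pol
DBFILE        =/opt/tripwire/lib/tripwire/$(HOSTNAME).twd
REPORTFILE    =/opt/tripwire/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE   =/opt/tripwire/etc/site.key
LOCALKEYFILE  =/opt/tripwire/etc/prod-db-srv-local.key
EDITOR        =/bin/vi
MAILPROGRAM   =/usr/sbin/sendmail -oi -t
"""

VAR_REF = re.compile(r"\$\((\w+)\)")


def parse_cfg(text: str) -> dict:
    """Turn 'KEY =value' lines into a dict; blank lines and # comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def expand(value: str, cfg: dict, hostname: str, date_str: str) -> str:
    """Replace $(NAME) references. HOSTNAME and DATE are supplied by the
    caller (tripwire derives them at run time); any other name must be
    defined in the file itself. An undefined name raises instead of being
    silently left inside a path."""
    builtins = {"HOSTNAME": hostname, "DATE": date_str}

    def sub(match):
        name = match.group(1)
        if name in builtins:
            return builtins[name]
        if name in cfg:
            return expand(cfg[name], cfg, hostname, date_str)
        raise KeyError(f"undefined variable $({name})")

    return VAR_REF.sub(sub, value)


def resolve(text: str, hostname: str, date_str: str) -> dict:
    """Parse the listing and return every setting with its references expanded."""
    cfg = parse_cfg(text)
    return {k: expand(v, cfg, hostname, date_str) for k, v in cfg.items()}


if __name__ == "__main__":
    # Assumed DATE format YYYYMMDD-HHMMSS, matching the report name in the tutorial.
    now = datetime.now().strftime("%Y%m%d-%H%M%S")
    for key, val in resolve(SAMPLE_CFG, "prod-db-srv", now).items():
        print(f"{key:14s} {val}")
```

Resolving the settings this way is a quick check that the report and database paths land where the cron job and the twprint command expect them, and that the site and local key files are the ones the installer wrote.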