1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
|
tripwire.txt v. 11 Sept 2013
Introduction to Tripwire, with Gentoo-specific installation information
Tripwire software can monitor the integrity of critical system files and
directories by identifying specified changes made to selected system
files and directories. Configure Tripwire software to monitor your
system in the way that is best for you.
Tripwire software works by comparing files and directories against a
defined baseline, stored in a tripwire-created database. Tripwire
generates the baseline by taking a "snapshot" of specified files and
directories. Tripwire software then compares the current system against
the baseline and reports modifications, additions, or deletions. Use
Tripwire software for system security, intrusion detection, damage
assessment, and recovery forensics.
To set-up Tripwire Configuration
The Tripwire tarball installs the basic program files needed to run the
software. However, this installation does not prepare the configuration
files that Tripwire needs to perform correctly. After you install the
tripwire executable files and example configuration, you must:
1. Review and perhaps edit the plain-text tripwire configuration file
(/etc/tripwire/twcfg.txt) with a text editor, if desired.
2. Either run a configuration script (twsetup.sh from Gentoo's mktwpol
package, or tripwire-setup-keyfiles from Red Hat, or deprecated
twinstall.sh, also from Red Hat), or run the program `twadmin` with
the correct command line switches to make key files and encrypt/sign
the tripwire configuration file.
Make site key file
------------------
`twadmin --generate-keys -S /etc/tripwire/site.key`
Make local key file
-------------------
`twadmin --generate-keys -L /etc/tripwire/$HOSTNAME-local.key`
Make mandatory signed tripwire configuration file (tw.cfg)
----------------------------------------------------------
`twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt`
Note: Once encrypted/signed, the configuration file, tw.cfg, must not be
renamed or moved. The plain-text tripwire configuration file (twcfg.txt)
should be deleted. It can be recreated with `twadmin --print-cfgfile`
3. Make a plain-text policy file. The use of the name twpol.txt is
common, but the name of this file is not defined or used by Tripwire,
other than preparation of the encrypted/signed policy file.
To make the plain-text policy file, either run a policy file generator
(for example, mktwpol.sh from Gentoo's mktwpol package), or edit the
plain-text policy file (twpol-GENERIC.txt, or twpol.txt, or similar)
with a text editor. The plain-text policy file should not refer to
any non-existent file or directory.
If you edit twpol-GENERIC.txt to act as your plain-text policy file,
provide your system's HOSTNAME at line 61. If you don't provide
the correct HOSTNAME, a tripwire inspection of the target computer's
filesystem will fail to check the tripwire database file for changes.
TWDB=/var/lib/tripwire/YOUR_HOSTNAME.twd;
4. Convert the plain-text policy file into the encrypted/signed form
that tripwire will refer to as it examines the files on the target
computer's filesystem. The default filename for the encrypted/signed
policy file is defined in the tripwire configuration file (tw.cfg)
and is usually tw.pol. The encryption/signing of plain-text twpol.txt
is done with yet another `twadmin` command line.
Make mandatory encrypted/signed system inspection policy file
--------------------------------------------------------------
`twadmin -m P -c /etc/tripwire/tw.cfg /etc/tripwire/twpol.txt`
Note: If you modify the plain-text policy file after running the
configuration script, you must re-sign the plain-text policy file before
initializing the database file. Tripwire baseline database creation and
inspections refer to the encrypted/signed policy file, not to the
plain-text policy file.
Note: The plain-text tripwire policy file (twpol.txt) should be deleted.
It can be recreated with `twadmin --print-polfile`
5. Initialize the Tripwire database file.
Record current file attributes in the tripwire database
-------------------------------------------------------
`tripwire --init -c /etc/tripwire/tw.cfg`
Note: Tripwire might issue some "Warning: File system error" errors,
and appear to hang. But as long as it follows with "### Continuing...",
it is still working.
6. Run the first integrity check.
`tripwire --check -c /etc/tripwire/tw.cfg`
Note: The use of "-c /etc/tripwire/tw.cfg" is not required if Tripwire
uses the default tripwire configuration directory and file names. If
you defer to tripwire default filenames, then updating a text policy
file into a tripwire database, and running an integrity check, can be
done with these commands:
`twadmin --create-polfile /etc/tripwire/twpol.txt`
`tripwire --init`
`tripwire --check`
Modifying the Policy File
How Tripwire software checks your system is specified in the Tripwire
plain-text policy file (twpol.txt). A default policy file is included in
the Tripwire software installation. This policy file should be tailored
to fit your particular system. Tailoring the policy file is necessary
to take advantage of Tripwire software's ability to monitor changes on
your system.
The plain-text policy file is usually located at /etc/tripwire/twpol.txt.
An example policy file (located at /etc/tripwire/twpol-GENERIC.txt, or
at /usr/share/doc/tripwire-VER#-REL#/policyguide.txt) is included to
help you learn the policy language. Read the sample policy files and
the comments in the sample policy file to learn the policy language.
After you modify the plain-text policy file, don't forget!
encrypt/sign using `twadmin --create-polfile /etc/tripwire/twpol.txt`
Selecting Passphrases
Tripwire files are encrypted/signed using site or local keys. These keys
are protected by passphrases. When selecting passphrases, the following
recommendations apply:
Use at least eight alphanumeric and symbolic characters for each
passphrase. The maximum length of a passphrase is 1023 characters.
Quotes should not be used as passphrase characters.
Assign a unique passphrase for the site key. The site key passphrase
protects the site key, which is used to sign Tripwire software
configuration and policy files. Assign a unique passphrase for the local
key. The local key signs the Tripwire baseline database file. The local
key may sign the Tripwire report files also.
Store the passphrases in a secure location. There is no way to remove
encryption from a signed file if you forget your passphrase and lost the
key files. If you forget the passphrases, the files are unusable. In
that case you must create new key files and the baseline database.
Initializing the Database
In Database Initialization mode, Tripwire software builds a database of
filesystem objects based on the rules in the policy file. This database
serves as the baseline for integrity checks. The syntax for Database
Initialization mode is:
`tripwire --init -c /etc/tripwire/tw.cfg`
Running an Integrity Check
The Integrity Check mode compares the current file system objects with
their properties recorded in the Tripwire database. Violations are
printed to stdout. The report file is saved and can later be accessed by
twprint. An email option enables you to send email. The syntax for
Integrity Check mode is:
`tripwire --check -c /etc/tripwire/tw.cfg`
Printing Reports - twprint Print Report Mode
The twprint --print-report mode prints the contents of a Tripwire
report. If you do not specify a report with the --twrfile or -r
command-line argument, the default report file specified by the
configuration file REPORTFILE variable is used.
Example: On a machine named LIGHTHOUSE, the command could be:
`twprint -m r --twrfile LIGHTHOUSE-19990622-021212.twr`
Updating the Database after an Integrity Check
Database Update mode enables you to update the Tripwire database after
an integrity check if you determine that the violations discovered are
valid. This update process saves time by enabling you to update the
database without having to re-initialize it. It also enables selective
updating, which cannot be done through re-initialization. The syntax for
Database Update mode is:
`tripwire --update`
Updating the Policy File
Change the way that Tripwire software scans the system by changing the
rules in the policy file. You can then update the database without a
complete re-initialization. This saves a significant amount of time and
preserves security by keeping the policy file synchronized with the
database it uses. The syntax for Policy Update mode is:
`tripwire --update-policy`
Testing email functions
Test mode tests the software's email notification system, using the
settings currently specified in the configuration file. The syntax for
Email Test Reporting mode is:
`tripwire --test`
Tripwire Components
The policy file begins as a text file containing comments, rules,
directives, and variables. These dictate the way Tripwire software
checks your system. Each rule in the policy file specifies a system
object to be monitored. Rules also describe which changes to the object
to report, and which to ignore.
System objects are the files and directories you wish to monitor. Each
object is identified by an object name. A property refers to a single
characteristic of an object that Tripwire software can monitor.
Directives control conditional processing of sets of rules in a policy
file. During installation, the text policy file is encrypted/signed and
renamed, and becomes the active policy file.
The database file is an important component of Tripwire software. When
first installed, Tripwire software uses the policy file rules to create
the database file. The database file is a baseline "snapshot" of the
system in a known secure state. Tripwire software compares this baseline
against the current system to determine what changes have occurred. This
is an integrity check.
When you perform an integrity check, Tripwire software produces report
files. Report files summarize any changes that violated the policy file
rules during the integrity check. You can view the report file in a
variety of formats, at varying levels of detail.
The Tripwire configuration file stores system-specific information, such
as the location of Tripwire data files. Tripwire software generates some
of the configuration file information during installation. The system
administrator can change parameters in the configuration file at any
time. The configuration file variables POLFILE, DBFILE, REPORTFILE,
SITEKEYFILE, and LOCALKEYFILE specify where the policy file, database
file, report files, and site and local key files reside. These variables
must be defined or the configuration file is invalid. If any of these
variables are undefined, an error occurs on execution of Tripwire
software and the program exits.
Tripwire Help
All Tripwire commands support the help arguments.
Example: To get help with Create Configuration File mode, type:
`twadmin --help --create-cfgfile`
-? Display usage and version information
--help Display all command modes
--help all Display help for all command modes
--help [mode] Display help for current command mode
--version Display version information
We recommend you read the Tripwire Release Notes and README file.
|