Tripwire

From Free Knowledge Base- The DUCK Project: information for everyone

Tripwire is software that monitors a system in order to detect intrusions; it belongs to the class of security software known as host-based intrusion detection systems (HIDS). Tripwire is Open Source under the GNU General Public License.

Rather than attempting to detect intrusions at the network interface level (as in network intrusion detection systems), Tripwire detects changes to file system objects.

When first initialized, Tripwire scans the file system as directed by the administrator and stores information on each file scanned in a database. At a later date the same files are scanned and the results compared against the stored values in the database. Changes are reported to the user. Cryptographic hashes are employed to detect changes in a file without storing the entire contents of the file in the database.
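The baseline-and-compare model described above, as an added example that is not code from this page or from the Tripwire project: a small POSIX shell script that records one SHA-256 digest per file into a database file, rescans later, and reports what was added, removed or modified. The function names, the sample tree and the tampering performed on it are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example; this is not code from the page or from the Tripwire project.
# It shows the model Tripwire uses: take a baseline of cryptographic digests,
# store only the digests (never the file contents), and later rescan and diff
# against that baseline. Paths containing whitespace are not handled, because
# sha256sum output is split on spaces. The baseline must be non-empty.

# integrity_init ROOT DB: record the SHA-256 of every regular file under ROOT in DB.
integrity_init() {
    root="$1"; db="$2"
    # sorted so the database is stable and easy to diff by hand
    (cd "$root" && find . -type f | sort | xargs -r sha256sum) > "$db"
}

# integrity_check ROOT DB: rescan ROOT and print one line per Added/Removed/Modified file.
integrity_check() {
    root="$1"; db="$2"
    cur=$(mktemp)
    (cd "$root" && find . -type f | sort | xargs -r sha256sum) > "$cur"
    # First input is the stored baseline, second is the fresh scan; sha256sum
    # lines are "<digest>  <path>", so $1 is the digest and $2 the path.
    awk 'NR == FNR { base[$2] = $1; next }
         {
             if (!($2 in base))        print "Added:    " $2
             else if (base[$2] != $1)  print "Modified: " $2
             delete base[$2]
         }
         END { for (p in base) print "Removed:  " p }' "$db" "$cur"
    rm -f "$cur"
}

# demo_integrity: build a constructed sample tree, baseline it, change it, report.
demo_integrity() {
    root=$(mktemp -d); db=$(mktemp)
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$root/passwd"
    printf '#!/bin/sh\nexit 0\n' > "$root/rc.local"
    integrity_init "$root" "$db"
    # changes made after the baseline was taken:
    printf 'ops:x:1001:1001::/home/ops:/bin/sh\n' >> "$root/passwd"  # modified
    printf '127.0.0.1 localhost\n' > "$root/hosts"                    # added
    rm "$root/rc.local"                                                # removed
    integrity_check "$root" "$db"
    rm -rf "$root" "$db"
}

demo_integrity
```

Tripwire does the same job with signed databases, per-file property lists and a policy language; the script only shows why storing digests is enough to notice a change without keeping a copy of every file.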

While useful for detecting intrusions after the event, it can also serve many other purposes, such as integrity assurance, change management, and policy compliance.

installation

For Debian/Ubuntu (run as root or with sudo):

apt-get update
apt-get install tripwire

configure

The package installer prompts for two passphrases. The first prompt, for the site key, reads:

Tripwire uses two different keys for authentication and encryption of files. The site key is used to protect files that could be used across several systems. This includes the policy and configuration files. You are being prompted for this passphrase either because no site key exists at this time or because you have requested the rebuilding of the policy or configuration files. Remember this passphrase; it is not stored anywhere!

Enter site-key passphrase

The second prompt, for the local key, reads:

Tripwire uses two different keys for authentication and encryption of files. The local key is used to protect files specific to the local machine, such as the Tripwire database. The local key may also be used for signing integrity check reports.

The Tripwire binaries are located in /usr/sbin and the database is located in /var/lib/tripwire. It is strongly advised that these locations be stored on write-protected media (e.g. mounted RO floppy). See /usr/share/doc/tripwire/README.Debian for details.

Compile the plain-text policy into the signed binary policy file (you will be asked for the site passphrase):

twadmin --create-polfile /etc/tripwire/twpol.txt

Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol

The basic way to initialize the database is by running:

tripwire --init

Policy entries for files that do not exist on this system produce warnings during initialization; fix these in the plain-text policy:

vi /etc/tripwire/twpol.txt

Search for each of the files listed in the test_results file and comment out every line that matches.

In the "Boot Scripts" section, comment out the /etc/rc.boot line, since that file is not present on an Ubuntu system. Then recompile the signed policy from the edited text and initialize the database again:

twadmin -m P /etc/tripwire/twpol.txt
tripwire --init
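Commenting out every missing entry by hand is tedious on a large policy. The helper below is an added example, not code from this page or from the Tripwire project: given the plain-text policy and the list of missing files, it prefixes each matching rule with a "#". It assumes the list holds one entry per line, either a bare path or a Tripwire warning line such as "### Filename: /etc/rc.boot"; the function names and the miniature policy in the demo are constructed for the example.

```shell
#!/bin/sh
# Added example; this is not code from the page or from the Tripwire project.
# comment_missing_rules POLICY LIST: in the plain-text policy POLICY, comment out
# every rule whose object path appears in LIST. LIST holds one entry per line,
# either a bare path or a tripwire warning line such as "### Filename: /etc/rc.boot".
comment_missing_rules() {
    policy="$1"; list="$2"
    awk -v listfile="$list" '
        BEGIN {
            while ((getline l < listfile) > 0) {
                sub(/[ \t]+$/, "", l)
                n = split(l, f, /[ \t]+/)
                # the object path is the last field of the line
                if (n > 0 && substr(f[n], 1, 1) == "/") missing[f[n]] = 1
            }
        }
        {
            path = $0
            sub(/^[ \t]+/, "", path)      # drop indentation
            sub(/[ \t].*$/, "", path)     # keep the first token: the object path
            if (path != "" && substr(path, 1, 1) != "#" && (path in missing)) {
                print "#" $0              # disable the rule but keep it visible
                next
            }
            print
        }' "$policy" > "$policy.new" && mv "$policy.new" "$policy"
}

# demo_policy_cleanup: constructed miniature twpol.txt and test_results, run the
# helper on them, and print the resulting policy.
demo_policy_cleanup() {
    dir=$(mktemp -d)
    printf '%s\n' \
        '# Boot Scripts' \
        '(' \
        '  rulename = "Boot Scripts",' \
        '  severity = $(SIG_HI)' \
        ')' \
        '{' \
        '  /etc/init.d   -> $(SEC_BIN) ;' \
        '  /etc/rc.boot  -> $(SEC_BIN) ;' \
        '}' > "$dir/twpol.txt"
    printf '%s\n' '### Filename: /etc/rc.boot' > "$dir/test_results"
    comment_missing_rules "$dir/twpol.txt" "$dir/test_results"
    cat "$dir/twpol.txt"
    rm -rf "$dir"
}

demo_policy_cleanup
```

Review the edited twpol.txt before recompiling it with twadmin -m P and re-running tripwire --init; only rules whose first token is exactly a listed path are touched, so rules written in other forms still need a manual look.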

Run a check to see what the Tripwire report looks like and confirm that it really contains no warnings:

tripwire --check

Remove the temporary list of missing files, then install mailutils, which provides the mail command used to send reports:

rm /etc/tripwire/test_results
apt-get install mailutils

Test the system's ability to mail out a Tripwire report:

tripwire --check | mail -s "Tripwire report for `uname -n`" tripwire@foo.com

You should shortly receive a report by email listing the file changes caused by the mail software you just installed.

Approve those changes by running an interactive check, which updates the database with the changes you accept:

tripwire --check --interactive

This generates a report and opens it in the pico editor, where you mark the changes to accept.

Schedule regular checks by adding an entry to root's crontab:

crontab -e
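As an added example that is not part of this page, a crontab entry that runs the check nightly and lets cron mail the output to the address used above. The time of day and the address are placeholders to adjust; the tripwire path is the one given in the configuration notes above.

```crontab
# Run the Tripwire check every night at 03:00; cron mails stdout and stderr
# of the job to MAILTO. tripwire@foo.com is the placeholder address from this page.
MAILTO=tripwire@foo.com
0 3 * * * /usr/sbin/tripwire --check
```

Relying on MAILTO keeps the entry simple; if you prefer the subject line used in the manual test above, pipe the output into mail as shown there instead.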

further customize

You should have deleted the plain-text policy file (twpol.txt) after the initial configuration. Now that you have been running Tripwire for a while you may find you need further customization. Recreate the plain-text policy file, which contains your custom settings, from the signed policy:

sudo sh -c 'twadmin --print-polfile > /etc/tripwire/twpol.txt'

troubleshoot

resources