Linux-Tripwire
From DevRandom
Installing tripwire on CentOS/Redhat
What is tripwire
Tripwire is a file integrity verification system and can be used as an intrusion detection system or for detecting changes to critical files. The first time Tripwire is run it stores checksums of all the configured files in an internal database. Successive runs check every file against this database and produce a report for administrator review. Tripwire has been around for a while and is now offered in two versions: one under the GPL and a proprietary commercial one. We of course are discussing the open source (free as in freedom) version.
System Details
[root@slice01 ~]# uname -a
Linux slice01 2.6.24-22-xen #1 SMP Mon Nov 24 21:35:54 UTC 2008 x86_64 x86_64 x86_64 GNU/Linux
[root@slice01 ~]# cat /etc/redhat-release
CentOS release 5.3 (Final)
Download and Install
Download it from RPM PBone (rpm.pbone.net):
http://rpm.pbone.net/index.php3/stat/4/idpl/11459214/com/tripwire-2.4.1.1-1.el5.x86_64.rpm.html
[root@slice01 ~]# rpm -ivh tripwire-2.4.1.1-1.el5.x86_64.rpm
warning: tripwire-2.4.1.1-1.el5.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 217521f6
Preparing...                ########################################### [100%]
   1:tripwire               ########################################### [100%]
Make a backup of the configuration files
/etc/tripwire/twcfg.txt is the general configuration: location of the Tripwire database and key files, report options etc.
/etc/tripwire/twpol.txt contains the policy that declares all the files and directories that are monitored by Tripwire.
[root@slice01 tripwire]# cd /etc/tripwire
[root@slice01 tripwire]# cp twpol.txt twpol.txt.original
[root@slice01 tripwire]# cp twcfg.txt twcfg.txt.original
Generate Keys & General Configuration
We need two keys.
The first is the site key, protected by a site passphrase, which is used to encrypt and sign the Tripwire configuration and policy files:
[root@slice01 ~]# twadmin --generate-keys --site-keyfile slice01-site.key
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.
The second one, the local key (protected by the local passphrase), is necessary to run the Tripwire binaries, i.e. to initialize and update the database. Ideally the two passphrases are different (how strictly you separate them depends on one's laziness and paranoia):
[root@slice01 ~]# twadmin --generate-keys --local-keyfile slice01-local.key
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.
Copy both these files to /etc/tripwire.
Edit /etc/tripwire/twcfg.txt and set the options for the keys:
SITEKEYFILE  =/etc/tripwire/slice01-site.key
LOCALKEYFILE =/etc/tripwire/slice01-local.key
Now we need to encrypt (sign) the configuration file:
[root@slice01 tripwire]# twadmin --create-cfgfile --cfgfile twcfg.cfg --site-keyfile slice01-site.key twcfg.txt
Please enter your site passphrase:
Wrote configuration file: /etc/tripwire/twcfg.cfg
NOTE: This must be done every time you edit the configuration file; Tripwire only reads the signed twcfg.cfg, not twcfg.txt.
Policy Configuration & Initialization
If done right, this is where you will spend most of your time. /etc/tripwire/twpol.txt contains a long default listing. Go through it and pick and choose the files you need to monitor.
There are some default categories defined, and in most cases those should fit all your needs, but there is nothing stopping you from creating your own.
After editing the file to your needs, we need to encrypt (sign) it.
This is similar to the above, except that we also pass the encrypted configuration file twcfg.cfg as the --cfgfile:
[root@slice01 tripwire]# twadmin --create-polfile --cfgfile twcfg.cfg --polfile twpol.cfg --site-keyfile slice01-site.key twpol.txt
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/twpol.cfg
It's time to initialize the database:
[root@slice01 tripwire]# tripwire --init --cfgfile twcfg.cfg --polfile twpol.cfg --site-keyfile slice01-site.key --local-keyfile slice01-local.key
Please enter your local passphrase:
Depending on how well you edited the file and what packages are installed on the system, you will get some warnings about missing files.
You should:
* Re-edit the policy file and remove (or comment out) those lines
* Encrypt the policy file again
* Re-initialize the database
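The three steps above (prune the missing entries, re-sign the policy, re-initialize) are tedious by hand when the default twpol.txt lists dozens of files your system lacks. The script below is an added example, not code from the original page or from the Tripwire project: it reads the "### Filename: /path" warnings that tripwire --init prints for each missing object, comments the matching entries out of twpol.txt, then re-signs and re-initializes until the init runs clean. It assumes the file names used on this page (/etc/tripwire/twcfg.cfg, twpol.txt, twpol.cfg, slice01-site.key, slice01-local.key); the policy fragment and init log it demonstrates on are constructed samples. Run it as "sh prune-missing.sh run" on the host; without the argument it only shows the pruning on the sample.

```shell
#!/bin/sh
# Added example, not code from the original page or from the Tripwire project.
# After "tripwire --init" warns about policy entries that do not exist on this
# host, comment those entries out of twpol.txt, re-sign the policy and
# re-initialise the database, repeating until no warnings remain.
# Assumptions: the file names used on the page and the warning format
# "### Filename: /path" that tripwire --init prints for a missing object.

TWDIR=/etc/tripwire
POLICY_TXT=$TWDIR/twpol.txt
POLICY_CFG=$TWDIR/twpol.cfg
CFG=$TWDIR/twcfg.cfg
SITEKEY=$TWDIR/slice01-site.key
LOCALKEY=$TWDIR/slice01-local.key

# Print, one per line and without duplicates, the paths an init log reports as missing.
missing_paths() {
    sed -n 's/^### Filename: //p' "$1" | sort -u
}

# Comment out every policy entry whose path is listed as missing in the init log.
# Usage: prune_missing_from_policy twpol.txt init.log   (prints the number of entries pruned)
prune_missing_from_policy() {
    policy=$1
    initlog=$2
    missing=$(mktemp) || return 1
    out=$(mktemp) || return 1
    missing_paths "$initlog" > "$missing"
    pruned=0
    while IFS= read -r line || [ -n "$line" ]; do
        # the first token of a policy line (leading whitespace dropped) is the object path
        stripped=${line#"${line%%[![:space:]]*}"}
        entry=${stripped%%[[:space:]]*}
        if [ -n "$entry" ] && grep -qxF -- "$entry" "$missing"; then
            printf '# missing on this host: %s\n' "$line"
            pruned=$((pruned + 1))
        else
            printf '%s\n' "$line"
        fi
    done < "$policy" > "$out"
    mv "$out" "$policy"
    rm -f "$missing"
    echo "$pruned"
}

# Re-sign the edited policy and re-initialise the database; both commands
# prompt for the passphrases exactly as on the page.
resign_and_init() {
    twadmin --create-polfile --cfgfile "$CFG" --polfile "$POLICY_CFG" \
        --site-keyfile "$SITEKEY" "$POLICY_TXT" &&
    tripwire --init --cfgfile "$CFG" --polfile "$POLICY_CFG" \
        --site-keyfile "$SITEKEY" --local-keyfile "$LOCALKEY"
}

# Constructed sample policy fragment (twpol.txt syntax) and init log, used only
# to demonstrate the pruning offline.
sample_policy() {
    printf '%s\n' '(' '  rulename = "Critical system boot files",' '  severity = 100' ')' '{' \
        '  /boot/grub/grub.conf  -> $(SEC_CRIT) ;' \
        '  /sbin/fixrmtab        -> $(SEC_CRIT) ;' \
        '  /etc/hosts            -> $(SEC_CRIT) ;' '}'
}
sample_init_log() {
    printf '%s\n' '### Warning: File system error.' '### Filename: /sbin/fixrmtab' \
        '### No such file or directory' '### Continuing...'
}

if [ "${1:-}" = "run" ]; then
    # Real cycle on the host: init, prune, re-sign, re-init until no warnings remain.
    log=$(mktemp)
    tripwire --init --cfgfile "$CFG" --polfile "$POLICY_CFG" \
        --site-keyfile "$SITEKEY" --local-keyfile "$LOCALKEY" 2>&1 | tee "$log"
    while grep -q '^### Filename: ' "$log"; do
        n=$(prune_missing_from_policy "$POLICY_TXT" "$log")
        [ "$n" -gt 0 ] || break          # nothing matched: stop rather than loop forever
        echo "pruned $n missing entries; re-signing policy and re-initialising"
        resign_and_init 2>&1 | tee "$log"
    done
    rm -f "$log"
else
    # Offline demonstration on the constructed sample.
    pol=$(mktemp); log=$(mktemp)
    sample_policy > "$pol"; sample_init_log > "$log"
    n=$(prune_missing_from_policy "$pol" "$log")
    echo "pruned $n entries:"; cat "$pol"
    rm -f "$pol" "$log"
fi
```

Commenting entries out rather than deleting them keeps a record of what the default policy wanted to watch, which is useful when the package providing the file is installed later and the entry should be re-enabled.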
Using Tripwire and maintaining it
First, run a check to make sure it works as it should:
[root@slice01]# tripwire --check --cfgfile /etc/tripwire/twcfg.cfg --polfile /etc/tripwire/twpol.cfg
Parsing policy file: /etc/tripwire/twpol.cfg
*** Processing Unix File System ***
This creates a report file under /var/lib/tripwire/report.
Since this is the first check after initialization, there should not be any violations or warnings.
To see how it works you can either change a file or, if you haven't already, now would be a nice time to update your system packages.
In this example, we will edit /etc/hosts, add a random line and then run the check again:
[root@slice01]# tripwire --check --cfgfile /etc/tripwire/twcfg.cfg --polfile /etc/tripwire/twpol.cfg
Parsing policy file: /etc/tripwire/twpol.cfg
*** Processing Unix File System ***
Part of your report should contain the following:
-------------------------------------------------------------------------------
Rule Name: Critical configuration files (/etc/hosts)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/etc/hosts"
The idea here is that once you have reviewed the changes and certified that they are legitimate, you update the policy and database. This ensures two things: you don't get the same warnings every day, and Tripwire now has a new baseline to compare against.
This operation requires both the local and site passphrases. The -Z low option (low secure mode) tells Tripwire to tolerate changes that happened after the specified integrity check instead of aborting. So it requires both keys, the path to the last report and the corresponding configuration files:
[root@slice01 tripwire]# tripwire --update-policy --twrfile /var/lib/tripwire/report/slice01-20090612-023931.twr -S /etc/tripwire/slice01-site.key -L /etc/tripwire/slice01-local.key --cfgfile /etc/tripwire/twcfg.cfg -Z low /etc/tripwire/twpol.txt
In high secure mode (-Z high, the default), any inconsistencies will prevent the database from being updated.
After this you can verify by running another check.
You have a working tripwire at this point.
Other settings
There are several other settings and fine tuning you can do. Please refer to the man pages for more details on this.
To use email reporting, you must:
* Set the MAILMETHOD, MAILPROGRAM, SMTPHOST and SMTPPORT parameters in the configuration file.
* Specify recipients by setting the GLOBALEMAIL parameter
* Use the -M or --email-report option of the tripwire command
To specify the level of detail, set the EMAILREPORTLEVEL and REPORTLEVEL configuration parameters or use the equivalent command line options:
tripwire --check --email-report-level <level>
tripwire --check --text-report-level <level>
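As an added example (not code from the original page or from the Tripwire project) for the check-then-review workflow above, and for driving it from cron instead of the built-in email report: the script below runs the check, parses the report text in the layout shown above (Rule Name / Severity Level / Modified / quoted paths) and prints only the objects under rules at or above a severity threshold, exiting non-zero so cron delivers the output. It assumes the configuration and policy paths used on this page, a threshold of 66 (the SIG_MED value in the default twpol.txt) and that tripwire --check prints the report to standard output; the sample report it demonstrates on is constructed. It also generalizes the page's single /etc/hosts example to Added and Removed objects and to several rules in one report.

```shell
#!/bin/sh
# Added example, not code from the original page or from the Tripwire project.
# Summarise a Tripwire text report by rule severity so a nightly cron job
# alerts only on findings at or above a chosen level.
# Assumptions: the report layout shown on the page, the cfg/pol paths used on
# the page, and a threshold of 66 (SIG_MED in the default twpol.txt).

TWDIR=/etc/tripwire
REPORTDIR=/var/lib/tripwire/report
THRESHOLD=66

# Print "<severity> <kind> <rule> <path>" (tab separated) for every changed
# object under a rule whose severity is >= the threshold; exit 1 if any.
# Usage: triage_report report.txt 66
triage_report() {
    awk -v min="${2:-0}" '
        /^Rule Name: /      { rule = substr($0, 12); sev = 0; kind = ""; next }
        /^Severity Level: / { sev = $3 + 0; next }
        /^(Added|Modified|Removed):/ { kind = substr($1, 1, length($1) - 1); next }
        /^"/ && kind != "" && sev >= min {
            printf "%d\t%s\t%s\t%s\n", sev, kind, rule, $0; found = 1; next
        }
        /^-+$/ { kind = "" }          # separator line ends the current object list
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Newest .twr file in the report directory: the one to pass as --twrfile
# when updating the policy/database after review.
latest_report() {
    ls -t "${1:-$REPORTDIR}"/*.twr 2>/dev/null | head -n 1
}

# Constructed sample in the page's report layout: one high-severity change
# and two low-severity additions.
sample_report() {
    printf '%s\n' \
        '-------------------------------------------------------------------------------' \
        'Rule Name: Critical configuration files (/etc/hosts)' \
        'Severity Level: 100' \
        '-------------------------------------------------------------------------------' \
        '' 'Modified:' '"/etc/hosts"' '' \
        '-------------------------------------------------------------------------------' \
        'Rule Name: Temporary directories (/tmp)' \
        'Severity Level: 33' \
        '-------------------------------------------------------------------------------' \
        '' 'Added:' '"/tmp/foo"' '"/tmp/bar"'
}

# Nightly job: run the check, capture the report text it prints, triage it.
# A non-zero exit (and the printed lines) is what cron mails to the admin.
nightly_check() {
    txt=$(mktemp)
    tripwire --check --cfgfile "$TWDIR/twcfg.cfg" --polfile "$TWDIR/twpol.cfg" > "$txt"
    echo "report saved as: $(latest_report)  (pass this as --twrfile when updating)"
    triage_report "$txt" "$THRESHOLD"; rc=$?
    rm -f "$txt"
    return $rc
}

if [ "${1:-}" = "run" ]; then
    nightly_check
else
    # Offline demonstration on the constructed sample.
    tmp=$(mktemp); sample_report > "$tmp"
    triage_report "$tmp" "$THRESHOLD" || echo "(findings at or above severity $THRESHOLD)"
    rm -f "$tmp"
fi
```

With the sample, only the /etc/hosts modification under the severity-100 rule is printed; the two /tmp additions under the severity-33 rule are dropped. Lower the threshold to 0 to see every object, which is the same information the full report gives but in one grep-able line per change.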
Known Issues
1. Prelinking
RHEL4/5 have a cron job named prelink (in /etc/cron.daily) that modifies shared libraries in order to optimize the dynamic linker (see man prelink).
This results in changed inode numbers or inode change times, and Tripwire will well and truly report them as changed.
If you want to avoid this, remove the cron job or, better, set PRELINKING=no in /etc/sysconfig/prelink.
If you still want prelinking to work, run prelink manually after every package update or install and then run tripwire --update. You need to run tripwire --update after every package update anyway, to refresh the checksums.
References and Links
Tripwire official site: http://www.tripwire.com
Quick Reference: http://www.ihtb.org/security/quickrefs/tfs_unix_refcard.pdf
Sourceforge Link: http://sourceforge.net/projects/tripwire/
The PDF manual: http://www.cosmic-ray.org/miscfiles/idsl_1_3.pdf