In this tutorial you will learn what Tripwire is, how to install it and how to use it. You will learn the basics needed for simple monitoring of your system.
Tripwire is a file integrity checking tool initially written by Gene Kim with Dr. Eugene Spafford. Tripwire examines system files and creates an MD5 hash of each file. It then stores that hash in a database for future reference. When Tripwire is run, it examines the current files on a system, creates a MD5 check and compares that to the MD5 hash of that same file stored in its’ database.
Download the Tripwire program from sourceforge (http://sourceforge.net/projects/tripwire) or from RPMfind (www.rpmfind.net). Next, perform the installation that’s right for your package. Foe example, for the RPM version, issue:
Rpm –ivh tripwire.xxx
For the Gz format, issue:
Tar zxvf tripwire.xxx
Where xxx is the version you downloaded. Once that is complete, the installation is next. Change Directory (cd) to the appropriate directory. The default is /etc/tripwire. In this directory, the script to install Tripwire is found. As seen in Figure 1, issue the command to launch the installation script:
After a few moments, you will be prompted to enter a local keyfile passphrase. Choose a passphrase that contains letters, numbers, and punctuation and is at least 8 characters in length. Also, please don’t forget to choose something you will not easily forget. After entering the passphrase, figure 2 displays what should be seen.
A passphrase for the site is now required. Again, choose a passphrase using the same requirements used for the Local passphrase. Tripwire is now installed on the Linux system and is ready to be implemented.
Initialization is when a database is created including all the MD5 hash marks of the local file system. This is important to perform before any software is installed to the system or before the system is placed on the network or Internet. If this is done first before those actions, only then can one be assured the integrity of the file system is true and untampered with.
To initialize the database, enter in the command:
Once that has begun, you should see output similar to Figure 3. This process may take some time. You will notice some error messages and such on the screen. This is because the database has a predefined set of files that it looks for in all Operating Systems and rates them on a scale of importance. Since this tutorial is how to get Tripwire up and running quickly with minimal configuration, just ignore those messages. They will not cause problems when you update the database or check the integrity of the file system.
To get help or information on Tripwire, simply type:
This will bring up a display similar to Figure 4.
As shown in Figure 4, the primary commands used are:
Tripwire --init (Initializes and builds the database)
Tripwire --check (This checks the file system and compares it to the database maintained by Tripwire)
Tripwire --update-policy (This updates the database policy named ‘policyfile.txt’)
Tripwire --update (updates the database. For example, if you install a new software package or add a user, you will want to update)
Tripwire --help all (displays more help options than listed above)
The easiest way to perform a check of your file-system is to run the following command:
As seen in Figure 5, the ‘-m c’ switches, check the system and display the report seen at the end. If there were a change in the file-system, you would be alerted in the report. In the example above, please note the 3 columns ‘Added’, ‘Removed’, and ‘Modified’. Figure 5 shows that 15 files were added and 55 files were modified on the system since the last update was performed to the Tripwire database. The first time the check is done, it is recommended that the command be run piped into a text file that you can reference. This can be accomplished as:
Tripwire --m c > tripwire_results.txt
After the command is completed, and Tripwire has completed its check of the file system, open the text document. This document will contain all the files Tripwire could not find on your system. Since Tripwire is designed for multiple Operating systems, many of the files Tripwire looks for may not exist on the system being scanned. Therefore, open that text file and comment out or delete the files not found. The Tripwire file that holds the files it checks is located at:
Performing this step will remove all the warnings Tripwire will report about missing files that never existed on the system.
Once the initialization has been completed, it is important to customize the policy so that it does not report files that you do not have. To accomplish this, in the default directory of Tripwire (/etc/tripwire) a file named twpol.txt, edit that file manually using VI or your favorite editor. Simply use the information printed on screen from the initialization part or the tripwire_results.txt file, and locate every file that was reported as an error in the twpol.txt file. Then place a pound sign (#) in front of it. This remarks it out so that Tripwire will not look for this file again when checking the system. After all the files not found in the initialization part are remarked out, the next step is to update the policy. This is accomplished by issuing the following command:
Tripwire --update-policy twpol.txt
You will be prompted for the passwords that you assigned and then it will parse the policy based on the changes made to the twpol.txt file. Once completed, missing files that were originally reported during the initialization stage will not be reported on again. Please note that if any of these files wish to be monitored at a later date, simply open up the twpol.txt file and remove the # sign in front of the specified file. Then launch the --update-policy command again.
Tripwire is an essential for anyone looking to know what is happening to their systems. It is part of the Defense in Depth strategy, also known as ‘layered security’. Firewalls are critical at the borders. Network Intrusion Detection (NIDS) is also very important in a secure environment. However, if one is alerted to an incident by either the firewall or the NIDS, Tripwire will help you determine the integrity of a system instantly. It removes the guesswork out of trying to figure out what has happened to the system and allows the administrator(s) to assess and repair with limited downtime.
Further reports on installing and using Tripwire are in the works. Also, for those craving more, a more advanced how-to is also in the works.