How does Tripwire for servers work?

Tripwire is made up of two major components: the policy and the database. The policy lists every file and directory the integrity checker should snapshot and defines the rules that decide which changes to those objects count as violations. The database holds the snapshot Tripwire took. Tripwire also has a configuration file, which records the locations of the database, the policy file and the Tripwire executables.

It also uses two cryptographic keys, a site key and a local key, to protect its own files against tampering. The site key signs the policy and configuration files, while the local key signs the database and the generated reports. Tripwire then works by periodically comparing the current state of the listed directories and files against the snapshot in the database and reporting any differences. To use Tripwire, you need to download and install it first.

Tripwire runs on almost all Linux distributions; you can download the open source version from SourceForge and install it in the way your distribution expects. Debian and Ubuntu users can install Tripwire directly from the repository with apt-get.

Non-root users must prefix the apt-get command with sudo. CentOS and other RPM-based distributions use a similar process. As a matter of good practice, refresh the package index before installing a new package such as Tripwire.

On CentOS, yum install epel-release adds the Extra Packages for Enterprise Linux repository, which is where the Tripwire package lives; without it, yum will not find Tripwire or the packages it depends on. Once Tripwire is installed, the real work is the policy file. Its language has directives (lines beginning with @@) that let you divide the policy into sections with specific conditions and individual messages. The developers have summarized frequently used property combinations in several predefined variables. A rule usually occupies one line and ends with a semicolon.

Rules can also be combined into groups so that they are easier to manage later on. Tripwire can track several properties of a file: the access and modification times (atime and mtime), the number of blocks an object occupies, the ID of the disk it lives on, the inode number, the file size, the user and group IDs and the permissions. The hash functions to record are selected through the same property list.

For an overview of the main properties and the predefined variables mentioned above, see Table 3. Rule attributes let you give a rule a report-friendly name (rulename), set its severity, specify an email address to notify and a command to execute when a violation is detected, and set the recursion depth to which Tripwire examines a directory's contents (see Table 4). The severity is an integer; if a severity level is given on the command line during an integrity check, only rules at or above that level are tested.

The recursion depth for directories (recurse) accepts true, false and integers from -1 upwards. Several email addresses, separated by commas, can be listed for notification. The command given in onviolation can be used, for example, to stop services for security reasons. In recurse, -1 and true have an identical effect: Tripwire examines the entire contents of the directory. The settings 0 or false mean that Tripwire checks only the inode of the directory itself, whereas 1 means that Tripwire includes the files directly inside the directory in the integrity check but ignores the contents of subdirectories.
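The following toy checker was written for this article to make the mechanism described above concrete; it is not Tripwire's own code. It parses property masks (the single-letter properties and the predefined variables such as $(ReadOnly)), walks a directory according to the recurse setting (-1/true, 0/false, N), stores a snapshot, and produces the added/removed/changed report on a constructed directory tree that is tampered with in between. The property letters and variable definitions follow the twpolicy man page as the author recalls them; HAVAL is accepted in masks but not computed, because Python's hashlib has no HAVAL.

```python
"""Toy Tripwire-style integrity checker written for this article, not Tripwire's own code."""
import hashlib, os, re, stat, tempfile, zlib

# Policy mask letters (twpolicy man page); 'H' (HAVAL) is accepted but not computed here.
PROPERTY_NAMES = {"p": "permissions", "i": "inode", "n": "links", "u": "uid", "g": "gid",
                  "t": "type", "s": "size", "d": "device", "r": "rdev", "b": "blocks",
                  "a": "atime", "m": "mtime", "c": "ctime", "l": "growing",
                  "C": "crc32", "M": "md5", "S": "sha1", "H": "haval"}
# Tripwire's predefined mask variables, as in the twpolicy man page.
PREDEFINED = {"ReadOnly": "+pinugtsdbmCM-rlacSH", "Dynamic": "+pinugtd-srlbamcCMSH",
              "Growing": "+pinugtdl-srbamcCMSH", "IgnoreAll": "-pinugtsdrlbamcCMSH",
              "IgnoreNone": "+pinugtsdrbamcCMSH-l"}
# stat() fields behind the letters that need no file read.
STAT_FIELDS = {"i": "st_ino", "n": "st_nlink", "u": "st_uid", "g": "st_gid", "s": "st_size",
               "d": "st_dev", "r": "st_rdev", "b": "st_blocks", "a": "st_atime_ns",
               "m": "st_mtime_ns", "c": "st_ctime_ns"}
VAR_RE = re.compile(r"\$\((\w+)\)")

def expand_mask(mask, variables=PREDEFINED):
    """Substitute $(NAME) references textually, nested ones included, as Tripwire does."""
    expanded = VAR_RE.sub(lambda m: variables[m.group(1)], mask)
    return expanded if expanded == mask else expand_mask(expanded, variables)

def parse_mask(mask, variables=PREDEFINED):
    """Enabled letters: '+' adds, '-' removes, left to right ("$(ReadOnly)+S-M" swaps MD5 for SHA-1)."""
    enabled, adding = set(), True
    for ch in expand_mask(mask, variables).replace(" ", ""):
        if ch in "+-":
            adding = ch == "+"
        elif ch in PROPERTY_NAMES:
            (enabled.add if adding else enabled.discard)(ch)
        else:
            raise ValueError("unknown property letter %r" % ch)
    return enabled

def object_properties(path, letters):
    """One database entry: the selected properties of one object (hashing bumps atime)."""
    st, props, data = os.lstat(path), {}, None
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            data = f.read()  # whole file in memory: fine for a demo, stream it in real code
    for ch in letters:
        name = PROPERTY_NAMES[ch]
        if ch == "p":
            props[name] = stat.S_IMODE(st.st_mode)
        elif ch == "t":
            props[name] = stat.S_IFMT(st.st_mode)
        elif ch in STAT_FIELDS:
            props[name] = getattr(st, STAT_FIELDS[ch], None)
        elif data is not None and ch in ("S", "M"):
            props[name] = hashlib.new(name, data).hexdigest()
        elif data is not None and ch == "C":
            props[name] = zlib.crc32(data)
        # 'l' only changes how size is compared (see compare); 'H' is skipped.
    return props

def snapshot(root, letters, recurse=-1):
    """Walk root like a rule with 'recurse = <value>' (-1/true: all levels, 0/false: the
    directory only, N: N levels down); entries are keyed by path relative to root."""
    limit = -1 if recurse is True else 0 if recurse is False else int(recurse)
    db = {}
    def walk(path, depth):
        db[os.path.relpath(path, root)] = object_properties(path, letters)
        if stat.S_ISDIR(os.lstat(path).st_mode) and (limit == -1 or depth < limit):
            for name in sorted(os.listdir(path)):
                walk(os.path.join(path, name), depth + 1)
    walk(root, 0)
    return db

def compare(old, new, letters):
    """Added/removed/changed report; with 'l' (growing) set, only a shrinking size is a violation."""
    report = {"added": sorted(set(new) - set(old)), "removed": sorted(set(old) - set(new)), "changed": {}}
    for path in sorted(set(old) & set(new)):
        diffs = [k for k, v in old[path].items() if new[path].get(k) != v
                 and not (k == "size" and "l" in letters and new[path].get(k, 0) > v)]
        if diffs:
            report["changed"][path] = diffs
    return report

def write(root, name, data):
    os.makedirs(os.path.join(root, os.path.dirname(name)), exist_ok=True)
    with open(os.path.join(root, name), "wb") as f:
        f.write(data)

def run_demo():
    """Constructed scenario: snapshot a small tree, tamper with it, check it again."""
    letters = parse_mask("$(ReadOnly)")  # ReadOnly hashes with CRC-32 and MD5, not SHA-1
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/ls", b"ELF...")
        write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        baseline = snapshot(root, letters)
        shallow = sorted(snapshot(root, letters, recurse=1))  # '.', 'bin', 'etc' only
        # Simulated intrusion: trojaned binary, deleted file, new file.
        write(root, "bin/ls", b"ELF... plus a backdoor")
        os.remove(os.path.join(root, "etc/hosts"))
        write(root, "etc/shadow", b"root:x:...\n")
        report = compare(baseline, snapshot(root, letters), letters)
    report["shallow"] = shallow
    return report
```

Running run_demo() reports etc/shadow as added, etc/hosts as removed and bin/ls as changed in size, CRC-32 and MD5 (the modification time changes too). Two things the toy shares with the real tool are worth noting: reading a file to hash it updates its access time, which is why Tripwire offers to reset access times after a check, and a mask such as $(Growing) deliberately drops the hashes and the size, because a log that is allowed to grow cannot have a stable checksum.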

Stop points, written with a leading exclamation mark (!/path), are directories or files excluded from the check; they let you carve exceptions out of a directory that is otherwise checked. Every server is different and needs individual protection, so you must customize the policy file for each machine. The library rule in the example policy also shows how to group multiple objects under one rule.

Email addresses are stored in the policy as well, so that the responsible people are notified of incidents. After creating the configuration and policy files, you need to sign (encrypt) them before you initialize the Tripwire database.
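The following plain-text policy fragment, written for this article rather than taken from the Tripwire distribution, pulls the elements described above together: @@ directives, variables built from the predefined masks, rule groups with rulename, severity and emailto attributes, per-object recurse settings, stop points and a host-specific section. The hostname, email address and some paths are placeholders and will need adjusting for a real machine.

```text
# Plain-text policy fragment (illustrative; paths, hostname and address are placeholders)

# Directives start with @@; GLOBAL holds variables, FS holds the rules.
@@section GLOBAL
TWBIN = /usr/sbin ;
TWETC = /etc/tripwire ;

@@section FS
SEC_BIN       = $(ReadOnly) ;         # binaries and signed files that must never change
SEC_CONFIG    = $(Dynamic) ;          # configs: content may change, inode and owner must not
SEC_LOG       = $(Growing) ;          # logs may grow but must not shrink or change owner
SEC_INVARIANT = +tpug ;               # only type, permissions, user and group are watched
SIG_HI        = 100 ;

# A rule group: the attributes in parentheses apply to every object in the braces.
(
  rulename = "Tripwire binaries and signed files",
  severity = $(SIG_HI),
  emailto  = "security@example.com"
)
{
  $(TWBIN)/tripwire   -> $(SEC_BIN) ;
  $(TWBIN)/twadmin    -> $(SEC_BIN) ;
  $(TWBIN)/twprint    -> $(SEC_BIN) ;
  $(TWBIN)/siggen     -> $(SEC_BIN) ;
  $(TWETC)/tw.pol     -> $(SEC_BIN) ;
  $(TWETC)/tw.cfg     -> $(SEC_BIN) ;
}

(
  rulename = "System configuration",
  severity = $(SIG_HI),
  emailto  = "security@example.com"
)
{
  /etc           -> $(SEC_CONFIG) (recurse = 1) ;   # files in /etc, not its subdirectories
  /etc/passwd    -> $(SEC_BIN) ;                    # stricter rule for critical files
  /etc/shadow    -> $(SEC_BIN) ;
  !/etc/mtab ;                                      # stop points: rewritten constantly
  !/etc/resolv.conf ;
}

(
  rulename = "Logs and scratch space",
  severity = 66
)
{
  /var/log       -> $(SEC_LOG) (recurse = true) ;          # the whole tree
  /tmp           -> $(SEC_INVARIANT) (recurse = false) ;   # the directory inode only
}

# Host-specific rules keep one policy usable on several machines.
@@ifhost bastion.example.com
(
  rulename = "Shared libraries",
  severity = $(SIG_HI)
)
{
  /lib           -> $(SEC_BIN) ;
  /lib64         -> $(SEC_BIN) ;
  /usr/lib       -> $(SEC_BIN) ;
}
@@endif
```

Note that the rule covering Tripwire's own binaries and signed files carries the highest severity: if an intruder can replace tripwire or tw.pol unnoticed, every later check is worthless.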

You can create the two plain-text files at the command line with the commands in Listing 3. After signing, the configuration and policy files exist in a binary format that cannot be read as text.

After successfully creating the Tripwire database, remove the plain-text files. If you want to look at them later, twadmin --print-polfile or twadmin --print-cfgfile prints the decoded contents.

You create the Tripwire database with the tripwire --init command. The database file is written to the location named in the configuration file. Tripwire may report errors while creating the database because the policy file contains invalid entries, such as files that do not exist on this host. In that case, correct the policy file and regenerate it until Tripwire creates the database without complaint. Before you hand Tripwire off to a cron job, check that the software really sends email without glitches; tripwire --test --email followed by an address sends a test message to that recipient.

There is, of course, also commercial support available for the enterprise edition. The rest of this walkthrough installs and configures the open source version on Ubuntu Server. Tripwire is in the standard repositories, so installation is a single apt-get command.

During the installation, you are presented with a number of ncurses-based dialogs (Figure A) that walk you through the initial setup, including choosing the site and local passphrases. Next comes the configuration. To start, initialize the database with sudo tripwire --init. You are prompted for your sudo password and then for the local passphrase created during installation. Initialization runs, only to error out with "No such file or directory" (Figure B) for every policy entry that does not exist on your system.

To get past these errors, the policy file must be edited. Before doing that, find out which directories are missing: run an integrity check and capture the paths it reports as missing into a text file (for example missing-directory). That file is your to-do list for the next step.

Open the plain-text policy file in your editor of choice and comment out or remove every entry listed in that file. Then regenerate the signed policy file; you will be prompted for your site-key passphrase.

Once the passphrase is accepted, the policy file is regenerated. You then must reinitialize the Tripwire database with sudo tripwire --init. Tripwire asks for its passphrases interactively, so there is no need to write them in plain text anywhere. How often the integrity check should run depends on how critical the system is and how exposed it is to external attack. A corporate firewall should be checked daily, whereas a weekly check may be enough for a department print server behind it or a regular desktop.
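The missing-directory step above is easy to script. The following helper, written for this article and not part of Tripwire, extracts the paths from the "Filename:" lines of Tripwire's file-system warnings and comments out the matching rule lines in the plain-text policy. The warning text and the policy fragment are constructed samples that approximate what tripwire --init prints for missing objects; only lines that begin with an absolute path are touched, because entries built from $(VAR) are resolved by Tripwire itself.

```python
"""Prune a plain-text Tripwire policy of entries whose paths do not exist on this host.
Added example for this article, not part of Tripwire."""
import re

# Lines like '### Filename: /proc/kcore' in Tripwire's "File system error" warnings.
FILENAME_LINE = re.compile(r"Filename:\s*(\S+)")
# A rule line: optional indent, an absolute path, '->', then the property mask.
RULE_LINE = re.compile(r"^(\s*)(/\S+)\s*->")

def missing_from_output(check_output):
    """Collect the paths Tripwire complained about (what the article greps into a file)."""
    return {m.group(1) for m in FILENAME_LINE.finditer(check_output)}

def prune_policy(policy_text, missing):
    """Comment out every rule line whose path is in 'missing'; return (text, pruned paths).
    Rule lines built from $(VAR) do not start with '/' and are left for Tripwire to resolve."""
    out, pruned = [], []
    for line in policy_text.splitlines(keepends=True):
        m = RULE_LINE.match(line)
        if m and m.group(2) in missing:
            pruned.append(m.group(2))
            line = m.group(1) + "#" + line[len(m.group(1)):]
        out.append(line)
    return "".join(out), pruned

# Constructed sample: a policy fragment and the warnings Tripwire would print for it.
SAMPLE_POLICY = """\
(
  rulename = "Kernel and boot",
  severity = 100
)
{
  /boot            -> $(SEC_CRIT) ;
  /proc/kcore      -> $(SEC_CRIT) ;
  /usr/lib/jvm     -> $(ReadOnly) ;
  !/boot/grub/grubenv ;
}
"""
SAMPLE_OUTPUT = """\
### Warning: File system error.
### Filename: /proc/kcore
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/lib/jvm
### No such file or directory
### Continuing...
"""

def run_demo():
    """Wire the two steps together on the constructed samples."""
    return prune_policy(SAMPLE_POLICY, missing_from_output(SAMPLE_OUTPUT))
```

Commenting out rather than deleting keeps the original intent visible, so the entry can be re-enabled when the package that owns the path is installed later; after editing, regenerate the signed policy and reinitialize the database as described above.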

Figure 1 shows an example of what a Tripwire report looks like. For every rule defined in the policy, it lists which of the corresponding files were added, removed or modified.

Command-line options let you check only specific sections of the policy file, or only certain files. This is useful, for example, when nothing was deliberately modified on the system but you suspect that a particular disk or partition was damaged. The integrity check can also be interactive: adding the --interactive switch makes Tripwire open an editor after the check so you can mark which of the reported changes should be accepted permanently into the database.

This is a manual alternative to the update mode described below. Immediately after any system change, whether an installation, update or removal of software or configuration files, it is mandatory to update the plain-text policy file and regenerate the signed policy and the database. Any subsequent Tripwire check would be meaningless otherwise. Therefore, run Tripwire's policy update whenever this happens.

Because this operation is so critical, it requires both your local and site passphrases. When launched in this way, Tripwire treats any change that happened after the last integrity check as a violation; updating the policy while ignoring such violations is only possible if you explicitly run the program in low security mode.

The corresponding option is -Z low (long form --secure-mode low), explained in detail in the tripwire man page. Reading the twfiles and twintro man pages, which contain short, up-to-date overviews of all the files and programs that make up the Tripwire suite, is highly recommended before starting the installation.

The tripwire binary itself, called with --help, lists all available options. Like many FOSS programs, all utilities in this package accept both short and long forms of their command-line options.

For example, tripwire --check can also be written as tripwire -m c. The short form is faster to type once you know Tripwire and use it interactively, but the explicit form is preferable in scripts and for documentation or teaching purposes.

The -v (--verbose) option puts any Tripwire command into verbose mode. Common wisdom also says to keep both the binary and the plain-text versions of the Tripwire system files (keys, policy, configuration and database) on a separate computer or on write-protected removable media. Remember that one of the first things a determined intruder will do is replace exactly those files with her own copies to hide any trace of the attack.

The database and reports themselves are stored in a signed binary format. Consequently, they can't be read straight from the prompt, and they can't be processed directly by a shell script for automatic comparison or other purposes either; they have to be decoded with twprint first.


