20130709

tripwire ...

Tripwire Setup on Debian Notes

Install Tripwire
# apt-get install tripwire


Well, the packaged Tripwire installation automation on Debian 6.0.7 does not automagically set everything up, at least not for me.

Tripwire keeps its configuration in an encrypted database that is generated, by default, from /etc/tripwire/twcfg.txt

Tripwire keeps its policies (which attributes of which files should be monitored) in an encrypted database that is generated, by default, from /etc/tripwire/twpol.txt

The Tripwire binaries are located in /usr/sbin and the database is located in /var/lib/tripwire

Create a site key
# cd /etc/tripwire/
# mkdir nope
# mv site.key nope
# twadmin --generate-keys --site-keyfile site.key 
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.
# chmod 600 site.key


Create a local key
# cd /etc/tripwire/
# twadmin --generate-keys --local-keyfile `hostname`-local.key
# chmod 600 *local.key


Create the configuration file tw.cfg from the text configuration file twcfg.txt and sign it with site.key. You may want to change a few things in twcfg.txt first (e.g. SMTPHOST).
# cd /etc/tripwire/
# cp twcfg.txt nope
# vi twcfg.txt
# twadmin --create-cfgfile --cfgfile tw.cfg --site-keyfile site.key twcfg.txt
Please enter your site passphrase: 
Wrote configuration file: /etc/tripwire/tw.cfg


Create the policy file tw.pol from the editable twpol.txt and sign it with site.key. You may want to adjust twpol.txt to your system and preferences first.
# cd /etc/tripwire/
# mv tw.pol nope/
# vi twpol.txt
# twadmin --create-polfile --cfgfile tw.cfg --site-keyfile site.key twpol.txt
Please enter your site passphrase: 
Wrote policy file: /etc/tripwire/tw.pol


Make sure all the configuration files are owned by root and that root is the only one who can read them.
# cd /etc/tripwire/
# chown root.root tw*
# chmod 600 tw*
You may delete the txt files, or copy them to another host for safekeeping.
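A small check for the ownership and mode step above, added here as an example and not part of the original notes: it walks the signed Tripwire files in a directory and reports any that are not owned by the expected user with mode 600, returning non-zero so it can gate a cron job. It assumes GNU stat (Debian coreutils); the second argument exists only so the check can be exercised as a non-root user.

```shell
#!/bin/sh
# Added example: verify that the signed Tripwire files are root-owned and
# readable only by root. Returns 0 when everything is fine, 1 otherwise,
# printing each offending file. Assumes GNU stat ('%U' owner, '%a' octal mode).
check_tripwire_perms() {
    dir=$1
    owner=${2:-root}      # expected owner; root on a real system
    rc=0
    for f in "$dir"/tw.cfg "$dir"/tw.pol "$dir"/site.key "$dir"/*local.key; do
        [ -e "$f" ] || continue          # unmatched glob or missing file
        actual=$(stat -c '%U %a' "$f")
        if [ "$actual" != "$owner 600" ]; then
            echo "BAD: $f is $actual, want $owner 600"
            rc=1
        fi
    done
    return $rc
}

# Usage on a real host (runs as root, so the owner argument is omitted):
#   check_tripwire_perms /etc/tripwire || echo "fix /etc/tripwire before running tripwire"
```

Only the files Tripwire actually reads at check time are inspected; the plain-text twcfg.txt and twpol.txt are left to the "delete or copy elsewhere" advice above.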

Initialize the tripwire database.
# tripwire --init
Please enter your local passphrase: 
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***


To change or update your policy
# cd /etc/tripwire/
# vi twpol.txt
# twadmin -m P -S site.key twpol.txt
Please enter your site passphrase: 
Wrote policy file: /etc/tripwire/tw.pol


To update your configuration
# cd /etc/tripwire/
# vi twcfg.txt
# twadmin -m F -S site.key twcfg.txt
Please enter your site passphrase: 
Wrote configuration file: /etc/tripwire/tw.cfg


Initialize the Tripwire database
# tripwire -m i
Please enter your local passphrase: 
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
...
### Continuing...
Wrote database file: /var/lib/tripwire/anydns.twd
The database was successfully generated.


Email alerts and reports

Test if tripwire can send email
# /usr/sbin/tripwire --test --email systems-no@ipduh.awmn


To set email alerts for a rule, e.g. "Root file-system executables", adjust the rule in twpol.txt accordingly, then sign it and write tw.pol.
#
# Critical executables
#
(
  rulename = "Root file-system executables",
  severity = $(SIG_HI),
  emailto = systems-no@ipduh.awmn
)
You may put more than one email address in emailto, separated by semicolons (';'), e.g.:
#
# Critical executables
#
(
  rulename = "Root file-system executables",
  severity = $(SIG_HI),
  emailto = systems-no@ipduh.awmn;systems-no@ipduh.com
)
Sign and write tw.pol
# twadmin -m P -S site.key twpol.txt


Email a report
# /usr/sbin/tripwire --check --email-report
...
### Continuing...
Beginning email reporting...
Emailing the report to: systems-no@ipduh.awmn
...


The report is mailed to the email address(es) given in the emailto attributes and saved in /var/lib/tripwire/report/ as well.

To create and email the report regularly put:
/usr/sbin/tripwire --check --quiet --email-report
in a cronjob

The Debian package cronjob
#!/bin/sh -e

tripwire=/usr/sbin/tripwire

[ -x $tripwire ] || exit 0

umask 027

$tripwire --check --quiet --email-report
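An expanded cron wrapper, added here as an example and not the Debian package's script, that logs the outcome of the integrity check to syslog and decodes Tripwire's exit status into a short summary. The bit values used (1 = objects added, 2 = removed, 4 = changed, 8 = error) are the ones tripwire(8) documents for check mode; confirm them against the man page of your version. The path /usr/sbin/tripwire, the TRIPWIRE_BIN override and the syslog tag tripwire-cron are assumptions.

```shell
#!/bin/sh
# Added example: cron wrapper for the Tripwire integrity check.
# Unlike the packaged script this does not run under 'sh -e', because a
# non-zero exit from tripwire is the normal result whenever violations exist
# and we want to log it rather than abort.
tripwire=${TRIPWIRE_BIN:-/usr/sbin/tripwire}   # assumed install path
logtag=tripwire-cron                           # assumed syslog tag

# Turn an integrity-check exit status into a one-line summary.
# Bit layout assumed from tripwire(8): 1 added, 2 removed, 4 changed, 8 error.
decode_tripwire_status() {
    status=$1
    summary=""
    if [ $((status & 1)) -ne 0 ]; then summary="$summary added"; fi
    if [ $((status & 2)) -ne 0 ]; then summary="$summary removed"; fi
    if [ $((status & 4)) -ne 0 ]; then summary="$summary changed"; fi
    if [ $((status & 8)) -ne 0 ]; then summary="$summary error"; fi
    if [ -z "$summary" ]; then
        echo clean
    else
        echo "${summary# }"       # drop the leading space
    fi
}

# Map a summary onto a syslog priority so a log watcher can alert on it.
log_priority_for() {
    case "$1" in
        clean)   echo daemon.info ;;
        *error*) echo daemon.err ;;
        *)       echo daemon.warning ;;
    esac
}

# Run the check, mail the report as the packaged script does, and log the result.
run_check() {
    [ -x "$tripwire" ] || return 0
    umask 027
    "$tripwire" --check --quiet --email-report
    status=$?
    summary=$(decode_tripwire_status "$status")
    logger -t "$logtag" -p "$(log_priority_for "$summary")" \
        "integrity check finished: $summary (exit $status)"
    return "$status"
}

run_check
```

With this in place the daily mail still arrives, but a syslog line such as "integrity check finished: changed (exit 4)" also lands where the rest of the host's logs are collected, which is what you want to watch if the mail path itself is what an attacker breaks.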


You may put the tripwire database on a read-only medium or copy it to another host.

Update the database (to exclude authorized violations) after an integrity check.

First of all set the system default editor to vi

Enter `exclude mode` :)
# tripwire --update --twrfile /var/lib/tripwire/report/latest.twr
where latest.twr is the latest report

Now, remove the "x" from the box [x] next to each object whose new values you do not want written to the database, exit the editor, and enter your local passphrase.

The authorized integrity violations will no longer show up as warnings when the next integrity check is run.

Test: create a report and then look at it
# /usr/sbin/tripwire --check 
# twprint -m r --twrfile /var/lib/tripwire/report/latest.twr
where latest.twr is the latest report

View the tripwire database
# /usr/sbin/twprint -m d --print-dbfile | less


View information for a file tracked by tripwire eg: the tripwire database
# /usr/sbin/twprint -m d --print-dbfile /var/lib/tripwire/`hostname`.twd


Further:
twfiles(5)
twadmin(8)
tripwire(8)
twprint(8)



