tripwire notes

Yet another tripwire (the open source file integrity checker for Unix systems) how-to for Debian, like tripwire ... but, hopefully, easier to follow.

Assuming you trust your repositories, your distribution, etc.:
# apt-get install tripwire
and then answer No, No and OK to the debconf dialogs (the keys are generated by hand below).

Ideally, the tripwire binaries and the tripwire database are stored on a read-only medium that can be mounted read-write for updates. I would use an SD card or some other medium that I can set "mechanically" to read-only. Some administrators put the binaries and the DB on an NFS share. I think that putting the binaries and the DB on NFS would increase the attack surface. If you are not in the mood, or do not have the resources, to take the extra steps to further secure the integrity of the tripwire binaries and the tripwire DB, at least save copies of the files and their cryptographically secure checksums on other hosts.

In Debian the tripwire binaries are statically linked and located in /usr/sbin, and the DB is located in /var/lib/tripwire.
# sha256sum /usr/sbin/tripwire |tee ~/twsums
0e4791bb58dfc4095dba902621b72111d61bf1838d77aff4ae00d3c7432d5739  /usr/sbin/tripwire
# sha256sum /usr/sbin/tw* |tee -a ~/twsums
bc01ac66aa421d2e5324983150bea573b2e2d3ee004293501b0dcc4ce1560898  /usr/sbin/twadmin
e1b097eaf28f3ec54114cba7cc82a1ab4122a9fb82590422d9820711c884e5e9  /usr/sbin/twprint
# sha256sum /usr/sbin/siggen |tee -a ~/twsums 
e5e72b264f9b4fa86aa88e0f893b6031457e30b510f28bcb31ea1296b38566bd  /usr/sbin/siggen
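The paragraph above asks you to keep copies of these checksums elsewhere; the script below, an added example that is not part of the original notes, is the matching check: it re-verifies the tripwire binaries and database against a saved sums list before a tripwire run is trusted. The function name, exit codes and the sample files in the demo are my own constructions; sha256sum is the only tool it relies on.

```shell
#!/bin/sh
# Added example, not part of the original how-to: verify the tripwire binaries
# and database against the sha256sum list saved above (~/twsums) before trusting
# a check run. The function and the sample files below are constructed for this
# example; on a real host point it at a copy of twsums kept off the box.

# verify_twsums SUMSFILE
#   Recompute every checksum listed in SUMSFILE (sha256sum output format) and
#   compare. Returns 0 if every file matches, 1 on any mismatch or missing
#   file, 2 if the list itself cannot be read. Mismatches are printed by
#   sha256sum; --quiet suppresses the "OK" lines for matching files.
verify_twsums() {
    sums="$1"
    if [ ! -r "$sums" ]; then
        echo "checksum list '$sums' is missing or unreadable" >&2
        return 2
    fi
    if sha256sum -c --quiet "$sums"; then
        return 0
    fi
    echo "tripwire files do not match '$sums': do not trust this host's check" >&2
    return 1
}

# demo_twsums
#   Exercise verify_twsums on constructed files in a temporary directory so the
#   example runs without tripwire installed: a clean list must verify, and the
#   same list must be rejected after one of the files has been altered.
demo_twsums() {
    tmp=$(mktemp -d) || return 2
    printf 'stand-in for /usr/sbin/tripwire\n' > "$tmp/tripwire"
    printf 'stand-in for anaxagoras.twd\n' > "$tmp/anaxagoras.twd"
    sha256sum "$tmp/tripwire" "$tmp/anaxagoras.twd" > "$tmp/twsums"
    if verify_twsums "$tmp/twsums"; then clean=0; else clean=$?; fi
    # simulate a tampered binary and re-check against the unchanged list
    printf 'extra bytes\n' >> "$tmp/tripwire"
    if verify_twsums "$tmp/twsums" >/dev/null 2>&1; then bad=0; else bad=$?; fi
    rm -rf "$tmp"
    [ "$clean" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo_twsums && echo "clean list verified, tampered binary rejected"
```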


Tripwire uses $HOSTNAME a lot in the configuration and policy files. Make sure that you are happy with the hostname; if not, change it before continuing the tripwire configuration.

Create a site key.
# cd /etc/tripwire/
# twadmin --generate-keys --site-keyfile site.key
# chmod 400 site.key
The site key is used to sign, and so protect the integrity of, the tripwire configuration and policy files.

Create a local key.
# twadmin --generate-keys --local-keyfile `hostname`-local.key
# chmod 400 *cal.key
The local key is used to protect the integrity of the local tripwire database.

Create and sign tw.cfg, the tripwire configuration file.
# stor twcfg.txt
# vi twcfg.txt 
# twadmin --create-cfgfile --cfgfile tw.cfg --site-keyfile site.key twcfg.txt
Please enter your site passphrase: 
Wrote configuration file: /etc/tripwire/tw.cfg


Create and sign tw.pol, the tripwire policy file.
# stor twpol.txt
# vi twpol.txt
# twadmin --create-polfile --cfgfile tw.cfg --site-keyfile site.key twpol.txt
Please enter your site passphrase: 
Wrote policy file: /etc/tripwire/tw.pol


Make the policy and configuration files readable and writable only by the root user.
# chmod 600 *txt
# chmod 600 *cfg
# chmod 600 *pol


Initialize the tripwire database.
# tripwire --init
Please enter your local passphrase: 
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
# ...
Wrote database file: /var/lib/tripwire/anaxagoras.twd
The database was successfully generated.


Test that tripwire can send email.
# tripwire --test --email example@example.net


Check integrity and produce report.
# tripwire --check


View report.
# twprint -m r --twrfile /var/lib/tripwire/report/hostname-latest.twr |less


It is highly unlikely that you are using all the files in the "Root config files" rulename of the Debian default twpol.txt. You may also want to adjust the "Devices & Kernel information" rulename, since /proc (meaning /proc/* recursively) may be too much to track on normal servers.

Adjust the tripwire policy and initialize a new tripwire database.
# stor twpol.txt
# vi twpol.txt
# twadmin -m P -S site.key twpol.txt 
# tripwire --init


Check integrity, create a report and OK the changes, if any.
Once the editor opens, look for [x] and delete the x if you are not OK with that change.
# tripwire --check --interactive
Integrity check complete.
Please enter your local passphrase: 
Wrote database file: /var/lib/tripwire/anaxagoras.twd


You may also enter interactive mode from an existing report, e.g.:
# tripwire --update --twrfile /var/lib/tripwire/report/hostname-date-time.twr
and again look for [x] and delete the x if you are not OK with that change.

Email alerts.
To email an alert we need to add an emailto attribute to at least one rulename, so we need to update the tripwire policy, e.g.:
#
# Critical Libraries
#
(
  rulename = "Root file-system libraries",
  severity = $(SIG_HI),
  emailto = root,
  emailto = systembot@ares.ipduh.rox
)
{
        /lib                    -> $(SEC_BIN) ;
}

If /lib is changed an alert will be sent to root and systembot@ares.ipduh.rox.


Check integrity, produce report and email alerts.
# tripwire --check --email-report


The Debian package installs a cron job that creates a report and emails alerts daily:
#!/bin/sh -e

tripwire=/usr/sbin/tripwire

[ -x $tripwire ] || exit 0

umask 027

$tripwire --check --quiet --email-report


View the tripwire database.
# twprint -m d --print-dbfile |less


View the tripwire database entry for a single file, e.g. /lib/test:
# twprint -m d --print-dbfile /lib/test


The system used in this how-to:
ii  tripwire                           2.4.2.2-2                     amd64        file and directory integrity checker
# cat /etc/issue /etc/debian_version 
Debian GNU/Linux 7 \n \l

7.6


Links:
The Design and Implementation of Tripwire: A File System Integrity Checker
Tripwire how-to