====== Tripwire ======

===== 1. Install Tripwire =====

<code>
apt-get install tripwire
</code>

  * The site passphrase secures the tw.cfg tripwire configuration file and the tw.pol tripwire policy file. You have to assign a site passphrase even for a single-instance tripwire.
  * The local passphrase protects the tripwire database and report files.

===== 2. Initialize Tripwire Database =====

For first-time use, initialize the tripwire database as shown below.

<code>
cd /opt/tripwire/sbin/
./tripwire --init
Please enter your local passphrase:
Parsing policy file: /opt/tripwire/etc/tw.pol
Generating the database...
*** Processing Unix File System ***
The object: "/sys" is on a different file system...ignoring.
### Warning: File system error.
### Filename: /cdrom
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /floppy
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /initrd
### No such file or directory
### Continuing...
### Warning: File system error.
Wrote database file: /opt/tripwire/lib/tripwire/prod-db-srv.twd
The database was successfully generated.
</code>

===== 3. Modify Tripwire Policy File =====

As shown above, during database initialization tripwire may print a "No such file or directory" error for some of the default files mentioned in the tripwire policy file. If your system doesn't have those files, edit the policy file and comment out those entries. For example, modify the /opt/tripwire/etc/twpol.txt tripwire policy file and comment out /cdrom and /floppy as shown below.

<code>
(
  rulename = "OS Boot Files and Mount Points",
)
{
  /boot     -> $(ReadOnly) ;
  # /cdrom  -> $(Dynamic) ;
  # /floppy -> $(Dynamic) ;
  /mnt      -> $(Dynamic) ;
}
</code>

Using the tripwire policy file you define the directories and files that need to be monitored for changes. You can also be more granular and specify the file attributes that should be either monitored or ignored.

Following are some of the UNIX system properties that are monitored by tripwire:

  * File addition, deletion and modification
  * File permissions and properties
  * Access timestamp
  * Modification timestamp
  * File type and file size
  * User id of owner and group id of owner
  * Hash checking: CRC-32 (POSIX 1003.2 compliant 32-bit Cyclic Redundancy Check); MD5 (the RSA Security Message Digest Algorithm); SHA (part of the SHS/SHA algorithm); HAVAL (a strong 128-bit signature algorithm)

===== 4. Update Tripwire Policy File =====

Once you've modified the policy file, it needs to be updated as shown below.

<code>
./tripwire --update-policy --secure-mode low ../etc/twpol.txt
Parsing policy file: /opt/tripwire/etc/twpol.txt
Please enter your local passphrase:
Please enter your site passphrase:
======== Policy Update: Processing section Unix File System.
======== Step 1: Gathering information for the new policy.
The object: "/sys" is on a different file system...ignoring.
======== Step 2: Updating the database with new objects.
======== Step 3: Pruning unneeded objects from the database.
Wrote policy file: /opt/tripwire/etc/tw.pol
Wrote database file: /opt/tripwire/lib/tripwire/prod-db-srv.twd
</code>

Note: if any files have been modified between the tripwire initialization and the policy update, they will be listed under the "Step 1: Gathering information for the new policy" output of the above command.

<code>
### Warning: Policy Update Changed Object.
### An object has been changed since the database was last updated.
### Object name: Conflicting properties for object
### /u01/app/oracle/oradata/dbfiles/prod01.dbf
### > Modify Time
### > CRC32
### > MD5
</code>

===== 5. Check for any changes to the files and update tripwire database =====

Once the tripwire setup is complete, you should regularly perform checks to find out which files were added or modified since the last time the tripwire database was updated.

You can perform this check interactively from the command line as shown below.

<code>
./tripwire --check --interactive
Parsing policy file: /opt/tripwire/etc/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /opt/tripwire/lib/tripwire/report/prod-db-srv-20081204-114336.twr
</code>

This automatically opens the following tripwire report file in your default editor, where you can review all the files that have been added to or modified on the system. As shown below, the "Added" and "Modified" files have a check mark in front of them, indicating that you accept these changes to be written to the tripwire database.

<code>
===============================================================================
Report Summary:
===============================================================================

Host name:                    prod-db-srv
Host IP address:              192.168.1.10
Host ID:                      None
Policy file used:             /opt/tripwire/etc/tw.pol
Configuration file used:      /opt/tripwire/etc/tw.cfg
Database file used:           /opt/tripwire/lib/tripwire/prod-db-srv.twd
Command line used:            ./tripwire --check --interactive

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Added:
[x] "/u01/app/oracle/diag/rdbms/proddb/proddb/trace/proddb_m000_11376.trc"
[x] "/u01/app/oracle/diag/rdbms/proddb/proddb/trace/proddb_m000_11376.trm"

Modified:
[x] "/u01/app/oracle/diag/rdbms/proddb/proddb/metadata/INC_METER_CONFIG.ams"
[x] "/u01/app/oracle/diag/rdbms/proddb/proddb/metadata/INC_METER_INFO.ams"

Added object name:  /u01/app/oracle/diag/rdbms/proddb/proddb/trace/proddb_m000_11376.trc

  Property:            Expected                    Observed
  -------------        -----------                 -----------
* Object Type          ---                         Regular File
* Device Number        ---                         2049
* Inode Number         ---                         12026017
* Mode                 ---                         -rw-r-----
* Num Links            ---                         1
* UID                  ---                         oracle (1082)
* GID                  ---                         oinstall (1083)
* Size                 ---                         837
* Modify Time          ---                         Sat 06 Dec 2008 10:01:51 AM PST
* Blocks               ---                         8
* CRC32                ---                         AYxMeo
* MD5                  ---                         AXSkOul8R/np0fQP4q3QLv

Modified object name:  /u01/app/oracle/diag/tnslsnr/proddb/listener/trace/listener.log

  Property:            Expected                    Observed
  -------------        -----------                 -----------
  Object Type          Regular File                Regular File
  Device Number        2049                        2049
  Inode Number         2295281                     2295281
  Mode                 -rw-r-----                  -rw-r-----
  Num Links            1                           1
  UID                  oracle (1082)               oracle (1082)
  GID                  oinstall (1083)             oinstall (1083)
* Size                 5851880                     5858608
* Modify Time          Sat 06 Dec 2008 09:58:53 AM PST  Sat 06 Dec 2008 11:39:56 AM PST
* Blocks               11456                       11472
* CRC32                ANdM8R                      CK+bWM
* MD5                  DCW84lCuD2YJOhQd/EuVsn      CV8BMvZNJB9KQBXAf5yRDY
</code>

After you save and close the editor, tripwire asks for the local passphrase before writing the updated database:

<code>
Please enter your local passphrase:
Incorrect local passphrase.
Please enter your local passphrase:
Wrote database file: /opt/tripwire/lib/tripwire/prod-db-srv.twd
</code>

===== 6. How to view the twr report file? =====

All tripwire report files, with the *.twr extension, are stored under the /opt/tripwire/lib/tripwire/report directory. A *.twr report file is not a text file and cannot be viewed directly. To view a report, use twprint to convert the *.twr file to a readable text format as shown below.

<code>
./twprint --print-report --twrfile \
  /opt/tripwire/lib/tripwire/report/prod-db-srv-20081204-114336.twr > \
  /tmp/readable-output.txt
</code>

===== 7. Monitor Linux System Integrity Regularly =====

Add the tripwire check as a cron job to monitor and report any changes on an ongoing basis. For example, add the following line to your crontab to run the tripwire check daily at 4:00 a.m.

<code>
# Tripwire Monitor process
00 4 * * * /opt/tripwire/sbin/tripwire --check
</code>

===== 8. Tripwire Configuration and Policy File Locations =====

Use twadmin to view the current tripwire policy file. Only partial output is shown below.

<code>
./twadmin --print-polfile
@@section GLOBAL
TWDOCS="/opt/tripwire/doc/tripwire";
TWBIN="/opt/tripwire/sbin";
TWPOL="/opt/tripwire/etc";
TWDB="/opt/tripwire/lib/tripwire";
TWSKEY="/opt/tripwire/etc";
TWLKEY="/opt/tripwire/etc";
TWREPORT="/opt/tripwire/lib/tripwire/report";
HOSTNAME=prod-db-srv;
</code>

Use twadmin to print the current tripwire configuration file, which lists the locations of all the tripwire files, as shown below.

<code>
./twadmin --print-cfgfile
ROOT                   =/opt/tripwire/sbin
POLFILE                =/opt/tripwire/etc/tw.pol
DBFILE                 =/opt/tripwire/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/opt/tripwire/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/opt/tripwire/etc/site.key
LOCALKEYFILE           =/opt/tripwire/etc/prod-db-srv-local.key
EDITOR                 =/bin/vi
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS       =true
EMAILREPORTLEVEL       =3
REPORTLEVEL            =3
MAILMETHOD             =SENDMAIL
SYSLOGREPORTING        =false
MAILPROGRAM            =/usr/sbin/sendmail -oi -t
</code>
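The cron entry in step 7 only runs the check and leaves a binary .twr in the report directory, so nobody is told when something changed. As an added example (not from the original page), the following POSIX shell helpers render the newest report with twprint as in step 6, count the Added/Modified/Removed objects, and mail a per-object summary only when there are violations; the /opt/tripwire paths and the report layout come from the page, while the recipient address, the function names and the sample report text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: helpers around the step 7 cron job.
# The page's crontab entry only runs "tripwire --check", which writes a binary .twr
# report and otherwise stays silent. These functions render the newest report with
# twprint (step 6), count the violations and mail a per-object summary to root.
# Paths follow the page's /opt/tripwire layout; the recipient is an assumption.

TWBIN=/opt/tripwire/sbin
TWREPORT=/opt/tripwire/lib/tripwire/report
ALERT_TO=root

# Render a binary .twr report to plain text (the twprint call from step 6).
render_report() {        # $1 = .twr file, $2 = text output file
  "$TWBIN/twprint" --print-report --twrfile "$1" > "$2"
}

# Count Added/Modified/Removed objects in a rendered report; prints 0 when clean.
count_violations() {     # $1 = text report
  grep -cE '^(Added|Modified|Removed) object name:' "$1" || true
}

# Print one "KIND<TAB>path" line per violated object, for the alert mail.
list_violations() {      # $1 = text report
  awk '/^(Added|Modified|Removed) object name:/ {
         kind = $1; sub(/^[A-Za-z]+ object name: */, ""); print kind "\t" $0 }' "$1"
}

# Cron entry point: run the check, render the newest report, alert only on changes.
daily_check() {
  "$TWBIN/tripwire" --check >/dev/null 2>&1 || true   # exit status is non-zero when violations were found
  latest=$(ls -t "$TWREPORT"/*.twr | head -n 1)
  text=$(mktemp)
  render_report "$latest" "$text"
  n=$(count_violations "$text")
  if [ "$n" -gt 0 ]; then
    list_violations "$text" | mail -s "Tripwire: $n violation(s) on $(hostname)" "$ALERT_TO"
  fi
  rm -f "$text"
}

# Constructed sample in the object-detail layout shown in step 5, to exercise the
# parsing offline without a tripwire installation.
SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
Added object name:  /u01/app/oracle/diag/rdbms/proddb/proddb/trace/proddb_m000_11376.trc
* Object Type          ---                         Regular File
Modified object name:  /u01/app/oracle/diag/tnslsnr/proddb/listener/trace/listener.log
* Size                 5851880                     5858608
EOF
```

Point the step 7 crontab line at a script that sources these helpers and calls daily_check instead of running the bare tripwire --check.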