How to Set Up and Use Tripwire

All about Tripwire and what it can do for you.
Initial Configuration

After everything has been placed in the proper directories, either from a binary package or compiling the sources, the first action to take as root is to generate two robust—that is, hard to guess—passphrases. The first one (site passphrase) is used to encrypt and sign the Tripwire system files. The second one (local passphrase) is necessary to launch the Tripwire binaries.

Theoretically, the Tripwire distribution should include an /etc/tripwire/twinstall.sh script that should prompt the user for passphrases and other information and then perform all the steps below. At the time of this writing, both the Tripwire 2.3.1 RPM package for Fedora Core 4 tested for this article and several on-line tutorials still say to use that script, but it just wasn't there after the installation. In any case, the utility that performs these tasks is twadmin. Because it has a complete man page, and it should be used anyway if you want to change keys after installation, we just show how it works. The actions described above are executed with the following commands:

twadmin --generate-keys --site-keyfile my_home_key
 ↪--site-passphrase 'Hello LJ readers'
twadmin --generate-keys --local-keyfile my_local_key
 ↪--local-passphrase 'Penguins are cool'

This leaves the two keys encoded in the my_home_key and, respectively, my_local_key files. Remember to copy these two names in the twcfg.txt file before running twadmin:

SITEKEYFILE	=/etc/tripwire/my_home_key
LOCALKEYFILE	=/etc/tripwire/my_local_key

Once the passphrases have been stored, the configuration file must be encrypted in this way:

twadmin --create-cfgfile --cfgfile twcfg.enc
 ↪--site-keyfile my_home_key twcfg.txt
Please enter your site passphrase:
Wrote configuration file: /etc/tripwire/twcfg.enc

The procedure to create a binary version of the policy is similar:

twadmin --create-polfile --cfgfile twcfg.enc --polfile
 ↪twpol.enc --site-keyfile my_home_key twpol.txt

The difference, with respect to the former command, is that now the encrypted configuration file must be passed to twadmin. The reason why the two files must be encrypted is that Tripwire will discover if they are corrupted much more easily than if they were in plain-text format. In order to directly read such files, you need (besides the passphrases, obviously) the -print-cfgfile or --print-polfile options of twadmin.

Database Creation

Once the passphrases and system files are all set, it's time to go into what the documentation calls Database Initialization Mode:

tripwire --init --cfgfile twcfg.enc --polfile tw.pol
 ↪--site-keyfile my_home_key --local-keyfile my_local_key

By default, the result is stored in /var/lib/tripwire/YOURHOSTNAME.twd. Path and name can be changed in twcfg.txt or given as a command-line option. Eventually, if everything goes fine, you'll be greeted by this message:

Wrote database file: /var/lib/tripwire/YOURHOSTNAME.twd
The database was successfully generated

Periodic Checks

As soon as encrypted system files, passphrases and a complete snapshot of your system are available, Tripwire finally can do the only thing we really care about—that is, to check the integrity of our computers periodically. This is normally accomplished by running the program as a cron job with this switch:

tripwire --check

Note that, just to allow secure, automatic usage the program doesn't need passphrases when launched in this way. Consequently, there is no need to write them in plain text anywhere. The integrity report is printed both to STDOUT (so it can be e-mailed to the system administrator) and saved in the location specified by the REPORTFILE variable in the configuration file. How often this operation should be performed depends on how critical the system is and how often it is exposed to external attacks. Although a corporate firewall should be checked daily, a weekly check may be enough for a department print server behind it or a regular desktop.

Figure 1 shows an example of what a Tripwire report looks like. It tells you, for every rule defined in the policy, which of the corresponding files were added, changed or modified. Command-line options are available to check only specific sections of the policy file, or just some files. This could be useful, for example, when nothing was modified in the system, but there is the suspicion that some particular disc or partition was damaged.

Figure 1. Sample Tripwire Report

The integrity checking procedure also can be interactive. Adding the -interactive switch causes Tripwire to open an editor, after the check, to allow the user to declare which files should be permanently updated in the Tripwire database. This is a manual alternative to the update mode described below.

______________________

Articles about Digital Rights and more at http://stop.zona-m.net CV, talks and bio at http://mfioretti.com

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Worked perfect

Anonymous's picture

Article seems old (2006), It worked exactly as it described. Great article. I am using tripwire now without any problem. Thanks a lot Mr. author.

--
anil
(anil.softx@gmail.com)

Tripwire Missing tw.cfg

Anonymous's picture

I have followed you instructions but get:

tripwire --check
### Error: File could not be opened.
### Filename: /etc/tripwire/tw.cfg
### No such file or directory
### Configuration file could not be read.
### Exiting..

Can you please help

Try running the command as

Anonymous's picture

Try running the command as superuser, such as "sudo tripwire --check".

Typo?

Tri Trinh's picture

Great Article! :)

tripwire --init --cfgfile twcfg.enc --polfile tw.pol
↪--site-keyfile my_home_key --local-keyfile my_local_key

should be...

tripwire --init --cfgfile twcfg.enc --polfile twpol.enc
↪--site-keyfile my_home_key --local-keyfile my_local_key

tw.pol missing.

Anonymous's picture

Under Database Creation:

You have the commnad argument:
--polfile tw.pol

I got the error:
### Error: File could not be found.
### tw.pol
### Exiting...

I checked the directory it was never created. At what step does it get created in this process?

nice tutorial. my tripwire

Anonymous's picture

nice tutorial. my tripwire rpm also did not have the /etc/tripwire/twinstall.sh script. i used tripwire-2.3.1-21

'tripwire --check ' was not good enough

### Error: File could not be opened.
### Filename: /etc/tripwire/tw.cfg
### No such file or directory
### Configuration file could not be read.
### Exiting...

i needed to explicitly list it as an arg to tripwire

Stuck on the encrypting steps...

Perry Huang's picture

I'm using Tripwire 2.4.0.1 on RHEL 4 and I am having problems at the encryption step. I don't have the twcfg.enc file needed to encrypt the config and policy files. Any ideas?

Read those steps again. You

Anonymous's picture

Read those steps again. You don't have it initially. You create twcfg.enc.

twinstall.sh

Robert's picture

If you look through the docs it mentions twinstall.sh has been replaced by tripwire-setup-keyfiles.

It should also be noted that the prelinker will affect the md5 sums etc when it runs.

Rob

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState