How to Set Up and Use Tripwire
Immediately after any system change, be it due to installation, update or removal of software or configuration files, it is mandatory to update the plain-text policy file and regenerate the binary database. Any successive Tripwire check would be meaningless otherwise. Therefore, run this command whenever it's necessary:
tripwire -update-policy -twrfile ↪a_previous_integrity_report.twr
Because it is so critical, this operation requires both your local and site passphrases. When launched in this way, Tripwire detects as violations any changes that happened after the specified integrity check. In such a case, an actual update of the policy, ignoring such violations, is possible only if the user explicitly tells the program to run in low security mode. The corresponding option is -Z low and is explained in detail in the Tripwire man page.
Reading the twfiles and twintro man pages, which contain short and up-to-date overviews of all the files and programs that compose the Tripwire suite, is highly recommended before starting the installation. The actual Tripwire binary, if called with the -help option, lists all the available options. Like many FOSS programs, all the utilities of this package accept both short and long forms of their command-line options.
For example, tripwire -check also can be written as tripwire -m c. The second form is faster when one already knows Tripwire and has to use it interactively, but the explicit command is recommended in scripts, for documentation or didactical purposes. The -v option puts any Tripwire command in verbose mode. Common wisdom also suggests that both the binary and text versions of the Tripwire system files be stored on a separate computer, write-protected floppy disk or USB drive.
Remember that one of the first things a determined cracker will do is to replace just those files with her own copies, to hide any trace of attack. The periodical reports placed by Tripwire in /var/lib/tripwire are in binary, optionally signed format. Consequently, they can't be read straight from the prompt, and they also can't even be processed directly by a shell script for automatic comparison or other purposes. The solution is to use the twprint command, which comes with its own complete man page, as in this example (note that you must pass the binary configuration file for it to work):
twprint --print-report --cfgfile twcfg.enc --twrfile ↪/var/lib/tripwire/report/my_tripwire_report
The digital signatures of each binary file can be checked directly with the siggen utility, which also has its own man page:
/usr/sbin/siggen /etc/tripwire/twcfg.enc --------------------------------------------- Signatures for file: /etc/tripwire/twcfg.enc CRC32 Dmjk1z MD5 DTn311w6Wx3+7TXv7SHPjA SHA D5N1Pv4biCnd14igf/anGM3pvVH HAVAL BEJmfzpcA/Txq5nf9kgsVb
Tripwire certainly isn't the only IDS solution for GNU/Linux systems. Its more popular competitors are briefly described below. Other similar packages in the same category are listed on a Purdue University Web page (see the on-line Resources).
AIDE: the Advanced Intrusion Detection Environment is proposed as a free software replacement for everything Tripwire does and then some. The integrity database is defined by writing regular expressions in the configuration file. Besides MD5, several other algorithms can be added to verify file the integrity. Today, AIDE already supports sha1, tormd160, tiger, haval and some others.
Tripwire for Servers: this is a proprietary product by Tripwire, Inc., the company created by the original Tripwire developers. It is targeted at centralized monitoring of groups of Linux, UNIX or Windows servers.
Tripwire Enterprise: the flagship product of Tripwire, Inc., is for automated monitoring of mixed networks of up to thousands of servers, desktops, directory servers and network devices. Starting with version 5.2, Tripwire Enterprise includes centralized management through a Web interface, as well as customizable reporting and control.
The Open Source Tripwire Project had been quiescent for some time. Luckily, just a few days before the deadline of this article, version 22.214.171.124 was released on SourceForge, and it is the one you'll likely find packaged for your distribution by the time you read this. Besides the source tarball, it is also possible to download x86 static binaries built on a Gentoo 2005 distribution. There are no remarkable changes in functionality, so everything explained in this article should still apply as is. The other good news is that this is the first release in which the old build system has been replaced by a standard autoconf/configure environment. Unfortunately, due to some gcc 4 compatibility problems on Fedora Core 4, it wasn't possible to test this version in time. However, as soon as this porting is completed, it should be much easier to add new features and package Open Source Tripwire for all modern GNU/Linux distributions. You're welcome to join the effort and report bugs on the developers mailing list (see Resources). Thanks to Paul Herman and Ron Forrester for releasing this new version and the time they spent to answer my questions.
Resources for this article: /article/8950.
Marco Fioretti is a hardware systems engineer interested in free software both as an EDA platform and, as the current leader of the RULE Project, as an efficient desktop. Marco lives with his family in Rome, Italy.
Articles about Digital Rights and more at http://stop.zona-m.net CV, talks and bio at http://mfioretti.com
- Resurrecting the Armadillo
- High-Availability Storage with HA-LVM
- Real-Time Rogue Wireless Access Point Detection with the Raspberry Pi
- DNSMasq, the Pint-Sized Super Dæmon!
- March 2015 Issue of Linux Journal: System Administration
- Localhost DNS Cache
- Days Between Dates: the Counting
- The Usability of GNOME
- Linux for Astronomers
- You're the Boss with UBOS