How to Set Up and Use Tripwire

All about Tripwire and what it can do for you.

Tripwire is an intrusion detection system (IDS), which, constantly and automatically, keeps your critical system files and reports under control if they have been destroyed or modified by a cracker (or by mistake). It allows the system administrator to know immediately what was compromised and fix it.

The first time Tripwire is run it stores checksums, exact sizes and other data of all the selected files in a database. The successive runs check whether every file still matches the information in the database and report all changes. Tripwire initially was released in 1992. Today, several programs share this name, one is GPLed and two are proprietary. The rest of this article discusses only the GPL version 2.3.1.

When Is the Right Moment to Start Using Tripwire?

IDS tools are particular beasts, and Tripwire is no exception. Even if you don't need to be an expert programmer to use this package, actually taking advantage of it requires some patience, attention and manual work.

First, using Tripwire is one of those cases in which blindly pressing Enter at every prompt really isn't a smart thing to do. Do yourself a favor and check at least the relevant parts of the good documentation provided with the Tripwire programs (more on this later).

Second, using Tripwire for real makes sense only if it is installed, fully configured and initialized at the very first boot after an installation from scratch, before ever connecting to the Internet or doing anything else. It takes only one attack to install a back door. All you would accomplish by installing and using Tripwire after such an event would be to guarantee that the back door remains just as open as the day a cracker installed it! Of course, even if you don't want to or can't re-install everything now, nothing prevents you from downloading the package anyway and becoming familiar with it.

Here is how to explain to Tripwire what's important to you. The Tripwire distribution includes several binaries, the corresponding man pages and two files that regulate the program's behavior, which we will call, for brevity, the Tripwire system files. The first one (/etc/tripwire/twcfg.txt), where several variables are defined, is for general configuration and even may be the same for all the computers on the same LAN. Its contents go from the location of the Tripwire database to instructions on minimizing the amount of time the passphrases are kept in memory or the number of redundant reports.

Other important parameters are the editor (the default is vi) for interactive usage and how reports should be sent by e-mail. The complete syntax and meaning of all possible variables is described in the twconfig man page.

The other system file (/etc/tripwire/twpol.txt) contains the policy that declares all the objects that must be monitored and what to do when one of them is lost or altered. Unlike the configuration file, the policy could (and almost certainly will) vary across the several computers on the same network. For example, the packages installed on a firewall will be different from those on a development workstation or an office laptop, even if the same GNU/Linux distribution is used.

The first thing to do to create a good Tripwire policy (and, in general, have a less stressful sysadmin life) is to remove as many unneeded programs as possible before starting. Next, to make your usage of Tripwire as quick and effective as possible, your policy must cover everything you really need to monitor and nothing else. This includes, at least, all the system binary and library directories (that is, the contents of /bin, /sbin, /usr/bin, /lib and so on) and the corresponding configuration files in /etc/. The example twpol.txt files distributed with Tripwire contains anything that could be on a UNIX system, so it is guaranteed to complain about programs that you never installed or placed in a different location. This is an example of what you might see:

### Warning: File system error.
### Filename: /dev/cua0
### No such file or directory
### Continuing...

There is a safe and easy way, even if potentially long and boring, to remove such bogus warnings. Simply run the initial configuration procedure described below several times. Scan the report each time, and comment out the checks that generated false alarms until they all disappear. Of course, before starting, do what should be done before configuring any new package—that is, make a copy of the originals:

cp -p twcfg.txt twcfg.txt.orig
cp -p twpol.txt twpol.txt.orig

A Tripwire policy is a sequence of two kind of rules. Normal ones define which properties of a file or directory tree must be checked, in this format:

object_name    ->    property_mask (rule attribute = value);

The property_mask specifies which properties must be examine or ignored. Attributes provide additional, rule-specific information like the rule severity or who should be informed by e-mail if that rule is violated. The other kind of rules are stop points, which tell Tripwire not to scan a particular file or directory. Tripwire also understands several directives for conditional interpretation of the policy, diagnostics and debugging. To know all the gory details, print out and study the twpolicy man page.

______________________

Articles about Digital Rights and more at http://stop.zona-m.net CV, talks and bio at http://mfioretti.com

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Worked perfect

Anonymous's picture

Article seems old (2006), It worked exactly as it described. Great article. I am using tripwire now without any problem. Thanks a lot Mr. author.

--
anil
(anil.softx@gmail.com)

Tripwire Missing tw.cfg

Anonymous's picture

I have followed you instructions but get:

tripwire --check
### Error: File could not be opened.
### Filename: /etc/tripwire/tw.cfg
### No such file or directory
### Configuration file could not be read.
### Exiting..

Can you please help

Try running the command as

Anonymous's picture

Try running the command as superuser, such as "sudo tripwire --check".

Typo?

Tri Trinh's picture

Great Article! :)

tripwire --init --cfgfile twcfg.enc --polfile tw.pol
↪--site-keyfile my_home_key --local-keyfile my_local_key

should be...

tripwire --init --cfgfile twcfg.enc --polfile twpol.enc
↪--site-keyfile my_home_key --local-keyfile my_local_key

tw.pol missing.

Anonymous's picture

Under Database Creation:

You have the commnad argument:
--polfile tw.pol

I got the error:
### Error: File could not be found.
### tw.pol
### Exiting...

I checked the directory it was never created. At what step does it get created in this process?

nice tutorial. my tripwire

Anonymous's picture

nice tutorial. my tripwire rpm also did not have the /etc/tripwire/twinstall.sh script. i used tripwire-2.3.1-21

'tripwire --check ' was not good enough

### Error: File could not be opened.
### Filename: /etc/tripwire/tw.cfg
### No such file or directory
### Configuration file could not be read.
### Exiting...

i needed to explicitly list it as an arg to tripwire

Stuck on the encrypting steps...

Perry Huang's picture

I'm using Tripwire 2.4.0.1 on RHEL 4 and I am having problems at the encryption step. I don't have the twcfg.enc file needed to encrypt the config and policy files. Any ideas?

Read those steps again. You

Anonymous's picture

Read those steps again. You don't have it initially. You create twcfg.enc.

twinstall.sh

Robert's picture

If you look through the docs it mentions twinstall.sh has been replaced by tripwire-setup-keyfiles.

It should also be noted that the prelinker will affect the md5 sums etc when it runs.

Rob

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix