Gentoo Wiki

Tripwire

This article is part of the HOWTO series.


Introduction

This guide will attempt to instruct you on how to set up Tripwire on Gentoo. An assumption that this guide makes is that you plan on guarding the configuration, policy, and database files by putting them on a floppy disk, and (after initializing) flipping the read-only switch to prevent tampering. Similar results can be achieved by using a CD-R, a USB drive, or a remote backup location (somewhere that you have another shell account?). If you have another idea on how to protect these files, please update this guide with your approach.

Emerge tripwire

Code: Emerge Tripwire

emerge tripwire

Warning: Refrain from following the directions posted by the emerge command until mentioned in later steps.

Edit twcfg.txt

File: /etc/tripwire/twcfg.txt
 ROOT                   =/usr/sbin
 POLFILE                =/mnt/floppy/tw.pol
 DBFILE                 =/mnt/floppy/$(HOSTNAME).twd
 REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
 SITEKEYFILE            =/mnt/floppy/site.key
 LOCALKEYFILE           =/mnt/floppy/$(HOSTNAME)-local.key
 EDITOR                 =/bin/vim
 LATEPROMPTING          =false
 LOOSEDIRECTORYCHECKING =false
 MAILNOVIOLATIONS       =true
 EMAILREPORTLEVEL       =3
 REPORTLEVEL            =3
 MAILMETHOD             =SENDMAIL
 SYSLOGREPORTING        =false
 MAILPROGRAM            =/usr/lib/sendmail -oi -t
 

Edit /etc/tripwire/twpol.txt

Novice Policy File Modification

I will be proceeding with an assuredly erroneous assumption that the default policy list is exhaustive for my Linux system, and must merely be pruned of nonexistent files/directories. This is a poor approach, but I wanted to get something running as fast as possible after a fresh install, and the most crucial system binaries seem to be covered by the defaults.

Generate Keys

The quickest way to prune bad entries from twpol.txt is to run an initialization, capture the "File not found" error messages, and feed them to a later perl -pi -e pass. So, on to key generation:

  1. run /etc/tripwire/twinstall.sh
  2. Input strong passphrases for the following keyfiles:
    • site keyfile: with multiple hosts, used on the server actually performing the analysis
    • local keyfile: with multiple hosts, unique keyfile per host
  3. Sign the initial tw.cfg and tw.pol files

Initial Database Creation

After these steps have been completed, a first database initialization may proceed:

Code: run tripwire init command
 tripwire --init 2> ~/stufftoprune
 

Prune initial twpol.txt file

The following command extracts the missing file names from the stufftoprune file captured during the database initialization step above:

Code: get file list
 grep Filename ~/stufftoprune | awk '{print $3}' > ~/filestoprune
 

Execute the following command, which comments out every policy entry whose path is listed in filestoprune:

Code: comment out policy file entries
 xargs -I {} perl -pi.bak -e 's!\A(\s+)\Q{}\E\b!$1#{}!' /etc/tripwire/twpol.txt < ~/filestoprune
 
Note: In a Perl replacement the captured leading whitespace is written back as $1 (Perl tolerates \1 here, but $1 is the documented form), and \Q...\E makes the substituted path match literally, so a dot in a name such as perl5.8.8 is not treated as a wildcard. Because perl is invoked once per path, the .bak file is rewritten on every pass and ends up holding only the state before the last substitution; keep a separate copy of the original twpol.txt if you want to diff the whole change. -I {} is the current spelling of the older xargs -i option.

Diff the pruned twpol.txt against the original to make sure only the intended entries were commented out, then copy it back to wherever you are working from.
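The pruning step above, carried out end to end on constructed sample data, as an added example that is not part of the original page. It uses awk with an exact match on the first field of each policy line instead of the page's perl regex, so a path containing regex metacharacters (the dots in perl5.8.8) cannot over-match a similarly named entry. The stderr lines and the policy fragment are constructed; the stderr sample imitates the "### Filename:" form that the grep above relies on.

```shell
#!/bin/sh
# Added example, not from the original page: the prune step run end to end on
# constructed sample data. awk does an exact match on the first field of each
# policy line, so regex metacharacters in a path cannot over-match.

# Constructed sample of what `tripwire --init` writes to stderr for files that
# are listed in twpol.txt but do not exist on the system.
SAMPLE_INIT_ERRORS='### Warning: File system error.
### Filename: /usr/sbin/nonexistent-daemon
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/bin/perl5.8.8
### No such file or directory
### Continuing...'

# Constructed fragment of a twpol.txt rule block. Two entries are missing on
# the sample system; the look-alike names next to them must stay uncommented.
SAMPLE_TWPOL='(
  rulename = "Critical system binaries",
  severity = $(SIG_HI)
)
{
  /usr/sbin/nonexistent-daemon        -> $(SEC_CRIT) ;
  /usr/sbin/nonexistent-daemon-helper -> $(SEC_CRIT) ;
  /usr/bin/perl5.8.8                  -> $(SEC_CRIT) ;
  /usr/bin/perl5x8x8                  -> $(SEC_CRIT) ;
  /bin/sh                             -> $(SEC_CRIT) ;
}'

# Same extraction as the page's grep/awk pipeline: field 3 of "### Filename: /path".
extract_missing() {
  grep '^### Filename:' "$1" | awk '{ print $3 }'
}

# Comment out every policy line whose first token is exactly one of the paths in
# the prune list ($1); every other line of the policy file ($2) passes through.
# The FILENAME guard (rather than NR == FNR) stays correct when the list is empty.
prune_policy() {
  awk 'FILENAME == ARGV[1] { missing[$1] = 1; next }
       ($1 in missing) { sub(/^[ \t]*/, "&#") }
       { print }' "$1" "$2"
}

# Run the whole procedure on the samples and print the pruned policy to stdout.
# The body is a subshell so the temporary directory name does not leak out.
prune_demo() (
  tmp=$(mktemp -d)
  printf '%s\n' "$SAMPLE_INIT_ERRORS" > "$tmp/stufftoprune"
  printf '%s\n' "$SAMPLE_TWPOL" > "$tmp/twpol.txt"
  extract_missing "$tmp/stufftoprune" > "$tmp/filestoprune"
  prune_policy "$tmp/filestoprune" "$tmp/twpol.txt"
  rm -rf "$tmp"
)

prune_demo
```

Against the real files the same two functions apply as `extract_missing ~/stufftoprune > ~/filestoprune` followed by `prune_policy ~/filestoprune /etc/tripwire/twpol.txt > twpol.pruned`, which leaves the original untouched for the diff.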

Regenerate signed tw.pol file

The signed file needs to be reconstituted before your changes will be recognized.

Code: sign policy manually
 twadmin -m P /etc/tripwire/twpol.txt
 
Note: Be mindful of file locations: if you have already moved files away from their default locations (e.g., the site key file), you may need to specify them explicitly on the command line.

Rerun Database Initialization

Since the first initialization was merely executed to grab the errors, this next initialization will be what is used for checking, until the next update.

Code: rerun database initialization
 tripwire --init
 

Move files to Floppy

If you really want your system to remain secure, you should offload all the files we've been dealing with to some kind of read-only media. I choose a floppy because it has a physical read-only switch, but can be updated indefinitely (for some value of indefinitely). Any time you update your system you will have to run a database regeneration, so this last characteristic is valuable.

Similar results are achieved with a removable USB drive (flash drive/thumb stick), or with another location over a network (although this is not the most secure option).
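Before running a check against a database kept on removable media, it is worth confirming that the medium really is mounted read-only and that every file twcfg.txt points at is actually there, so that a missing key or a writable mount is caught before the check rather than discovered in a bad report. The following script is an added example, not code from the original page: it assumes the /mnt/floppy mount point and the file names from the twcfg.txt above, and takes the mounts table as text so the check can be exercised against the constructed /proc/mounts samples embedded in it (only the preflight function reads the live /proc/mounts and hostname).

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight checks for a setup whose
# policy, database and keys live on removable media, as in the twcfg.txt above.
# Assumptions: mount point /mnt/floppy and the file names from that twcfg.txt.

# Constructed /proc/mounts samples: floppy mounted read-only, and read-write.
SAMPLE_MOUNTS_RO='rootfs / rootfs rw 0 0
/dev/sda3 / ext3 rw,noatime 0 0
/dev/fd0 /mnt/floppy vfat ro,nosuid,nodev,noexec 0 0'
SAMPLE_MOUNTS_RW='/dev/sda3 / ext3 rw,noatime 0 0
/dev/fd0 /mnt/floppy vfat rw,nosuid,nodev,noexec 0 0'

# Succeed (exit 0) only if mount point $1 appears in the mounts table $2 with
# the "ro" option; a mount point that is absent altogether is also a failure.
mounted_readonly() {
  printf '%s\n' "$2" | awk -v mp="$1" '
    BEGIN { found = 0 }
    $2 == mp {
      n = split($4, o, ",")
      for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Succeed only if every file tripwire needs for a check is present in media
# directory $1 for host name $2: tw.pol, HOST.twd, site.key and HOST-local.key
# (the naming scheme of the twcfg.txt above). Reports the first missing file.
tripwire_files_present() {
  for f in "$1/tw.pol" "$1/$2.twd" "$1/site.key" "$1/$2-local.key"; do
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  done
}

# Run both checks against the live system before a tripwire --check.
# Assumes the short hostname matches tripwire's $(HOSTNAME) variable.
preflight() {
  mounted_readonly /mnt/floppy "$(cat /proc/mounts)" \
    || { echo "/mnt/floppy is not mounted read-only" >&2; return 1; }
  tripwire_files_present /mnt/floppy "$(hostname)" || return 1
  echo "preflight OK: tripwire --check may proceed"
}
```

Mount the medium with -o ro explicitly: the physical write-protect switch is the real protection, and the mount check then also catches the case where the medium was mounted writable by mistake before the database was consulted.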

Testing Tripwire

Email

You will have to modify the policy file again if you want to have emails alert you to integrity failures. Read the comments in the policy file for more details. Before you do this, however, you must make sure that tripwire can successfully transmit emails. Luckily, the tripwire executable has a switch for a test mode:

Code: testing tripwire
tripwire --test -e me@example.com

I found that my MTA wasn't handling things properly (ssmtp, default on Gentoo 2006.0). (still working this out; will post later).

Retrieved from "http://www.gentoo-wiki.info/Tripwire"

Last modified: Tue, 08 Jul 2008 02:41:00 +0000