In this tutorial you will learn what Tripwire is, how to install it and how
to use it. You will learn the basics needed for simple monitoring of your system.
What is Tripwire
Tripwire is a file integrity checking tool originally written by Gene Kim with
Dr. Eugene Spafford. Tripwire examines the files named in its policy and records,
for each one, a cryptographic hash (MD5 in this tutorial; SHA-1, HAVAL and CRC-32
signatures can also be selected in the policy) together with attributes such as
owner, permissions, size and timestamps. It stores those values in a database,
signed with the local key, for future reference. When Tripwire is later run in
check mode, it examines the current files on the system, computes the same hashes
and attributes, compares them with what the database holds, and reports every file
that was added, removed or modified. Because MD5 collisions are practical today,
do not rely on the MD5 signature alone: the property masks in the policy control
which signatures are recorded, and requesting more than one raises the bar for an
attacker who wants to substitute a file without changing its recorded signatures.
Download the Tripwire program from sourceforge (http://sourceforge.net/projects/tripwire)
or from RPMfind (www.rpmfind.net).
Next, perform the installation that is right for your package. For example,
for the RPM version, issue:
rpm -ivh tripwire.xxx
For the .gz (tarball) format, issue:
tar zxvf tripwire.xxx
where xxx is the version you downloaded. Once that is complete, the installation
is next. Change directory (cd) to the appropriate directory. The default is
/etc/tripwire. In this directory the script that installs Tripwire is found. As
seen in Figure 1, issue the command to launch the installation script:
After a few moments you will be prompted to enter a local keyfile passphrase.
Choose a passphrase that contains letters, numbers and punctuation and is at
least 8 characters long (longer is better), and choose something you will not
easily forget: the local key signs the database and the reports, so without its
passphrase you cannot update the database later. After entering the passphrase,
Figure 2 displays what should be seen.
Figure 2: Install2
A passphrase for the site key is now required. Again, choose a passphrase using
the same requirements used for the local passphrase. The site key signs the
configuration and policy files, so its passphrase is needed whenever the policy
is changed. Tripwire is now installed on the Linux system and is ready to be
initialized.
Initialization is the step that creates the database holding the hashes and
attributes of every file selected by the policy. It is important to perform this
before any additional software is installed on the system and before the system
is placed on the network or the Internet. Only if the baseline is taken first can
one be assured that the database describes an untampered file system: Tripwire
detects changes relative to the baseline, but it cannot tell whether the baseline
itself was clean, so a database built after the machine has been exposed may
simply record an attacker's modifications as normal.
Figure 3: Initialization
To initialize the database, enter the command:
tripwire --init
Once that has begun, you should see output similar to Figure 3. This process
may take some time, and you will notice warnings on the screen about files that
could not be found. This is because the default policy lists files from a generic
Linux layout and assigns each a severity level; any entry that does not exist on
your system produces a file system error warning. Since this tutorial is about
getting Tripwire up and running quickly with minimal configuration, just ignore
those messages for now. They do not stop the database from being built and will
not cause problems when you update the database or check the integrity of the
file system; the policy section later in this tutorial shows how to silence them.
To get help or information on Tripwire, simply type:
tripwire --help
This will bring up a display similar to Figure 4.
Figure 4: Help
As shown in Figure 4, the primary commands used are:
tripwire --init (initializes and builds the database)
tripwire --check (checks the file system and compares it to the database
maintained by Tripwire)
tripwire --update-policy twpol.txt (compiles and signs the plain-text policy file
twpol.txt and rebuilds the database to match the new policy)
tripwire --update (updates the database from a check report, so that accepted
changes, for example from installing a new software package or adding a user,
become the new baseline)
tripwire --help all (displays more help options than listed above)
The easiest way to perform a check of your file system is to run the following:
tripwire -m c
Figure 5: check
As seen in Figure 5, the -m c switches (mode check, the same as --check) check
the system and display the report at the end. If there were a change in the
file system, you would be alerted in the report. In the example above, note the
three columns Added, Removed and Modified.
Figure 5 shows that 15 files were added and 55 files were modified on the system
since the last update was performed to the Tripwire database. The first time
the check is done, it is recommended that the output be redirected into a text
file that you can refer back to. This can be accomplished as:
tripwire -m c > tripwire_results.txt
After Tripwire has completed its check of the file system, open the text
document. Besides the report summary, it lists every file named in the policy
that Tripwire could not find on your system. The default policy is written for a
generic Linux layout, so many of the files Tripwire looks for may not exist on
the system being scanned. Go through that file, note each path reported as
missing, and comment out or delete its entry in the policy. The Tripwire file
that holds the list of files it checks is /etc/tripwire/twpol.txt.
Performing this step removes the warnings Tripwire would otherwise keep
reporting about files that never existed on the system.
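Reading a saved check report by hand works for one host; the script below, added here as an example and not part of the original tutorial or of Tripwire itself, pulls the three things you act on out of a report file: the Added/Removed/Modified counts per rule, the total violation count, and the paths listed in the Object Summary. The function names (tw_violated_rules, tw_total_violations, tw_changed_objects, tw_report_clean) are the example's own. It assumes the report layout of Open Source Tripwire (a "Rule Summary:" table whose rows end in four integers, a "Total violations found:" line, and an "Object Summary:" section with quoted paths under Added:/Removed:/Modified: headings); the report embedded in the script is constructed and abridged for the example, not captured from a real host.

```shell
#!/bin/sh
# Summarise a saved Tripwire check report (tripwire -m c > tripwire_results.txt).
# Added example: it assumes the Open Source Tripwire report layout and runs on
# the constructed sample below, not on output captured from a real host.
set -eu

# Rules with at least one violation, as: <added> <removed> <modified> <rule name>
# Tripwire marks such rows with a leading "*"; the counts are used instead so
# that a missing marker cannot hide a violation.
tw_violated_rules() {
    awk '
        /^Rule Summary:/   { in_rules = 1; next }
        /^Object Summary:/ { in_rules = 0 }
        in_rules && /[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+[ \t]*$/ {
            if ($(NF-2) + $(NF-1) + $NF == 0) next
            name = $0
            sub(/^[ \t*]+/, "", name)               # drop marker and indent
            sub(/[ \t]+[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+[ \t]*$/, "", name)
            printf "%s %s %s %s\n", $(NF-2), $(NF-1), $NF, name
        }
    ' "$1"
}

# Total number of violations Tripwire counted (0 means the report is clean).
tw_total_violations() {
    sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1"
}

# Paths from the Object Summary, as: <Added|Removed|Modified> <path>
tw_changed_objects() {
    awk '
        /^Object Summary:/ { in_objs = 1; next }
        /^Error Report:/   { in_objs = 0 }
        in_objs && /^(Added|Removed|Modified):[ \t]*$/ { kind = $1; sub(/:$/, "", kind); next }
        in_objs && /^"\/.*"$/ { path = $0; gsub(/"/, "", path); print kind, path }
    ' "$1"
}

# Succeeds only for a clean report, so a cron wrapper can page on failure.
tw_report_clean() {
    [ "$(tw_total_violations "$1")" = "0" ]
}

# Constructed, abridged sample in the report layout described above.
SAMPLE_REPORT=$(mktemp)
trap 'rm -f "$SAMPLE_REPORT"' EXIT
cat > "$SAMPLE_REPORT" <<'EOF'
Tripwire(R) 2.4 Integrity Check Report
===============================================================================
Report Summary:
===============================================================================
Host name:                    example.internal
Policy file used:             /etc/tripwire/tw.pol
Database file used:           /var/lib/tripwire/example.internal.twd
Command line used:            tripwire -m c
===============================================================================
Rule Summary:
===============================================================================
  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Invariant Directories           66                0        0        0
* Tripwire Data Files             100               1        0        0
* Critical system boot files      100               0        0        1
  User binaries                   66                0        0        0
* Root config files               100               1        0        2

Total objects scanned:  24117
Total violations found:  5
===============================================================================
Object Summary:
===============================================================================
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Added:
"/var/lib/tripwire/example.internal.twd"
Rule Name: Critical system boot files (/boot)
Modified:
"/boot/grub/grub.conf"
Rule Name: Root config files (/root)
Added:
"/root/.ssh/authorized_keys"
Modified:
"/root/.bashrc"
"/root/.ssh"
===============================================================================
Error Report:
===============================================================================
No Errors
*** End of report ***
EOF

if tw_report_clean "$SAMPLE_REPORT"; then
    echo "no violations"
else
    echo "violations: $(tw_total_violations "$SAMPLE_REPORT")"
    tw_violated_rules "$SAMPLE_REPORT"
    tw_changed_objects "$SAMPLE_REPORT"
fi
```

On a real host, point the functions at tripwire_results.txt (or at a report printed with twprint) instead of the sample; the exit status of tw_report_clean is what a cron job should key on, and the list from tw_changed_objects is the starting point for the incident review, since paths such as a new authorized_keys file under /root deserve attention before anything is accepted with --update.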
Configuring the Policy
Once initialization has completed, it is important to customize the policy so
that it does not report files you do not have. To accomplish this, edit the file
twpol.txt in Tripwire's default directory (/etc/tripwire) with vi or your
favorite editor. Using the warnings printed on screen during initialization or
saved in tripwire_results.txt, locate every file that was reported as missing
in twpol.txt and place a pound sign (#) at the start of its line. This comments
the entry out so that Tripwire will no longer look for that file when checking
the system. After all of the files not found during initialization are commented
out, the next step is to update the policy. This is accomplished by issuing the
following command:
tripwire --update-policy /etc/tripwire/twpol.txt
You will be prompted for the site and local passphrases you assigned, and
Tripwire will then compile and sign the policy from the edited twpol.txt and
rebuild the database to match. Once this completes, files that were reported
missing during initialization will no longer be reported. If you later want one
of these files monitored again, simply open twpol.txt, remove the # in front of
its entry, and run the --update-policy command again. Note that twpol.txt is
plain text and is only the source for the signed policy (tw.pol) that Tripwire
actually enforces: keep it, the configuration and the key files readable only by
root, since anyone who can edit the policy can exclude their own changes from
the checks.
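The comment-out step above is mechanical and easy to get wrong by hand on a policy of several hundred entries, so here is a script, added as an example and not part of the tutorial or of Tripwire, that reads the "Filename:" warnings out of saved tripwire output and comments out exactly those entries in twpol.txt. The helper names (tw_missing_from_log, tw_comment_missing, tw_comment_missing_inplace) are the example's own. It assumes the warning lines contain "Filename: <path>" as Open Source Tripwire prints them during --init and --check, that a policy entry starts with its path as the first token of the line, and that only an exact path match should be touched (so /usr/sbin/fixrmtab never silences /usr/sbin/fixrmtab.old). Both the policy excerpt and the log are constructed for the example.

```shell
#!/bin/sh
# Comment out twpol.txt entries for files Tripwire reported as missing.
# Added example, not part of Tripwire: it assumes the "### Filename: <path>"
# warning lines Open Source Tripwire prints during --init and --check, and
# policy entries of the form "<path> -> <property mask> ;". The policy
# excerpt and the log below are constructed for the example.
set -eu

# Unique paths named in "Filename:" warnings of a saved init or check log.
tw_missing_from_log() {
    sed -n 's/^.*Filename:[[:space:]]*//p' "$1" | sed 's/[[:space:]]*$//' | sort -u
}

# Print $1 (twpol.txt) with "#" prepended to every entry whose path appears
# in $2 (one path per line). Only an exact match of the first token counts,
# so /usr/sbin/fixrmtab never silences /usr/sbin/fixrmtab.old, and lines that
# are already comments are left alone, which makes the edit idempotent.
tw_comment_missing() {
    awk -v listfile="$2" '
        BEGIN { while ((getline p < listfile) > 0) if (p != "") missing[p] = 1 }
        {
            tok = $1
            gsub(/"/, "", tok)                     # policy paths may be quoted
            if (tok in missing && $0 !~ /^[ \t]*#/) { print "#" $0; next }
            print
        }
    ' "$1"
}

# In-place variant: keeps <policy>.bak; the edited policy is then activated with
#   tripwire --update-policy /etc/tripwire/twpol.txt
# which compiles and signs it and rebuilds the database to match.
tw_comment_missing_inplace() {
    cp -p "$1" "$1.bak" || return 1
    tw_comment_missing "$1.bak" "$2" > "$1"
}

# Constructed sample inputs (layout of the stock twpol.txt and of --init output).
SAMPLE_POLICY=$(mktemp); SAMPLE_LOG=$(mktemp); MISSING_LIST=$(mktemp)
trap 'rm -f "$SAMPLE_POLICY" "$SAMPLE_LOG" "$MISSING_LIST"' EXIT
cat > "$SAMPLE_POLICY" <<'EOF'
# Constructed excerpt in the layout of the stock twpol.txt
SEC_CRIT   = $(IgnoreNone)-SHa ;
SEC_CONFIG = $(Dynamic) ;
(
  rulename = "Critical system binaries",
  severity = $(SIG_HI)
)
{
  /sbin/init                    -> $(SEC_CRIT) ;
  /usr/sbin/fixrmtab            -> $(SEC_CRIT) ;
  /usr/sbin/fixrmtab.old        -> $(SEC_CRIT) ;
}
(
  rulename = "Root config files",
  severity = $(SIG_HI)
)
{
  /root/.bashrc                 -> $(SEC_CONFIG) ;
  /root/.tcshrc                 -> $(SEC_CONFIG) ;
  #/root/.zshrc                 -> $(SEC_CONFIG) ;
}
EOF
cat > "$SAMPLE_LOG" <<'EOF'
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /root/.tcshrc
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /root/.zshrc
### No such file or directory
### Continuing...
EOF

tw_missing_from_log "$SAMPLE_LOG" > "$MISSING_LIST"
tw_comment_missing "$SAMPLE_POLICY" "$MISSING_LIST"
```

Run against the real files as root, for example tw_missing_from_log tripwire_results.txt > missing.txt followed by tw_comment_missing_inplace /etc/tripwire/twpol.txt missing.txt, then review the diff against twpol.txt.bak before running --update-policy: a path that is missing because an attacker deleted it looks exactly like a path that never existed, so the list is worth a glance rather than blind acceptance.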
Tripwire is essential for anyone who wants to know what is happening to their
systems. It is part of a defense in depth strategy, also known as layered
security. Firewalls are critical at the borders, and network intrusion detection
(NIDS) is also very important in a secure environment. However, if either the
firewall or the NIDS alerts you to an incident, Tripwire lets you determine the
integrity of the system quickly: a check tells you exactly which files were
added, removed or modified, which takes the guesswork out of figuring out what
happened and lets the administrators assess and repair with limited downtime.
That verdict is only as trustworthy as the database, the keys and the tripwire
binary itself, so keep a copy of the database and the signed policy on read-only
or offline media and compare against that copy when a compromise is suspected.
Further reports on installing and using Tripwire are in the works, including a
more advanced how-to for those craving more.