You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
273 lines
11 KiB
273 lines
11 KiB
tripwire.txt v. 11 Sept 2013
|
|
|
|
Introduction to Tripwire, with Gentoo-specific installation information
|
|
|
|
Tripwire software can monitor the integrity of critical system files and
|
|
directories by identifying specified changes made to selected system
|
|
files and directories. Configure Tripwire software to monitor your
|
|
system in the way that is best for you.
|
|
|
|
Tripwire software works by comparing files and directories against a
|
|
defined baseline, stored in a tripwire-created database. Tripwire
|
|
generates the baseline by taking a "snapshot" of specified files and
|
|
directories. Tripwire software then compares the current system against
|
|
the baseline and reports modifications, additions, or deletions. Use
|
|
Tripwire software for system security, intrusion detection, damage
|
|
assessment, and recovery forensics.
|
|
|
|
|
|
To set-up Tripwire Configuration
|
|
|
|
The Tripwire tarball installs the basic program files needed to run the
|
|
software. However, this installation does not prepare the configuration
|
|
files that Tripwire needs to perform correctly. After you install the
|
|
tripwire executable files and example configuration, you must:
|
|
|
|
1. Review and perhaps edit the plain-text tripwire configuration file
|
|
(/etc/tripwire/twcfg.txt) with a text editor, if desired.
|
|
|
|
2. Either run a configuration script (twsetup.sh from Gentoo's mktwpol
|
|
package, or tripwire-setup-keyfiles from Red Hat, or deprecated
|
|
twinstall.sh, also from Red Hat), or run the program `twadmin` with
|
|
the correct command line switches to make key files and encrypt/sign
|
|
the tripwire configuration file.
|
|
|
|
Make site key file
|
|
------------------
|
|
`twadmin --generate-keys -S /etc/tripwire/site.key`
|
|
|
|
Make local key file
|
|
-------------------
|
|
`twadmin --generate-keys -L /etc/tripwire/$HOSTNAME-local.key`
|
|
|
|
Make mandatory signed tripwire configuration file (tw.cfg)
|
|
----------------------------------------------------------
|
|
`twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt`
|
|
|
|
Note: Once encrypted/signed, the configuration file, tw.cfg, must not be
|
|
renamed or moved. The plain-text tripwire configuration file (twcfg.txt)
|
|
should be deleted. It can be recreated with `twadmin --print-cfgfile`
|
|
|
|
3. Make a plain-text policy file. The use of the name twpol.txt is
|
|
common, but the name of this file is not defined or used by Tripwire,
|
|
other than preparation of the encrypted/signed policy file.
|
|
|
|
To make the plain-text policy file, either run a policy file generator
|
|
(for example, mktwpol.sh from Gentoo's mktwpol package), or edit the
|
|
plain-text policy file (twpol-GENERIC.txt, or twpol.txt, or similar)
|
|
with a text editor. The plain-text policy file should not refer to
|
|
any non-existent file or directory.
|
|
|
|
If you edit twpol-GENERIC.txt to act as your plain-text policy file,
|
|
provide your system's HOSTNAME at line 61. If you don't provide
|
|
the correct HOSTNAME, a tripwire inspection of the target computer's
|
|
filesystem will fail to check the tripwire database file for changes.
|
|
|
|
TWDB=/var/lib/tripwire/YOUR_HOSTNAME.twd;
|
|
|
|
4. Convert the plain-text policy file into the encrypted/signed form
|
|
that tripwire will refer to as it examines the files on the target
|
|
computer's filesystem. The default filename for the encrypted/signed
|
|
policy file is defined in the tripwire configuration file (tw.cfg)
|
|
and is usually tw.pol. The encryption/signing of plain-text twpol.txt
|
|
is done with yet another `twadmin` command line.
|
|
|
|
Make mandatory encrypted/signed system inspection policy file
|
|
--------------------------------------------------------------
|
|
`twadmin -m P -c /etc/tripwire/tw.cfg /etc/tripwire/twpol.txt`
|
|
|
|
Note: If you modify the plain-text policy file after running the
|
|
configuration script, you must re-sign the plain-text policy file before
|
|
initializing the database file. Tripwire baseline database creation and
|
|
inspections refer to the encrypted/signed policy file, not to the
|
|
plain-text policy file.
|
|
|
|
Note: The plain-text tripwire policy file (twpol.txt) should be deleted.
|
|
It can be recreated with `twadmin --print-polfile`
|
|
|
|
5. Initialize the Tripwire database file.
|
|
|
|
Record current file attributes in the tripwire database
|
|
-------------------------------------------------------
|
|
`tripwire --init -c /etc/tripwire/tw.cfg`
|
|
|
|
Note: Tripwire might issue some "Warning: File system error" errors,
|
|
and appear to hang. But as long as it follows with "### Continuing...",
|
|
it is still working.
|
|
|
|
6. Run the first integrity check.
|
|
|
|
`tripwire --check -c /etc/tripwire/tw.cfg`
|
|
|
|
Note: The use of "-c /etc/tripwire/tw.cfg" is not required if Tripwire
|
|
uses the default tripwire configuration directory and file names. If
|
|
you defer to tripwire default filenames, then updating a text policy
|
|
file into a tripwire database, and running an integrity check, can be
|
|
done with these commands:
|
|
|
|
`twadmin --create-polfile /etc/tripwire/twpol.txt`
|
|
`tripwire --init`
|
|
`tripwire --check`
|
|
|
|
Modifying the Policy File
|
|
|
|
How Tripwire software checks your system is specified in the Tripwire
|
|
plain-text policy file (twpol.txt). A default policy file is included in
|
|
the Tripwire software installation. This policy file should be tailored
|
|
to fit your particular system. Tailoring the policy file is necessary
|
|
to take advantage of Tripwire software's ability to monitor changes on
|
|
your system.
|
|
|
|
The plain-text policy file is usually located at /etc/tripwire/twpol.txt.
|
|
An example policy file (located at /etc/tripwire/twpol-GENERIC.txt, or
|
|
at /usr/share/doc/tripwire-VER#-REL#/policyguide.txt) is included to
|
|
help you learn the policy language. Read the sample policy files and
|
|
the comments in the sample policy file to learn the policy language.
|
|
|
|
After you modify the plain-text policy file, don't forget!
|
|
|
|
encrypt/sign using `twadmin --create-polfile /etc/tripwire/twpol.txt`
|
|
|
|
|
|
Selecting Passphrases
|
|
|
|
Tripwire files are encrypted/signed using site or local keys. These keys
|
|
are protected by passphrases. When selecting passphrases, the following
|
|
recommendations apply:
|
|
|
|
Use at least eight alphanumeric and symbolic characters for each
|
|
passphrase. The maximum length of a passphrase is 1023 characters.
|
|
Quotes should not be used as passphrase characters.
|
|
|
|
Assign a unique passphrase for the site key. The site key passphrase
|
|
protects the site key, which is used to sign Tripwire software
|
|
configuration and policy files. Assign a unique passphrase for the local
|
|
key. The local key signs the Tripwire baseline database file. The local
|
|
key may sign the Tripwire report files also.
|
|
|
|
Store the passphrases in a secure location. There is no way to remove
|
|
encryption from a signed file if you forget your passphrase and lost the
|
|
key files. If you forget the passphrases, the files are unusable. In
|
|
that case you must create new key files and the baseline database.
|
|
|
|
|
|
Initializing the Database
|
|
|
|
In Database Initialization mode, Tripwire software builds a database of
|
|
filesystem objects based on the rules in the policy file. This database
|
|
serves as the baseline for integrity checks. The syntax for Database
|
|
Initialization mode is:
|
|
|
|
`tripwire --init -c /etc/tripwire/tw.cfg`
|
|
|
|
|
|
Running an Integrity Check
|
|
|
|
The Integrity Check mode compares the current file system objects with
|
|
their properties recorded in the Tripwire database. Violations are
|
|
printed to stdout. The report file is saved and can later be accessed by
|
|
twprint. An email option enables you to send email. The syntax for
|
|
Integrity Check mode is:
|
|
|
|
`tripwire --check -c /etc/tripwire/tw.cfg`
|
|
|
|
|
|
Printing Reports - twprint Print Report Mode
|
|
|
|
The twprint --print-report mode prints the contents of a Tripwire
|
|
report. If you do not specify a report with the --twrfile or -r
|
|
command-line argument, the default report file specified by the
|
|
configuration file REPORTFILE variable is used.
|
|
|
|
Example: On a machine named LIGHTHOUSE, the command could be:
|
|
|
|
`twprint -m r --twrfile LIGHTHOUSE-19990622-021212.twr`
|
|
|
|
|
|
Updating the Database after an Integrity Check
|
|
|
|
Database Update mode enables you to update the Tripwire database after
|
|
an integrity check if you determine that the violations discovered are
|
|
valid. This update process saves time by enabling you to update the
|
|
database without having to re-initialize it. It also enables selective
|
|
updating, which cannot be done through re-initialization. The syntax for
|
|
Database Update mode is:
|
|
|
|
`tripwire --update`
|
|
|
|
|
|
Updating the Policy File
|
|
|
|
Change the way that Tripwire software scans the system by changing the
|
|
rules in the policy file. You can then update the database without a
|
|
complete re-initialization. This saves a significant amount of time and
|
|
preserves security by keeping the policy file synchronized with the
|
|
database it uses. The syntax for Policy Update mode is:
|
|
|
|
`tripwire --update-policy`
|
|
|
|
|
|
Testing email functions
|
|
|
|
Test mode tests the software's email notification system, using the
|
|
settings currently specified in the configuration file. The syntax for
|
|
Email Test Reporting mode is:
|
|
|
|
`tripwire --test`
|
|
|
|
|
|
Tripwire Components
|
|
|
|
The policy file begins as a text file containing comments, rules,
|
|
directives, and variables. These dictate the way Tripwire software
|
|
checks your system. Each rule in the policy file specifies a system
|
|
object to be monitored. Rules also describe which changes to the object
|
|
to report, and which to ignore.
|
|
|
|
System objects are the files and directories you wish to monitor. Each
|
|
object is identified by an object name. A property refers to a single
|
|
characteristic of an object that Tripwire software can monitor.
|
|
Directives control conditional processing of sets of rules in a policy
|
|
file. During installation, the text policy file is encrypted/signed and
|
|
renamed, and becomes the active policy file.
|
|
|
|
The database file is an important component of Tripwire software. When
|
|
first installed, Tripwire software uses the policy file rules to create
|
|
the database file. The database file is a baseline "snapshot" of the
|
|
system in a known secure state. Tripwire software compares this baseline
|
|
against the current system to determine what changes have occurred. This
|
|
is an integrity check.
|
|
|
|
When you perform an integrity check, Tripwire software produces report
|
|
files. Report files summarize any changes that violated the policy file
|
|
rules during the integrity check. You can view the report file in a
|
|
variety of formats, at varying levels of detail.
|
|
|
|
The Tripwire configuration file stores system-specific information, such
|
|
as the location of Tripwire data files. Tripwire software generates some
|
|
of the configuration file information during installation. The system
|
|
administrator can change parameters in the configuration file at any
|
|
time. The configuration file variables POLFILE, DBFILE, REPORTFILE,
|
|
SITEKEYFILE, and LOCALKEYFILE specify where the policy file, database
|
|
file, report files, and site and local key files reside. These variables
|
|
must be defined or the configuration file is invalid. If any of these
|
|
variables are undefined, an error occurs on execution of Tripwire
|
|
software and the program exits.
|
|
|
|
|
|
Tripwire Help
|
|
|
|
All Tripwire commands support the help arguments.
|
|
|
|
Example: To get help with Create Configuration File mode, type:
|
|
|
|
`twadmin --help --create-cfgfile`
|
|
|
|
-? Display usage and version information
|
|
--help Display all command modes
|
|
--help all Display help for all command modes
|
|
--help [mode] Display help for current command mode
|
|
--version Display version information
|
|
|
|
We recommend you read the Tripwire Release Notes and README file.
|