SECURITY-Tripwire

Douglas J. Hunley (Linux User #174778)
http://hunley.homeip.net/

After installing and playing w/ Tripwire on my box over the past couple of months, I decided it was time to write things up.

So here's how to set up Tripwire on a Caldera system:

1. Download Tripwire (www.tripwire.org) binaries
2. Run the install.sh file included in the tar.gz file
3. Review and edit the attached twcfg.txt file (it's commented)
4. Install the twcfg.txt file as your site config by typing:

twadmin --create-cfgfile --site-keyfile \
/etc/tripwire/site.key /path/to/twcfg.txt

5. Review and edit the attached twpol.txt file (it's commented)
6. Install the twpol.txt file as your site policy file by typing:

twadmin --create-polfile /path/to/twpol.txt

7. Initialize your Tripwire database by typing: tripwire --init
8. Create some cron jobs to check your system against the new Tripwire database like so:

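cd /etc/cron.d/lib
# Hourly job: brief report (level 1)
cat << EOF > tripwire_hourly
#!/bin/sh
/usr/sbin/tripwire --check --email-report --email-report-level 1 >/dev/null 2>&1
EOF
# Daily job: more detailed report (level 3)
cat << EOF > tripwire_daily
#!/bin/sh
/usr/sbin/tripwire --check --email-report --email-report-level 3 >/dev/null 2>&1
EOF
# The scripts must be executable for cron to run them
chmod 755 tripwire_hourly tripwire_daily
# Link the scripts into the hourly and daily cron directories
cd ../Hourly
ln -s ../lib/tripwire_hourly 10tripwire
cd ../Daily
ln -s ../lib/tripwire_daily 10tripwire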

You're done. You will now get an hourly email showing a brief report of anything that's changed on your system like this:

Added: /usr/bin/bash
Modified: /usr/bin
Modified: /etc/passwd

And you'll get a daily email showing the day's changes to your system with a fairly detailed level of report. It will look something like:

Modified Object Name: /usr/bin
 property:     Expected                   Observed
 --------      --------                   --------
*Modify time   Tue Oct 05 16:00:45 1999   Sun Oct 17 18:38:42 1999

Once you have received a report, reviewed the changes, and decided that everything is as it should be, you need to update your database. Do this by typing:

tripwire --update --verbose --twrfile \
/var/lib/tripwire/report/<latest tripwire report>

Please note that Tripwire uses two different keys for operation: a site key and a local key. Please do NOT make both keys the same! That entirely defeats the purpose. One cool trick with the dual-key system is that you can create a site key that is good on all machines in your enterprise, and each admin can have a different local key for all the machines he/she is in control of. This allows you to write one policy file for all your systems (you can use the conditional features to "if/else" machine-specific things), sign it with the site key, and distribute it. You install the policy on all the boxes; the local admins can't change it, but they can update the database, etc.

Note: To generate the list of SUID/SGID files on your system, execute:

find / -type f \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
\( -perm -u+s -or -perm -g+s \) -print
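
As an added example (not part of the original write-up or of Tripwire itself), this shell function turns the SUID/SGID list from the find command above into rule lines for twpol.txt. The function name suid_rules and the policy variable SEC_SUID are assumptions; define that variable in your own policy or pass a different name.

```sh
#!/bin/sh
# Added example: print Tripwire policy rules for every SUID/SGID executable.
# SEC_SUID is an assumed policy variable; define it in twpol.txt or pass
# another name as the second argument.

# suid_rules [DIR] [VAR]
#   Prints one 'object -> $(VAR) ;' line per SUID/SGID regular file under DIR.
suid_rules() {
    root=${1:-/}
    var=${2:-SEC_SUID}
    # Same selection as the find command above, in portable octal form:
    # executable by someone AND (setuid OR setgid).
    find "$root" -type f \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
        \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    LC_ALL=C sort |
    while IFS= read -r path; do
        case $path in
            *[\"\\]*)
                # Needs hand-written escaping in the policy file; report it.
                echo "skipped, add by hand: $path" >&2 ;;
            *[!A-Za-z0-9_./+-]*)
                # Names with spaces or other special characters are quoted.
                printf '"%s" -> $(%s) ;\n' "$path" "$var" ;;
            *)
                printf '%s -> $(%s) ;\n' "$path" "$var" ;;
        esac
    done
}

# Run as a script: sh suid_rules.sh / SEC_SUID >> /path/to/twpol.txt
if [ "$#" -gt 0 ]; then
    suid_rules "$@"
fi
```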

Enjoy!
