In the past, one would store the baseline image of the system on a locked floppy disk or another system; however, this commercial/binary version of Tripwire stores the database or snapshot directly on the hard drive in an encrypted format. This made it quite easy for me to do the installation directly from home. The process was not difficult, particularly in that it did not require making or compiling--it was already a binary. However, it did entail two levels of configuration: the first concerning the program particulars, like the final directory for Tripwire and the default editor, etc.; the second dealt with the configuration file that instructs Tripwire as to what it should include in the baseline image of the system. The latter of course was a little more difficult, but I was rather comfortable with the overall process. In the future, I'd like to start with a cleaner system, as this Redhat Linux box has been up for just over a month now, with no active security measures other than my patching of security holes and disabling of insecure daemons (ftp, telnet).
TWROOT="/usr/local/tripwire"
...
TWMAILPROGRAM="/usr/lib/sendmail -oi -t"
I opted to store Tripwire in the same place as the rest of my installations (/usr/local/), and I corrected the location of sendmail for my system.
Then I began the installation:
# ./install.sh
Immediately there was some concern with the version of my system, as Tripwire 2.2.1 only supported Redhat through version 6.0. Obviously they're a little behind, but I assumed that my 6.2 system couldn't be much different from 6.0. Then I selected a site and a local passphrase. At this point Tripwire was copied to the appropriate directories, and policy files were created that I could configure to customize what and where Tripwire scanned for the baseline image.
#./twadmin --create-polfile ../policy/twpol.txt
Please enter your site passphrase:
Wrote policy file: /usr/local/tripwire/policy/tw.pol
Finally, I needed to initialize the database. This is the crucial step where Tripwire takes a snapshot of the system based on the configurations in the tw.pol file. To do this I issued the command:
# ./tripwire --init
Please enter your local passphrase:
Parsing policy file: /usr/local/tripwire/policy/tw.pol
Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /usr/local/bin/ssh1
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/local/bin/ssh-signer2
### No such file or directory
### Continuing...
As you can see, Tripwire immediately found errors in the pol file, mostly because I didn't know what existed on my system and what did not. In fact it spit out a list of over 45 different files and directories that it couldn't find. A handful, like ssh and httpd, looked familiar to me, so I went back and edited the twpol.txt file. Others just weren't installed on my system (I checked for them using the locate command), so I commented most of the errors out. After two iterations of searching for these errors, I again updated the .pol configuration file:
#./tripwire -m p --secure-mode low ../policy/twpol.txt
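The "No such file or directory" warnings above come from policy entries naming objects that are not on the host. The following script is an added example (not part of Tripwire or of this write-up) that checks each object line of a twpol.txt against the filesystem and comments out the missing ones before the first --init; the sample policy it writes is constructed, and entries that start with a policy variable such as $(TWBIN) are left untouched because the script cannot resolve them.

```shell
#!/bin/sh
# Pre-flight for a Tripwire policy file (twpol.txt): comment out object lines
# whose path does not exist on this host, so "tripwire --init" is not flooded
# with "No such file or directory" warnings.  Lines whose path starts with a
# policy variable such as $(TWBIN) cannot be resolved here and are kept as-is.
# Added example, not part of Tripwire; the sample policy below is constructed.

# comment_missing_objects IN OUT: writes the checked policy to OUT and prints
# the number of object lines that were commented out.
comment_missing_objects() {
    in="$1"; out="$2"; missing=0
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$trimmed" in
            /*|!/*)                      # object line; "!" marks an exclusion
                path=$(printf '%s' "$trimmed" | awk '{print $1}')
                path=${path#!}           # drop the exclusion marker
                path=${path%%->*}        # guard against "path->rule" with no space
                path=${path%;}           # drop a trailing statement terminator
                if [ -e "$path" ]; then
                    printf '%s\n' "$line" >> "$out"
                else
                    printf '# MISSING: %s\n' "$line" >> "$out"
                    missing=$((missing + 1))
                fi ;;
            *)  printf '%s\n' "$line" >> "$out" ;;
        esac
    done < "$in"
    echo "$missing"
}

# Constructed sample policy in twpol.txt syntax (paths chosen so that /bin/sh
# exists and the two /nonexistent entries do not).
write_sample_policy() {
    cat > "$1" <<'EOF'
(
  rulename = "User binaries",
  severity = 66
)
{
  /bin/sh                     -> $(SEC_BIN) ;
  /nonexistent/ssh1           -> $(SEC_BIN) ;
  !/nonexistent/ssh-signer2 ;
  $(TWBIN)/tripwire           -> $(SEC_BIN) ;
}
EOF
}
```

Run it as `comment_missing_objects twpol.txt twpol.checked.txt`, review the lines marked `# MISSING:`, and feed the checked file to `twadmin --create-polfile` (or `tripwire -m p`) as the write-up does.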
And then I again issued the command that creates the secure snapshot of the files specified in tw.pol:
# ./tripwire --init
Generating the database...
*** Processing Unix File System ***
Wrote database file: /usr/local/tripwire/db/ttk210.sph.unc.edu.twd
The database was successfully generated.
The database generation took several minutes, but eventually it completed. Assuming my system is secure, this baseline image is what Tripwire will use to compare future system states against.
/usr/local/tripwire/bin/tripwire --check | /bin/mail -s "nchcap tripwire" jwatt@email.unc.edu
This also took quite some time to complete, but eventually I received a message in my UNC email account that looked like this:
Parsing policy file: /usr/local/tripwire/policy/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /usr/local/tripwire/report/ttk210.sph.unc.edu-20001024-002026.twr
Tripwire(R) 2.2.1 Integrity Check Report
Report generated by:             root
Report created on:               Tue 24 Oct 2000 12:20:26 AM EDT
Database last updated on:        Never
===============================================================================
Report Summary:
===============================================================================
Host name:                       ttk210.sph.unc.edu
Host IP address:                 152.2.38.210
Host ID:                         298d226
Policy file used:                /usr/local/tripwire/policy/tw.pol
Configuration file used:         /usr/local/tripwire/bin/tw.cfg
Database file used:              /usr/local/tripwire/db/ttk210.sph.unc.edu.twd
Command line used:               ./tripwire --check
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name                       Severity Level    Added    Removed    Modified
---------                       --------------    -----    -------    --------
Invariant Directories           66                0        0          0
Tripwire Data Files             100               0        0          0
Temporary directories           33                0        0          0
Critical devices                100               0        0          0
Tripwire Binaries               100               0        0          0
User binaries                   66                0        0          0
Configuration Files             0                 0        0          0
Libraries                       66                0        0          0
Critical configuration files    100               0        0          0
setuid/setgid                   100               0        0          0
OS executables and libraries    100               0        0          0
Shell Binaries                  0                 0        0          0
Security Control                0                 0        0          0
Boot Scripts                    0                 0        0          0
Login Scripts                   0                 0        0          0
System boot changes             100               0        0          0
Critical system boot files      100               0        0          0
(/boot)
Root config files               100               0        0          0
(/root)
Total objects scanned: 11056
Total violations found: 0
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
No violations.
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Copyright (C) 1998-2000 Tripwire(R) Security Systems, Inc.
Tripwire(R) is a registered trademark of the Purdue Research
Foundation and is licensed exclusively to Tripwire(R) Security
Systems, Inc.
Integrity check complete.
Basically it confirmed for me that the system had not changed since I created the baseline image. The last step then involved putting the command above in root's crontab file, which looked like this:
# Checks system against Tripwire database every day at 10pm
0 22 * * * /usr/local/tripwire/bin/tripwire --check | /bin/mail -s "nchcap tripwire" jwatt@email.unc.edu
As the comment hints, this has Tripwire check the system every night at 10pm. So far in two nights, the only changes I've seen have been caused by me, but at least Tripwire is out there watching for the changes that were not made by me.