Tripwire software can help to ensure the integrity of critical system files and directories by identifying all changes made to them. Tripwire configuration options include the ability to receive alerts via email if particular files are altered and automated integrity checking via a cron job. Using Tripwire for intrusion detection and damage assessment helps you keep track of system changes and can speed the recovery from a break-in by reducing the number of files you must restore to repair the system.
Tripwire compares files and directories against a baseline database of file locations, modification dates, and other data. It generates the baseline by taking a snapshot of specified files and directories in a known secure state. (For maximum security, Tripwire should be installed and the baseline created before the system is at risk from intrusion.) After creating the baseline database, Tripwire compares the current system to the baseline and reports any modifications, additions, or deletions.
Tripwire installation and configuration
Download the Tripwire source package.
Place it in a directory (here /root) and run the following commands to unpack it (the version string in the file name was garbled in the original page; substitute the version you downloaded for <version>):
<root># tar -xvf tripwire-<version>-src.tar.bz2
Now change into the unpacked source directory and run the configure script:
<root># cd tripwire-<version>-src
<tripwire-<version>-src># ./configure
Then continue with the build and installation. During installation the site key and the local key are generated and registered; check the hostname of the server with the "hostname" command before generating the local key, because the local key file is named after the hostname (see server2.test.com-local.key below).
Once the above process has completed, you can configure Tripwire as required:
Install location: /usr/local/etc
Files you may need to change: twcfg.txt (in this case no change is required, because you are using the default keys)
twpol.txt: this is the file where you make the changes needed to monitor the required directories and files.
Please note that after every change to the text policy file you need to regenerate the signed (binary) version of the policy file with twadmin, and then re-initialize the database with tripwire --init, using the following commands:
Make the binary version of the policy file:
twadmin --create-polfile --cfgfile tw.cfg --polfile tw.pol --site-keyfile site.key twpol.txt
Initialize the baseline database from the signed policy file:
tripwire --init --cfgfile tw.cfg --polfile tw.pol --site-keyfile site.key --local-keyfile server2.test.com-local.key
Print the database record stored for a single file, for example /etc/hosts:
/usr/sbin/twprint -m d --print-dbfile /etc/hosts
Within the /usr/sbin/ directory you will find the following programs:
- tripwire — Initializes the database and performs integrity checks.
- twadmin — Creates the signed configuration and policy files and manages keys.
- twprint — Prints the database and report files in readable form.
- siggen — Prints the hash signatures of individual files.
Within the /etc/tripwire/ directory you will find the following files:
- twinstall.sh — The initialization script for Tripwire.
- twcfg.txt — The sample configuration file supplied by the Tripwire RPM.
- tw.cfg — The signed configuration file created by the twinstall.sh script.
- twpol.txt — The sample policy file supplied by the Tripwire RPM.
- tw.pol — The signed policy file created by the twinstall.sh script.
- Key files — The local and site keys created by the twinstall.sh script, which end with a .key file extension.
After running the twinstall.sh installation script you will find the following files in the /var/lib/tripwire/ directory:
- The Tripwire database — The database of your system's files, which has a .twd file extension.
- Tripwire reports — The report/ directory is where Tripwire reports are stored.
The next section explains more about the roles these files play in the Tripwire system.
Tripwire components
The following describes in more detail the roles the files listed in the previous section play in the Tripwire system.
Tripwire configuration file (tw.cfg)
This is the encrypted Tripwire configuration file, which stores system-specific information such as the location of the Tripwire data files. The twinstall.sh installer script and the twadmin command generate this file using the information in the text version of the configuration file, /etc/tripwire/twcfg.txt.
After running the installation script, the system administrator can change parameters by editing /etc/tripwire/twcfg.txt and regenerating a signed copy of the tw.cfg file using the twadmin command.
Tripwire policy file (tw.pol)
The active Tripwire policy file is an encrypted file containing comments, rules, directives, and variables. This file dictates the way Tripwire checks your system. Each rule in the policy file specifies a system object to be monitored. Rules also describe which changes to the object to report and which to ignore.
System objects are the files and directories you wish to monitor. Each object is identified by an object name. A property is a single characteristic of an object that Tripwire can monitor, such as its size, permissions, or hash. Directives control conditional processing of sets of rules in a policy file. During installation, the sample text policy file, /etc/tripwire/twpol.txt, is used to generate the active Tripwire policy file.
After running the installation script, the system administrator can update the Tripwire policy file by editing /etc/tripwire/twpol.txt and regenerating a signed copy of the tw.pol file using the twadmin command.
Tripwire database (.twd)
When first initialized, Tripwire uses the rules in the signed policy file to create this database file. The Tripwire database is a baseline snapshot of the system in a known secure state. Tripwire compares this baseline against the current system to determine what changes have occurred. This comparison is called an integrity check.
Tripwire reports (.twr)
When you perform an integrity check, Tripwire produces report files in the /var/lib/tripwire/report/ directory. The report files summarize any file changes that violated the policy file rules during the integrity check. Tripwire reports are named using the following convention: host_name-date_of_report-time_of_report.twr. These reports detail the differences between the Tripwire database and your actual system files.
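The baseline, policy-rule and integrity-check mechanism described above (the baseline snapshot, per-object rules that list which properties to compare, and a report of additions, deletions and modifications) is shown below as a small self-contained Python program. This is an added example written for this page, not Tripwire's own code; the directory layout, the POLICY table with its "etc", "bin" and "log" rules, and the tampering performed in demo() are all constructed for illustration.

```python
"""Minimal Tripwire-style integrity checker (added example, not Tripwire's code).

snapshot() builds the baseline (the analogue of the .twd database),
integrity_check() compares the live tree against it and returns a report
of added, removed and modified objects. A per-path rule decides which
properties are compared, mirroring how a Tripwire policy rule names the
properties to check for each system object.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Properties a rule may ask to compare; "hash" is the SHA-256 of the contents.
ALL_PROPS = ("size", "mode", "hash")

# Constructed policy: which properties matter under each top-level directory.
# Log files grow legitimately, so only their permission bits are checked.
POLICY = {
    "etc": ("size", "mode", "hash"),
    "bin": ("size", "mode", "hash"),
    "log": ("mode",),
}


def file_properties(path: Path) -> dict:
    """Collect the monitored properties of one file."""
    st = path.lstat()
    props = {"size": st.st_size, "mode": oct(stat.S_IMODE(st.st_mode)), "hash": None}
    if path.is_file():
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        props["hash"] = h.hexdigest()
    return props


def snapshot(root: Path) -> dict:
    """Baseline database: relative path -> properties for every file under root."""
    db = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            db[p.relative_to(root).as_posix()] = file_properties(p)
    return db


def rule_for(rel: str) -> tuple:
    """Look up which properties the policy compares for this object."""
    return POLICY.get(rel.split("/", 1)[0], ALL_PROPS)


def integrity_check(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the baseline and report policy violations."""
    current = snapshot(root)
    report = {"added": [], "removed": [], "modified": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            changed = [p for p in rule_for(rel) if baseline[rel][p] != current[rel][p]]
            if changed:
                report["modified"][rel] = changed
    return report


def demo() -> dict:
    """Build a constructed tree, take the baseline, tamper with it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("etc", "bin", "log"):
            (root / d).mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed binary")
        (root / "bin" / "cat").write_bytes(b"\x7fELF constructed cat")
        (root / "log" / "messages").write_text("boot ok\n")
        os.chmod(root / "log" / "messages", 0o640)
        baseline = snapshot(root)

        # Simulated changes after the baseline was taken.
        with (root / "etc" / "hosts").open("a") as f:
            f.write("10.0.0.5 extra-host.example\n")  # content change: reported
        with (root / "log" / "messages").open("a") as f:
            f.write("more log lines\n")  # growth: ignored by the log rule
        os.chmod(root / "log" / "messages", 0o666)  # mode change: reported by the log rule
        (root / "bin" / "cat").unlink()  # deletion: reported
        (root / "bin" / "newtool").write_bytes(b"new")  # addition: reported
        return integrity_check(root, baseline)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The real tool additionally signs the database and policy file with the site and local keys, so that an intruder who can write to the filesystem cannot silently rewrite the baseline; this example omits signing and only shows the comparison logic, so in practice the baseline would need the same protection.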