: llm4-lab3-exercise-2

1/10/11 10:33 PM

llm4-lab3-exercise-2
Tripwire
One of the first things you should do after building any new system is to get a snap shot of a known good state of the system before the system is contaminated or before deploying the system into production. There are several tools available for doing this. One of such tools is tripwire. Tripwire tries to do so much at time that it can be quite a difficult program to use. So brace yourself for a plethora of options, syntax, idiosyncrasies and switches. Tripwire can be regarded as a form of a host based intrusion detection system (IDS). It performs its so called intrusion detection function by taking a snapshot of a "healthy system" and later on comparing this healthy state with any other suspect states. It provides a means of knowing/monitoring whether certain sensitive files have been altered illegally. The system administrator of course decides what files are to be monitored. The authors of tripwire describe it as an Open Source Security, Intrusion Detection, Damage Assessment and Recovery, Forensics software. Tripwire simply compares a files new signature with that taken when the database was initially created. The steps involved in installing and configuring tripwire are as listed below: i. Install the software from source or binary ii. Run the configuration script: (twinstall.sh). This script is used to: a) Create the site key and the local key and prompts for pass phrases for both b) Sign the policy file and configuration file with the site key. iii. Initialize the tripwire database iv. Run the first integrity check. v. Edit the configuration file (twcfg.txt) vi. Edit the policy file (twpol.txt) Tripwire accepts the following command line options: Database Initialization mode: -m i --init -v --verbose -s --silent, --quiet -c cfgfile --cfgfile cfgfile -p polfile --polfile polfile -d database --dbfile database -S sitekey --site-keyfile sitekey -P passphrase --local-passphrase passphrase -L localkey --local-keyfile localkey -e --no-encryption The -v and -s options are mutually exclusive. The -L and -e options are mutually exclusive. The -P and -e options are mutually exclusive. Integrity Check mode: -m c --check -I --interactive
http://www.labmanual.org/tiki-print.php?page_ref_id=1449&page=llm4-lab3-exercise-2 Page 1 of 6

: llm4-lab3-exercise-2

1/10/11 10:33 PM

-v --verbose -s --silent, --quiet -c cfgfile --cfgfile cfgfile -p polfile --polfile polfile

-S sitekey --site-keyfile sitekey -L localkey --local-keyfile localkey -d database --dbfile database -r report --twrfile report -P passphrase --local-passphrase passphrase -n --no-tty-output -V editor --visual editor -E --signed-report -R rule --rule-name rule -l {level | name} --severity {level | name} -x section --section section -i list --ignore list -M --email-report -t { 0|1|2|3|4 } --email-report-level { 0|1|2|3|4 } [object1 object2...] The -v and -s options are mutually exclusive. The -l and -R options are mutually exclusive. The -P option is only valid with -E or -I. The -V option is only valid with -I. The -t option is only valid with -M. Specifying objects overrides the -l and -R options. Database Update mode: -m u --update -v --verbose -s --silent, --quiet -c cfgfile --cfgfile cfgfile -p polfile --polfile polfile -S sitekey --site-keyfile sitekey -L localkey --local-keyfile localkey -d database --dbfile database -r report --twrfile report -P passphrase --local-passphrase passphrase -V editor --visual editor -a --accept-all -Z {low | high} --secure-mode {low | high} The -v and -s options are mutually exclusive. The -a and -V options are mutually exclusive.

Policy Update mode: -m p --update-policy -v --verbose -s --silent, --quiet -c cfgfile --cfgfile cfgfile -p polfile --polfile polfile
http://www.labmanual.org/tiki-print.php?page_ref_id=1449&page=llm4-lab3-exercise-2 Page 2 of 6

: llm4-lab3-exercise-2

1/10/11 10:33 PM

-S sitekey --site-keyfile sitekey -L localkey --local-keyfile localkey -d database --dbfile database -P passphrase --local-passphrase passphrase -Q passphrase --site-passphrase passphrase -Z {low | high} --secure-mode {low | high} policyfile.txt The -v and -s options are mutually exclusive. Test mode: -m t --test -e user@domain.com --email user@domain.com Only one address may be entered.

Summary Of Options for the tripwire command: Database Initialization: tripwire --init options Integrity Checking: tripwire --check [object1 object2...] Database Update: tripwire --update Policy Update: tripwire --update-policy policyfile.txt Test: tripwire --test --email address twadmin The twadmin utility is used to perform administrative functions related to tripwire files and configuration options. Specifically, twadmin allows encoding, decoding, signing, and verification of tripwire files, and provides a means to generate and change local and site keys. Create Configuration File: twadmin --create-cfgfileoptions cfgfile.txt Print Configuration File: twadmin --print-cfgfile options Create Policy File: twadmin --create-polfile options polfile.txt Print Policy File: twadmin --print-polfile options Remove Encryption: twadmin --remove-encryption options file1... Encryption: twadmin --encrypt options file1... Examine Encryption: twadmin --examine options file1... Generate Keys: twadmin --generate-keys options twprint Prints Tripwire database and report files in clear text format. Print Report mode: -m r --print-report -v --verbose -s --silent, --quiet -c cfgfile --cfgfile cfgfile -r report --twrfile report -L localkey --local-keyfile localkey -t { 0|1|2|3|4 } --report-level { 0|1|2|3|4 } Print Database mode: -m d --print-dbfile
http://www.labmanual.org/tiki-print.php?page_ref_id=1449&page=llm4-lab3-exercise-2 Page 3 of 6

: llm4-lab3-exercise-2

1/10/11 10:33 PM

-v --verbose -s --silent, --quiet -c cfgfile --cfgfile cfgfile -d database --dbfile database -L localkey --local-keyfile localkey [object1 object2 ...

siggen siggen is a signature gathering routine for Tripwire. It is a utility that displays the hash function values for the specified files. Usage: siggen options file1 file2... -t --terse -h --hexadecimal -a --all -C --CRC32 -M --MD5 -S --SHA -H --HAVAL file1 file 2 ...

Exercise 2
To install Tripwire 1. Check to see if you already have tripwire installed on your system. Type: root@localhost root# rpm -q tripwire tripwire-* If you get an output similar to the one above then you already have it installed. Skip the next step. 2. If you dont have it installed, obtain the tripwire binary and install it. Type: root@localhost root# rpm -Uvh tripwire*

To Configure tripwire Configuring tripwire involves customizing the tripwire configuration file if needed, then customizing the policy file if needed and then running the configuration script which will prompt you for a passphrase that will be used to sign/protect the configuration file, the policy file and the database file.

1. Change your pwd to the tripwires working directory: Type: root@localhost root# cd /etc/tripwire/ 2. List the contents of the directory here:

3. Use any pager or text editor to view/study the files in the directory.

http://www.labmanual.org/tiki-print.php?page_ref_id=1449&page=llm4-lab3-exercise-2

Page 4 of 6

: llm4-lab3-exercise-2

1/10/11 10:33 PM

4. We will accept the settings that come with the default config. file (twcfg.txt) and the provided default policy file (twpol.txt) for now. 5. Execute the tripwire configuration script as root. Type: root@localhost tripwire# ./twinstall.sh You will be prompted (twice) for site keyfile passphrase. Select any passphrase that you WILL NOT forget ( The site key is meant for the twcfg.txt file and the twpol.txt file) Enter the site keyfile passphrase: Verify the site keyfile passphrase: Next you will be prompted for a local key. Again select another password YOU WILL not forget. ( The local key signs the tripwire database files and the reports files) Enter the local keyfile passphrase: Verify the local keyfile passphrase: After choosing your passphrases the twinstall.sh script will then proceed with the actual creation/signing of the encrypted versions of the original plain text files ( i.e tw.cfg and tw.pol will be created respectively) You will be prompted again for the passphrases you choose earlier. At this point just follow the prompts until the script exits. 6. List the new contents of the /etc/tripwire directory.

7. Per the warning you got while the twinstall.sh script was running, you will now move the plain text versions of the configuration file and policy files away from the local system. You could store them on a floppy disk if you want or completely delete them if you are feeling particularly daring. Type: root@localhost tripwire# mount /dev/fd0 && mv twcfg.txt twpol.txt /mnt/floppy/

NOTE: It may be useful to keep the plain text versions in safe place, just incase you forget your passphrases. You can then always re-run the twinstall.sh script based on the configurations and policies you have fine tuned over time.

To initialize the database Initializing the database is the tripwire terminology for, taking an initial untainted snapshot of the files you have decided to monitor (based on the policy file). This generates the database and also signs the database with the local key. The database serves as the baseline for all future integrity checks. 1. While still logged in as root type: root@localhost tripwire# tripwire - - init Please enter your local passphrase: Parsing policy file: /etc/tripwire/tw.pol Generating the database... Processing Unix File System ***

http://www.labmanual.org/tiki-print.php?page_ref_id=1449&page=llm4-lab3-exercise-2

Page 5 of 6

: llm4-lab3-exercise-2

1/10/11 10:33 PM

Enter your local passphrase when prompted. The database creation will run to conclusion and you should get an output similar to the one below: The database was successfully generated. 2. Use the ls command to verify that the database was indeed created under the stated location. Type: root@localhost tripwire# ls -lh /var/lib/tripwire/$(hostname).twd -rw-r--r-- 1 root root 1.9M Jul 4 17:43 /var/lib/tripwire/localhost.localdomain.twd

Created by: system. Last Modification: Sunday 16 of November, 2008 17:27:09 EST by wale. The original document is available at http://www.labmanual.org/tiki-index.php ?page=llm4-lab3-exercise-2

http://www.labmanual.org/tiki-print.php?page_ref_id=1449&page=llm4-lab3-exercise-2

Page 6 of 6