Tripwire How To Linux
Introduction:  What is Tripwire

Tripwire is a program that helps Linux Administrators detect "unauthorized activity" on their computers by creating a database of all the files on the computer, including information about each file's size and last modification date.  The Administrator sets up regular times to check the files on the computer against the records in the database and uses the generated information to determine if any of those changes require further investigation.


Setting up Tripwire

Starting point:  you have a recent Linux distribution loaded on your computer, and root access to it.

Tripwire comes already loaded (but not installed) on RedHat Linux beginning with version 7.1.

Supplemental research:
man tripwire
tuxslare.org/docs/tripwire.shtml
Setting up tripwire is a multi-step process (the following are internal links):
  • Essential Preparation for First Run (choose passwords, edit configuration file)
  • Initial Installation (create passwords, write binary scripts)
    /etc/tripwire/twinstall.sh
  • Database Initialization (compare your file system with the defaults in sample files)
    tripwire --init      same as      tripwire -m i
  • Generate a List of Errors
    tripwire --check      same as      tripwire -m c
  • Edit Policy File (manually adjust the policy file to correctly reflect the architecture of the files on your computer)
  • Update Policies (creates a binary file to be used by tripwire from the text policy file)
    tripwire --update-policy -Z low /etc/tripwire/twpol.txt
    same as      tripwire -m p -Z low /etc/tripwire/twpol.txt
  • Additions, Modifications, Customization (tweak policy and configuration files to your special needs)
    tripwire --update-policy -Z low /etc/tripwire/twpol.txt
    same as      tripwire -m p -Z low /etc/tripwire/twpol.txt
    and possibly
    tripwire --test --email user@domain.com
    same as      tripwire -m t -e user@domain.com

Essential Preparation before the First Use of Tripwire
You need to be root to set up tripwire.

In the tripwire directory:
cd /etc/tripwire
you will find both the default configuration file:  twcfg.txt; and the default policy file:  twpol.txt.  During the installation process (./twinstall.sh), these text files will be used to create binary files.  The tripwire utility uses the binary files for database checking rather than the plain text files, for security reasons.  If you make incorrect edits to either of the text files, you will have to restore from back-up or tripwire will not be able to create its database.

You should make a modification to the configuration file before installing tripwire.  Make a copy first, of course.

cp twcfg.txt twcfg_original.txt

Now change:

LOOSEDIRECTORYCHECKING =false
to
LOOSEDIRECTORYCHECKING =true

This change is necessary to prepare for the first time the script is run because whatever is on your computer will not match the default sample file exactly.  After the install is successfully completed and the policy file edited, LOOSEDIRECTORYCHECKING should be restored to "false".

Edits to the policy file, twpol.txt, are trickier.  It might be best to initialize tripwire without making any changes to this file the first time.  However, if your installation hangs, or takes more than a couple of hours and you have multiple error messages about missing files in the same directory, terminate the process with Control-c.  Find those files on your computer, correct the directory structure in twpol.txt and rerun your first installation.  If, on general examination, you already know that your computer's directory structure is different from the mapping in twpol.txt, then correct that mapping now.  Pay special attention to punctuation (commas, parentheses, brackets) in this file.  Adding a comma where it doesn't belong or removing one where it does could make the file unusable.

I recommend not writing any additional file listings nor mailing instructions to the policy file, twpol.txt, until after the first run.  The longer you have waited since you first installed RedHat before running tripwire for the first time, the longer the process will take.  If you have an older computer, running tripwire may use a large percentage of its resources.

You are going to be asked to create 2 passwords ('keyfile passphrases'):
  1. a site keyfile passphrase (used for edits to the configuration and policy files)
  2. a local keyfile passphrase (used to run the tripwire utility)
These need to be well-formed passwords.  They will be used to 'digitally sign' files that tripwire creates and to verify the origin and integrity of files.

During the install, you must re-enter the site passphrase to create the default configuration file and then the policy file (which lists which files you want "protected").  The text copy of the policy file, twpol.txt, may now be edited and the updates made.  I recommend keeping a copy of the old twpol.txt file, renamed.

Initial Installation
Run the install script:

./twinstall.sh

This script will require both your passwords and will create binary files (tw.cfg and tw.pol) from the text files (twcfg.txt and twpol.txt).

Database Initialization
This next step produces the initial checksum database for your file system.  Warning, this command will take a while to process (usually less than an hour):

tripwire --init      same as      tripwire -m i

You will need to enter your local key passphrase.  File system error warnings will be printed when a file is either missing or when the directory path is different from what the sample policy file, twpol.txt, expects.  The checksum database will be written to

/var/lib/tripwire/host.twd       (where "host" is your hostname)

The files that tripwire writes into /var/lib/tripwire and /var/lib/tripwire/reports are binary files.

Make sure this file exists before going further.  If the file has not been created, you will need to figure out what went wrong, make whatever modifications are necessary and rerun your installation, and configuration.  Also, if the initialization process takes a long time and doesn't seem to be progressing, there might be a problem.  One good way to troubleshoot this process is by running the --init command in the verbose mode.

tripwire -m i -v

Generate a List of Errors
You can use either the error messages generated by the output from the installation (unless you used verbose mode), or this command:

tripwire --check      same as      tripwire -m c

to generate a list of errors.  Use the error list to assist your manual editing of the policy file (remember to make a backup copy before editing).  The tripwire -m c command may also take some time to complete, but less time than tripwire -m i did.

Edit Policy File
Search for the files on your computer that tripwire could not find.  If several of them all have a similar directory path, it is a good bet that the files are all together in a slightly different path.   Also, unless you have installed all the options that came along with your version of RedHat, there is a good chance that you won't have all the files that the original sample policy file, twpol.txt is trying to find.  If those files aren't on your computer, you can comment out the lines that reference them from your policy file.

cp /etc/tripwire/twpol.txt /etc/tripwire/twpol.txt.bak
vi /etc/tripwire/twpol.txt

Update Policies
After editing the text version of your policy file, twpol.txt, you will want to write those changes to the binary database so they will be used the next time you run tripwire --check.

tripwire --update-policy -Z low /etc/tripwire/twpol.txt
same as      tripwire -m p -Z low /etc/tripwire/twpol.txt

You will be asked for your local passphrase and then your site passphrase.  Notice the -Z low switch on this command.  If you don't use this option, tripwire will operate in high security mode, which will result in a report being generated, but an error message at the end of the report will inform you that the (binary) policy file has not been updated:

Policy update failed:  policy and database files were not altered.

Repeat the Generate List of Errors, Edit Policy File and Update Policies steps as many times as required to remove all errors.  If Update Policies does not work, you can try rerunning ./twinstall.sh.

When you are free of errors, you can restore the twcfg.txt from:

LOOSEDIRECTORYCHECKING =true
to
LOOSEDIRECTORYCHECKING =false

Use the update-policy command after restoring twcfg.txt.

tripwire --update-policy -Z low /etc/tripwire/twpol.txt
same as      tripwire -m p -Z low /etc/tripwire/twpol.txt

Additions, Modifications, Customization
There are other edits you might want to make to your policy file.  For example, add your email address to the file to get notices about severe file changes in your mailbox.  Use the following command to test emailing from your tripwire utility:

tripwire --test --email user@domain.com
same as      tripwire -m t -e user@domain.com

To substitute your hostname for "localhost" find this line:

HOSTNAME=localhost;

You might also want to add more directories to the list of frequently updated directories that should not have permissions or owners changed frequently.  For those above changes, you will want to edit the policy file, and then run:

tripwire --update-policy -Z low /etc/tripwire/twpol.txt
same as      tripwire -m p -Z low /etc/tripwire/twpol.txt
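The preparation, first run and clean-up steps above, scripted as one added example (this is not code from the how-to or from the Tripwire project).  It assumes the Red Hat layout the page describes, /etc/tripwire holding twcfg.txt, twpol.txt and twinstall.sh; TW_DIR, the function names and the "first"/"finish" arguments are this example's own.  The config-editing helper rewrites only the LOOSEDIRECTORYCHECKING line and keeps a backup, which is the edit the page says to make by hand:

```shell
#!/bin/sh
# Added example, not from the how-to: the preparation and first-run steps
# scripted.  Assumes the Red Hat layout the page describes (/etc/tripwire with
# twcfg.txt, twpol.txt and twinstall.sh).  TW_DIR is an assumed override knob.
TW_DIR="${TW_DIR:-/etc/tripwire}"

# loose_directory_checking FILE: print the current LOOSEDIRECTORYCHECKING value
loose_directory_checking() {
    sed -n 's/^LOOSEDIRECTORYCHECKING *=\(.*\)$/\1/p' "$1"
}

# set_loose_directory_checking FILE true|false: rewrite only that one line,
# keeping a timestamped backup beside the file, then print the new value.
set_loose_directory_checking() {
    file="$1"; value="$2"
    case "$value" in
        true|false) ;;
        *) echo "value must be true or false, got '$value'" >&2; return 2 ;;
    esac
    if ! grep -q '^LOOSEDIRECTORYCHECKING *=' "$file"; then
        echo "no LOOSEDIRECTORYCHECKING line in $file" >&2
        return 1
    fi
    cp -p "$file" "$file.$(date +%Y%m%d%H%M%S).bak"
    # write to a temp file and rename rather than relying on GNU sed -i
    sed "s/^LOOSEDIRECTORYCHECKING *=.*/LOOSEDIRECTORYCHECKING =$value/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
    loose_directory_checking "$file"
}

# first_run: the page's sequence for a fresh install.  Interactive: twinstall.sh
# asks for both passphrases and -m i for the local one.  Run as root.
first_run() {
    (
        cd "$TW_DIR" || exit 1
        cp -p twcfg.txt twcfg_original.txt
        cp -p twpol.txt twpol.txt.bak
        set_loose_directory_checking twcfg.txt true >/dev/null
        ./twinstall.sh          # writes tw.cfg and tw.pol from the text files
        tripwire -m i           # database initialization into /var/lib/tripwire
        test -f "/var/lib/tripwire/$(hostname).twd" || exit 1
        tripwire -m c           # first check: lists the files the policy could not find
    )
}

# finish_setup: once the policy is error-free, restore the strict setting and
# push the text policy into the binary one (the page's Update Policies step).
finish_setup() {
    set_loose_directory_checking "$TW_DIR/twcfg.txt" false >/dev/null
    tripwire -m p -Z low "$TW_DIR/twpol.txt"
}

# only run the interactive sequence when explicitly asked, e.g. "sh setup.sh first"
case "${1:-}" in
    first)  first_run ;;
    finish) finish_setup ;;
esac
```

Running the script with no argument only defines the functions, so it can be sourced to edit a copy of twcfg.txt elsewhere before touching /etc/tripwire.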


Using Tripwire for Security

(the following are internal links):
  • Periodic Checks (to inform yourself about unauthorized activity)
    tripwire --check      same as      tripwire -m c
  • Regular Updates (to readjust your database after you have made changes to your filesystem)
    tripwire --update -Z low      same as      tripwire -m u -Z low
  • Tips (recommendations to improve utilization)

Periodic Checks
Installing and configuring tripwire doesn't improve your security unless you follow up with periodic checks.  You will need to decide how frequently to run tripwire checks.

tripwire --check      same as      tripwire -m c

Anacron may already be set up to mail tripwire checks to you (root).  If it is, then you (root) have already been receiving emails to inform you that tripwire has not yet been configured (until now).  I was strangely surprised when, although there were no email instructions in my policy file twpol.txt, I received emails about tripwire from anacron.  After I configured tripwire, tripwire check reports were mailed to me (root) daily, without my having to set up a cron job.

If anacron is not sending you tripwire checks by default, decide if you want your reports to be written to a file or sent in email, and if the checks should be automated by cron.  Get accustomed to looking at the reports and following up on a few of the changes that are noted, so that you become familiar with your normal patterns of changes and can determine if any of the changes are unauthorized.

Regular Updates
Along with periodic checks, you will also need to do regular updates to keep your database current with your file system.  Do the checks and examine the report before making updates.  Perform updates regularly (determine your schedule) and also after making any major changes to the file architecture.

tripwire --update -Z low      same as      tripwire -m u -Z low

This command will compare your database against your current file system and then launch an editor so that you can choose to make changes to your database.

If you try this command but get an error message about a missing report file, the reason is most likely that the last check was not run immediately prior to the update.  The report file in the /var/lib/tripwire/report directory is named by hostname, then date (yyyymmdd) then time.  If you have recently run a check and want the update to proceed using your most recent report file, then use the -r option and provide the report filename that you want the update to use.

tripwire --update -Z low --twrfile host-yyyymmdd-tttttt.twr      same as      tripwire -m u -Z low -r host-yyyymmdd-tttttt.twr
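An added example (not from the how-to) of the two commands above as a cron-friendly check and an update that always picks the newest report, so the missing-report-file error described above does not occur.  TW_REPORT_DIR, TW_HOST, the function names and the use of mail to deliver the report are this example's assumptions; the report directory and the host-yyyymmdd-tttttt.twr naming come from the page:

```shell
#!/bin/sh
# Added example, not from the how-to: a cron-friendly check and an update that
# always uses the newest report.  TW_REPORT_DIR and TW_HOST are assumed override
# knobs; the report directory and file-name layout are the ones the page gives.
TW_REPORT_DIR="${TW_REPORT_DIR:-/var/lib/tripwire/report}"
TW_HOST="${TW_HOST:-$(hostname 2>/dev/null || echo localhost)}"

# latest_report DIR HOST: print the path of the newest HOST-yyyymmdd-tttttt.twr.
# The name embeds the date then the time, so sorted glob order is chronological
# and the last match is the newest.  Fails if no report exists for HOST.
latest_report() {
    dir="$1"; host="$2"; newest=""
    for f in "$dir/$host"-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9].twr; do
        [ -f "$f" ] || continue
        newest="$f"
    done
    if [ -z "$newest" ]; then
        echo "no report for $host in $dir" >&2
        return 1
    fi
    printf '%s\n' "$newest"
}

# report_date FILE: print the yyyymmdd part of a report file name, useful for
# noticing that the newest report is stale before updating from it.
report_date() {
    basename "$1" .twr | sed 's/^.*-\([0-9]\{8\}\)-[0-9]\{6\}$/\1/'
}

# periodic_check: what a daily cron job runs.  No passphrase is needed for -m c,
# so nothing secret has to live in the crontab; the report text is mailed to root.
periodic_check() {
    tripwire -m c 2>&1 | mail -s "tripwire check on $TW_HOST" root
}

# update_from_latest: review and integrate changes using the newest report,
# which avoids the "missing report file" error when the check did not run
# immediately before the update.  Asks for the local passphrase.
update_from_latest() {
    report=$(latest_report "$TW_REPORT_DIR" "$TW_HOST") || return 1
    echo "updating from report dated $(report_date "$report")"
    tripwire -m u -Z low -r "$report"
}

case "${1:-}" in
    check)  periodic_check ;;
    update) update_from_latest ;;
esac
```

A crontab line such as "0 4 * * * /root/tripwire-cron.sh check" covers the periodic check; run "tripwire-cron.sh update" by hand after reading the mailed report.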

Tips
Notice that when you ran

tripwire --check      or       tripwire -m c

you were not prompted for a passphrase.  This was done intentionally so that the command could be run as a cron job without the need of storing your passphrases somewhere in plain text. 

It is a very good idea to run tripwire --check regularly and have the results printed to a file or sent to you in an email.  It is also recommended that COPIES of these files:
  • /var/lib/tripwire/host.twd
  • /etc/tripwire/tw.pol
  • /etc/tripwire/tw.cfg
  • /etc/tripwire/twpol.txt
  • /etc/tripwire/twcfg.txt
be stored on a separate machine or on removable media.  It is pretty safe to store the originals on your own computer, as long as you run checks before running updates.  The binary files cannot be easily tampered with without tripwire complaining.  The plain text files are easier to tamper with, which is why tripwire runs checks from the binaries and not the plain text files.
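An added example, not part of the how-to, of keeping the copies the list above recommends together with a SHA-256 manifest, and later comparing the live files against that manifest before trusting a check.  TW_FILES, the SHA256SUMS manifest name and the function names are this example's own choices; it relies on sha256sum from GNU coreutils:

```shell
#!/bin/sh
# Added example, not from the how-to: keep an off-host copy of the files the
# page lists, with a SHA-256 manifest, and later compare the live files with it.
# TW_FILES and the SHA256SUMS manifest name are this example's own choices.
TW_FILES="/var/lib/tripwire/$(hostname 2>/dev/null || echo localhost).twd /etc/tripwire/tw.pol /etc/tripwire/tw.cfg /etc/tripwire/twpol.txt /etc/tripwire/twcfg.txt"

# snapshot_files DEST FILE...: copy each file into DEST (e.g. mounted removable
# media) and append its hash to DEST/SHA256SUMS.  Keep DEST off the machine.
snapshot_files() {
    dest="$1"; shift
    mkdir -p "$dest"
    : > "$dest/SHA256SUMS"
    for f in "$@"; do
        cp -p "$f" "$dest/$(basename "$f")"
        sha256sum "$f" >> "$dest/SHA256SUMS"
    done
}

# verify_against_snapshot DEST: hash the live files named in the manifest and
# print CHANGED or MISSING for each one that no longer matches.  Returns 1 if
# any differ, 0 if all match.  Run it before trusting a check or doing an update.
verify_against_snapshot() {
    dest="$1"; status=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; status=1; continue
        fi
        now=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$now" != "$sum" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$dest/SHA256SUMS"
    return $status
}

case "${1:-}" in
    snapshot) snapshot_files "$2" $TW_FILES ;;   # unquoted on purpose: split the list
    verify)   verify_against_snapshot "$2" ;;
esac
```

After a policy update the binary files legitimately change, so take a fresh snapshot then; a CHANGED line at any other time is worth the same follow-up as an unexpected entry in a check report.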

If you pass a new policy filename to the tripwire --update-policy command, you might have difficulty getting tripwire --check to accept the new filename.  If you get into a situation like this, copy the new file over the old name, run tripwire --init, and stick with the original policy filename twpol.txt.
 

Authored & created by Meryll Larkin:  12/29/02
Updated:  6/01/06