Thursday, 1 March 2012

How to use Tripwire simply

Just recently I decided to try out the famous file integrity checking and intrusion detection tool, Tripwire. It is a brilliant piece of software and it is FOSS. It can be used to track changes on your Unix system by running periodic checks: each time a check runs, a report is generated showing what has changed since the database was built. Let's have a short look at how to use Tripwire.

First, you need to initialise the database on your system. This is called Database Initialization Mode. Before that, the site and local key files (protected by passphrases) and the policy file tw.pol must exist; on Debian they are generated as part of the package install process. tw.pol is a binary file compiled from the text policy twpol.txt. If you have accidentally removed the binary version and want to regenerate it (as happened to me), you can easily do so as root without reinstalling the entire package.

root@debian:/etc/tripwire# twadmin -m P --polfile tw.pol twpol.txt
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
root@debian:/etc/tripwire#

That's it. Now, let's go ahead and initialise the Tripwire database.

root@debian:/etc/tripwire# tripwire --init
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /var/lib/tripwire/debian.twd
### No such file or directory
### Continuing...
Wrote database file: /var/lib/tripwire/debian.twd
The database was successfully generated.

As seen above, the database has been written to /var/lib/tripwire/debian.twd. This will be used as the reference later on during integrity checks. Let's run an integrity check and look at the report. This is called Integrity Checking Mode.

root@debian:/etc/tripwire# tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/debian-20120301-122000.twr


Open Source Tripwire(R) 2.4.2.2 Integrity Check Report

Report generated by:          root
Report created on:            Thu Mar  1 12:20:00 2012
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    debian
Host IP address:              127.0.1.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/debian.twd
Command line used:            tripwire --check

===============================================================================
Rule Summary:
===============================================================================


-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Other binaries                  66                0        0        0       
  Tripwire Binaries               100               0        0        0       
  Other libraries                 66                0        0        0       
  Root file-system executables    100               0        0        0       
* Tripwire Data Files             100               1        0        0       
  System boot changes             100               0        0        0       
  Root file-system libraries      100               0        0        0       
  (/lib)
  Critical system boot files      100               0        0        0       
  Other configuration files       66                0        0        0       
  (/etc)
  Boot Scripts                    100               0        0        0       
  Security Control                66                0        0        0       
  Root config files               100               0        0        0       
  Invariant Directories           66                0        0        0       
* Low security filesystems        33                0        0        1       

Total objects scanned:  29964
Total violations found:  2

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire/debian.twd)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/lib/tripwire/debian.twd"

-------------------------------------------------------------------------------
Rule Name: Low security filesystems (/proc)
Severity Level: 33
-------------------------------------------------------------------------------

Modified:
"/proc"

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***


Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.

It looks brilliant! The only thing that looks a bit strange is that it says 'Total violations found: 2'. One is that it finds the database file itself, '/var/lib/tripwire/debian.twd', as a new file added to the system; that is true. (The other, visible in the Object Summary, is '/proc' reported as modified under the 'Low security filesystems' rule.) From now on, each time we run an integrity check, the report will complain about every change that has happened on the system since the database was built. But we don't want to see the same thing over and over again; we want to avoid the false positives. Tripwire has an option for that. It is called Database Update Mode. This lets you reconcile the reported changes with the Tripwire database, meaning you accept the changes into your baseline. Let's do it.

root@debian:/etc/tripwire# tripwire --update --twrfile /var/lib/tripwire/report/debian-20120301-122052.twr

The report file given on the command line above tells Tripwire what needs to be updated. Right after, it drops you into an editor to review and accept the changes. All you need to do is save and exit from your favourite editor.

Please enter your local passphrase:
Wrote database file: /var/lib/tripwire/debian.twd
root@debian:/etc/tripwire#

Brilliant! A new database has been written. Now, let's run our check again. You will see in the report that the violations you accepted have disappeared, and the total number of violations has changed or dropped to zero depending on which changes you allowed. To summarise, and to better understand the workflow, the following three commands have been used.

tripwire --init
tripwire --check
tripwire --update

From the above list, the first command is typically run once when setting up Tripwire on a clean system. The next two commands are to be run periodically.
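Running the check periodically is only useful if somebody notices the result. The script below is an added example, not part of the original post or of Tripwire itself: it wraps the periodic `tripwire --check` step, pulls the violation total and the rules flagged with '*' out of the report (the Open Source Tripwire 2.4 format shown above), and exits non-zero when anything was found, so cron or a monitoring agent can alert on it. The function names are my own, and the sample report at the bottom is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a Tripwire report
# from the periodic "tripwire --check" run and signal violations via the
# exit status. Function names are assumptions of this example.

# Print the number after "Total violations found:" (report text on stdin).
tw_violation_count() {
    awk -F: '/^Total violations found:/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Print the names of rules the Rule Summary marks with a leading '*',
# one per line, with the severity/added/removed/modified columns stripped.
tw_flagged_rules() {
    awk '/^\* / {
        sub(/^\* +/, "")
        sub(/ +[0-9]+ +[0-9]+ +[0-9]+ +[0-9]+ *$/, "")
        print
    }'
}

# Summarise a saved report (text form): exit 0 when clean, 1 when violations
# were reported, 2 when the report could not be parsed.
tw_summarize() {
    report="$1"
    count=$(tw_violation_count < "$report")
    if [ -z "$count" ]; then
        echo "tw_summarize: no violation total found in $report" >&2
        return 2
    fi
    if [ "$count" -eq 0 ]; then
        echo "tripwire: no violations"
        return 0
    fi
    echo "tripwire: $count violation(s); flagged rules:"
    tw_flagged_rules < "$report" | sed 's/^/  - /'
    return 1
}

# Periodic job: run the check, keep the text output next to the .twr files,
# and summarise it. Does nothing unless tripwire is actually installed.
tw_periodic_check() {
    if ! command -v tripwire >/dev/null 2>&1; then
        echo "tripwire not installed" >&2
        return 2
    fi
    out="/var/lib/tripwire/report/check-$(date +%Y%m%d-%H%M%S).txt"
    # Capture the report regardless of tripwire's own exit status; the
    # parsed "Total violations found" line decides what we return.
    tripwire --check > "$out" 2>&1
    tw_summarize "$out"
}

# Constructed sample in the post's report format (not a real report).
TW_SAMPLE_REPORT='  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Other binaries                  66                0        0        0
* Tripwire Data Files             100               1        0        0
  System boot changes             100               0        0        0
* Low security filesystems        33                0        0        1

Total objects scanned:  29964
Total violations found:  2'
```

Drop the script into cron (for example a daily entry calling `tw_periodic_check`) and have the job's non-zero exit status trigger your usual alerting; after you have reviewed a report and accepted the changes with `tripwire --update`, the next run returns to exit status 0.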

I hope this article helped you understand how Tripwire works. Any comments, let me know!
