Tripwire is one of the most useful UNIX security tools. It can check about 10 attributes of a UNIX file system object and, on Windows, more than 20 (including registry entries). Tripwire first uses a signature function to build a signature database for the system files and directories that need to be monitored. The signature function takes an arbitrary file as input and produces a fixed-size value (the signature). If an intruder modifies a file, the signature changes even when the file size stays the same. Using this database, Tripwire can detect even slight changes to the system. Because the signature is a cryptographic hash, producing a modified file with the same signature is computationally infeasible, so changes to the monitored files cannot escape Tripwire.
To prevent tampering, Tripwire signs its own important files. Two keys are involved: the site key and the local key. The site key protects the policy file and the configuration file; if several machines share the same policy and configuration, they can use the same site key. The local key protects the database and the reports, so every machine must have its own local key.
You can get the software from SourceForge:
Tripwire Installation
1. Extract the installation file to the /usr/local directory
#cd /usr/local //switch directory to /usr/local
#tar xvfj tripwire-2.4.1.2-src.tar.bz2
2. Run the "configure; make; make install" commands
//enter the tripwire source directory
#cd tripwire-2.4.1.2-src
//generate the Makefile
#./configure
//execute "make"
#make
//execute "make install"
#make install
3. Generate the Tripwire database
After Tripwire has compiled, you can scan the files that need to be monitored and generate the Tripwire database. Type the following command in the Tripwire src directory (note that --init needs the signed configuration file, the signed policy file and the keys; the "installation and configuration" steps below create them, so complete those first):
#./tripwire --init
4. Testing
Once the database has been generated, you can run Tripwire to scan the system for changes:
#./tripwire --check
The first time Tripwire is run, some preparation is needed: editing the configuration file, checking that email delivery works, configuring the policy file, and initialising the database to create the baseline of signatures. On later runs it reads the signed policy file, computes fresh signatures for the monitored objects, compares them with the baseline database while ignoring the attributes and files the policy marks as expected to change, and finally prints a readable report in the terminal or sends it by email.
To make sure that Tripwire runs properly, pay attention to the installation and configuration process. The steps are as follows:
1. Create keys and signatures
After installing Tripwire, set it up with the following command:
#./twinstall.sh
The twinstall.sh script performs the following tasks:
• Creates the site key and the local key, asking you for a passphrase for each; if both keys already exist, this step is skipped. The site key is stored in site.key and the local key in hostname-local.key.
• Signs the default configuration file twcfg.txt with the site key and stores the signed configuration in tw.cfg.
• Signs the default policy file twpol.txt with the site key and stores the signed policy in tw.pol.
2. Editing the configuration file
First, open the configuration file twcfg.txt in the /usr/local/etc directory and modify it as in the example below. Then use the twadmin command to generate the signed configuration file (tw.cfg); Tripwire reads only the signed copy, so the plain-text file must be re-signed after every edit.
ROOT =/usr/local/sbin
POLFILE =/usr/local/etc/tw.pol
DBFILE =/usr/local/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/usr/local/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/usr/local/etc/site.key
LOCALKEYFILE =/usr/local/etc/localhost.localdomain-local.key
EDITOR =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =3
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -t
#twadmin --create-cfgfile --site-keyfile /usr/local/etc/site.key twcfg.txt
Now test that the email report works:
#tripwire --test --email user@domain.com
3. Editing the policy file
First, open the policy file twpol.txt in the /usr/local/etc directory. After Tripwire is installed, the policy file already contains default inspection rules; these mainly check the integrity of important system files and of Tripwire's own files.
The default policy does not monitor SUID and SGID files. Because they run with the privileges of their owner or group rather than those of the user who starts them, they are a favourite place to plant a backdoor and are very important for system security, so we need to extend the policy to monitor them. Use the following command to find all SUID files:
#find / -type f -perm -4000 -print
Use the following command to find all SGID files:
#find / -type f -perm -2000 -print
Now add every path from the above output to the policy file, each as an object line (path -> property mask ;) inside a rule.
Finally, generate the signed policy file (tw.pol) with the following twadmin command:
#twadmin --create-polfile twpol.txt
4. Generate the baseline database
Generate the baseline database from the configuration file and the policy file with the following command:
#tripwire --init
5. Integrity check
After the baseline database has been generated, you can check integrity at any time with the tripwire command:
#tripwire --check
6. Checking the report
After the integrity check, you can view the report to see whether files were changed and what changed. Use the twprint command to print the report; its path is the REPORTFILE setting from twcfg.txt, i.e. one file per run named after the host and the date:
#twprint --print-report --twrfile /usr/local/lib/tripwire/report/<hostname>-<date>.twr
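The policy extension for SUID/SGID files and steps 3 to 6 above, as one script. This is an added example, not code from the original page or from the Tripwire project: it assumes the paths from the twcfg.txt example above (binaries in /usr/local/sbin, keys and policy in /usr/local/etc, reports in /usr/local/lib/tripwire/report) and a property-mask variable named SEC_CRIT in twpol.txt (the default Linux policy defines one for critical files); the function names gen_suid_policy, count_rules and run_tripwire_baseline are this example's own. The demonstration at the bottom runs on a constructed list of paths; pass --run on the real host (as root, after twinstall.sh) to scan, sign, initialise and check.

```shell
#!/bin/sh
# Added example for this tutorial, not part of Tripwire or the original page.
# Assumed locations (they match the twcfg.txt example in the tutorial).
ETC=/usr/local/etc
SBIN=/usr/local/sbin
REPORT_DIR=/usr/local/lib/tripwire/report

# gen_suid_policy RULENAME
# Reads one absolute path per line on stdin and writes a Tripwire policy rule
# block to stdout. Duplicates are collapsed, relative entries are skipped with
# a warning, and paths containing spaces are quoted as the policy language needs.
# SEC_CRIT is assumed to be defined in twpol.txt.
gen_suid_policy() {
    rulename="${1:-SUID and SGID binaries}"
    printf '(\n  rulename = "%s",\n  severity = 100\n)\n{\n' "$rulename"
    sort -u | while IFS= read -r path; do
        case "$path" in
            "")      ;;                                              # blank line
            /*" "*)  printf '  "%s" -> $(SEC_CRIT) ;\n' "$path" ;;   # quote spaces
            /*)      printf '  %s -> $(SEC_CRIT) ;\n' "$path" ;;
            *)       printf 'gen_suid_policy: skipping non-absolute entry: %s\n' "$path" >&2 ;;
        esac
    done
    printf '}\n'
}

# count_rules: number of object lines in a rule block read from stdin,
# so you can compare against the number of files the scan reported.
count_rules() {
    grep -c -F -e '-> $(SEC_CRIT) ;'
}

# Steps 3-6 of the tutorial. Needs root and an installed, keyed Tripwire.
run_tripwire_baseline() {
    for tool in twadmin tripwire twprint; do
        [ -x "$SBIN/$tool" ] || { echo "$SBIN/$tool not found; run 'make install' first" >&2; return 1; }
    done
    # -xdev keeps the scan on local filesystems; 2>/dev/null hides permission noise.
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | gen_suid_policy "SUID and SGID binaries" >> "$ETC/twpol.txt"
    "$SBIN/twadmin" --create-polfile --site-keyfile "$ETC/site.key" "$ETC/twpol.txt"
    "$SBIN/tripwire" --init      # prompts for the local key passphrase to sign the database
    "$SBIN/tripwire" --check
    # The report name comes from REPORTFILE in twcfg.txt: $(HOSTNAME)-$(DATE).twr
    latest=$(ls -t "$REPORT_DIR"/*.twr 2>/dev/null | head -n 1)
    [ -n "$latest" ] || { echo "no report found in $REPORT_DIR" >&2; return 1; }
    "$SBIN/twprint" --print-report --twrfile "$latest"
}

# Offline demonstration on a constructed path list (not a real scan).
demo_block=$(printf '%s\n' /usr/bin/passwd /usr/bin/su "/opt/my tool/helper" \
    /usr/bin/passwd relative/entry | gen_suid_policy "demo")
printf '%s\n' "$demo_block"
printf 'rules emitted: %s\n' "$(printf '%s\n' "$demo_block" | count_rules)"

# Real run on the host being baselined.
[ "${1:-}" = "--run" ] && run_tripwire_baseline
```

The generator deduplicates with sort -u because the two find commands above overlap for files that are both SUID and SGID, and it refuses relative entries so that a stray line of find noise cannot become a policy object. Re-run the signing, --init and --check steps after any later edit to twpol.txt, since Tripwire only reads the signed tw.pol.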