Creating site and local keyfile pass-phrases
At first install from epel repository.
[[email protected] ~]# tripwire-setup-keyfiles
----------------------------------------------
The Tripwire site and local passphrases are used to sign a variety of
files, such as the configuration, policy, and database files.
Passphrases should be at least 8 characters in length and contain both
letters and numbers.
See the Tripwire manual for more information.
----------------------------------------------
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase: ## Enter site pass-phrase ##
Verify the site keyfile passphrase: ## Re-enter pass-phrase ##
Generating key (this may take several minutes)...Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase: ## Enter local pass-phrase ##
Verify the local keyfile passphrase: ## Re-enter pass-phrase ##
Generating key (this may take several minutes)...Key generation complete.
----------------------------------------------
Signing configuration file...
Please enter your site passphrase: ## Enter site pass-phrase ##
Wrote configuration file: /etc/tripwire/tw.cfg
A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended that you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.
----------------------------------------------
Signing policy file...
Please enter your site passphrase: ## Enter site pass-phrase ##
Wrote policy file: /etc/tripwire/tw.pol
A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
has been preserved for your inspection. This implements a minimal
policy, intended only to test essential Tripwire functionality. You
should edit the policy file to describe your system, and then use
twadmin to generate a new signed copy of the Tripwire policy.
Once you have a satisfactory Tripwire policy file, you should move the
clear-text version to a secure location and/or encrypt it in place
(using a tool such as GPG, for example).
Now run "tripwire --init" to enter Database Initialization Mode. This
reads the policy file, generates a database based on its contents, and
then cryptographically signs the resulting database. Options can be
entered on the command line to specify which policy, configuration, and
key files are used to create the database. The filename for the
database can be specified as well. If no options are specified, the
default values from the current configuration file are used.
Initializing Tripwire Database
[[email protected] ~]# tripwire --init
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /dev/kmem
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /proc/ksyms
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /proc/pci
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/bin/vimtutor
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/local/lib64
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/lib64
### No such file or directory
### Warning: File system error.
### Filename: /sbin/fsck.reiserfs
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /bin/tcsh
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /root/.Xresources
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /root/.esd_auth
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /root/.gnome
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /root/.ICEauthority
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /root/.Xauthority
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /dev/cua0
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /dev/initctl
### No such file or directory
### Continuing...
Wrote database file: /var/lib/tripwire/server.ostechnix.com.twd
The database was successfully generated.
Modifying Tripwire policy file
As per the above result, you may get an error like
No such file or directory or
File system error.
This means that your tripwire scans every files which are mentioned in
the tripwire config file. Comment out the files which are doesn’t exist
in your system in the tripwire config file.
[[email protected] ~]# vi /etc/tripwire/twpol.txt
{
# /dev/kmem -> $(Device) ;
/dev/mem -> $(Device) ;
/dev/null -> $(Device) ;
/dev/zero -> $(Device) ;
/proc/devices -> $(Device) ;
/proc/net -> $(Device) ;
/proc/sys -> $(Device) ;
/proc/cpuinfo -> $(Device) ;
/proc/modules -> $(Device) ;
/proc/mounts -> $(Device) ;
/proc/dma -> $(Device) ;
/proc/filesystems -> $(Device) ;
# /proc/pci -> $(Device) ;
/proc/interrupts -> $(Device) ;
/proc/driver/rtc -> $(Device) ;
/proc/ioports -> $(Device) ;
/proc/scsi -> $(Device) ;
/proc/kcore -> $(Device) ;
/proc/self -> $(Device) ;
/proc/kmsg -> $(Device) ;
/proc/stat -> $(Device) ;
Once modifying all the files, update the tripwire policy file.
[[email protected] ~]# tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt
Parsing policy file: /etc/tripwire/twpol.txt
Please enter your local passphrase:
Please enter your site passphrase:
======== Policy Update: Processing section Unix File System.
======== Step 1: Gathering information for the new policy.
### Continuing...
### Warning: Policy Update Added Object.
### An object has been added since the database was last updated.
### Object name: /var/lib/tripwire/server.ostechnix.com.twd
### Continuing...
### Warning: Policy Update Changed Object.
### An object has been changed since the database was last updated.
### Object name: Conflicting properties for object /root
### > Modify Time
### > Change Time
### Continuing...
======== Step 2: Updating the database with new objects.
======== Step 3: Pruning unneeded objects from the database.
Wrote policy file: /etc/tripwire/tw.pol
Wrote database file: /var/lib/tripwire/server.ostechnix.com.twd
Checking for any changes in files/directories
[[email protected] ~]# tripwire --check --interactive
Once you entered this command tripwire will collect all the details
and open the result automatically in your vi editor. The report might be
too long. Scroll down to view any changes in files or folders. As per
the below result the newly
Added and
Modified
files will have check mark(The Added and Modified sections are
highlighted in bold). Finally save and quit the report by typing
:wq. The
Added and
Modified files will be automatically updated to Tripwire policy file.
Open Source Tripwire(R) 2.4.1 Integrity Check Report
Report generated by: root
Report created on: Fri 10 May 2013 12:26:58 PM IST
Database last updated on: Fri 10 May 2013 12:23:43 PM IST
===============================================================================
Report Summary:
===============================================================================
Host name: server.ostechnix.com
Host IP address: Unknown IP
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/server.ostechnix.com.twd
Command line used: tripwire --check --interactive
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
Invariant Directories 66 0 0 0
Temporary directories 33 0 0 0
* Tripwire Data Files 100 1 0 1
Critical devices 100 0 0 0
User binaries 66 0 0 0
Tripwire Binaries 100 0 0 0
Critical configuration files 100 0 0 0
Libraries 66 0 0 0
Operating System Utilities 100 0 0 0
Critical system boot files 100 0 0 0
File System and Disk Administraton Programs
100 0 0 0
Kernel Administration Programs 100 0 0 0
Networking Programs 100 0 0 0
System Administration Programs 100 0 0 0
Hardware and Device Control Programs
100 0 0 0
System Information Programs 100 0 0 0
Application Information Programs
100 0 0 0
Shell Related Programs 100 0 0 0
Critical Utility Sym-Links 100 0 0 0
Shell Binaries 100 0 0 0
System boot changes 100 0 0 0
OS executables and libraries 100 0 0 0
Security Control 100 0 0 0
Login Scripts 100 0 0 0
* Root config files 100 0 0 1
Total objects scanned: 10071
Total violations found: 3
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.
Added:
[x] "/var/lib/tripwire/server.ostechnix.com.twd.bak"
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/etc/tripwire/tw.pol)
Severity Level: 100
-------------------------------------------------------------------------------
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.
Modified:
[x] "/etc/tripwire/tw.pol"
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.
Modified:
[x] "/root"
===============================================================================
.
.
.
.
.
Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
Please enter your local passphrase:
Wrote database file: /var/lib/tripwire/server.ostechnix.com.twd
Now let us add a new file called
sk.
[[email protected] ~]# touch sk
Now check this file with
tripwire –check –interactive command. You may find the file
sk under the
Added section in the result.
[[email protected] ~]# tripwire --check --interactive
.
.
.
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.
Added:
[x] "/root/sk"
.
.
.
Now the new file
sk is updated automatically in the tripwire policy file.
Viewing the tripwire report file
All tripwire report files having extension
.twr are stored in
/var/lib/tripwire/report/
directory. These are not text files, so you can’t view them using any
editor. First convert them using the following command to human readable
format.
[[email protected] ~]# twprint --print-report --twrfile /var/lib/tripwire/report/server.ostechnix.com-20130510-124159.twr > /tmp/twrreport.txt
Now open the file using any editor.
[[email protected] ~]# vi /tmp/twrreport.txt
Note: Report is not encrypted.
Open Source Tripwire(R) 2.4.1 Integrity Check Report
Report generated by: root
Report created on: Fri 10 May 2013 12:41:59 PM IST
Database last updated on: Fri 10 May 2013 12:37:53 PM IST
===============================================================================
Report Summary:
===============================================================================
Host name: server.ostechnix.com
Host IP address: Unknown IP
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/server.ostechnix.com.twd
Command line used: tripwire --check --interactive
.
.
.
.
Viewing tripwire configuration and policy file locations
To view the policy file locations enter the following command.
[[email protected] ~]# twadmin --print-polfile
# policy:
# Global Variable Definitions
@@section GLOBAL
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL="/etc/tripwire";
TWDB="/var/lib/tripwire";
TWSKEY="/etc/tripwire";
TWLKEY="/etc/tripwire";
TWREPORT="/var/lib/tripwire/report";
HOSTNAME=server.ostechnix.com;
.
.
.
.
To view the configuration files enter the following command.
[[email protected] ~]# twadmin --print-cfgfile
ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =3
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -t
Scheduling Tripwire Check
You may find a cron file
tripwire-check might be created automatically in the
/etc/cron.daily/
directory. If it isn’t created, open your crontab file and add lines as
shown below. The following example will execute the tripwire daily at 5
am.
[[email protected] ~]# vi /etc/crontab
# Tripwire Monitor process
00 5 * * * /usr/sbin/tripwire --check
found at:
http://ostechnix.wordpress.com/2013/05/10/install-tripwire-intrusion-detection-system-on-centos-6-4-rhel-6-4-scientific-linux-6-4/