Installing and configuring Tripwire on CentOS
Creating site and local keyfile pass-phrases
At first install from epel repository.
[[email protected] ~]# tripwire-setup-keyfiles ---------------------------------------------- The Tripwire site and local passphrases are used to sign a variety of files, such as the configuration, policy, and database files. Passphrases should be at least 8 characters in length and contain both letters and numbers. See the Tripwire manual for more information. ---------------------------------------------- Creating key files... (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the site keyfile passphrase: ## Enter site pass-phrase ## Verify the site keyfile passphrase: ## Re-enter pass-phrase ## Generating key (this may take several minutes)...Key generation complete. (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the local keyfile passphrase: ## Enter local pass-phrase ## Verify the local keyfile passphrase: ## Re-enter pass-phrase ## Generating key (this may take several minutes)...Key generation complete. ---------------------------------------------- Signing configuration file... Please enter your site passphrase: ## Enter site pass-phrase ## Wrote configuration file: /etc/tripwire/tw.cfg A clear-text version of the Tripwire configuration file: /etc/tripwire/twcfg.txt has been preserved for your inspection. It is recommended that you move this file to a secure location and/or encrypt it in place (using a tool such as GPG, for example) after you have examined it. ---------------------------------------------- Signing policy file... Please enter your site passphrase: ## Enter site pass-phrase ## Wrote policy file: /etc/tripwire/tw.pol A clear-text version of the Tripwire policy file: /etc/tripwire/twpol.txt has been preserved for your inspection. This implements a minimal policy, intended only to test essential Tripwire functionality. You should edit the policy file to describe your system, and then use twadmin to generate a new signed copy of the Tripwire policy. Once you have a satisfactory Tripwire policy file, you should move the clear-text version to a secure location and/or encrypt it in place (using a tool such as GPG, for example). Now run "tripwire --init" to enter Database Initialization Mode. This reads the policy file, generates a database based on its contents, and then cryptographically signs the resulting database. Options can be entered on the command line to specify which policy, configuration, and key files are used to create the database. The filename for the database can be specified as well. If no options are specified, the default values from the current configuration file are used.
Initializing Tripwire Database
[[email protected] ~]# tripwire --init Please enter your local passphrase: Parsing policy file: /etc/tripwire/tw.pol Generating the database... *** Processing Unix File System *** ### Warning: File system error. ### Filename: /dev/kmem ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /proc/ksyms ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /proc/pci ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /usr/sbin/fixrmtab ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /usr/bin/vimtutor ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /usr/local/lib64 ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /usr/lib64 ### No such file or directory ### Warning: File system error. ### Filename: /sbin/fsck.reiserfs ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /bin/tcsh ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /root/.Xresources ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /root/.esd_auth ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /root/.gnome ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /root/.ICEauthority ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /root/.Xauthority ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /dev/cua0 ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /dev/initctl ### No such file or directory ### Continuing... Wrote database file: /var/lib/tripwire/server.ostechnix.com.twd The database was successfully generated.
Modifying Tripwire policy file
As per the above result, you may get an error like No such file or directory or File system error. This means that your tripwire scans every files which are mentioned in the tripwire config file. Comment out the files which are doesn’t exist in your system in the tripwire config file.[[email protected] ~]# vi /etc/tripwire/twpol.txt { # /dev/kmem -> $(Device) ; /dev/mem -> $(Device) ; /dev/null -> $(Device) ; /dev/zero -> $(Device) ; /proc/devices -> $(Device) ; /proc/net -> $(Device) ; /proc/sys -> $(Device) ; /proc/cpuinfo -> $(Device) ; /proc/modules -> $(Device) ; /proc/mounts -> $(Device) ; /proc/dma -> $(Device) ; /proc/filesystems -> $(Device) ; # /proc/pci -> $(Device) ; /proc/interrupts -> $(Device) ; /proc/driver/rtc -> $(Device) ; /proc/ioports -> $(Device) ; /proc/scsi -> $(Device) ; /proc/kcore -> $(Device) ; /proc/self -> $(Device) ; /proc/kmsg -> $(Device) ; /proc/stat -> $(Device) ;Once modifying all the files, update the tripwire policy file.
[[email protected] ~]# tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt Parsing policy file: /etc/tripwire/twpol.txt Please enter your local passphrase: Please enter your site passphrase: ======== Policy Update: Processing section Unix File System. ======== Step 1: Gathering information for the new policy. ### Continuing... ### Warning: Policy Update Added Object. ### An object has been added since the database was last updated. ### Object name: /var/lib/tripwire/server.ostechnix.com.twd ### Continuing... ### Warning: Policy Update Changed Object. ### An object has been changed since the database was last updated. ### Object name: Conflicting properties for object /root ### > Modify Time ### > Change Time ### Continuing... ======== Step 2: Updating the database with new objects. ======== Step 3: Pruning unneeded objects from the database. Wrote policy file: /etc/tripwire/tw.pol Wrote database file: /var/lib/tripwire/server.ostechnix.com.twd
Checking for any changes in files/directories
[[email protected] ~]# tripwire --check --interactiveOnce you entered this command tripwire will collect all the details and open the result automatically in your vi editor. The report might be too long. Scroll down to view any changes in files or folders. As per the below result the newly Added and Modified files will have check mark(The Added and Modified sections are highlighted in bold). Finally save and quit the report by typing :wq. The Added and Modified files will be automatically updated to Tripwire policy file.
Open Source Tripwire(R) 2.4.1 Integrity Check Report Report generated by: root Report created on: Fri 10 May 2013 12:26:58 PM IST Database last updated on: Fri 10 May 2013 12:23:43 PM IST =============================================================================== Report Summary: =============================================================================== Host name: server.ostechnix.com Host IP address: Unknown IP Host ID: None Policy file used: /etc/tripwire/tw.pol Configuration file used: /etc/tripwire/tw.cfg Database file used: /var/lib/tripwire/server.ostechnix.com.twd Command line used: tripwire --check --interactive =============================================================================== Rule Summary: =============================================================================== ------------------------------------------------------------------------------- Section: Unix File System ------------------------------------------------------------------------------- Rule Name Severity Level Added Removed Modified --------- -------------- ----- ------- -------- Invariant Directories 66 0 0 0 Temporary directories 33 0 0 0 * Tripwire Data Files 100 1 0 1 Critical devices 100 0 0 0 User binaries 66 0 0 0 Tripwire Binaries 100 0 0 0 Critical configuration files 100 0 0 0 Libraries 66 0 0 0 Operating System Utilities 100 0 0 0 Critical system boot files 100 0 0 0 File System and Disk Administraton Programs 100 0 0 0 Kernel Administration Programs 100 0 0 0 Networking Programs 100 0 0 0 System Administration Programs 100 0 0 0 Hardware and Device Control Programs 100 0 0 0 System Information Programs 100 0 0 0 Application Information Programs 100 0 0 0 Shell Related Programs 100 0 0 0 Critical Utility Sym-Links 100 0 0 0 Shell Binaries 100 0 0 0 System boot changes 100 0 0 0 OS executables and libraries 100 0 0 0 Security Control 100 0 0 0 Login Scripts 100 0 0 0 * Root config files 100 0 0 1 Total objects scanned: 10071 Total violations found: 3 =============================================================================== Object Summary: =============================================================================== ------------------------------------------------------------------------------- # Section: Unix File System ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- Rule Name: Tripwire Data Files (/var/lib/tripwire) Severity Level: 100 ------------------------------------------------------------------------------- Remove the "x" from the adjacent box to prevent updating the database with the new values for this object. Added: [x] "/var/lib/tripwire/server.ostechnix.com.twd.bak" ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- Rule Name: Tripwire Data Files (/etc/tripwire/tw.pol) Severity Level: 100 ------------------------------------------------------------------------------- Remove the "x" from the adjacent box to prevent updating the database with the new values for this object. Modified: [x] "/etc/tripwire/tw.pol" ------------------------------------------------------------------------------- Rule Name: Root config files (/root) Severity Level: 100 ------------------------------------------------------------------------------- Remove the "x" from the adjacent box to prevent updating the database with the new values for this object. Modified: [x] "/root" =============================================================================== . . . . . Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved. Integrity check complete. Please enter your local passphrase: Wrote database file: /var/lib/tripwire/server.ostechnix.com.twdNow let us add a new file called sk.
[[email protected] ~]# touch skNow check this file with tripwire –check –interactive command. You may find the file sk under the Added section in the result.
[[email protected] ~]# tripwire --check --interactive . . . ------------------------------------------------------------------------------- Rule Name: Root config files (/root) Severity Level: 100 ------------------------------------------------------------------------------- Remove the "x" from the adjacent box to prevent updating the database with the new values for this object. Added: [x] "/root/sk" . . .Now the new file sk is updated automatically in the tripwire policy file.
Viewing the tripwire report file
All tripwire report files having extension .twr are stored in /var/lib/tripwire/report/ directory. These are not text files, so you can’t view them using any editor. First convert them using the following command to human readable format.[[email protected] ~]# twprint --print-report --twrfile /var/lib/tripwire/report/server.ostechnix.com-20130510-124159.twr > /tmp/twrreport.txtNow open the file using any editor.
[[email protected] ~]# vi /tmp/twrreport.txt Note: Report is not encrypted. Open Source Tripwire(R) 2.4.1 Integrity Check Report Report generated by: root Report created on: Fri 10 May 2013 12:41:59 PM IST Database last updated on: Fri 10 May 2013 12:37:53 PM IST =============================================================================== Report Summary: =============================================================================== Host name: server.ostechnix.com Host IP address: Unknown IP Host ID: None Policy file used: /etc/tripwire/tw.pol Configuration file used: /etc/tripwire/tw.cfg Database file used: /var/lib/tripwire/server.ostechnix.com.twd Command line used: tripwire --check --interactive . . . .
Viewing tripwire configuration and policy file locations
To view the policy file locations enter the following command.[[email protected] ~]# twadmin --print-polfile # policy: # Global Variable Definitions @@section GLOBAL TWROOT=/usr/sbin; TWBIN=/usr/sbin; TWPOL="/etc/tripwire"; TWDB="/var/lib/tripwire"; TWSKEY="/etc/tripwire"; TWLKEY="/etc/tripwire"; TWREPORT="/var/lib/tripwire/report"; HOSTNAME=server.ostechnix.com; . . . .To view the configuration files enter the following command.
[[email protected] ~]# twadmin --print-cfgfile ROOT =/usr/sbin POLFILE =/etc/tripwire/tw.pol DBFILE =/var/lib/tripwire/$(HOSTNAME).twd REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr SITEKEYFILE =/etc/tripwire/site.key LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key EDITOR =/bin/vi LATEPROMPTING =false LOOSEDIRECTORYCHECKING =false MAILNOVIOLATIONS =true EMAILREPORTLEVEL =3 REPORTLEVEL =3 MAILMETHOD =SENDMAIL SYSLOGREPORTING =false MAILPROGRAM =/usr/sbin/sendmail -oi -t
Scheduling Tripwire Check
You may find a cron file tripwire-check might be created automatically in the /etc/cron.daily/ directory. If it isn’t created, open your crontab file and add lines as shown below. The following example will execute the tripwire daily at 5 am.[[email protected] ~]# vi /etc/crontab # Tripwire Monitor process 00 5 * * * /usr/sbin/tripwire --check
found at: http://ostechnix.wordpress.com/2013/05/10/install-tripwire-intrusion-detection-system-on-centos-6-4-rhel-6-4-scientific-linux-6-4/
Comments
Post a Comment