Tripwire detecting intrusions

How we managed to use Tripwire for detecting intrusions

We all should be aware that security is very important for our servers. Being informed about changes to the server file system is always important, as unauthorised access could very well breach security. Here comes our saviour, Open Source Tripwire, a free security and data integrity tool for monitoring and alerting on specific file changes on a range of systems.

Open Source Tripwire functions as a host-based intrusion detection system. It detects changes to file system objects and alerts the server administrator.

Installation and Configuration

  • Install Tripwire using apt-get:
  # sudo apt-get install tripwire
  • The next step is to create a site key. Tripwire requires a site passphrase to secure the tw.cfg configuration file and the tw.pol policy file. Select <Yes> and proceed.
  • A local key passphrase is required to protect the Tripwire database and report files. Select <Yes> and proceed.
  • The Tripwire configuration is saved in the /etc/tripwire/twcfg.txt file, which is used to generate the encrypted configuration file tw.cfg. Rebuild the Tripwire configuration file.
  • Rebuild the Tripwire policy file. Tripwire policies are saved in the /etc/tripwire/twpol.txt file and are used to generate the encrypted policy file tw.pol.

Tripwire Configuration file (twcfg.txt)

  The details of the Tripwire config file are given below:

ROOT                    =       /usr/sbin
POLFILE                 =       /etc/tripwire/tw.pol
DBFILE                  =       /var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE              =       /var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE             =       /etc/tripwire/site.key
LOCALKEYFILE            =       /etc/tripwire/$(HOSTNAME)-local.key
EDITOR                  =       /usr/bin/editor
LATEPROMPTING           =       false
LOOSEDIRECTORYCHECKING  =       false
MAILNOVIOLATIONS        =       true
EMAILREPORTLEVEL        =       3
REPORTLEVEL             =       3
SYSLOGREPORTING         =       true
MAILMETHOD              =       SMTP
SMTPHOST                =       localhost
SMTPPORT                =       25
TEMPDIRECTORY           =       /tmp

Tripwire Policy Configuration

  Adjust the Tripwire policy before generating the baseline database. A few rules, such as those for /dev, /proc and /root/mail, need to be disabled. The details of the twpol.txt file are given below:

@@section GLOBAL
TWBIN = /usr/sbin;
TWETC = /etc/tripwire;
TWVAR = /var/lib/tripwire;

#
# File System Definitions
#
@@section FS

#
# First, some variables to make configuration easier
#
SEC_CRIT      = $(IgnoreNone)-SHa ; # Critical files that cannot change

SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change

SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed
# infrequently but accessed
# often

SEC_LOG       = $(Growing) ;         # Files that grow, but that
# should never change ownership

SEC_INVARIANT = +tpug ;              # Directories that should never
# change permission or ownership

SIG_LOW       = 33 ;                 # Non-critical files that are of
# minimal security impact

SIG_MED       = 66 ;                 # Non-critical files that are of
# significant security impact

SIG_HI        = 100 ;                # Critical files that are
# significant points of
# vulnerability

#
# Tripwire Binaries
#
(
  rulename = "Tripwire Binaries",
  severity = $(SIG_HI)
)
{
  $(TWBIN)/siggen            -> $(SEC_BIN) ;
  $(TWBIN)/tripwire        -> $(SEC_BIN) ;
  $(TWBIN)/twadmin        -> $(SEC_BIN) ;
  $(TWBIN)/twprint        -> $(SEC_BIN) ;
}
{
  /boot            -> $(SEC_CRIT) ;
  /lib/modules        -> $(SEC_CRIT) ;
}

(
  rulename = "Boot Scripts",
  severity = $(SIG_HI)
)
{
  /etc/init.d        -> $(SEC_BIN) ;
  #/etc/rc.boot        -> $(SEC_BIN) ;
  /etc/rcS.d        -> $(SEC_BIN) ;
  /etc/rc0.d        -> $(SEC_BIN) ;
  /etc/rc1.d        -> $(SEC_BIN) ;
  /etc/rc2.d        -> $(SEC_BIN) ;
  /etc/rc3.d        -> $(SEC_BIN) ;
  /etc/rc4.d        -> $(SEC_BIN) ;
  /etc/rc5.d        -> $(SEC_BIN) ;
  /etc/rc6.d        -> $(SEC_BIN) ;
}

(
  rulename = "Root file-system executables",
  severity = $(SIG_HI)
)
{
  /bin            -> $(SEC_BIN) ;
  /sbin            -> $(SEC_BIN) ;
}

#
# Critical Libraries
#
(
  rulename = "Root file-system libraries",
  severity = $(SIG_HI)
)
{
  /lib            -> $(SEC_BIN) ;
}

#
# Login and Privilege Raising Programs
#
(
  rulename = "Security Control",
  severity = $(SIG_MED)
)
{
  /etc/passwd        -> $(SEC_CONFIG) ;
  /etc/shadow        -> $(SEC_CONFIG) ;
}
{
  #/var/lock        -> $(SEC_CONFIG) ;
  #/var/run        -> $(SEC_CONFIG) ; # daemon PIDs
  /var/log        -> $(SEC_CONFIG) ;
}

# These files change the behavior of the root account
(
  rulename = "Root config files",
  severity = 100
)
{
  /root                -> $(SEC_CRIT) ; # Catch all additions to /root
  #/root/mail            -> $(SEC_CONFIG) ;
  #/root/Mail            -> $(SEC_CONFIG) ;
  /root/.xsession-errors        -> $(SEC_CONFIG) ;
  #/root/.xauth            -> $(SEC_CONFIG) ;
  #/root/.tcshrc            -> $(SEC_CONFIG) ;
  #/root/.sawfish            -> $(SEC_CONFIG) ;
  #/root/.pinerc            -> $(SEC_CONFIG) ;
  #/root/.mc            -> $(SEC_CONFIG) ;
  #/root/.gnome_private        -> $(SEC_CONFIG) ;
  #/root/.gnome-desktop        -> $(SEC_CONFIG) ;
  #/root/.gnome            -> $(SEC_CONFIG) ;
  #/root/.esd_auth            -> $(SEC_CONFIG) ;
  #    /root/.elm            -> $(SEC_CONFIG) ;
  #/root/.cshrc                -> $(SEC_CONFIG) ;
  #/root/.bashrc            -> $(SEC_CONFIG) ;
  #/root/.bash_profile        -> $(SEC_CONFIG) ;
  #    /root/.bash_logout        -> $(SEC_CONFIG) ;
  #/root/.bash_history        -> $(SEC_CONFIG) ;
  #/root/.amandahosts        -> $(SEC_CONFIG) ;
  #/root/.addressbook.lu        -> $(SEC_CONFIG) ;
  #/root/.addressbook        -> $(SEC_CONFIG) ;
  #/root/.Xresources        -> $(SEC_CONFIG) ;
  #/root/.Xauthority        -> $(SEC_CONFIG) -i ; # Changes Inode number on login
  /root/.ICEauthority            -> $(SEC_CONFIG) ;
}

#
# Critical devices
#
(
  rulename = "Devices & Kernel information",
  severity = $(SIG_HI),
)
{
  #/dev        -> $(Device) ;
  #/proc        -> $(Device) ;
}

Tripwire Report

  The tripwire --check command runs the integrity check according to the policy in twpol.txt and generates a Tripwire report. If there are any errors in the twpol.txt file, Tripwire does not generate a report.

  # sudo tripwire --check
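To make the mechanism behind the policy masks and tripwire --check concrete, here is an added Python example (not Tripwire's own code): a policy maps paths to property masks such as $(ReadOnly) and $(Growing), a baseline is recorded as --init would, and a later check reports every enabled property that differs. The property letters implemented and the reduced masks are assumptions of this example; Tripwire's real variables cover more properties.

```python
import hashlib, os, stat, tempfile

# Property letters (subset of Tripwire's): t type, p permissions, i inode, u owner,
# g group, s size, l growing size, m mtime, S SHA-1 of contents. The masks below are
# Tripwire's $(ReadOnly) and $(Growing) reduced to those letters (an assumption here).
ReadOnly = "+piugtsmS-l"   # binaries: nothing may change
Growing = "+piugtl-smS"    # logs: may grow but never shrink; contents and mtime untracked

def parse_mask(mask):
    """'+abc-de' -> set of enabled letters; a later sign overrides an earlier one."""
    enabled, add = set(), True
    for ch in mask:
        if ch in "+-":
            add = ch == "+"
        else:
            (enabled.add if add else enabled.discard)(ch)
    return enabled

def snapshot(path, props):
    """Record the enabled properties of one object (one entry of the .twd database)."""
    st = os.lstat(path)
    vals = {"t": stat.S_IFMT(st.st_mode), "p": stat.S_IMODE(st.st_mode), "i": st.st_ino,
            "u": st.st_uid, "g": st.st_gid, "s": st.st_size, "l": st.st_size, "m": int(st.st_mtime)}
    if "S" in props and stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            vals["S"] = hashlib.sha1(f.read()).hexdigest()
    return {k: v for k, v in vals.items() if k in props}

def check(path, baseline, props):
    """Violated letters: 'l' fires only if the file shrank, the rest on any difference."""
    cur = snapshot(path, props)
    return sorted(k for k in props if (cur["l"] < baseline["l"] if k == "l"
                                       else cur.get(k) != baseline.get(k)))

def write(path, data, perm, mode="wb"):  # fixture helper: write bytes, set permission bits
    with open(path, mode) as f:
        f.write(data)
    os.chmod(path, perm)

def demo():  # constructed scenario: a 'binary' is tampered with while a log grows
    d = tempfile.mkdtemp()
    tool, log = os.path.join(d, "tool"), os.path.join(d, "app.log")
    policy = {tool: parse_mask(ReadOnly), log: parse_mask(Growing)}   # path -> mask
    write(tool, b"#!/bin/sh\necho ok\n", 0o755)
    write(log, b"started\n", 0o644)
    db = {p: snapshot(p, m) for p, m in policy.items()}               # like tripwire --init
    write(tool, b"#!/bin/sh\necho no\n", 0o4755)  # same size, new contents, setuid bit added
    write(log, b"request served\n", 0o644, "ab")  # legitimate growth: not a violation
    return {os.path.basename(p): check(p, db[p], m) for p, m in policy.items()}  # --check
```

Running demo() reports the content (S) and permission (p) changes on the tampered file while the appended log stays clean, which is exactly why binaries get $(ReadOnly) and logs get $(Growing) in twpol.txt.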

Set Up Email Notifications

  We can set up email notifications from Tripwire using the following command:

  # sudo tripwire --check | mail -s "Tripwire report for `uname -n`" email@domain.com

Automate Tripwire with Cron

  We can set up a cron job to run a Tripwire check every day.

  # sudo crontab -e

  30 1 * * * /usr/sbin/tripwire --check | mail -s "Tripwire report for `uname -n`" email@domain.com

The above cron entry runs Tripwire every day at 1:30 AM and sends the report to the specified email address.
