How we managed to use Tripwire for detecting intrusions
We all should be aware that security is very important for our servers. Having informed about the changes to server file system is always important, as unauthorised access could very well breach security. Here comes our saviour Open Source Tripwire, which is a free security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems.
Open Source Tripwire functions as a host-based intrusion detection system. It detects changes to file system objects and alerts the server administrator.
Installation and Configuration
- Install tripwire using apt-get install
# sudo apt-get install tripwire
- Next step is to create site key. Tripwire requires a site passphrase for securing the tw.cfg config file and tw.pol policy file. Just select <Yes> and proceed.
- Local key passphrase is required to protect tripwire database and report files. We need to select <Yes> and proceed.
- Tripwire configuration are saved in /etc/tripwire/twcfg.txt file. It is used to generate the encrypted configuration file tw.cfg. Rebuild the tripwire configuration file.
- Rebuild the Tripwire policy file. Tripwire policies are saved in /etc/tripwire/twpol.txt file and used for the generation of encrypted policy file tw.pol.
Tripwire Configuration file (twcfg.txt)
The details of tripwire config file is given below:
ROOT = /usr/sbin
POLFILE = /etc/tripwire/tw.pol
DBFILE = /var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE = /var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE = /etc/tripwire/site.key
LOCALKEYFILE = /etc/tripwire/$(HOSTNAME)-local.key
EDITOR = /usr/bin/editor
LATEPROMPTING = false
LOOSEDIRECTORYCHECKING = false
MAILNOVIOLATIONS = true
EMAILREPORTLEVEL = 3
REPORTLEVEL = 3
SYSLOGREPORTING = true
MAILMETHOD = SMTP
SMTPHOST = localhost
SMTPPORT = 25
TEMPDIRECTORY = /tmp
Tripwire Policy Configuration
Configure tripwire configuration before generation of baseline database. It is necessary to disable few policies such as /dev, /proc , /root/mail, etc. The details of twpol.txt file are given below:
@@section GLOBAL
TWBIN = /usr/sbin;
TWETC = /etc/tripwire;
TWVAR = /var/lib/tripwire;
#
# File System Definitions
#
@@section FS
#
# First, some variables to make configuration easier
#
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_BIN = $(ReadOnly) ; # Binaries that should not change
SEC_CONFIG = $(Dynamic) ; # Config files that are changed
# infrequently but accessed
# often
SEC_LOG = $(Growing) ; # Files that grow, but that
# should never change ownership
SEC_INVARIANT = +tpug ; # Directories that should never
# change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of
# minimal security impact
SIG_MED = 66 ; # Non-critical files that are of
# significant security impact
SIG_HI = 100 ; # Critical files that are
# significant points of
# vulnerability
#
# Tripwire Binaries
#
(
rulename = "Tripwire Binaries",
severity = $(SIG_HI)
)
{
$(TWBIN)/siggen -> $(SEC_BIN) ;
$(TWBIN)/tripwire -> $(SEC_BIN) ;
$(TWBIN)/twadmin -> $(SEC_BIN) ;
$(TWBIN)/twprint -> $(SEC_BIN) ;
}
{
/boot -> $(SEC_CRIT) ;
/lib/modules -> $(SEC_CRIT) ;
}
(
rulename = "Boot Scripts",
severity = $(SIG_HI)
)
{
/etc/init.d -> $(SEC_BIN) ;
#/etc/rc.boot -> $(SEC_BIN) ;
/etc/rcS.d -> $(SEC_BIN) ;
/etc/rc0.d -> $(SEC_BIN) ;
/etc/rc1.d -> $(SEC_BIN) ;
/etc/rc2.d -> $(SEC_BIN) ;
/etc/rc3.d -> $(SEC_BIN) ;
/etc/rc4.d -> $(SEC_BIN) ;
/etc/rc5.d -> $(SEC_BIN) ;
/etc/rc6.d -> $(SEC_BIN) ;
}
(
rulename = "Root file-system executables",
severity = $(SIG_HI)
)
{
/bin -> $(SEC_BIN) ;
/sbin -> $(SEC_BIN) ;
}
#
# Critical Libraries
#
(
rulename = "Root file-system libraries",
severity = $(SIG_HI)
)
{
/lib -> $(SEC_BIN) ;
}
#
# Login and Privilege Raising Programs
#
(
rulename = "Security Control",
severity = $(SIG_MED)
)
{
/etc/passwd -> $(SEC_CONFIG) ;
/etc/shadow -> $(SEC_CONFIG) ;
}
{
#/var/lock -> $(SEC_CONFIG) ;
#/var/run -> $(SEC_CONFIG) ; # daemon PIDs
/var/log -> $(SEC_CONFIG) ;
}
# These files change the behavior of the root account
(
rulename = "Root config files",
severity = 100
)
{
/root -> $(SEC_CRIT) ; # Catch all additions to /root
#/root/mail -> $(SEC_CONFIG) ;
#/root/Mail -> $(SEC_CONFIG) ;
/root/.xsession-errors -> $(SEC_CONFIG) ;
#/root/.xauth -> $(SEC_CONFIG) ;
#/root/.tcshrc -> $(SEC_CONFIG) ;
#/root/.sawfish -> $(SEC_CONFIG) ;
#/root/.pinerc -> $(SEC_CONFIG) ;
#/root/.mc -> $(SEC_CONFIG) ;
#/root/.gnome_private -> $(SEC_CONFIG) ;
#/root/.gnome-desktop -> $(SEC_CONFIG) ;
#/root/.gnome -> $(SEC_CONFIG) ;
#/root/.esd_auth -> $(SEC_CONFIG) ;
# /root/.elm -> $(SEC_CONFIG) ;
#/root/.cshrc -> $(SEC_CONFIG) ;
#/root/.bashrc -> $(SEC_CONFIG) ;
#/root/.bash_profile -> $(SEC_CONFIG) ;
# /root/.bash_logout -> $(SEC_CONFIG) ;
#/root/.bash_history -> $(SEC_CONFIG) ;
#/root/.amandahosts -> $(SEC_CONFIG) ;
#/root/.addressbook.lu -> $(SEC_CONFIG) ;
#/root/.addressbook -> $(SEC_CONFIG) ;
#/root/.Xresources -> $(SEC_CONFIG) ;
#/root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login
/root/.ICEauthority -> $(SEC_CONFIG) ;
}
#
# Critical devices
#
(
rulename = "Devices & Kernel information",
severity = $(SIG_HI),
)
{
#/dev -> $(Device) ;
#/proc -> $(Device) ;
}
Tripwire Report
tripwire --check command checks the twpol.txt file and generates tripwire report based on the twpol.txt. If there are any error in the twpol.txt file, tripwire does not generate report.
# sudo tripwire --check
Set Up Email Notifications
We can setup email notifications from tripwire using the following command:
# sudo tripwire --check | mail -s "Tripwire report for `uname -n`" email@domain.com
Automate Tripwire with Cron
We can set up a cron job to execute a tripwire check every day.
# sudo crontab -e
30 1 * * * /usr/sbin/tripwire --check | mail -s "Tripwire report for `uname -n`" email@domain.com
The above command triggers tripwire and send tripwire report to the specified email at 1.30AM.
