Tripwire
Contents
Checking for changes
This looks at all the files specified in the policyfile, and compares their fingerprints with those in the tripwire database. It also saves a copy of the report in /var/lib/tripwire/reports
tripwire --check [--email-report]
Updating after known changes (eg. apt-get upgrade)
To use a recently generated report as the basis for the files to update (you can choose to update or not update fingerprints for any of the files marked as changed on the recent report):
tripwire --update --twrfile /var/lib/tripwire/report/recent-report.twr
Or to generate a report and then identify desired or undesired changes (this is equivalent to both of the commands in the sections above):
tripwire --check --interactive
Changing tripwire configuration
Policy file
This file details the files to be watched for changes, and so is the most common configuration change.
- Create a plaintext version of the policy file
twadmin --print-polfile > mypol.txt
- Edit mypol.txt
- Encrypt the policyfile, and update the database to reflect the new policy
tripwire --update-policy [-Z low] mypol.txt
Then, tidy up temporary and backup files, and rerun an update to pick up changed files (as above).
Policy Options
- Ignore the following properties + Record and check the following properties a Access timestamp b Number of blocks allocated c Inode timestamp (create/modify) d ID of device on which inode resides g File owner's group ID i Inode number l File is increasing in size (a "growing file") m Modification timestamp n Number of links (inode reference count) p Permissions and file mode bits r ID of device pointed to by inode (valid only for device objects) s File size t File type u File owner's user ID C CRC-32 hash value H Haval hash value M MD5 hash value S SHA hash value
Builtin variables
- ReadOnly
- ReadOnly is good for files that are widely available but are intended to be read-only. Value: +pinugtsdbmCM-rlacSH
- Dynamic
- Dynamic is good for monitoring user directories and files that tend to be dynamic in behavior. Value: +pinugtd-srlbamcCMSH
- Growing
- The Growing variable is intended for files that should only get larger. Value: +pinugtdl-srbamcCMSH
- Device
- Device is good for devices or other files that Tripwire should not attempt to open. Value: +pugsdr-intlbamcCMSH
- IgnoreAll
- IgnoreAll tracks a file's presence or absence, but doesn't check any other properties. Value: -pinugtsdrlbamcCMSH
- IgnoreNone
- IgnoreNone turns on all properties and provides a convenient starting point for defining your own property masks (for example, mymask = $(IgnoreNone) -ar;). Value: +pinugtsdrbamcCMSH-l
Configuration file
This file only stores basic settings about the site keys, the location of the various tripwire files etc, and so shouldn't often need changing.
twadmin --print-cfgfile > mycfg.txt
Edit mycfg.txt
twadmin --create-polfile mycfg.txt rm mypol.txt
Common Options
- EMAILNOVIOLATIONS
- Send a report email even if no files were reported changed
- LOOSEDIRECTORYCHECKING
- Only report changes to files, not to contents of directories
References
Intrustion Detection for the Masses: http://www.linuxjournal.com/article/4718 HOWTO - Setting up tripwire: http://www.alwanza.com/howto/linux/tripwire.html