Tripwire

From Briki

Checking for changes

This checks every file specified in the policy file and compares its fingerprints with those stored in the Tripwire database. It also saves a copy of the report in /var/lib/tripwire/reports

tripwire --check [--email-report]

Updating after known changes (e.g. apt-get upgrade)

To use a recently generated report as the basis for the update (for each file the report marks as changed, you can choose whether or not to accept the new fingerprint):

tripwire --update --twrfile /var/lib/tripwire/report/recent-report.twr

Or, to generate a report and then accept or reject each change interactively (equivalent to running the two commands above):

tripwire --check --interactive

Changing tripwire configuration

Policy file

This file lists the files and directories to be watched for changes, and so is the configuration file that changes most often.

  • Create a plaintext version of the policy file
twadmin --print-polfile > mypol.txt
  • Edit mypol.txt
  • Encrypt the policy file, and update the database to reflect the new policy
tripwire --update-policy [--secure-mode low] mypol.txt

Then, tidy up temporary and backup files, and rerun an update to pick up changed files (as above).

Policy Options

-     Ignore the following properties
+     Record and check the following properties
a     Access timestamp
b     Number of blocks allocated
c     Inode timestamp (create/modify)
d     ID of device on which inode resides
g     File owner's group ID
i     Inode number
l     File is increasing in size (a "growing file")
m     Modification timestamp
n     Number of links (inode reference count)
p     Permissions and file mode bits
r     ID of device pointed to by inode (valid only for device objects)
s     File size
t     File type
u     File owner's user ID
C     CRC-32 hash value
H     Haval hash value
M     MD5 hash value
S     SHA hash value

Builtin variables

ReadOnly
ReadOnly is good for files that are widely available but are intended to be read-only. Value: +pinugtsdbmCM-rlacSH
Dynamic
Dynamic is good for monitoring user directories and files that tend to be dynamic in behavior. Value: +pinugtd-srlbamcCMSH
Growing
The Growing variable is intended for files that should only get larger. Value: +pinugtdl-srbamcCMSH
Device
Device is good for devices or other files that Tripwire should not attempt to open. Value: +pugsdr-intlbamcCMSH
IgnoreAll
IgnoreAll tracks a file's presence or absence, but doesn't check any other properties. Value: -pinugtsdrlbamcCMSH
IgnoreNone
IgnoreNone turns on all properties and provides a convenient starting point for defining your own property masks (for example, mymask = $(IgnoreNone) -ar;). Value: +pinugtsdrbamcCMSH-l
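An added example (not part of the original page or of Tripwire itself) that resolves a property mask written with the Policy Options letters and the built-in variables above into the set of properties Tripwire will actually check, so you can see what a custom mask such as mymask = $(IgnoreNone) -ar ends up recording:

```python
"""Resolve Tripwire property masks (the letters from the Policy Options
table and the built-in variables above) into the set of checked properties."""
import re

# Property letters from the Policy Options table.
PROPERTIES = set("abcdgilmnprstuCHMS")

# Built-in variables with the values listed on this page.
BUILTIN = {
    "ReadOnly":   "+pinugtsdbmCM-rlacSH",
    "Dynamic":    "+pinugtd-srlbamcCMSH",
    "Growing":    "+pinugtdl-srbamcCMSH",
    "Device":     "+pugsdr-intlbamcCMSH",
    "IgnoreAll":  "-pinugtsdrlbamcCMSH",
    "IgnoreNone": "+pinugtsdrbamcCMSH-l",
}

_GROUP = re.compile(r"([+-])([A-Za-z]*)|\s+")

def expand(mask, table, depth=0):
    """Textually substitute $(Name) references, as Tripwire does."""
    if "$(" not in mask:
        return mask
    if depth > 16:  # guard against a = $(b); b = $(a)
        raise ValueError("variable reference loop in %r" % mask)
    return expand(re.sub(r"\$\((\w+)\)", lambda m: table[m.group(1)], mask),
                  table, depth + 1)

def resolve_mask(mask, variables=None):
    """Return the set of property letters the mask turns on: "+xyz"/"-xyz"
    groups apply left to right, so "$(IgnoreNone) -ar" checks everything
    IgnoreNone checks except access time (a) and device ID (r)."""
    table = dict(BUILTIN, **(variables or {}))
    text = expand(mask, table)
    checked, pos = set(), 0
    while pos < len(text):
        m = _GROUP.match(text, pos)
        if m is None:
            raise ValueError("bad mask syntax at %r" % text[pos:])
        pos = m.end()
        sign, letters = m.groups()
        if sign is None:  # whitespace between groups
            continue
        if not set(letters) <= PROPERTIES:
            raise ValueError("unknown property letters in %r" % letters)
        checked = checked | set(letters) if sign == "+" else checked - set(letters)
    return checked
```

Note that ReadOnly deliberately leaves out a (access time), so a tripwire --check that reads the file does not itself report a change, and that only Growing turns on l.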

Configuration file

This file only stores basic settings (the site keys, the location of the various Tripwire files, etc.), and so shouldn't often need changing.

twadmin --print-cfgfile > mycfg.txt

Edit mycfg.txt

Then encrypt and install the configuration file (the site key must be given explicitly here, since no existing configuration is read; /etc/tripwire/site.key is the usual location) and remove the plaintext copy:

twadmin --create-cfgfile --site-keyfile /etc/tripwire/site.key mycfg.txt
rm mycfg.txt

Common Options

EMAILNOVIOLATIONS
Send a report email even if no files were reported changed
LOOSEDIRECTORYCHECKING
Only report changes to files, not to contents of directories
