1.

INTRODUCTION
At the heart of most computer systems is a file system. The file system contains user data,
executable programs, configuration and authorization information, and (usually) the base
executable version of the operating system itself. The ability to monitor file systems for
unauthorized or unexpected changes gives system administrators valuable data for
protecting and maintaining their systems.

Tripwire is a reliable intrusion detection system. It is a software tool that checks to see
what has changed in your system. It mainly monitors the key attribute of your files; by key
attribute we mean the binary signature, size and other related data. Security and operational
stability must go hand in hand; if the user does not have control over the various operations
taking place, then naturally the security of the system is also compromised. Tripwire has a
powerful feature which pinpoints the changes that has taken place, notifies the
administrator of these changes, determines the nature of the changes and provide you with
information you need for deciding how to manage the change.

Tripwire Integrity management solutions monitor changes to vital system and configuration
files. Any changes that occur are compared to a snapshot of the established good baseline.
The software detects the changes, notifies the staff and enables rapid recovery and remedy
for changes. All Tripwire installation can be centrally managed. Tripwire software’s cross
platform functionality enables you to manage thousands of devices across your
infrastructure.

"Security not only means protecting your system against various attacks but also means
taking quick and decisive actions when your system is attacked”.

First of all we must find out whether our system is attacked or not, earlier system logs are
certainly handy. You can see evidences of password guessing and other suspicious
activities. Logs are ideal for tracing steps of the cracker as he tries to penetrate into the
system. But who has the time and the patience to examine the logs on a daily basis??

1
MOTIVATION:
However, in environments of many networked heterogeneous platforms with
different policies and software, the task of monitoring changes becomes quite daunting.
Penetration usually involves a change of some kind, like a new port has been opened or a
new service. The most common change you can see is that a file has changed. If you can
identify the key subsets of these files and monitor them on a daily basis, then we will be
able to detect whether any intrusion took place. Tripwire is an open source program
created to monitor the changes in a key subset of files identified by the user and report on
any changes in any of those files. When changes made are detected, the system
administrator is informed.

Tripwire ‘s principle is very simple, the system administrator identifies key files
and causes tripwire to record checksum for those files. He also puts in place a cron job,
whose job is to scan those files at regular intervals (daily or more frequently), comparing
to the original checksum. Any changes, addition or deletion, are reported to the
administrator. The administrator will be able to determine whether the changes were
permitted or unauthorized changes. If it was the earlier case the n the database will be
updated so that in future the same violation wouldn’t be repeated. In the latter case then
proper recovery action would be taken immediately.

Tripwire is tool that aids UNIX system administrators and users in monitoring a
designated set of files and directories for any changes. Used with system files on a regular
(e.g., daily) basis, Tripwire can notify system administrators of corrupted or altered files,
so corrective actions may be taken in a timely manner.

Tripwire may also be used on user or group files or database to signal changes.
This paper describes the design and implementation of the Tripwire tool. It uses
interchangeable signature (usually, message digest) routines to identify changes in files,
and is highly configurable.

2
 2. BASIC PURPOSE OF TRIPWIRE

Almost the same principle is used in computers. If any change is met upon while
comparing the old values to the new ones, or if any data is being manipulated on the spot,
the logs are checked for intrusion and then detected, after which all the changes can be
undone.

Tripwire is a free and open-source1 software tool. It functions as a host-based intrusion

detection system. It does not concern itself directly with detecting intrusion attempts in real
time at the periphery of a computing system (as in network intrusion detection systems),
but rather looks for and reports on the resultant changes of state in the computing system
under observation
Intruders usually leave traces of their activities (changes in the system state). Tripwire
looks for these by monitoring key attributes of files that should not change—including
binary signatures, size, expected changes in size, etc.—and reporting its findings.

While useful for detecting intrusions after the event, it can also serve many other purposes,
such as integrity assurance, change management, policy compliance, and more.

A Host-based Intrusion Detection System (HIDS), as a special category of an Intrusion-

Detection System, focuses its monitoring and analysis on the internals of a computing
system rather than on its external interfaces (as a Network Intrusion Detection System
(NIDS) would do)

3
TRIPWIRE RELATED TOPICS:
Open source describes practices in production and development that promote
access to the end product's source materials—typically, their source code. Some consider it
as a philosophy, and others consider it as a pragmatic methodology. Before open source
became widely adopted, developers and producers used a variety of phrases to describe the
concept; the term open source gained popularity with the rise of the Internet and its
enabling of diverse production models, communication paths, and interactive communities.
Subsequently, open source software became the most prominent face of open source
practices.
The open source model can allow for the concurrent use of different agendas
and approaches in production, in contrast with more centralized models of development
such as those typically used in commercial software companies. "Open source" as applied
to culture defines a culture in which fixations are made generally available. Participants in
such a culture are able to modify those products and redistribute them back into the
community.

Pragmatism, as a school of philosophy, is a collection of many different

ways of thinking. Given the diversity among thinkers and the variety among schools of
thought that have adopted this term over the years, the term pragmatism has become all but
meaningless in the absence of further qualification. Most of the thinkers who describe
themselves as pragmatists point to some connection with practical consequences or real
effects as vital components of both meaning and truth. The precise character of these links
to pragmata is, however, as diverse as the thinkers who do the pointing.

4
 3. THE ACTUAL WORKING OF THE TRIPWIRE SYSTEM

A HIDS will monitor all or part of the dynamic behavior and of the state of a computer
system. Much as a NIDS will dynamically inspect network packets, a HIDS might detect
which program accesses what resources and assure that (say) a word-processor hasn't
suddenly and inexplicably started modifying the system password-database. Similarly a
HIDS might look at the state of a system, its stored information, whether in RAM, in the
file-system, or elsewhere; and check that the contents of these appear as expected.
One can think of a HIDS as an agent that monitors whether anything/anyone - internal or
external - has circumvented the security policy that the operating system tries to enforce.

3.1 MONITORING DYNAMIC BEHAVIOUR:

Many computer users have encountered tools that monitor dynamic system
behavior in the form of anti-virus (AV) packages. While AV programs often also monitor
system state, they do spend a lot of their time looking at who is doing what inside a
computer - and whether a given program should or should not access one or another system
resource. The lines become very blurred here, as many of the tools overlap in functionality.

3.2 MONITORING STATE:

The principle of operation of a HIDS depends on the fact that successful intruders
(crackers) will generally leave a trace of their activities. (In fact, such intruders often want
to own the computer they have attacked, and will establish their "ownership" by installing
software that will grant the intruders future access to carry out whatever activity (keyboard
logging, identity theft, spamming, botnet activity, spyware-usage etc.) they envisage.)
In theory, a computer user has the ability to detect any such modifications, and the HIDS
attempts to do just that and reports its findings. Ideally a HIDS works in conjunction with a
NIDS,such that a HIDS finds anything that’ slips past the NIDS.

Ironically, most successful intruders, on entering a target machine, immediately apply best-
practice security techniques to secure the system which they have infiltrated, leaving only

5
their own backdoor open, so that other intruders can not take over their computers.
(Crackers are a competitive bunch...) Again, one can detect (and learn from) such changes.

3.3 TECHNIQUE:

In general a HIDS uses a database (object-database) of system objects it should

monitor - usually (but not necessarily) file-system objects. A HIDS could also check that
appropriate regions of memory have not been modified, for example - the system-call table
comes to mind for Linux, and various vtable structures in Microsoft Windows.
For each object in question a HIDS will usually remember its attributes (permissions, size,
modifications dates) and perhaps create a checksum of some kind (an MD5 hash or similar)
for the contents, if any. This information gets stored in a database for later comparison
(checksum-database). Note that a matching MD5 hash does not provide a complete
guarantee that an intruder or other unauthorised user has not tampered with the target file.
Recent (2004) research has resulted in claims (still under debate) that the probability of
such tampering may exceed what one might hope.

6
 4. OPERATION OF TRIPWIRE

At installation time - and whenever any of the monitored objects change legitimately - a
HIDS must initialise its checksum-database by scanning the relevant objects. Persons in
charge of computer security need to control this process tightly in order to prevent intruders
making un-authorized changes to the database(s). Such initialisation thus generally takes a
long time and involves cryptographically locking each monitored object and the checksum
databases or worse. Because of this, manufacturers of HIDS usually construct the object-
database in such a way that makes frequent updates to the checksum database unnecessary.

Computer systems generally have many dynamic (frequently changing) objects which
intruders want to modify - and which a HIDS thus should monitor - but their dynamic
nature makes them unsuitable for the checksum technique. To overcome this problem,
HIDS employ various other detection techniques: monitoring changing file-attributes, log-
files that decreased in size since last checked, and a raft of other means to detect unusual
events.

Once a system administrator has constructed a suitable object-database - ideally with help
and advice from the HIDS installation tools - and initialized the checksum-database, the
HIDS has all it requires to scan the monitored objects regularly and to report on anything
that may appear to have gone wrong. Reports can take the form of logs, e-mails or similar.

4.1 PROTECTING THE HIDS:

A HIDS will usually go to great lengths to prevent the object-database, checksum-

database and its reports from any form of tampering. After all, if intruders succeed in
modifying any of the objects the HIDS monitors, nothing can stop such intruders from
modifying the HIDS itself - unless security administrators take appropriate precautions.
Many worms and viruses will try to disable anti-virus tools, for example. Sadly, a lot of
them succeed in doing so.

7
 Apart from crypto-techniques, HIDS might allow administrators to store the
databases on a CD-ROM or on other read-only memory devices (another factor militating
for infrequent updates...) or storing them in some off-system memory. Similarly, a HIDS
will often send its logs off-system immediately - in some instances via one-way
communications channels, such as a serial port which only has "Transmit" connected,

For example:- One could argue that the trusted platform module comprises a type
of HIDS. Although its scope differs in many ways from that of a HIDS, fundamentally it
provides a means to identify whether anything/anyone has tampered with a portion of a
computer. Architecturally this provides the ultimate (at least at this point in time) host-
based intrusion detection, as depends on hardware external to the CPU itself, thus making it
that much harder for an intruder to corrupt its object and checksum databases.

8
FIG4.1: FLOW CHART SHOWING THE WORKING OF TRIPWIRE

9
1. Install Tripwire and customize the policy file

Install the Tripwire software into the system and then specify the files to be checked by
writing the policy files. Using the version 4.0 writing the policy file is made very easy.

2. Initialize the Tripwire database

The database is initialized with the important key attribute in the file to be checked. Build
database of critical system files to monitor based on the contents of the new, signed
Tripwire policy file.

3. Run the integrity check

Compare the newly created Tripwire database with the actual system files, looking for
missing or altered files, according to the integrity check timing specified by in the policy
file for different files that are to be monitored.

4. Examine the Tripwire report file

View the Tripwire report file to note any integrity violations.

5. If unauthorized integrity violations occur, take appropriate security measures

If monitored files have been altered inappropriately, the system administrator have to
take immediate action, you can either replace the original files from backup copies
reinstall the program, or completely reinstall the operating system.

6. If the file alterations were valid, verify and update the Tripwire database file.

If the changes made to monitor files are intentional, edit Tripwire’s database file to ignore
those changes in subsequent report.

7. If the policy file fails verification, update the Tripwire policy file

To change the list of files Tripwire monitors or how it treats integrity violations, update
the supplied policy file, regenerate a signed copy, and update the Tripwire database.

5. TRIPWIRE MANAGER
10
Tripwire Manger is a fully functional, cross platform management console that allows
system and security professionals to easily manage all installations of Tripwire for Servers
software across an enterprise network. Tripwire Manager eliminates the need to manually
monitor multiple discrete network platforms and point solutions. Instead, IT professionals
have a comprehensive view of data integrity status from a single centralized console.
Tripwire Manager also enables you to view and analyze reports from installations of
Tripwire for Servers. With Tripwire Manager you can retrieve an integrity system, which
is made up of the configuration, database, policy, local and site key, from a single
“golden” machine which can then be distributed to as many servers that need to be
compared against this snapshot. In version 4.0 of the Tripwire Manager you can create
and modify policy files by using graphical policy editor. This GUI will scan the remote
file system of a Tripwire for Servers installation and provide you with an easy mechanism
for editing or creating a policy file without having to know the policy file syntax. Tripwire
Manager can manage the functions of Tripwire for Servers on up to 2500 machines.

Adding or removing recognition of Tripwire for Servers is easy to do from within the
Tripwire Manager console. All you need to know is host name, IP address and a port
number. The Tripwire for Servers database can be updated by using the database update
mode within Tripwire Manager. All communication between Tripwire Manager and
installation of Tripwire for Servers takes place using Secured Socket Layer (SSL)
technology with 168-bit Triple DES encryption. To protect against unauthorized
modification, important files on each Tripwire for Servers installation are stored in a
binary-encoded and signed form. Database, policy, configuration, and report files
generated by the integrity assessment are protected by using El Gamal asymmetric
cryptography with a 1024-bit signature.

There are mainly two types of Tripwire Manager

11
 • Active Tripwire Manager
• Passive Tripwire Manager

A user can have more than one Tripwire Manager managing the same set of Tripwire for
Servers machines. However, only one can be in active mode and have complete
management control of Tripwire for Servers machines. This active Tripwire Manager gives
a user the ability to update the database, schedule integrity checks, update and distribute
policy and configuration files and view integrity reports. The other Tripwire Manager is in
a passive mode. The passive mode only allows these Tripwire Manager to view the status
of the machines and integrity reports. Once the active Tripwire Manager shuts down, the
next time the passive Tripwire Manager pings the Tripwire for Servers machine it connects
as an active Tripwire Manager. If more than two passive Tripwire Managers, the one that
connects first to the Tripwire for Servers machine after the active Manager has hut down
becomes the active Manager.

12
 6. TRIPWIRE FOR SERVERS
Tripwire for Servers is software that is exclusively used by servers. This software can be
installed on any server that needs to be monitored for any changes. Typical servers
include mail servers, web servers, firewalls, transaction server, development server etc.
Any server where it is imperative to identity if and when a file system change has
occurred should be monitored with tripwire for servers. For the tripwire for server’s
software to work two important things should be present – the policy file and the
database.

The tripwire for Servers software conducts subsequent file checks, automatically
comparing the state of the system with the baseline database. Any inconsistencies are
reported to the Tripwire Manager and to the host system log file. Reports can also be
emailed to an administrator. If a violation is an authorized change, a user can update the
database so changes no longer show up as violations.

6.1 FLEXIBLE POLICY LANGUAGE:

The power behind Tripwire technology lies in its highly configurable

policy language. The policy file is how a user directs Tripwire for Servers to monitor
specific files or directories. The flexible policy tool can be customized to fit the needs of
each and every server. With the release of version 4.0, policy file creation has become
even easier. From Tripwire Manager 4.0, a graphical policy editor allows users to select
the files and directories, along with the scanning options that need to be monitored in each
integrity check.

Included in the products are default policy files for each supported operating
system to make it easy for the user to set up which files should be monitored. In the latest
version, wildcard application is also supported which enables users to add objects to the
policy file by specifying the file type. In 4.0, objects listed in the policy file but not
present on the user’s machine will no longer be categorized as violations. By only
showing violations caused by added, deleted or changed files, report noise is greatly

13
reduced. Tripwire policy languages also allow you to group objects around easy-to-
understand rule names and then prioritize them.

The snapshot and the policy file are cryptographically signed with 168-bit Triple DES
encryption algorithm that detects any unauthorized tampering. The default policy file also
monitors the tripwire binary files, in short, it uses tripwire itself to monitor the tripwire.

In the latest version 4.0 in addition to reporting the administrator which file has changed,
when the change occurred and where the change took place it also to some extend
determines who made these changes. Tripwire for Servers track the identity of who made
the change by correlating the information from the operating system’s event and audit log
with the integrity information that is detected by Tripwire for Servers. It uses this
information to provide the identity of who made a certain change. Since we rely on the
operating system to gather this information, the product only captures the “who”
information from the operating system that track this. Linux and FreeBSD do not track
this information. This feature is called Event Log Correlation.

Each Tripwire for Servers report details when the database was last updated, providing a
quick benchmark of if or when detailing if the data files have been replaced. In order to
replace these files, an attacker requires root or administrator level privileges and must
know where Tripwire for Servers has been installed. On a properly secured system,
gaining this level of access takes time and leaves physical evidence behind for Tripwire
for Servers to detect prior to the system being compromised. Methods for reducing the
risk of an intruder being able to replace a Tripwire for Servers installation include:

• Hiding the application by renaming configuration, data, and binary files and
installing to a hidden location.
• Installing Tripwire for Servers to a read-only partition such as a
CD-ROM.

14
 7. TRIPWIRE FOR NETWORK DEVICES

Router, switch, and firewall configurations are critical to overall network operation.
Unwanted changes to configuration files can result in downtime and security issues and
waste hours of staff time searching for the cause. Tripwire for Network Devices monitors
the integrity of routers, switches and firewalls-network devices that communicate network
traffic within and between networks. It helps network administrator answer the question,
“Has the state of my network devices changed from a known, trusted state? If so, how?”
Problem’s with one network device can seriously disable an organization’s entire
network. Network downtime can result in lost revenue and lost customer confidence.
Manual processes to secure your network devices are available and important. Tripwire
for Network Devices augments and helps guarantee that the security of your network
devices remains in tact. With Tripwire for Network Devices, downtime is minimized.
Network administrators can use Tripwire for Network Devices to quickly investigate and
isolate changes and restore changed configuration files within minutes of an alert.

Tripwire for Network Device includes six primary functions:

• Automatic notification of changes to your routers, switches and firewalls

• Automatic restoration of critical network devices
• Audit trail from log files and change reports – ideal for internal/external
network
audits.
• Baseline archiving and configuration file “Hot Back-up” solution
• Heterogeneous support for today’s most commonly used network devices
• Sets a framework for autonomic recovery

15
Tripwire for Network Devices does not provide real time monitoring. It checks your
network devices for change according to schedule you set. Device passwords stored by
the software are protected by robust 1024-bit Blowfish cryptography. The software has
four user authorization levels:

• “Monitors” are allowed only to monitor the application. They cannot make
changes to Tripwire for Network Devices or to the devices that the software
monitors.
• “Users” can make changes to Tripwire for Network Devices, such as add
routers, switches. Groups, tasks, etc., but they cannot make changes to the devices it
monitors.
• “Powerusers” can make changes to the software and to the devices it
monitors.
• “Administrator” can perform all actions, plus delete violations and log
messages as well as add, delete, or modify user accounts.

Tripwire for Network Devices maintains a log of all significant actions, including adding
and deleting nodes, rules, tasks, and user accounts. All log entries include a time and date,
and identify the user who initiated the process. The log entries cannot be modified by
anyone other than the administrator and can be copied and pasted into a text file so you
can create a library of log activities that are ideal for network audits.

Device password are stored by the software are protected by robust 1024-bit Blowfish
cryptography. Tripwire for Network Devices has been tested and can monitor thousands
of network devices. Tripwire for Network Devices software has been tested up to 6,000
network devices running integrity checks every 10 minutes. With correct configuration,
the software can monitor more than 6,000 devices at one time.

16
 8. HOW TO INSTALL AND USE THE TRIPWIRE SYSTEM

The following steps should be taken to properly install, use and maintain Tripwire:

• Install Tripwire and customize the policy file — If not already done, install
the tripwire RPM. Then, customize the sample configuration
(/etc/tripwire/twcfg.txt) and policy (/etc/tripwire/twpol.txt) files and run the
configuration script (/etc/tripwire/twinstall.sh).

• Initialize the Tripwire database — Build a database of critical system files to

monitor based on the contents of the new, signed Tripwire policy file
(/etc/tripwire/tw.pol).

• Run a Tripwire integrity check — Compare the newly-created Tripwire

database with the actual system files, looking for missing or altered files.

• Examine the Tripwire report file — View the Tripwire report file using
twprint to note integrity violations.

• Take appropriate security measures — If monitored files have been altered

inappropriately, you can either replace the originals from backups or reinstall the
program.

• Update the Tripwire database file — If the integrity violations are

intentional and valid, such as if you intentionally edited a file or replaced a
particular program, you should tell Tripwire's database file to not report them as
violations in future reports.

• Update the Tripwire policy file — If you need to change the list of files
Tripwire monitors or how it treats integrity violations, you should update your

17
 sample policy file (/etc/tripwire/twpol.txt), regenerate a signed copy
(/etc/tripwire/tw.pol), and update your Tripwire database.

9. HOW TO USE TRIPWIRE

Here is an experience of a web adminstrator:

A little over two years ago I was hacked. Someone broke into a web server I was
administrating that had only Apache and OpenSSH running publically, and all packages
were up-to-date. The hacker replaced my ps binary with his own to hide his processes,
added a new service that was executed from the binary "/bin/crond " (the space is
intentional - it makes it look like a normal and an expected process in a running-processes
listing and a normal binary in a directory listing). The "crond " process gathered usernames
and passwords and stored them in a text file in the directory "/dev/pf0 / /", (5 and 2
spaces respectively), which also contained a root shell. The chances of me finding and
identifying this intrusion would have been extremely remote if I had not been running
Tripwire.

Tripwire is a file integrity checker for UNIX/Linux based operating systems and works as
an excellent intrusion detection system. It will not prevent an intrusion; for this see my
previous articles on setting up firewalls and securing a Linux distribution for help.

The idea behind Tripwire is quite simple: it first creates a "baseline" database of the state of
the files and directories on your system and then on subsequent runs it compares the current
state of the files and directories against this baseline identifying any deletions, additions or
changes. The files and directories to be checked are decided by a "policy" file. This file
also defines what attributes to compare; this can include access, inode and modification
timestamps, owner and group IDs, permissions, file size and type, MD5 and SHA hash
values, etc.

18
In this article I will guide you through the process of getting and installing Tripwire,
configuring it and setting it up to run on a daily basis. In the final section I will mention a
few additional steps you can take to ensure the integrity of your Tripwire database and thus
your file system.

Acquiring and Installing Tripwire:

The easiest method of installing Tripwire is to use a vendor supplied package (I have
checked and these are available for RedHat/Fedora Core, SuSE, Mandrakesoft and
Debian). The advantages of using these are that the policy file will be already created and
configured for the system you are using. Make sure to use official packages for your
distribution to ensure they have not been trojaned.

If you cannot locate a precompiled package for your distribution, then you can download
the latest source code from http://sourceforge.net/projects/tripwire/. The version available
at time of going to press was 2.3.1-2. This version is dated March 2001 and when I tried to
compile it on my system I got a myriad of errors. The sources do not use the
autoconf/automake build system and this may be the main cause of the errors. I have
decided to place the resolution of these problems outside the scope of this article given the
availability of precompiled packages for many distributions.

An Overview of Tripwire's Files:

The operation of Tripwire is controlled by a configuration file and a policy file; both of
these files are encoded and signed before use for security reasons. These files usually reside
in /etc/tripwire. The plain text versions are called twcfg.txt and twpol.txt, and the encoded
and signed versions are called tw.cfg and tw.pol. The plain-text version of the
configuration file contains key-value pairs including the following required variables
(default values for my distribution shown):

POLFILE = /etc/tripwire/tw.pol
DBFILE = /var/lib/tripwire/$HOSTNAME.twd
REPORTFILE = /var/lib/tripwire/report/$HOSTNAME-$DATE.twr
19
SITEKEYFILE = /etc/tripwire/site.key
LOCALKEYFILE = /etc/tripwire/$HOSTNAME-local.key

The POLFILE, DBFILE and REPORTFILE dictate the locations of the policy file, the
database file and the report file respectively. A report file is generated each time Tripwire
is used to check the integrity of the file system and its name is determined by both the
hostname and current date. The SITEKEYFILE and LOCALKEYFILE variables hold the
locations of the two key files; site keys are used for signing files that can be used on
multiple systems within an organisation such as the policy and configuration files, while
the local key is used for files specific to this system such as the database file.

Ensure that the $HOSTNAME environment variable is correctly set to your system's
hostname before using any of Tripwire's commands. Also, the HOSTNAME variable in
twpol.txt must be set correctly so that it matches the system's hostname. Other
configuration file values we will use are shown here followed by a description of each:

EDITOR =/bin/vi
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =3
MAILMETHOD =SENDMAIL
MAILPROGRAM =/usr/sbin/sendmail -oi -t
When updating the database after files have been added, removed or altered, a "ballot-box"
styled form must be completed by placing an 'x' opposite the files which we have changed
and do not indicate an intrusion; this variable sets the editor to use for this process.

MAILNOVIOLATIONS

Tripwire e-mails a report whenever a violation was found. This option tells Tripwire to
always e-mail a report whether a violation was found or not. This is useful as it shows the
system administrator that Tripwire is running as expected.

EMAILREPORTLEVEL and REPORTLEVEL

20
The amount of information Tripwire includes in its report file and e-mail. Valid values
range from 0 to 4 with the default being 3.

MAILMETHOD and MAILPROGRAM

The mail method can either be SMTP (in which case additional variables have to be set to
indicate the SMTP host and port) or SENDMAIL (in which case we include the
MAILPROGRAM variable).

There are a number of other options and these are explained in the man page:
TWCONFIG(4).

Creating your own policy file is a long and tedious task that is also outside the scope of this
article. If you get a packaged version of Tripwire for your distribution then the policy file
should already be created. The policy file is essentially a list of rules and associated files
which should be checked by Tripwire; the rules indicate the severity of a violation. The text
version of the file itself is quite readable and is worth a look to fully understand how
Tripwire works. Also, irrespective of your distribution, you will find that Tripwire
generates a lot of the following errors when checking the filesystem: File system error.

Filename: XXXXXXXXXXXXX
No such file or directory
For each of these errors there is an entry for the named file in the policy file but this file
does not exist on your system. You will have to edit the policy file and comment out these
lines.

Tripwire comes with four binary files:

tripwire :The main file; used for initialising the database, checking the integrity of the file
system, updating the database and updating the policy.

twadmin :Tripwire's administrative and utility tool; used for creating and printing
configuration files, replacing and printing a policy file, generating site and local keys and
other encryption related functions.

21
twprint :Used to print the reports and database in human-readable format.

siggen :Generates the various hashes that Tripwire supports for checking the integrity of
files.

Initialising the Keys and Database:

In this section we will set Tripwire up so that you can use it on a daily basis to check your
systems integrity. I am assuming that the current working directory is /etc/tripwire and that
the following files exist in the specified paths:

/etc/tripwire/twcfg.txtplain-text version of the configuration file

/etc/tripwire/twpol.txtplain-text version of the policy file

The first step is to generate the keys to be used when signing the database, policy file and
configuration file. You will be asked for a passphrase for each of the local and site keys; it
should be greater than 8 characters and include punctuation symbols as well as
alphanumeric characters.

[root@home /etc/tripwire]# twadmin --generate-keys --site-keyfile ./site.key

(When selecting a passphrase, keep in mind that good passphrases typically have upper and
lower case letters, digits and punctuation marks, and are at least 8 characters in length.)

Enter the site keyfile passphrase: XXXXXXXXXXXXXXXXXX

Verify the site keyfile passphrase: XXXXXXXXXXXXXXXXXX
Generating key (this may take several minutes)...Key generation complete.

22
[root@home /etc/tripwire]# twadmin --generate-keys --local-keyfile ./$HOSTNAME-
local.key

Enter the local keyfile passphrase: XXXXXXXXXXXXXXXXXX

Verify the local keyfile passphrase: XXXXXXXXXXXXXXXXXX
Generating key (this may take several minutes)...Key generation complete.
[root@home /etc/tripwire]#

Now that we have generated our keys, we need to sign the configuration and policy files
(after editing them as required):

[root@home /etc/tripwire]# twadmin --create-cfgfile --cfgfile ./tw.cfg --site-keyfile

./site.key \
twcfg.txt
Please enter your site passphrase: XXXXXXXXXXXXXXXXXX
Wrote configuration file: /etc/tripwire/tw.cfg

[root@home /etc/tripwire]# twadmin --create-polfile --cfgfile tw.cfg --site-keyfile site.key

twpol.txt
Please enter your site passphrase: XXXXXXXXXXXXXXXXXX
Wrote policy file: /etc/tripwire/tw.pol
[root@home /etc/tripwire]#

Do not leave the plain-text versions of the configuration and policy files on your hard
drive.

Move them onto a floppy disk or encrypt them using a utility such as GPG. Also ensure
that the permissions of the signed files are set such that they are only readable/writable by
root:

[root@home /etc/tripwire]# chmod 0600 tw.cfg tw.pol

The last job we must do to complete the set-up is create the baseline database:

23
[root@home /etc/tripwire]# tripwire --init --cfgfile ./tw.cfg --polfile ./tw.pol \
--site-keyfile ./site.key --local-keyfile ./home.barryodonovan.com-local.key
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /var/lib/tripwire/$HOSTNAME.twd
The database was successfully generated.
[root@home /etc/tripwire]#

Integrity Checking:

Now that Tripwire is installed, configured and the baseline database has been created, we
can get on with the business of checking the integrity of the file system:

[root@home /etc/tripwire]# tripwire --check

Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/$HOSTNAME-20040823-210750.twr
Total objects scanned: 52387
Total violations found: 0

Each violation (an addition, removal or change) is reported to stdout and written to the
report file as indicated. On this occasion I have assumed the default locations of the
configuration and policy files. I could have specified these explicitly on the command line
as I have been doing with switches such as --cfgfile, etc.

Your goal should be to set this up to run on a daily basis. This can be done as a cron or an
Anacron job; Anacron is the better choice when the computer is not on 24/7. Using either
cron or Anacron, the output should be e-mailed to the root user on each run of Tripwire.

24
In the case of Anacron, create a file in /etc/cron.daily/ called (for example) tripwire-check
containing:

#!/bin/bash
/usr/sbin/tripwire --check

and ensure that it is executable (chmod u+x /etc/cron.daily/tripwire-check). If you want to

use a cron job, then add the following line to root's crontab to perform the check every day
at 3am (crontab -e):

00 03 * * * /usr/sbin/tripwire --check

Updating the Database:

When any file that Tripwire checks changes, you must update the Tripwire database so that
it reflects the new information for the file. This can be done as part of the integrity
checking process by using the interactive switch ('-I') or by using the database update mode
of the tripwire command:

[root@home /etc/tripwire]# tripwire --update --twrfile /var/lib/tripwire/report/

$HOSTNAME-20040823-210750.twr
< At this point you will be asked to choose which file records to update in the >
< database via the ballot-box mechanism. Unless you specified otherwise, vi >
< will be the editor chosen. If you have not used vi before then I suggest you >
< change it to a pico, nedit or whatever you prefer. Add/remove the x's from >
< the ballot boxes, save and exit >
Please enter your local passphrase: XXXXXXXXXXXXXXX
Wrote database file: /var/lib/tripwire/home.barryodonovan.com.twd
[root@home /etc/tripwire]#

As you can see from the command line above, you must specify a report file to be used
when updating the database. Choose the most recently generated report file. If you find

25
yourself having to constantly update the same non-critical files, then feel free to update the
policy so as to exclude those files.

If any changes are found you will be presented with a "ballot-box" styled form that must be
completed by placing an 'x' opposite the violations that are safe to be updated in the
database (for example you updated the Apache web server yesterday and Tripwire is
reporting a change in the binary /usr/sbin/httpd as would be expected). If anything has
changed that you cannot directly account for then you should check it out as it may indicate
that someone has broken into your system.

Updating the Policy:

The tripwire command has a policy update mode which means that a change in policy does
not require us to reinitialise the database. The policy update mode simply synchronises the
existing database with the new policy file. The new policy file expected is the plain-text
version - Tripwire will then ask for the local and site passphrases, synchronise the database
and sign both the new policy file and the database.

tripwire --update-policy --cfgfile ./tw.cfg --polfile ./tw.pol --site-keyfile ./site.key \

--local-keyfile ./$HOSTNAME-local.key new_policy_file.txt

Again, you should not leave the plain-text version of the policy file on the system.

Securing Tripwire:

Using Tripwire as an intrusion detection system is only as effective as the security of

Tripwire itself. There are a number of procedures you can follow to ensure maximum
security:

• ensure that no plain text copies of the configuration file or the policy file
exist on the system

26
 • ensure the access modes of the Tripwire binaries are 0500 (i.e. -r-x------); as
root execute: chmod 0500 /usr/sbin/tripwire /usr/sbin/twadmin /usr/sbin/twprint
/usr/sbin/siggen
• ensure the access modes of the configuration directory and the database and
report directory are 0700 (i.e. -rwx------) and similarly for its contents; as root
execute: chmod -R u=rwX,go-rwx /var/lib/tripwire - the capital 'X' in the
permissions sets the execute (or access if a directory) bit if the file already has it set
or if it is a directory.

The last procedure is something that I would consider a 'must' rather than a 'should'.
Tripwire's database must be secure for an integrity check to be sufficiently trustworthy. If
you are not updating the database on a regular occasion (such as on a server, etc) then you
can keep the database on removable media without too much inconvenience. This can be as
simple as leaving a write-protected floppy cantaining the database in the floppy drive, or a
re-writable CD in a CD-ROM drive (read-only drive). If the database changes then you can
update the database on these mediums by write-enabling the floppy or erasing and burning
the new database to the CD-RW; but an attacker will be unable to remove or alter the
database in anyway.

A second solution would be to keep the database on another machine and download it as
required. This could be as simple as using wget to fetch the database from a web server just
prior to running the integrity check and removing it afterwards. For example, change the
Anacron script to:

#!/bin/bash

# switch to the database directory as specified by the Tripwire configuration file

cd /var/lib/tripwire

# download the database from a password protected directory (.htaccess)

wget http://www.someserver.com/private/$HOSTNAME.twd --http-user=username --http-
passwd=password
27
# perform the integrity check
/usr/sbin/tripwire --check

# remove the database

rm -f $HOSTNAME.twd

You can use scp, rsync, etc in a similar fashion.

Further Resources:

A standard installation of Tripwire comes with many man pages which provide all the
information you should need:

• TRIPWIRE(8) - (i.e. execute man 8 tripwire to view this man page)

• TWINTRO(8) - an introduction to Tripwire
• TWADMIN(8)
• TWPRINT(8)
• SIGGEN(8)
• TWCONFIG(8) - information on the Tripwire configuration file
• TWPOLICY(8) - information on the Tripwire policy file
• TWFILES(8) - information on the various Tripwire files

28
 10. ADVANTAGES OF TRIPWIRE

Tripwire Integrity Management solutions give organizations visibility into service

affecting changes and, in the process, increase security, instill process accountability, and
improve system availability.

1. Increase security
Tripwire software immediately detects and pinpoints unauthorized change-whether
malicious or accidental, initiated externally or internally. Tripwire provides the only way
to know, with certainty, that systems remains uncompromised.

2. Instill Accountability
Tripwire identifies and reports the sources of change, enabling IT to “manage by fact.” It
also captures an audit trail of changes to servers and network devices.

3. Gain Visibility
Tripwire software provides a centralized view of changes across the enterprise
infrastructure and support multiple devices from multiple vendors.

4. Ensure Availability

29
 Tripwire software reduces troubleshooting time, enabling rapid discovery and recovery.
Immediate detection of change enables the fastest possible restoration back to a desired,
good state.

11.CONCLUSION

Tripwire is a reliable intrusion detection system. It is a software that can be installed

in any type of system where damaged files are to be detected. The main attractive feature of
this system is that the software generates a report about which file have been violated, when
the file have been violated and also what in the files have been changed. To some extend it
also helps to detect who made the changes. New versions of Tripwire is under research and
development. The latest version under research is the Tripwire for Open Source.

30