A friend of mine helps me to develop a classified ad site hosted on GoDaddy. We started this project for fun, although it may become somewhat profitable in the future.
So I wanted to secure the virtual (Linux Fedora) server we are renting and decided to implement Tripwire (a host-based intrusion detection system that checks file integrity). So here is what I did: a quick installation and configuration.
Installation
# yum install tripwire
The main files in the directory /etc/tripwire are twcfg.txt and twpol.txt.
The twcfg.txt (general configuration) defines several variables, like the location of the Tripwire database, the report directory, and the mail settings.
The twpol.txt contains the policy that declares all the files (objects) that must be monitored and what to do when one of them is lost or altered.
Generate 2 passphrases (one per key file).
The site passphrase is used to encrypt and sign the Tripwire system files (the configuration and policy files).
The local passphrase is necessary to launch the Tripwire binaries (it protects the database and the reports they write).
# /usr/sbin/twadmin --generate-keys --site-keyfile site-keyfile
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase: (type site passphrase)
Verify the site keyfile passphrase: (type site passphrase)
Generating key (this may take several minutes)...Key generation complete.
# /usr/sbin/twadmin --generate-keys --local-keyfile local-keyfile
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase: (type local passphrase)
Verify the local keyfile passphrase: (type local passphrase)
Generating key (this may take several minutes)...Key generation complete.
Encrypt the configuration file (create a signed binary version of it).
# /usr/sbin/twadmin --create-cfgfile --cfgfile twcfg.enc -S site-keyfile twcfg.txt
Please enter your site passphrase: (type site passphrase)
Wrote configuration file: /etc/tripwire/twcfg.enc
To print (and check) the encrypted configuration file, do as follows:
# /usr/sbin/twadmin --print-cfgfile -c twcfg.enc
ROOT                   =/usr/sbin
POLFILE                =/etc/tripwire/twpol.txt
DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/etc/tripwire/site-keyfile
LOCALKEYFILE           =/etc/tripwire/local-keyfile
EDITOR                 =/bin/vi
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS       =true
EMAILREPORTLEVEL       =3
REPORTLEVEL            =3
MAILMETHOD             =SENDMAIL
SYSLOGREPORTING        =false
MAILPROGRAM            =/usr/sbin/sendmail -oi -t
Encrypt the policy file (create a signed binary version of it).
# /usr/sbin/twadmin --create-polfile --cfgfile twcfg.enc --polfile twpol.enc -S site-keyfile twpol.txt
Please enter your site passphrase: (type site passphrase)
Wrote policy file: /etc/tripwire/twpol.enc
Now that the config and policy files are signed and encrypted, Tripwire can detect if they have been corrupted or tampered with, since it refuses to use a file whose signature does not verify with the site key.
Database Creation
Let's create the database, a snapshot of the current system (Tripwire will compare any future system state against this baseline).
# /usr/sbin/tripwire --init --cfgfile twcfg.enc --polfile twpol.enc
Please enter your local passphrase: (type local passphrase)
Parsing policy file: /etc/tripwire/twpol.enc
Generating the database...
*** Processing Unix File System ***
... (possibly some warnings or errors) ...
Wrote database file: /var/lib/tripwire/ip.secureserver.net.twd
The database was successfully generated.
The warnings are usually about files listed in the policy that you don't have on this system, so comment those entries out in twpol.txt and encrypt the policy file once again (re-run the --create-polfile command above). The next database creation should go smoothly, without any warnings.
# /usr/sbin/tripwire --init --cfgfile twcfg.enc --polfile twpol.enc
Please enter your local passphrase: (type local passphrase)
Parsing policy file: /etc/tripwire/twpol.enc
Generating the database...
*** Processing Unix File System ***
Wrote database file: /var/lib/tripwire/ip.secureserver.net.twd
The database was successfully generated.
Finally, run an integrity check against the freshly created database:
# /usr/sbin/tripwire -m c -v -c twcfg.enc -p twpol.enc
Tripwire(R) 2.4.1.1 built for i686-pc-linux-gnu
Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Opening configuration file: /etc/tripwire/twcfg.enc
This file is encrypted.
Opening key file: /etc/tripwire/site-keyfile
Opening key file: /etc/tripwire/local-keyfile
Opening database file: /var/lib/tripwire/ip.secureserver.net.twd
This file is encrypted.
Opening key file: /etc/tripwire/site-keyfile
Opening policy file: /etc/tripwire/twpol.enc
This file is encrypted.
Parsing policy file: /etc/tripwire/twpol.enc
*** Processing Unix File System ***
Performing integrity check...
...
Wrote report file: /var/lib/tripwire/report/ip.secureserver.net-20101121-175722.twr

Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:          root
Report created on:            Sun Nov 21 17:57:22 2010
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    ip.secureserver.net
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /etc/tripwire/twpol.enc
Configuration file used:      /etc/tripwire/twcfg.enc
Database file used:           /var/lib/tripwire/ip.secureserver.net.twd
Command line used:            /usr/sbin/tripwire -m c -v -c twcfg.enc -p twpol.enc

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                                   Severity Level  Added  Removed  Modified
  ---------                                   --------------  -----  -------  --------
  Invariant Directories                       66              0      0        0
  Temporary directories                       33              0      0        0
  Tripwire Data Files                         100             0      0        0
  Critical devices                            100             0      0        0
  User binaries                               66              0      0        0
  Tripwire Binaries                           100             0      0        0
  Libraries                                   66              0      0        0
  Operating System Utilities                  100             0      0        0
  File System and Disk Administraton Programs 100             0      0        0
  Kernel Administration Programs              100             0      0        0
  Networking Programs                         100             0      0        0
  System Administration Programs              100             0      0        0
  Hardware and Device Control Programs        100             0      0        0
  System Information Programs                 100             0      0        0
  Application Information Programs            100             0      0        0
  (/sbin/rtmon)
  Shell Related Programs                      100             0      0        0
  (/sbin/getkey)
  Critical Utility Sym-Links                  100             0      0        0
  Shell Binaries                              100             0      0        0
  System boot changes                         100             0      0        0
  OS executables and libraries                100             0      0        0
  Critical configuration files                100             0      0        0
  Security Control                            100             0      0        0
  Login Scripts                               100             0      0        0
  Critical system boot files                  100             0      0        0
  (/boot)
  Root config files                           100             0      0        0

Total objects scanned:  10782
Total violations found:  0

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

No violations.

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
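Two of the steps above are done by hand in the post: commenting out the policy entries that the first `--init` run warns about, and reading the result of a check out of the report. The helpers below automate both. This is an added example, not code from the original post or from the Tripwire project; it assumes that the `--init` warnings take the form `### Filename: /path/to/object` (the format the Tripwire 2.4 binary prints) and that each monitored object sits at the start of its own line in twpol.txt, as in the default policy. The policy fragment and the `--init` output in the block are constructed sample data.

```shell
#!/bin/sh
# Added example around the Tripwire setup described above (not from the post).
# Assumed formats: twpol.txt lines of the form "  /path  -> $(SEC_BIN) ;" and
# `tripwire --init` warnings of the form "### Filename: /path".

# --- constructed sample data --------------------------------------------

# A fragment of a twpol.txt in the default rule syntax (constructed).
write_sample_policy() {
    cat > "$1" <<'EOF'
(
  rulename = "Shell Binaries",
  severity = $(SIG_HI)
)
{
  /bin/bash                   -> $(SEC_BIN) ;
  /bin/csh                    -> $(SEC_BIN) ;
  /bin/sh                     -> $(SEC_BIN) ;
  /sbin/getkey                -> $(SEC_BIN) ;
}
EOF
}

# What `tripwire --init` prints when two policy objects are not installed
# (constructed; the host name is a placeholder).
SAMPLE_INIT_OUTPUT='Parsing policy file: /etc/tripwire/twpol.enc
Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /bin/csh
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /sbin/getkey
### No such file or directory
### Continuing...
Wrote database file: /var/lib/tripwire/HOSTNAME_PLACEHOLDER.twd'

# --- helpers -------------------------------------------------------------

# Print the paths Tripwire could not find, one per line.
missing_objects() {
    printf '%s\n' "$1" | sed -n 's/^### Filename: //p'
}

# Comment out the policy line for each path given as an argument, so the
# next --init runs without warnings. Prints how many lines were changed.
comment_missing() {
    policy=$1
    shift
    changed=0
    for path in "$@"; do
        # Escape regex metacharacters so the path is matched literally.
        esc=$(printf '%s' "$path" | sed 's/[].[*^$\\]/\\&/g')
        if grep -q "^[[:space:]]*$esc[[:space:]]" "$policy"; then
            sed "s|^\([[:space:]]*\)\($esc[[:space:]]\)|\1#\2|" "$policy" \
                > "$policy.tmp" && mv "$policy.tmp" "$policy"
            changed=$((changed + 1))
        fi
    done
    echo "$changed"
}

# Print the number N from the "Total violations found: N" line of a saved
# integrity-check report (the text that `tripwire -m c` writes to stdout).
report_violations() {
    sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1"
}

# Walk through the whole flow on the constructed sample data.
demo() {
    dir=$(mktemp -d)
    write_sample_policy "$dir/twpol.txt"
    missing=$(missing_objects "$SAMPLE_INIT_OUTPUT")
    echo "objects Tripwire could not find:"
    echo "$missing"
    # $missing is deliberately unquoted: one argument per path.
    n=$(comment_missing "$dir/twpol.txt" $missing)
    echo "commented out $n policy line(s):"
    grep '^[[:space:]]*#' "$dir/twpol.txt"
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

On the real server, save the first `--init` run with `tee init.log`, run `comment_missing /etc/tripwire/twpol.txt $(missing_objects "$(cat init.log)")`, then re-create twpol.enc with the `--create-polfile` command above and run `--init` again. For scheduled checks, pipe `tripwire -m c ...` through `tee` into a file and let `report_violations` decide whether the run needs a human to look at it; a non-zero count means something under a policy rule was added, removed or modified since the baseline.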
And that's it. Check the man pages (tripwire, twadmin, twpolicy, twconfig) for more options.