Beyond Linux® From Scratch - Version 7.4

Chapter 4. Security

Tripwire-2.4.2.2

Introduction to Tripwire

The Tripwire package contains programs used to verify the integrity of the files on a given system.

This package is known to build and work properly using an LFS-7.4 platform.

Package Information

Tripwire Dependencies

Required

OpenSSL-1.0.1e

Optional

An MTA

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/tripwire

Installation of Tripwire

Compile Tripwire by running the following commands: 

sed -i -e 's@TWDB="${prefix}@TWDB="/var@' install/install.cfg            &&
sed -i -e 's/!Equal/!this->Equal/' src/cryptlib/algebra.h                &&
sed -i -e '/stdtwadmin.h/i#include <unistd.h>' src/twadmin/twadmincl.cpp &&

./configure --prefix=/usr --sysconfdir=/etc/tripwire                     &&
make
[Note]

Note

The default configuration is to use a local MTA. If you don't have an MTA installed and have no wish to install one, modify install/install.cfg to use an SMTP server instead. Otherwise the install will fail.

This package does not come with a test suite.

Now, as the root user: 

make install &&
cp -v policy/*.txt /usr/doc/tripwire

Command Explanations

sed -i -e 's@TWDB="${prefix}@TWDB="/var@' install/install.cfg: This command tells the package to install the program database and reports in /var/lib/tripwire.

sed ... src/cryptlib/algebra.h: Fix a compilation issue with gcc-4.7.

sed ... src/twadmin/twadmincl.cpp: Fix a compilation issue with gcc-4.7.

make install: This command creates the Tripwire security keys as well as installing the binaries. There are two keys: a site key and a local key which are stored in /etc/tripwire/.

cp -v policy/*.txt /usr/doc/tripwire: This command installs the tripwire sample policy files with the other tripwire documentation.

Configuring Tripwire

Config Files

/etc/tripwire/*

Configuration Information

Tripwire uses a policy file to determine which files are integrity checked. The default policy file (/etc/tripwire/twpol.txt) is for a default installation and will need to be updated for your system.

Policy files should be tailored to each individual distribution and/or installation. Some example policy files can be found in /usr/doc/tripwire/ (Note that /usr/doc/ is a symbolic link on LFS systems to /usr/share/doc/).

If desired, copy the policy file you'd like to try into /etc/tripwire/ instead of using the default policy file, twpol.txt. It is, however, recommended that you edit your policy file. Get ideas from the examples above and read /usr/doc/tripwire/policyguide.txt for additional information. twpol.txt is a good policy file for learning about Tripwire as it will note any changes to the file system and can even be used as an annoying way of keeping track of changes for uninstallation of software.

After your policy file has been edited to your satisfaction you may begin the configuration steps (perform as the root) user: 

twadmin --create-polfile --site-keyfile /etc/tripwire/site.key \
    /etc/tripwire/twpol.txt &&
tripwire --init

Depending on your system and the contents of the policy file, the initialization phase above can take a relatively long time.

Usage Information

Tripwire will identify file changes in the critical system files specified in the policy file. Using Tripwire while making frequent changes to these directories will flag all these changes. It is most useful after a system has reached a configuration that the user considers stable.

To use Tripwire after creating a policy file to run a report, use the following command: 

tripwire --check > /etc/tripwire/report.txt

View the output to check the integrity of your files. An automatic integrity report can be produced by using a cron facility to schedule the runs.

Reports are stored in binary and, if desired, encrypted. View reports, as the root user, with: 

twprint --print-report -r /var/lib/tripwire/report/<report-name.twr>

After you run an integrity check, you should examine the report (or email) and then modify the Tripwire database to reflect the changed files on your system. This is so that Tripwire will not continually notify you that files you intentionally changed are a security violation. To do this you must first ls -l /var/lib/tripwire/report/ and note the name of the newest file which starts with your system name as presented by the command uname -n and ends in .twr. These files were created during report creation and the most current one is needed to update the Tripwire database of your system. As the root user, type in the following command making the appropriate report name: 

tripwire --update --twrfile /var/lib/tripwire/report/<report-name.twr>

You will be placed into Vim with a copy of the report in front of you. If all the changes were good, then just type :wq and after entering your local key, the database will be updated. If there are files which you still want to be warned about, remove the 'x' before the filename in the report and type :wq.

A good summary of tripwire operations can be found at http://va-holladays.no-ip.info:2200/tools/security-docs/tripwire-v1.0.pdf.

Changing the Policy File

If you are unhappy with your policy file and would like to modify it or use a new one, modify the policy file and then execute the following commands as the root user: 

twadmin --create-polfile /etc/tripwire/twpol.txt &&
tripwire --init

Contents

Installed Programs: siggen, tripwire, twadmin, and twprint
Installed Libraries: None
Installed Directories: /etc/tripwire, /var/lib/tripwire, and /usr/share/doc/tripwire

Short Descriptions

siggen

is a signature gathering utility that displays the hash function values for the specified files.

tripwire

is the main file integrity checking program.

twadmin

administrative and utility tool used to perform certain administrative functions related to Tripwire files and configuration options.

twprint

prints Tripwire database and report files in clear text format.

Last updated on 2013-08-23 03:32:24 -0700