Tripwire
Tripwire can monitor system files for changes.
Installation
redhat
- redhat downloads
debian
- debian
apt install tripwire
- downloads
- debian 9 https://debian.pkgs.org/9/debian-main-amd64/tripwire_2.4.3.1-2+b4_amd64.deb.html
- debian 10 https://debian.pkgs.org/10/debian-main-amd64/tripwire_2.4.3.7-1+b10_amd64.deb.html
from source
- download
  cd /home/workspace
  git clone https://github.com/Tripwire/tripwire-open-source
- configure the build
  cd tripwire-open-source
  ./configure --prefix=$PREFIX_DIR
- make
  make
- install (this will establish a default policy and database file, so you will need your local key-phrase and your site phrase).
  make install
Installation will be in $PREFIX_DIR/:
- reports: lib/tripwire
- binaries: sbin/
  - sbin/tripwire
  - sbin/twadmin
  - sbin/twprint
  - sbin/siggen
- configuration
  - site key: etc/site.key
  - local key: etc/<machine-name>-local.key
  - policy
    - etc/tw.pol
    - etc/twpol.txt
  - config
    - etc/twcfg.txt
    - etc/tw.cfg
Note that the $PREFIX_DIR/etc files should be moved under $PREFIX_DIR/etc/tripwire to match the standard system layout (as the Debian package does):
- the configuration base
  $PREFIX_DIR/etc/tripwire
- edit twcfg.txt and make every path point at the absolute value of the configuration directory, i.e. the expanded form of $PREFIX_DIR/etc/tripwire. You must expand the variable yourself: tripwire does not expand environment variables in its config file!
  vi $PREFIX_DIR/etc/tripwire/twcfg.txt
- make sure you fix the twpol.txt file as well and regenerate the *.pol file following the instructions in the next section
  vi $PREFIX_DIR/etc/tripwire/twpol.txt
Basic Configuration
- (mandatory) generate keys
twadmin --generate-keys -L $PREFIX_DIR/etc/tripwire/${HOSTNAME}-local.key
twadmin --generate-keys -S $PREFIX_DIR/etc/tripwire/site.key
- (mandatory) create config file
twadmin --create-cfgfile -S $PREFIX_DIR/etc/tripwire/site.key $PREFIX_DIR/etc/tripwire/twcfg.txt
- create a policy file
Now it's time to configure which files & directories OST will monitor. The Tripwire policy language is documented in detail in the twpolicy(4) manual page, and default policies for most common operating systems are available in the OST project's policy subdirectory.
A few simple examples of policy rules:
/start/point -> $(IgnoreNone); # Get all attributes for this dir tree
/another/start -> +pinugS; # Get selected attributes for this dir tree
!/start/point/subdir/to/ignore; # Don't monitor this dir tree
- here is what I use on redhat: twpol.txt
create the encrypted policy file
- (mandatory) update the .pol file from the human-readable twpol.txt
twadmin --create-polfile -S $PREFIX_DIR/etc/tripwire/site.key $PREFIX_DIR/etc/tripwire/twpol.txt
- (mandatory) Creating a baseline. This step is necessary even if the previous steps are handled by a setup/install script.
initialise the database
tripwire --init --verbose
This creates a database file in the configured directory, typically a file with a .twd extension in /var/lib/tripwire. The optional --verbose argument to init mode lists files and directories as they're being scanned.
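The two steps above that trip people up are the config paths (tripwire substitutes only its own $(HOSTNAME) and $(DATE) variables, never shell variables such as $PREFIX_DIR) and the order of the mandatory twadmin/tripwire commands. The script below is an added example, not code from this page or from the Tripwire project: it expands a twcfg.txt template into absolute paths, checks that nothing unexpanded is left, and then runs the key generation, config signing, policy signing and baseline steps in order, skipping keys that already exist. The template content, the $PREFIX_DIR/etc/tripwire layout and the file names are assumptions taken from the layout described above; the config key names (ROOT, POLFILE, DBFILE, REPORTFILE, SITEKEYFILE, LOCALKEYFILE, EDITOR, REPORTLEVEL) are Tripwire's own. It assumes $PREFIX_DIR contains no "|" or "&" characters, since those are special to the sed replacement.

```shell
#!/bin/sh
# Added example (not from the page or the Tripwire project).
# Tripwire reads twcfg.txt literally, so "$PREFIX_DIR" must be expanded
# before twadmin --create-cfgfile signs the file.
set -u

# Replace every literal "$PREFIX_DIR" in the template ($1) with its real
# value, writing the result to $2. Tripwire's own "$(...)" variables are
# left untouched. Assumes PREFIX_DIR contains no "|" or "&".
expand_prefix() {
    [ -n "${PREFIX_DIR:-}" ] || { echo "PREFIX_DIR is not set" >&2; return 1; }
    sed 's|\$PREFIX_DIR|'"$PREFIX_DIR"'|g' "$1" > "$2"
}

# Count the lines of a config file that still carry a shell-style variable
# ("$" followed by a name rather than by "("). Non-zero means the file
# would reach Tripwire with unexpanded paths. grep -c exits 1 on a count
# of 0, so the status is masked.
unexpanded_count() {
    grep -c '\$[A-Za-z_]' "$1" || true
}

# The mandatory setup steps, in order, without regenerating keys that exist.
# Paths follow the $PREFIX_DIR/etc/tripwire layout assumed by this example.
tw_bootstrap() {
    cfgdir=$PREFIX_DIR/etc/tripwire
    host=$(hostname)
    [ -f "$cfgdir/site.key" ]        || twadmin --generate-keys -S "$cfgdir/site.key"
    [ -f "$cfgdir/$host-local.key" ] || twadmin --generate-keys -L "$cfgdir/$host-local.key"
    twadmin --create-cfgfile -S "$cfgdir/site.key" "$cfgdir/twcfg.txt"
    twadmin --create-polfile -S "$cfgdir/site.key" "$cfgdir/twpol.txt"
    tripwire --init
}

# --- constructed template: key names are Tripwire's, paths are this example's layout ---
PREFIX_DIR=${PREFIX_DIR:-/opt/tripwire}
export PREFIX_DIR
work=$(mktemp -d)
cat > "$work/twcfg.txt.in" <<'EOF'
ROOT          =$PREFIX_DIR
POLFILE       =$PREFIX_DIR/etc/tripwire/tw.pol
DBFILE        =$PREFIX_DIR/lib/tripwire/$(HOSTNAME).twd
REPORTFILE    =$PREFIX_DIR/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE   =$PREFIX_DIR/etc/tripwire/site.key
LOCALKEYFILE  =$PREFIX_DIR/etc/tripwire/$(HOSTNAME)-local.key
EDITOR        =/usr/bin/vi
REPORTLEVEL   =3
EOF

expand_prefix "$work/twcfg.txt.in" "$work/twcfg.txt"
echo "unexpanded shell variables left: $(unexpanded_count "$work/twcfg.txt")"
cat "$work/twcfg.txt"

# Only run the real setup when the tools and the config directory exist.
if command -v twadmin >/dev/null 2>&1 && [ -d "$PREFIX_DIR/etc/tripwire" ]; then
    cp "$work/twcfg.txt" "$PREFIX_DIR/etc/tripwire/twcfg.txt"
    tw_bootstrap
fi
```

Run it with PREFIX_DIR exported to the build prefix; without twadmin on the PATH it only prints the expanded config, which is a convenient way to review the paths before signing them.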
check file system against database
- (periodic) Running a check
tripwire --check
This runs a check, again with an optional --verbose option that displays what it's doing. Scan results are written to standard out as well as to a report file, which typically has a .twr extension and lives in $PREFIX_DIR/lib/tripwire/report or /var/lib/tripwire/report. If email reporting is enabled, emails will be sent at the end of the check.
A common way to use tripwire (OST) is to set up a cron job to run checks periodically, emailing results to an administrative account. Note that the OST install script currently does not create any cron jobs, and this will need to be done by hand, and also altered if installing from a source build.
generating a report
- Printing a report
twprint -m r -t 4 -r /var/lib/tripwire/report/irods-rhel81-test-20200813-010707.twr
twprint -m r -t 4 -r $PREFIX_DIR/var/lib/tripwire/report/*.twr
The -t argument specifies the level of report verbosity, where 0 is a single line summary of the report contents, and 4 displays all gathered attributes on all changed objects. The report level defaults to 3 if not specified on the command line or via the REPORTLEVEL config file option.
print the report
- The report can be printed with:
twprint -m d -d $PREFIX_DIR/lib/tripwire/irods-rhel81-test.twd
Updating a database
The simplest form of update updates the database with all the changes in a report file:
tripwire --update --accept-all
- while the interactive form
tripwire --update
brings up a text report in the user's preferred editor (as configured in the config file's EDITOR option), with a checkbox next to each detected change. After saving and exiting the editor, the database will only be updated for those objects that remain selected with an [x].
- Updating a policy using policy update mode modifies the current Tripwire policy without losing existing baselines.
Update a policy without destroying database
tripwire --update-policy updated-policy.txt
A check is run with the new policy as part of the update process. If this check detects changes, the default behavior is to display the changes and exit without updating the policy or database. To accept the changes and continue with the policy update, use the -Z low / --secure-mode low command line option.
test email
- To test email configuration:
tripwire --test --email user@domain.tld
reporting
Depending on whether you installed from packages or from source, the reports live in a different directory, so select the matching path:
- summary
twprint -m r -t 0 -r $PREFIX_DIR/lib/tripwire/report/*.twr
twprint -m r -t 0 -r /var/lib/tripwire/report/*.twr
- detailed
twprint -m r -t 4 -r $PREFIX_DIR/lib/tripwire/report/*.twr
twprint -m r -t 4 -r /var/lib/tripwire/report/*.twr
aggressive configuration to watch the file system
I wanted to watch for pretty much any change on the / file system. This obviously takes a little while to run, but that is what cron can be used for on unattended file systems.
- my configuration is:
- on redhat trip-wire-redhat
- on debian trip-wire-debian
tripwire-check.sh
The following script is installed to be executed via crontab. It determines the installation and binary directories by looking at $PREFIX_DIR: if that is set you are running a "local" environment built from source, otherwise the package paths are used. The script checks the summary of the newest report for a non-zero violation count and, if there is one, writes a full level-4 report as a <report>-4.var file that can be transferred to a centralised logging server for analysis and intrusion detection.
vi $PREFIX_DIR/sbin/tripwire-check.sh
vi /usr/sbin/tripwire-check.sh (with suitable path adjustments)
The contents of tripwire-check.sh:
#!/bin/bash
# establish directories: $PREFIX_DIR set means a "local" build from source
HOST=`hostname`
if [ -z "${PREFIX_DIR}" ]; then
  DIR=/var/lib/tripwire/report
  DBFILE=/var/lib/tripwire/$HOST.twd
  BINDIR=/usr/sbin
else
  DIR=$PREFIX_DIR/lib/tripwire/report
  DBFILE=$PREFIX_DIR/lib/tripwire/$HOST.twd
  BINDIR=$PREFIX_DIR/sbin
fi
# check the machine for changes (writes $DIR/$HOST-<date>.twr)
$BINDIR/tripwire --check
# report names carry a YYYYMMDD-HHMMSS stamp, so a reverse sort puts the newest first
LAST_REPORT=`ls -r $DIR/$HOST-*.twr | head -1`
echo "The last report = $LAST_REPORT"
# generate a (transient) summary report and pull the violation count out of
# the TWReport line (fourth field, of the form V:<n>); default to 0 if absent
VARIATION=`$BINDIR/twprint -m r -t 0 -r $LAST_REPORT | grep TWReport | gawk '{ print $4 }' | gawk -F: '{print $2}'`
if [ "${VARIATION:-0}" -ne 0 ]
then
  echo "we have a variation - generating a report $LAST_REPORT-4.var"
  $BINDIR/twprint -m r -t 4 -r $LAST_REPORT > $LAST_REPORT-4.var
fi
# re-initialise the database ($DBFILE) so the next run compares against today's state;
# XXXXXX stands for the local passphrase
$BINDIR/tripwire --init -P XXXXXX
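The detection logic in that script is the grep/gawk pipeline that turns the level-0 summary into a number. The block below is an added example, not code from this page or from the Tripwire project, that does the same parsing as shell functions, tolerates an empty or missing summary (so the numeric comparison cannot fail), and picks the newest report by modification time instead of by name. It assumes the summary line has the shape "TWReport <host> <stamp> V:<n> S:<n> A:<n> R:<n> C:<n>", which is the layout the page's script relies on; the sample lines are constructed, not real twprint output, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the page or the Tripwire project): robust parsing
# of the twprint -m r -t 0 summary used by tripwire-check.sh.

# Print the violation count (the V: field) from a level-0 summary on stdin.
# Prints 0 when no TWReport line is present so callers can always compare
# numerically. Scans the fields rather than trusting a fixed column.
tw_violations() {
    n=$(awk '$1 == "TWReport" {
               for (i = 2; i <= NF; i++)
                   if ($i ~ /^V:/) { split($i, f, ":"); print f[2]; exit }
           }')
    printf '%s\n' "${n:-0}"
}

# Newest .twr in directory $1, by modification time rather than by name,
# so a report written after a clock correction is still the last one.
tw_latest_report() {
    ls -t "$1"/*.twr 2>/dev/null | head -n 1
}

# True (exit 0) when a full level-4 report should be written for forwarding.
# $1 = violation count as printed by tw_violations.
tw_needs_full_report() {
    [ "$1" -gt 0 ]
}

# --- constructed sample summaries, standing in for real twprint output ---
SAMPLE_CLEAN='TWReport c3po 20200813-010707 V:0 S:100 A:0 R:0 C:0'
SAMPLE_CHANGED='TWReport c3po 20200814-010707 V:2 S:100 A:1 R:0 C:1'

for s in "$SAMPLE_CLEAN" "$SAMPLE_CHANGED" ""; do
    v=$(printf '%s\n' "$s" | tw_violations)
    if tw_needs_full_report "$v"; then
        echo "violations=$v -> generate the level-4 report"
    else
        echo "violations=$v -> nothing to forward"
    fi
done
```

In tripwire-check.sh the same functions would be used as: `v=$($BINDIR/twprint -m r -t 0 -r "$LAST_REPORT" | tw_violations)` followed by `tw_needs_full_report "$v" && $BINDIR/twprint -m r -t 4 -r "$LAST_REPORT" > "$LAST_REPORT-4.var"`.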
crontab
- include crontab entry
crontab -e
# generate a tripwire report and re-initialise for the next day
0 9 * * * $PREFIX_DIR/etc/tripwire/tripwire-check.sh
# after reboot
@reboot sleep 120 && $PREFIX_DIR/etc/tripwire/tripwire-check.sh
Example tripwire times
| system | elapsed | user | system |
|---|---|---|---|
| c3po (check and update) | 5m33.203s | 3m4.836s | 0m21.889s |
| c3po (check only) | 2m56.062s | 1m34.776s | 0m10.787s |
| jitsi | 3m3.3303s | 1m13.728s | 0m7.767s |
| padme (check and update) | 4m44.510s | 2m53.324s | 0m21.091s |
| padme (check only) | 2m8.332s | 1m23.636s | 0m9.699s |
| server (check and update) | 23m11.498s | 6m2.322s | 0m56.984s |
| server (check only) | 12m37.4298s | 3m45.048s | 0m33.418s |
| ntp.arising.com.au (check and update) | 4m14.946s | 1m16.468s | 0m18.358s |
| ntp.arising.com.au (update only) | 2m6.542s | 0m38.896s | 0m8.649s |
| rhel74-dev VM tripwire-check.sh (two runs) | 12m2.929s, 11m40.723s | 7m37.446s, 6m57.574s | 1m18.084s, 1m22.874s |
references
- https://www.sbarjatiya.com/notes_wiki/index.php/Using_Tripwire
- https://www.cs.montana.edu/courses/309/topics/11-security/tripwire_discussion.html