Intrusion detection and file integrity checking with Tripwire

In this article I am going to show you how you can monitor the files on an installed system with a piece of software called Tripwire. You can get this software here.

As I said before, I am running four different distros on my laptop, plus two more under virtualization, so the installation of this particular software will be handled differently by each distro's package manager. Those who choose the compile-from-source option will still have to adjust the locations of the files.

For the demonstration of this particular software I am going to stick with Fedora (precisely version 12). So my first job is to get the software from the repository. Here we go:

Step 1: Get the software

bhaskar@bhaskar-laptop_08:17:58_Sun Jul 25:~> sudo yum install tripwire
[sudo] password for bhaskar:
Loaded plugins: presto, refresh-packagekit
google-chrome                                                                                                                         |  951 B     00:00
openvz-kernel-rhel5                                                                                                                   |  951 B     00:00
openvz-utils                                                                                                                          |  951 B     00:00
rpmfusion-free-updates                                                                                                                | 2.8 kB     00:03
updates/metalink                                                                                                                      | 8.4 kB     00:02
updates-source/metalink                                                                                                               | 7.9 kB     00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package tripwire.i686 0:2.4.1.2-11.fc12 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================
Package                              Arch                             Version                                      Repository                          Size
=============================================================================================================================================================
Installing:
tripwire                             i686                             2.4.1.2-11.fc12                              fedora                             758 k

Transaction Summary
=============================================================================================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 758 k
Installed size: 4.0 M
Is this ok [y/N]: y

And yes, I said "Y" to the prompt to get the software installed on my system. Now watch it get installed:

Downloading Packages:
Setting up and reading Presto delta metadata
Processing delta metadata
Package(s) data still to download: 758 k
tripwire-2.4.1.2-11.fc12.i686.rpm                                                                                                     | 758 kB     01:42
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing     : tripwire-2.4.1.2-11.fc12.i686                                                                                                         1/1

Installed:
tripwire.i686 0:2.4.1.2-11.fc12

Complete!

Step 2: Verify the installation

bhaskar@bhaskar-laptop_08:54:38_Sun Jul 25:~> sudo rpm -qi tripwire
[sudo] password for bhaskar:
Name        : tripwire                     Relocations: (not relocatable)
Version     : 2.4.1.2                           Vendor: Fedora Project
Release     : 11.fc12                       Build Date: Fri 21 Aug 2009 10:24:49 PM IST
Install Date: Sun 25 Jul 2010 08:54:04 AM IST      Build Host: x86-2.fedora.phx.redhat.com
Group       : Applications/System           Source RPM: tripwire-2.4.1.2-11.fc12.src.rpm
Size        : 4192723                          License: GPLv2+
Signature   : RSA/8, Wed 30 Sep 2009 11:06:18 AM IST, Key ID 9d1cc34857bbccba
Packager    : Fedora Project
URL         : http://www.tripwire.org/
Summary     : IDS (Intrusion Detection System)
Description :
Tripwire is a very valuable security tool for Linux systems, if  it  is
installed to a clean system. Tripwire should be installed  right  after
the OS installation, and before you have connected  your  system  to  a
network (i.e., before any possibility exists that someone  could  alter
files on your system).

When Tripwire is initially set up, it creates a database  that  records
certain file information. Then when it is run, it compares a designated
set of files and directories to the information stored in the database.
Added or deleted files are flagged and reported, as are any files  that
have changed from their previously recorded state in the database. When
Tripwire is run against system files  on  a  regular  basis,  any  file
changes will be spotted when Tripwire is run. Tripwire will report  the
changes, which will give system administrators a clue that they need to
enact damage control measures immediately if certain  files  have  been
altered.

Right! Next we configure the software properly so that it scans our filesystem properly.

Step 3: Find out the files installed by tripwire

Let's find out where the package put its files, i.e. their locations in the filesystem:

bhaskar@bhaskar-laptop_08:58:46_Sun Jul 25:~> sudo rpm -ql tripwire
/etc/cron.daily/tripwire-check
/etc/tripwire
/etc/tripwire/twcfg.txt
/etc/tripwire/twpol.txt
/usr/sbin/siggen
/usr/sbin/tripwire
/usr/sbin/tripwire-setup-keyfiles
/usr/sbin/twadmin
/usr/sbin/twprint
/usr/share/doc/tripwire-2.4.1.2
/usr/share/doc/tripwire-2.4.1.2/COMMERCIAL
/usr/share/doc/tripwire-2.4.1.2/COPYING
/usr/share/doc/tripwire-2.4.1.2/ChangeLog
/usr/share/doc/tripwire-2.4.1.2/License-Issues
/usr/share/doc/tripwire-2.4.1.2/README.Fedora
/usr/share/doc/tripwire-2.4.1.2/TRADEMARK
/usr/share/doc/tripwire-2.4.1.2/policyguide.txt
/usr/share/doc/tripwire-2.4.1.2/tripwire.gif
/usr/share/man/man4/twconfig.4.gz
/usr/share/man/man4/twpolicy.4.gz
/usr/share/man/man5/twfiles.5.gz
/usr/share/man/man8/siggen.8.gz
/usr/share/man/man8/tripwire.8.gz
/usr/share/man/man8/twadmin.8.gz
/usr/share/man/man8/twintro.8.gz
/usr/share/man/man8/twprint.8.gz
/var/lib/tripwire
/var/lib/tripwire/report

So from this information we can see that it has distributed its files throughout the system.

Step 4: Configure and customize tripwire

For the sake of clarity I keep the configuration file at its defaults:

bhaskar@bhaskar-laptop_09:05:02_Sun Jul 25:~> sudo vim /etc/tripwire/twcfg.txt

ROOT                   =/usr/sbin
POLFILE                =/etc/tripwire/tw.pol
DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/etc/tripwire/site.key
LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR                 =/bin/vi
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS       =true
EMAILREPORTLEVEL       =3
REPORTLEVEL            =3
MAILMETHOD             =SENDMAIL
SYSLOGREPORTING        =false
MAILPROGRAM            =/usr/sbin/sendmail -oi -t

The next file to look at is the policy file:

bhaskar@bhaskar-laptop_09:08:41_Sun Jul 25:~> sudo vim /etc/tripwire/twpol.txt

Once again, for the sake of clarity, I keep the policy file at its defaults, but one should change it according to his/her requirements. It's a very simple file with just key=value pairs in it.

Step 5: Generate the key pair to protect tripwire files

You need to run this script to get things done:

root@bhaskar-laptop_09:32:59_Sun Jul 25:/etc/tripwire # sudo /usr/sbin/tripwire-setup-keyfiles

The Tripwire site and local passphrases are used to sign a  variety  of
files, such as the configuration, policy, and database files.

Passphrases should be at least 8 characters in length and contain  both
letters and numbers.

See the Tripwire manual for more information.

----------------------------------------------
Creating key files...

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase:

Verify the site keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

----------------------------------------------
Signing configuration file…
Please enter your site passphrase:
Wrote configuration file: /etc/tripwire/tw.cfg

A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection.  It  is  recommended  that  you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.

----------------------------------------------
Signing policy file…
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol

A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
has been preserved for  your  inspection.  This  implements  a  minimal
policy, intended only to test  essential  Tripwire  functionality.  You
should edit the policy file to  describe  your  system,  and  then  use
twadmin to generate a new signed copy of the Tripwire policy.

Once you have a satisfactory Tripwire policy file, you should move  the
clear-text version to a secure location  and/or  encrypt  it  in  place
(using a tool such as GPG, for example).

Now run "tripwire --init" to enter Database Initialization  Mode.  This
reads the policy file, generates a database based on its contents,  and
then cryptographically signs the resulting  database.  Options  can  be
entered on the command line to specify which policy, configuration, and
key files are used  to  create  the  database.  The  filename  for  the
database can be specified as well. If no  options  are  specified,  the
default values from the current configuration file are used.

So we are done with the key files. From now on, every time we need to run tripwire we have to supply the correct site passphrase.

Step 6: Initialize the database

root@bhaskar-laptop_09:43:11_Sun Jul 25:/etc/tripwire # tripwire --init

Please enter your local passphrase:
Incorrect local passphrase.
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
……………………

………………………
Wrote database file: /var/lib/tripwire/bhaskar-laptop.twd
The database was successfully generated.

So the first time I entered the wrong passphrase and was asked to enter it again. Now the database of the existing filesystem has been generated. The next thing is to check the integrity.

Step 7: Checking integrity

root@bhaskar-laptop_09:46:55_Sun Jul 25:/etc/tripwire # tripwire --check

Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...

……………………….

Wrote report file: /var/lib/tripwire/report/bhaskar-laptop-20100725-095014.twr

Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:          root
Report created on:            Sun 25 Jul 2010 09:50:14 AM IST
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    bhaskar-laptop
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/bhaskar-laptop.twd
Command line used:            tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

Rule Name                       Severity Level    Added    Removed  Modified
---------                       --------------    -----    -------  --------
Invariant Directories           66                0        0        0
Temporary directories           33                0        0        0
* Tripwire Data Files             100               1        0        0
Critical devices                100               0        0        0
User binaries                   66                0        0        0
Tripwire Binaries               100               0        0        0
Critical configuration files    100               0        0        0
Libraries                       66                0        0        0
Operating System Utilities      100               0        0        0
Critical system boot files      100               0        0        0
File System and Disk Administraton Programs
100               0        0        0
Kernel Administration Programs  100               0        0        0
Networking Programs             100               0        0        0
System Administration Programs  100               0        0        0
Hardware and Device Control Programs
100               0        0        0
System Information Programs     100               0        0        0
Application Information Programs
100               0        0        0
Shell Related Programs          100               0        0        0
Critical Utility Sym-Links      100               0        0        0
Shell Binaries                  100               0        0        0
System boot changes             100               0        0        0
OS executables and libraries    100               0        0        0
Security Control                100               0        0        0
Login Scripts                   100               0        0        0
Root config files               100               0        0        0

Total objects scanned:  36197
Total violations found:  1

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
“/var/lib/tripwire/bhaskar-laptop.twd”

===============================================================================
Error Report:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

1.   File system error.
Filename: /dev/kmem
No such file or directory
……………………
…………………..
Filename: /root/.Xauthority
No such file or directory

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.

Now you can see a lot of noise, because I haven't made any changes to the default files. So the binaries assumed a lot of things and spat out the warnings. Those warnings can be removed if one modifies (and one should) the policy file according to need. I prefer to go with the default one to show the impact of it.

Now, what does that check do? It simply compares the database of our filesystem that we created earlier with the present state of the filesystem and spits out the result. More importantly, it generates a report of it and keeps that file in the filesystem. Next we are going to look at the report that the check prepared for us.
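To make concrete what the check compares, here is a small added example written for this article; it is not part of Tripwire or the original post. It records the same kind of per-object properties a Tripwire database holds (mode, owner, size, mtime, plus a content hash), builds a baseline the way --init does, and then reports Added/Removed/Modified objects the way --check does. The loose_directory_checking flag mirrors the LOOSEDIRECTORYCHECKING setting in twcfg.txt: when it is on, a directory is not reported as modified merely because entries were added or removed inside it. The demo() function builds a throwaway tree in a temporary directory; that tree and its tampering steps are constructed here and are not from the article.

```python
import hashlib
import os
import stat
import tempfile

# Properties skipped for directories when loose directory checking is on,
# mirroring (in spirit) what Tripwire's LOOSEDIRECTORYCHECKING ignores.
LOOSE_DIR_IGNORE = ("size", "mtime")


def snapshot(path):
    """Record the properties of one filesystem object (never follows symlinks)."""
    st = os.lstat(path)
    entry = {
        "mode": stat.filemode(st.st_mode),
        "uid": st.st_uid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)  # a repointed link counts as modified
    return entry


def build_baseline(root):
    """Walk root and record every directory and file, like 'tripwire --init'."""
    db = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        db[dirpath] = snapshot(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            db[path] = snapshot(path)
    return db


def check(root, baseline, loose_directory_checking=False):
    """Compare the live tree with the baseline, like 'tripwire --check'."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = []
    for path in sorted(set(current) & set(baseline)):
        old, new = baseline[path], current[path]
        if loose_directory_checking and old["mode"].startswith("d"):
            old = {k: v for k, v in old.items() if k not in LOOSE_DIR_IGNORE}
            new = {k: v for k, v in new.items() if k not in LOOSE_DIR_IGNORE}
        if old != new:
            modified.append(path)
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a tree, then alter, delete and add files."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "etc"))
        for name, body in (("etc/b.conf", b"hello"), ("etc/c.conf", b"keep")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)

        # Tamper: same-length content change, one deletion, one new file.
        with open(os.path.join(root, "etc/b.conf"), "wb") as f:
            f.write(b"HELLO")
        os.remove(os.path.join(root, "etc/c.conf"))
        with open(os.path.join(root, "etc/d.conf"), "wb") as f:
            f.write(b"new")

        report = check(root, baseline, loose_directory_checking=True)
        # Report paths relative to root so the result is readable and testable.
        return {k: [os.path.relpath(p, root) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {len(paths)}  {' '.join(paths)}")
```

Note that b.conf is overwritten with content of the same length, so a size-only property would miss it; the hash is what flags it, which is why the hash properties in a Tripwire policy matter for critical files. With strict directory checking (the article's LOOSEDIRECTORYCHECKING=false) the etc directory itself would normally be reported as modified too, since adding or removing entries changes its mtime.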

Step 8: Checking report

Tripwire stores the reports in /var/lib/tripwire/report.

Here is the report file just created:

root@bhaskar-laptop_09:52:53_Sun Jul 25:/etc/tripwire # ls -al /var/lib/tripwire/report/
total 20
drwx------. 2 root root  4096 2010-07-25 09:52 .
drwx------. 3 root root  4096 2010-07-25 09:46 ..
-rw-r--r--. 1 root root 11878 2010-07-25 09:52 bhaskar-laptop-20100725-095014.twr

So we are going to examine that .twr file, and for that we will use a binary shipped with this software called "twprint":

root@bhaskar-laptop_10:04:20_Sun Jul 25:/etc/tripwire # twprint -m r --twrfile /var/lib/tripwire/report/bhaskar-laptop-20100725-095014.twr

Note: Report is not encrypted.
Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:          root
Report created on:            Sun 25 Jul 2010 09:50:14 AM IST
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    bhaskar-laptop
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/bhaskar-laptop.twd
Command line used:            tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

Rule Name                       Severity Level    Added    Removed  Modified
---------                       --------------    -----    -------  --------
Invariant Directories           66                0        0        0
Temporary directories           33                0        0        0
* Tripwire Data Files             100               1        0        0
Critical devices                100               0        0        0
User binaries                   66                0        0        0
Tripwire Binaries               100               0        0        0
Critical configuration files    100               0        0        0
Libraries                       66                0        0        0
Operating System Utilities      100               0        0        0
Critical system boot files      100               0        0        0
File System and Disk Administraton Programs
100               0        0        0
Kernel Administration Programs  100               0        0        0
Networking Programs             100               0        0        0
System Administration Programs  100               0        0        0
Hardware and Device Control Programs
100               0        0        0
System Information Programs     100               0        0        0
Application Information Programs
100               0        0        0
Shell Related Programs          100               0        0        0
Critical Utility Sym-Links      100               0        0        0
Shell Binaries                  100               0        0        0
System boot changes             100               0        0        0
OS executables and libraries    100               0        0        0
Security Control                100               0        0        0
Login Scripts                   100               0        0        0
Root config files               100               0        0        0

Total objects scanned:  36197
Total violations found:  1

===============================================================================
Object Detail:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------
----------------------------------------
Added Objects: 1
----------------------------------------

Added object name:  /var/lib/tripwire/bhaskar-laptop.twd

===============================================================================
Error Report:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

1.   File system error.
Filename: /dev/kmem
No such file or directory

…………………
……………

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.

Because it's a fresh install, a lot of information is missing from the reports. And of course a lot of warnings could be eliminated from this report if I had modified the policy file, which I didn't for the sake of clarity.
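When the daily cron job from the file list (/etc/cron.daily/tripwire-check) or a manual --check produces a report like the one above, what an operator usually wants first is the list of rules that actually fired and the highest severity among them. The following Python is an added example written for this article, not part of Tripwire: it parses the Rule Summary table of a plain-text report, including rule names long enough to wrap onto their own line (as "File System and Disk Administraton Programs" does above), and picks out the violated rules. SAMPLE_REPORT is a constructed fragment modelled on the report above, with a made-up "Critical configuration files" violation added so that the Modified column is exercised as well.

```python
import re

# One complete table row: optional "* " flag, rule name, then four integer columns.
ROW_RE = re.compile(
    r"^(?P<flag>\*\s+)?(?P<name>\S.*?)\s{2,}"
    r"(?P<sev>\d+)\s+(?P<add>\d+)\s+(?P<rem>\d+)\s+(?P<mod>\d+)\s*$"
)
# The counts alone, used when a long rule name was printed on the line before.
COUNTS_RE = re.compile(r"^\s*(?P<sev>\d+)\s+(?P<add>\d+)\s+(?P<rem>\d+)\s+(?P<mod>\d+)\s*$")

# Constructed sample modelled on the article's report; the last violation is invented.
SAMPLE_REPORT = """\
Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:          root
Database last updated on:     Never

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

Rule Name                       Severity Level    Added    Removed  Modified
---------                       --------------    -----    -------  --------
Invariant Directories           66                0        0        0
Temporary directories           33                0        0        0
* Tripwire Data Files             100               1        0        0
Critical devices                100               0        0        0
File System and Disk Administraton Programs
100               0        0        0
* Critical configuration files    100               0        0        2
Root config files               100               0        0        0

Total objects scanned:  36197
Total violations found:  3
"""


def _row(name, flagged, m):
    return {
        "rule": name,
        "flagged": flagged,  # True when Tripwire marked the row with "*"
        "severity": int(m.group("sev")),
        "added": int(m.group("add")),
        "removed": int(m.group("rem")),
        "modified": int(m.group("mod")),
    }


def parse_rule_summary(report):
    """Return the rows of the Rule Summary table of a text report as dicts."""
    rules = []
    in_table = False
    pending = None  # (name, flagged) of a wrapped rule name awaiting its counts
    for line in report.splitlines():
        if not in_table:
            in_table = line.startswith("Rule Name") and "Severity" in line
            continue
        text = line.strip()
        if text.startswith("Total objects scanned"):
            break
        if not text or set(text) <= {"-", " "}:
            continue  # blank line or the dashed underline row
        m = ROW_RE.match(line)
        if m:
            rules.append(_row(m.group("name"), m.group("flag") is not None, m))
            pending = None
            continue
        m = COUNTS_RE.match(line)
        if m and pending:
            rules.append(_row(pending[0], pending[1], m))
            pending = None
            continue
        # A line with no counts is a rule name too long for one line.
        pending = (text.lstrip("* ").strip(), text.startswith("*"))
    return rules


def violations(rules):
    """Rules whose Added/Removed/Modified counts are not all zero."""
    return [r for r in rules if r["added"] or r["removed"] or r["modified"]]


def max_severity(rules):
    """Highest severity among violated rules; 0 when the report is clean."""
    return max((r["severity"] for r in violations(rules)), default=0)


if __name__ == "__main__":
    parsed = parse_rule_summary(SAMPLE_REPORT)
    for r in violations(parsed):
        print(f"{r['severity']:>3}  {r['rule']}: +{r['added']} -{r['removed']} ~{r['modified']}")
    print("max severity:", max_severity(parsed))
```

Feeding the output of twprint -m r into such a parser is what turns the daily report into something a monitoring system can alert on: a non-zero max_severity on a rule other than "Tripwire Data Files" (which fires once after --init, as seen above) is the signal worth paging on.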

Step 9: Track the tripwire database

Just to check how much information tripwire keeps track of for us:

root@bhaskar-laptop_10:12:34_Sun Jul 25:/etc/tripwire # twprint -m d --print-dbfile

Open Source Tripwire(R) 2.4.1 Database

Database generated by:        root
Database generated on:        Sun 25 Jul 2010 09:43:55 AM IST
Database last updated on:     Never

===============================================================================
Database Summary:
===============================================================================

Host name:                    bhaskar-laptop
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/bhaskar-laptop.twd
Command line used:            tripwire --init

Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

Mode        UID                  Size       Modify Time
------      ----------           ---------- ----------
/
dr-xr-xr-x  root (0)             XXX        XXXXXXXXXXXXXXXXX
/bin
dr-xr-xr-x  root (0)             4096       Sun 25 Jul 2010 09:40:32 AM IST
/bin/alsaunmute
-rwxr-xr-x  root (0)             123        Mon 28 Jun 2010 05:21:44 PM IST
/bin/arch
-rwxr-xr-x  root (0)             26828      Wed 28 Apr 2010 09:26:03 PM IST
/bin/awk
lrwxrwxrwx  root (0)             4          Mon 12 Jul 2010 08:44:23 PM IST
/bin/basename
-rwxr-xr-x  root (0)             25032      Wed 28 Apr 2010 09:26:03 PM IST
/bin/bash
-rwxr-xr-x  root (0)             861128     Fri 21 May 2010 10:54:37 PM IST
/bin/cat
-rwxr-xr-x  root (0)             48292      Wed 28 Apr 2010 09:26:03 PM IST
/bin/chgrp
-rwxr-xr-x  root (0)             56708      Wed 28 Apr 2010 09:26:03 PM IST
/bin/chmod
-rwxr-xr-x  root (0)             52304      Wed 28 Apr 2010 09:26:03 PM IST
/bin/chown
-rwxr-xr-x  root (0)             58932      Wed 28 Apr 2010 09:26:03 PM IST
/bin/cp
-rwxr-xr-x  root (0)             118896     Wed 28 Apr 2010 09:26:03 PM IST
/bin/cpio
-rwxr-xr-x  root (0)             133292     Wed 10 Mar 2010 07:55:16 PM IST
/bin/cut
-rwxr-xr-x  root (0)             44076      Wed 28 Apr 2010 09:26:03 PM IST
/bin/dash
-rwxr-xr-x  root (0)             102216     Sat 25 Jul 2009 11:46:41 AM IST
/bin/date
-rwxr-xr-x  root (0)             60140      Wed 28 Apr 2010 09:26:03 PM IST
/bin/dbus-cleanup-sockets
-rwxr-xr-x  root (0)             9628       Fri 18 Dec 2009 09:02:09 PM IST
/bin/dbus-daemon
-rwxr-xr-x  root (0)             362416     Fri 18 Dec 2009 09:02:09 PM IST
/bin/dbus-monitor
-rwxr-xr-x  root (0)             13804      Fri 18 Dec 2009 09:02:09 PM IST
/bin/dbus-send
-rwxr-xr-x  root (0)             17168      Fri 18 Dec 2009 09:02:09 PM IST
/bin/dbus-uuidgen
-rwxr-xr-x  root (0)             7972       Fri 18 Dec 2009 09:02:09 PM IST
/bin/dd
-rwxr-xr-x  root (0)             56188      Wed 28 Apr 2010 09:26:03 PM IST
/bin/df
-rwxr-xr-x  root (0)             69536      Wed 28 Apr 2010 09:26:03 PM IST
/bin/dmesg
-rwxr-xr-x  root (0)             7028       Tue 13 Apr 2010 12:34:31 AM IST
/bin/dnsdomainname
lrwxrwxrwx  root (0)             8          Tue 08 Jun 2010 11:39:42 AM IST
/bin/doexec
-rwxr-xr-x  root (0)             4912       Wed 28 Apr 2010 11:56:37 PM IST
/bin/domainname
lrwxrwxrwx  root (0)             8          Tue 08 Jun 2010 11:39:42 AM IST
/bin/dumpkeys
-rwxr-xr-x  root (0)             59824      Wed 26 Aug 2009 10:23:56 PM IST
/bin/echo
-rwxr-xr-x  root (0)             26224      Wed 28 Apr 2010 09:26:03 PM IST
/bin/ed
-rwxr-xr-x  root (0)             48036      Sat 25 Jul 2009 07:53:30 PM IST
/bin/egrep
-rwxr-xr-x  root (0)             98156      Thu 08 Apr 2010 03:10:19 AM IST
/bin/env
-rwxr-xr-x  root (0)             25084      Wed 28 Apr 2010 09:26:03 PM IST
/bin/ex
lrwxrwxrwx  root (0)             2          Mon 05 Apr 2010 06:03:08 PM IST
/bin/false
-rwxr-xr-x  root (0)             23324      Wed 28 Apr 2010 09:26:03 PM IST
/bin/fgrep
-rwxr-xr-x  root (0)             65168      Thu 08 Apr 2010 03:10:19 AM IST
/bin/find
-rwxr-xr-x  root (0)             172300     Tue 01 Jun 2010 04:21:17 PM IST
/bin/fusermount
-rwsr-xr-x  root (0)             29340      Tue 08 Jun 2010 10:45:17 AM IST
/bin/gawk
-rwxr-xr-x  root (0)             346704     Thu 01 Apr 2010 08:00:09 PM IST
/bin/gettext
-rwxr-xr-x  root (0)             27436      Tue 08 Dec 2009 01:40:34 PM IST
/bin/grep
-rwxr-xr-x  root (0)             102284     Thu 08 Apr 2010 03:10:19 AM IST
/bin/gtar
lrwxrwxrwx  root (0)             3          Sat 22 May 2010 09:30:52 AM IST
/bin/gunzip
-rwxr-xr-x  root (0)             61         Tue 23 Feb 2010 03:37:28 PM IST
/bin/gzip
-rwxr-xr-x  root (0)             67500      Tue 23 Feb 2010 03:37:28 PM IST
/bin/hostname
-rwxr-xr-x  root (0)             12728      Fri 19 Mar 2010 04:59:02 PM IST
/bin/ipcalc
-rwxr-xr-x  root (0)             11588      Wed 28 Apr 2010 11:56:37 PM IST
/bin/iptables-xml
lrwxrwxrwx  root (0)             20         Tue 10 Nov 2009 12:41:37 AM IST
/bin/kbd_mode
-rwxr-xr-x  root (0)             8420       Wed 26 Aug 2009 10:23:56 PM IST
/bin/kill
-rwxr-xr-x  root (0)             11484      Tue 13 Apr 2010 12:34:31 AM IST
/bin/link
-rwxr-xr-x  root (0)             25028      Wed 28 Apr 2010 09:26:03 PM IST
/bin/ln
-rwxr-xr-x  root (0)             46596      Wed 28 Apr 2010 09:26:03 PM IST
/bin/loadkeys
-rwxr-xr-x  root (0)             88720      Wed 26 Aug 2009 10:23:56 PM IST
/bin/login
-rwxr-xr-x  root (0)             26020      Tue 13 Apr 2010 12:34:31 AM IST
/bin/lowntfs-3g
-rwxr-xr-x  root (0)             56596      Tue 18 May 2010 11:05:21 PM IST
/bin/ls
-rwxr-xr-x  root (0)             116688     Wed 28 Apr 2010 09:26:03 PM IST
/bin/mail
lrwxrwxrwx  root (0)             5          Wed 26 May 2010 05:23:13 PM IST
/bin/mailx
-rwxr-xr-x  root (0)             374868     Mon 27 Jul 2009 06:12:34 AM IST
/bin/mkdir
-rwxr-xr-x  root (0)             46328      Wed 28 Apr 2010 09:26:03 PM IST
/bin/mknod
-rwxr-xr-x  root (0)             30916      Wed 28 Apr 2010 09:26:03 PM IST
/bin/mktemp
-rwxr-xr-x  root (0)             35296      Wed 28 Apr 2010 09:26:03 PM IST
/bin/more
-rwxr-xr-x  root (0)             35056      Tue 13 Apr 2010 12:34:31 AM IST
/bin/mount
-rwsr-xr-x  root (0)             70444      Tue 13 Apr 2010 12:34:25 AM IST
/bin/mountpoint
-rwxr-xr-x  root (0)             7212       Mon 26 Apr 2010 03:33:17 PM IST
/bin/mv
-rwxr-xr-x  root (0)             109976     Wed 28 Apr 2010 09:26:03 PM IST
/bin/netstat
-rwxr-xr-x  root (0)             122960     Fri 19 Mar 2010 04:59:02 PM IST
/bin/nice
-rwxr-xr-x  root (0)             27328      Wed 28 Apr 2010 09:26:03 PM IST
/bin/nisdomainname
lrwxrwxrwx  root (0)             8          Tue 08 Jun 2010 11:39:42 AM IST
/bin/ntfs-3g
-rwxr-xr-x  root (0)             51380      Tue 18 May 2010 11:05:21 PM IST
/bin/ntfs-3g.probe
-rwxr-xr-x  root (0)             8196       Tue 18 May 2010 11:05:21 PM IST
/bin/ntfs-3g.secaudit
-rwxr-xr-x  root (0)             60884      Tue 18 May 2010 11:05:21 PM IST
/bin/ntfs-3g.usermap
-rwxr-xr-x  root (0)             14920      Tue 18 May 2010 11:05:21 PM IST
/bin/ntfsmount
lrwxrwxrwx  root (0)             7          Tue 08 Jun 2010 11:39:44 AM IST
/bin/ping
-rwsr-xr-x  root (0)             41976      Tue 11 May 2010 07:33:13 PM IST
/bin/ping6
-rwsr-xr-x  root (0)             37228      Tue 11 May 2010 07:33:13 PM IST
/bin/plymouth
-rwxr-xr-x  root (0)             31048      Tue 26 Jan 2010 11:59:16 AM IST
/bin/ps
-rwxr-xr-x  root (0)             83624      Mon 16 Nov 2009 07:30:24 PM IST
/bin/pwd
-rwxr-xr-x  root (0)             30140      Wed 28 Apr 2010 09:26:03 PM IST
/bin/readlink
-rwxr-xr-x  root (0)             38732      Wed 28 Apr 2010 09:26:03 PM IST
/bin/red
-rwxr-xr-x  root (0)             48036      Sat 25 Jul 2009 07:53:30 PM IST
/bin/redhat_lsb_init
-rwxr-xr-x  root (0)             576        Wed 16 Apr 2008 11:20:14 PM IST
/bin/rm
-rwxr-xr-x  root (0)             56792      Wed 28 Apr 2010 09:26:03 PM IST
/bin/rmdir
-rwxr-xr-x  root (0)             38840      Wed 28 Apr 2010 09:26:03 PM IST
/bin/rpm
-rwxr-xr-x  root (0)             22528      Wed 30 Jun 2010 03:46:32 PM IST
/bin/rvi
lrwxrwxrwx  root (0)             2          Mon 05 Apr 2010 06:03:08 PM IST
/bin/rview
lrwxrwxrwx  root (0)             2          Mon 05 Apr 2010 06:03:08 PM IST
/bin/sed
-rwxr-xr-x  root (0)             66380      Mon 22 Mar 2010 06:41:35 PM IST
/bin/setfont
-rwxr-xr-x  root (0)             39008      Wed 26 Aug 2009 10:23:56 PM IST
/bin/setserial
-rwxr-xr-x  root (0)             20788      Wed 29 Jul 2009 02:03:22 AM IST
/bin/sh
lrwxrwxrwx  root (0)             4          Fri 23 Jul 2010 10:22:22 AM IST
/bin/sleep
-rwxr-xr-x  root (0)             26000      Wed 28 Apr 2010 09:26:03 PM IST
/bin/sort
-rwxr-xr-x  root (0)             98344      Wed 28 Apr 2010 09:26:03 PM IST
/bin/stty
-rwxr-xr-x  root (0)             63472      Wed 28 Apr 2010 09:26:03 PM IST
/bin/su
-rwsr-xr-x  root (0)             32744      Wed 28 Apr 2010 09:26:02 PM IST
/bin/sync
-rwxr-xr-x  root (0)             23844      Wed 28 Apr 2010 09:26:03 PM IST
/bin/tar
-rwxr-xr-x  root (0)             295904     Mon 03 May 2010 03:44:03 PM IST
/bin/taskset
-rwxr-xr-x  root (0)             11904      Tue 13 Apr 2010 12:34:31 AM IST
/bin/touch
-rwxr-xr-x  root (0)             47732      Wed 28 Apr 2010 09:26:03 PM IST
/bin/tracepath
-rwxr-xr-x  root (0)             10040      Tue 11 May 2010 07:33:13 PM IST
/bin/tracepath6
-rwxr-xr-x  root (0)             10732      Tue 11 May 2010 07:33:13 PM IST
/bin/traceroute
-rwxr-xr-x  root (0)             55600      Wed 14 Jul 2010 08:45:46 PM IST
/bin/traceroute6
lrwxrwxrwx  root (0)             10         Fri 23 Jul 2010 10:23:48 AM IST
/bin/true
-rwxr-xr-x  root (0)             23324      Wed 28 Apr 2010 09:26:03 PM IST
/bin/ulockmgr_server
-rwxr-xr-x  root (0)             11400      Tue 08 Jun 2010 10:45:17 AM IST
/bin/umount
-rwsr-xr-x  root (0)             47540      Tue 13 Apr 2010 12:34:26 AM IST
/bin/uname
-rwxr-xr-x  root (0)             26828      Wed 28 Apr 2010 09:26:03 PM IST
/bin/unicode_start
-rwxr-xr-x  root (0)             2555       Wed 26 Aug 2009 10:23:55 PM IST
/bin/unicode_stop
-rwxr-xr-x  root (0)             363        Wed 26 Aug 2009 10:23:53 PM IST
/bin/unlink
-rwxr-xr-x  root (0)             24068      Wed 28 Apr 2010 09:26:03 PM IST
/bin/usleep
-rwxr-xr-x  root (0)             7096       Wed 28 Apr 2010 11:56:37 PM IST
/bin/vi
-rwxr-xr-x  root (0)             722680     Thu 25 Mar 2010 11:43:17 PM IST
/bin/view
lrwxrwxrwx  root (0)             2          Mon 05 Apr 2010 06:03:09 PM IST
/bin/ypdomainname
lrwxrwxrwx  root (0)             8          Tue 08 Jun 2010 11:39:42 AM IST
/bin/zcat
-rwxr-xr-x  root (0)             62         Tue 23 Feb 2010 03:37:28 PM IST
/boot
dr-xr-xr-x  root (0)             1024       Fri 23 Jul 2010 10:25:29 AM IST
/boot/System.map-2.6.32.12-115.fc12.i686
-rw-r--r--  root (0)             1643223    Sat 01 May 2010 02:19:02 AM IST
/boot/System.map-2.6.32.14-127.fc12.i686
-rw-r--r--  root (0)             1643320    Fri 28 May 2010 10:47:55 AM IST
/boot/System.map-2.6.32.16-141.fc12.i686
-rw-r--r--  root (0)             1624179    Wed 07 Jul 2010 10:22:11 AM IST
/boot/config-2.6.32.12-115.fc12.i686
-rw-r--r--  root (0)             106890     Sat 01 May 2010 02:19:02 AM IST
/boot/config-2.6.32.14-127.fc12.i686
-rw-r--r--  root (0)             106890     Fri 28 May 2010 10:47:55 AM IST
/boot/config-2.6.32.16-141.fc12.i686
-rw-r--r--  root (0)             106915     Wed 07 Jul 2010 10:22:11 AM IST
/boot/efi
drwxr-xr-x  root (0)             1024       Tue 10 Nov 2009 12:43:21 AM IST

....... I have snipped the rest of the output, because it is huge (and very informative: every monitored object with its mode, owner, size and last-modification time).

Step 10: Update the tripwire database

After a legitimate change (a yum update, an edit to a config file) every following check keeps reporting the same objects, so the database has to be updated to accept them as the new baseline. Tripwire takes the list of changes from the report of the last check; you will be asked for the local passphrase:

root@bhaskar-laptop_10:28:35_Sun Jul 25:/home/bhaskar # tripwire --update --twrfile /var/lib/tripwire/report/bhaskar-laptop-20100725-095014.twr

It opens the report in a temporary file in your editor (the EDITOR set in tw.cfg, /bin/vi by default). Every reported object is listed with an "[x]" box beside it. Leave the "x" to accept that object's new state into the database; remove the "x" for anything you do not want accepted, and that object will keep being reported on the next check. Save and quit to apply. Before accepting, check that every change matches something you actually did, because an unexplained change is exactly what Tripwire is there to catch. (--accept-all skips the editor and takes everything; keep it for throwaway boxes.)
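Because the editing step is where an accidental acceptance happens, here is an added example (not from this article and not part of Tripwire) that pre-screens the report Tripwire opens for --update: it clears the box of every object on a deny list, so those can only be accepted by someone who deliberately puts the "x" back. The `[x] "path"` lines follow the format of Tripwire's update report; the deny list (NEVER_ACCEPT) and the sample report are constructed for the example.

```python
"""Pre-screen a Tripwire --update report so that sensitive objects are never
accepted into the database by an absent-minded ":wq".
Added example, not from the article or from Tripwire.  The box-line format is
the one Tripwire shows in --update mode; NEVER_ACCEPT is an assumed deny list."""
import re
import sys

BOX_LINE = re.compile(r'^(\s*)\[x\] "(.+)"\s*$')

# Assumed policy: changes here always need a human to look before acceptance.
NEVER_ACCEPT = ("/etc/passwd", "/etc/shadow", "/etc/sudoers", "/bin/", "/sbin/")

# Constructed sample of the editable report that --update opens in your editor.
SAMPLE_UPDATE = """\
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Added:
[x] "/var/lib/tripwire/bhaskar-laptop.twd"

Modified:
[x] "/etc/passwd"
[x] "/etc/motd"
"""


def protected(path, deny=NEVER_ACCEPT):
    """True if `path` is on the deny list, by exact name or by directory prefix."""
    return any(path == d or (d.endswith("/") and path.startswith(d)) for d in deny)


def clear_boxes(text, deny=NEVER_ACCEPT):
    """Return (edited_text, cleared_paths): the box of every protected path becomes
    '[ ]', so Tripwire keeps the old value in the database and reports it again."""
    out, cleared = [], []
    for line in text.splitlines():
        m = BOX_LINE.match(line)
        if m and protected(m.group(2), deny):
            out.append(f'{m.group(1)}[ ] "{m.group(2)}"')
            cleared.append(m.group(2))
        else:
            out.append(line)
    return "\n".join(out) + "\n", cleared


if __name__ == "__main__":
    if len(sys.argv) == 2:  # run as the editor: rewrite the temporary report in place
        with open(sys.argv[1]) as fh:
            edited, cleared = clear_boxes(fh.read())
        with open(sys.argv[1], "w") as fh:
            fh.write(edited)
    else:
        edited, cleared = clear_boxes(SAMPLE_UPDATE)
        print(edited)
    print("kept flagged for review:", cleared, file=sys.stderr)
```

Tripwire launches the EDITOR named in tw.cfg on a temporary copy of the report, so a one-line wrapper script that runs this on the file and then hands it to vi gives you the pre-screened report to review; the script is a pre-pass, not a replacement for reading the report.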

Step 11: Update the policy file

We will use a binary shipped with the tripwire software called "twadmin".

The usual practice is to delete the clear-text policy file (/etc/tripwire/twpol.txt) once Tripwire is configured, so the list of what is watched is not lying around in plain text. Be clear about what that buys you: tw.pol is signed, not secret, and root can regenerate the clear text at any time without a passphrase. That is also how you get it back when the policy needs editing:

root@bhaskar-laptop_10:28:35_Sun Jul 25:/home/bhaskar # twadmin --print-polfile > /etc/tripwire/twpol.txt

(The option is --print-polfile, short form -p; it reads the policy file named in tw.cfg.) Edit twpol.txt as needed, then sign it with the site key to produce the encrypted policy file tw.pol. This step asks for the site passphrase, which is what stops anyone without it from changing what Tripwire watches:

root@bhaskar-laptop_10:38:13_Sun Jul 25:/etc/tripwire # /usr/sbin/twadmin --create-polfile -S site.key /etc/tripwire/twpol.txt

Please enter your site passphrase:

Wrote policy file: /etc/tripwire/tw.pol

Now I am going to update the database against the newly signed policy file. The way shown here is to discard the existing database and re-initialise it:

root@bhaskar-laptop_10:38:13_Sun Jul 25:/etc/tripwire # rm /var/lib/tripwire/bhaskar-laptop.twd
rm: remove regular file `/var/lib/tripwire/bhaskar-laptop.twd'? y

I said "y" to it, so it is removed. Be aware of what this does: a fresh --init takes the filesystem as it is right now as the trusted baseline, so any change made since the last clean check is silently accepted. The safer route is tripwire --update-policy /etc/tripwire/twpol.txt (it asks for both passphrases), which re-signs the database against the new policy and, in its default high secure mode, lists the objects that changed in the meantime and stops instead of accepting them (--secure-mode low accepts them with a warning).

So recreate the database once more:

root@bhaskar-laptop_10:42:14_Sun Jul 25:/etc/tripwire # tripwire --init

Please enter your local passphrase:

………

Wrote database file: /var/lib/tripwire/bhaskar-laptop.twd
The database was successfully generated.

Once that is done, run an integrity check once more against the new database:

root@bhaskar-laptop_10:47:03_Sun Jul 25:/etc/tripwire # tripwire --check

Wrote report file: /var/lib/tripwire/report/bhaskar-laptop-20100725-104915.twr

Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:          root
Report created on:            Sun 25 Jul 2010 10:49:15 AM IST
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    bhaskar-laptop
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/bhaskar-laptop.twd
Command line used:            tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

Rule Name                       Severity Level    Added    Removed  Modified
---------                       --------------    -----    -------  --------
Invariant Directories           66                0        0        0
Temporary directories           33                0        0        0
* Tripwire Data Files             100               1        0        0
Critical devices                100               0        0        0
User binaries                   66                0        0        0
Tripwire Binaries               100               0        0        0
Critical configuration files    100               0        0        0
Libraries                       66                0        0        0
Operating System Utilities      100               0        0        0
Critical system boot files      100               0        0        0
File System and Disk Administraton Programs
                                100               0        0        0
Kernel Administration Programs  100               0        0        0
Networking Programs             100               0        0        0
System Administration Programs  100               0        0        0
Hardware and Device Control Programs
                                100               0        0        0
System Information Programs     100               0        0        0
Application Information Programs
                                100               0        0        0
Shell Related Programs          100               0        0        0
Critical Utility Sym-Links      100               0        0        0
Shell Binaries                  100               0        0        0
System boot changes             100               0        0        0
OS executables and libraries    100               0        0        0
Security Control                100               0        0        0
Login Scripts                   100               0        0        0
Root config files               100               0        0        0

Total objects scanned:  36199
Total violations found:  1

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
“/var/lib/tripwire/bhaskar-laptop.twd”

===============================================================================
Error Report:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

Integrity check complete.
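The single violation in this report is expected rather than a problem: tripwire --init wrote the new bhaskar-laptop.twd into /var/lib/tripwire, which the stock policy watches under the severity-100 rule "Tripwire Data Files", so the first check after any init reports the database itself as Added (hence "Database last updated on: Never"). Accept it with the --update step from Step 10 and it goes away. Reading reports by eye does not scale to a cron job on many hosts, so here is an added example (not from this article and not part of Tripwire) that parses the Rule Summary and Object Summary of a tripwire --check report into data, separates that known-benign first-run entry from everything else at or above a chosen severity, and is the kind of logic that decides what to page on. The embedded sample report is constructed for the example: a cut-down of the one above plus an invented modified /etc/passwd so the triage has something to separate. The rule names it keys on are those of the stock Fedora policy seen in the report.

```python
"""Turn a `tripwire --check` text report into data an alerting job can act on.
Added example, not from the article or from Tripwire.  SAMPLE_REPORT is a
constructed cut-down of the report in the article plus one invented change."""
import re

SAMPLE_REPORT = """\
===============================================================================
Rule Summary:
===============================================================================
Rule Name                       Severity Level    Added    Removed  Modified
---------                       --------------    -----    -------  --------
* Tripwire Data Files             100               1        0        0
* Critical configuration files    100               0        0        1
File System and Disk Administraton Programs
                                100               0        0        0
Total objects scanned:  36199
Total violations found:  2
===============================================================================
Object Summary:
===============================================================================
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
Added:
"/var/lib/tripwire/bhaskar-laptop.twd"
Rule Name: Critical configuration files (/etc)
Severity Level: 100
Modified:
"/etc/passwd"
===============================================================================
Error Report:
===============================================================================
"""

RULE_ROW = re.compile(r"^(\*\s+)?(\S.*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
COUNTS_ONLY = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
OBJ_RULE = re.compile(r"^Rule Name:\s+(.+?)\s+\((.+)\)\s*$")
OBJ_SEV = re.compile(r"^Severity Level:\s+(\d+)\s*$")

def _section(report, start, end):
    """Lines strictly between the first `start` line and the next `end` line."""
    lines = report.splitlines()
    begin = next(i for i, l in enumerate(lines) if l.startswith(start))
    stop = next(i for i, l in enumerate(lines) if i > begin and l.startswith(end))
    return lines[begin + 1:stop]

def parse_rule_summary(report):
    """Rule name -> dict(severity, added, removed, modified, flagged); flagged = leading '*'."""
    rules, pending = {}, None  # pending: (name, flagged) of a wrapped long name
    for line in _section(report, "Rule Summary:", "Total objects scanned"):
        if not line.strip() or line.startswith(("-", "=", "Section:", "Rule Name ")):
            continue
        m = COUNTS_ONLY.match(line)
        if m and pending:  # the counts of the long rule name on the previous line
            (name, flagged), nums = pending, m.groups()
        else:
            m = RULE_ROW.match(line)
            if not m:  # long rule name: Tripwire wraps its counts to the next line
                pending = (line.strip().lstrip("*").strip(), line.lstrip().startswith("*"))
                continue
            name, flagged, nums = m.group(2), m.group(1) is not None, m.groups()[2:]
        pending = None
        severity, added, removed, modified = map(int, nums)
        rules[name] = dict(severity=severity, added=added, removed=removed,
                           modified=modified, flagged=flagged)
    return rules

def parse_object_summary(report):
    """Every reported object as dict(rule, directory, severity, change, path)."""
    objects, rule, directory, severity, change = [], None, None, None, None
    for line in _section(report, "Object Summary:", "Error Report:"):
        m_rule, m_sev = OBJ_RULE.match(line), OBJ_SEV.match(line)
        if m_rule:
            rule, directory = m_rule.groups()
        elif m_sev:
            severity = int(m_sev.group(1))
        elif line.strip() in ("Added:", "Removed:", "Modified:"):
            change = line.strip()[:-1].lower()
        elif line.startswith('"') and line.rstrip().endswith('"'):
            objects.append(dict(rule=rule, directory=directory, severity=severity,
                                change=change, path=line.strip()[1:-1]))
    return objects

def total_violations(report):
    m = re.search(r"^Total violations found:\s+(\d+)", report, re.M)
    return int(m.group(1)) if m else None

def is_first_run_artifact(obj):
    """--init writes the .twd under /var/lib/tripwire, which the stock policy watches,
    so the first --check after an init always reports the database itself as Added."""
    return (obj["rule"] == "Tripwire Data Files" and obj["change"] == "added"
            and obj["path"].startswith("/var/lib/tripwire/") and obj["path"].endswith(".twd"))

def triage(report, min_severity=100):
    """Split reported objects into (actionable, ignored) for an alerting job."""
    actionable, ignored = [], []
    for obj in parse_object_summary(report):
        benign = is_first_run_artifact(obj) or obj["severity"] < min_severity
        (ignored if benign else actionable).append(obj)
    return actionable, ignored
```

Feed it the text of a report (twprint --print-report --twrfile <file> produces the same layout from the binary .twr) and alert on whatever triage() returns as actionable; lowering min_severity pulls the 66 and 33 rules into the actionable set.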

Hope this will help.

Cheers!

Bhaskar

About unixbhaskar
GNU/Linux Consultant

