9.3. Tripwire

Tripwire is a tool that helps detect compromises. It stores the state of the system and all the programs stored on it, and then, at regular intervals, compares the current state with the stored state. If it detects any changes, Tripwire can indicate that the server has been compromised and that a cracker has installed some other program (for example, a Trojan horse that pretends to be the "login" program but actually stores entered usernames/passwords for later retrieval).

Tripwire should be installed and configured as soon as possible after you build the machine; you need to be sure that the machine has not already been compromised! To install it, use the yum install tripwire command, which requires access to the Internet in order to download the Tripwire package.

9.3.1. Initial Setup

Once you've installed Tripwire, you'll need to set it up. Tripwire works by building a database of the files installed on your system. At regular intervals, you can then check the system against the Tripwire database, and be alerted if anything has changed.


Note: It's important that you know that your system has not been compromised before you set up Tripwire! Tripwire only detects changes from your "initial setup," so, if your initial setup is already compromised, Tripwire can't help you. This is why it's important to install and configure Tripwire as soon as possible after you build the machine. If you're working on a machine that has been connected to the Internet for a while, you may want to consider backing up the data on it, erasing the data from the hard drive, reinstalling the operating system, restoring the data, then configuring Tripwire before you reconnect it to the 'net. Yes, that process is as tedious as it sounds, but security is about preventing potential issues and identifying problems; if crackers have already compromised your machine, and you don't take the necessary steps to remove their access before you install Tripwire, the software won't be able to do its job properly.

The first step involved in setting up Tripwire is to generate the public and private keys the software uses to encrypt its reports and policy (or configuration) files. To do this, we use the tripwire-setup-keyfiles tool:

[root@swinetrek kermit]# /usr/sbin/tripwire-setup-keyfiles

----------------------------------------------
The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.

Passphrases should be at least 8 characters in length
and contain both letters and numbers.

See the Tripwire manual for more information.
----------------------------------------------

Creating key files...

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase:

Here, you're asked to enter a site keyfile passphrase, which will be used to encrypt Tripwire's policy files. This passphrase should really be a sentence, maybe two, and, as it cannot be recovered, be careful not to forget it! This particular step may be onerous, but it's critical to your system's security.


Warning: If you decide to ignore this advice and just choose a word, do not choose your main password. Doing that will allow anyone who compromises the machine to compromise the Tripwire database, which would defeat the point of running Tripwire.

Enter the passphrase at the prompt, and enter it again when you're asked to verify the passphrase.

Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase:

After you confirm the site keyfile passphrase, you will be prompted for a local keyfile passphrase, which will be used to encrypt the reports Tripwire generates. Tripwire uses two different passphrases so that you can give users the local passphrase, letting them read and work with the reports, without giving them the ability to change the way Tripwire works by altering its configuration. Be sure to pick a different passphrase for the local keyfile; don't reuse the one that you entered for the site keyfile passphrase.

Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

----------------------------------------------
Signing configuration file...
Please enter your site passphrase:

Tripwire will generate a key to go with each passphrase, then use those keys to sign files. To do this, it will ask you for the passphrases once again:

Please enter your site passphrase:
Wrote configuration file: /etc/tripwire/tw.cfg

A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection.  It is recommended that you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.

----------------------------------------------
Signing policy file...
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol

A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
has been preserved for your inspection.  This implements a minimal
policy, intended only to test essential Tripwire functionality.  You
should edit the policy file to describe your system, and then use
twadmin to generate a new signed copy of the Tripwire policy.

Once you have a satisfactory Tripwire policy file, you should move the
clear-text version to a secure location and/or encrypt it in place
(using a tool such as GPG, for example).

Now run "tripwire --init" to enter Database Initialization Mode.  This
reads the policy file, generates a database based on its contents, and
then cryptographically signs the resulting database.  Options can be
entered on the command line to specify which policy, configuration, and
key files are used to create the database.  The filename for the
database can be specified as well.  If no options are specified, the
default values from the current configuration file are used.

[root@swinetrek kermit]#

As you can see, Tripwire has generated and encrypted the configuration file, /etc/tripwire/tw.cfg, and the policy file, /etc/tripwire/tw.pol, and has also saved plain text versions of these files. As suggested, move these files from /etc/tripwire to a more secure location, such as a floppy disk. Even if crackers do compromise your system, they'll have a very difficult time gaining access to files stored on a floppy disk that's sitting in your desk drawer.

[root@swinetrek kermit]# mount /media/floppy
[root@swinetrek kermit]# mv /etc/tripwire/twcfg.txt \
> /media/floppy
[root@swinetrek kermit]# mv /etc/tripwire/twpol.txt \
> /media/floppy
[root@swinetrek kermit]# umount /media/floppy
[root@swinetrek kermit]#

Now, as tripwire-setup-keyfiles suggests, run tripwire --init to build the database. This may take a while.

[root@swinetrek kermit]# /usr/sbin/tripwire --init
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### No such file or directory
### Continuing...
…
### Warning: File system error.
### Filename: /proc/scsi
### No such file or directory
### Continuing...
Wrote database file: /var/lib/tripwire/swinetrek.twd
The database was successfully generated.
[root@swinetrek kermit]#

Tripwire is likely to complain about missing files with a series of "No such file or directory" errors. This isn't a problem; Tripwire's default configuration includes some files that aren't installed in a normal Fedora system. These errors can be ignored.
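Rather than scrolling past the same "No such file or directory" warnings on every run, you can take the paths Tripwire reports as missing out of the policy and re-sign it, which is what the tripwire-setup-keyfiles output meant by editing the policy and using twadmin. The script below is an added example written for this section, not code from the book or from the Tripwire project. It assumes the --init or --check output was captured to a file, that the clear-text policy uses the stock twpol.txt layout (one object per line, path first), and that the site key is at the Fedora default /etc/tripwire/site.key; the log and policy fragments embedded in it are constructed samples, not real output from the machine in the text.

```shell
#!/bin/sh
# Added example for this section (not from the book or the Tripwire project).
# Turns "### Warning: File system error ... No such file or directory" noise
# from tripwire --init / --check into a list of paths, comments those paths out
# of the clear-text policy, and re-signs the policy so later checks stay quiet.
# Assumptions: stock twpol.txt layout (one object per line, path first) and the
# Fedora default key location /etc/tripwire/site.key.

# Print each path that Tripwire reported as "No such file or directory".
# Reads tripwire output on stdin (e.g. a saved copy of "tripwire --init 2>&1").
tw_missing_paths() {
    awk '
        /^### Filename:/ { path = $3; next }     # remember the path...
        /^### No such file or directory/ && path != "" { print path }
        { path = "" }                            # ...only until the next line
    '
}

# Read a clear-text policy on stdin and write it to stdout with every entry
# whose object path is among the arguments turned into a comment line.
# Usage: tw_comment_out_missing /usr/sbin/fixrmtab /proc/scsi < twpol.txt
tw_comment_out_missing() {
    awk -v miss="$*" '
        BEGIN { n = split(miss, a, " "); for (i = 1; i <= n; i++) drop[a[i]] = 1 }
        {
            line = $0
            sub(/^[ \t]+/, "", line)     # drop indentation
            split(line, f, /[ \t]+/)     # f[1] is the object path (or a keyword)
            if (f[1] in drop) print "#" $0
            else print $0
        }
    '
}

# Re-sign an edited clear-text policy and rebuild the baseline database.
# Both commands prompt for passphrases; that is deliberately left interactive.
# Assumption: site key at /etc/tripwire/site.key (Fedora default).
tw_rebuild_policy() {
    /usr/sbin/twadmin --create-polfile -S /etc/tripwire/site.key "$1" &&
    /usr/sbin/tripwire --init
}

# Recover the clear-text policy from the signed tw.pol when the copy on the
# floppy is not to hand (twadmin prints it without asking for a passphrase).
tw_export_policy() {
    /usr/sbin/twadmin --print-polfile > "$1"
}

# Constructed sample of tripwire --init output (modelled on the section above).
TW_SAMPLE_LOG=$(cat <<'EOF'
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /proc/scsi
### No such file or directory
### Continuing...
Wrote database file: /var/lib/tripwire/swinetrek.twd
EOF
)

# Constructed policy fragment in the stock twpol.txt layout.
TW_SAMPLE_POLICY=$(cat <<'EOF'
(
  rulename = "File System and Disk Administraton Programs",
  severity = $(SIG_HI)
)
{
  /sbin/fsck          -> $(SEC_CRIT) ;
  /usr/sbin/fixrmtab  -> $(SEC_CRIT) ;
}
(
  rulename = "Critical devices",
  severity = $(SIG_HI),
  recurse = false
)
{
  /proc/scsi          -> $(Device) ;
  /proc/cpuinfo       -> $(Device) ;
}
EOF
)

# Demonstration on the constructed samples (no Tripwire needed). Real use:
#   tripwire --init 2>&1 | tee /root/tw-init.log
#   tw_comment_out_missing $(tw_missing_paths < /root/tw-init.log) \
#       < /etc/tripwire/twpol.txt > /root/twpol.new
#   tw_rebuild_policy /root/twpol.new
missing=$(printf '%s\n' "$TW_SAMPLE_LOG" | tw_missing_paths)
printf '%s\n' "$TW_SAMPLE_POLICY" | tw_comment_out_missing $missing
```

Only entries whose "No such file or directory" line immediately follows the "Filename:" line are taken, so other file-system errors (a permission problem, say) are left in the policy for you to look at. Commenting out rather than deleting keeps the original entry visible for when the file does turn up later, and re-running --init after re-signing is required because the database is tied to the policy it was built from.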

Now that Tripwire has created its database, you should perform your first Tripwire system check.

9.3.2. Using Tripwire

Use Tripwire to check your system on a regular basis (monthly should be sufficient, unless you have reason to suspect a compromise, in which case check more frequently) and ensure that no part of the setup has changed without your knowledge. You can check your system using the tripwire --check command.

[root@swinetrek kermit]# /usr/sbin/tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### No such file or directory
### Continuing...

Tripwire will whir for a little while (and possibly display missing-file errors, as it did when it built the database), but eventually it will display a long report, like the one shown here:

### Warning: File system error.
### Filename: /proc/scsi
### No such file or directory
### Continuing...
Wrote report file: /var/lib/tripwire/report/swinetrek-20051019-023039.twr

Tripwire(R) 2.3.0 Integrity Check Report

Report generated by:          root
Report created on:            Wed 19 Oct 2005 02:30:39 AM EDT
Database last updated on:     Never

==================================================================
Report Summary:
==================================================================

Host name:                    swinetrek
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/swinetrek.twd
Command line used:            /usr/sbin/tripwire --check

The important part of this report is the Rule Summary section, which shows whether any violations are apparent:

==================================================================
Rule Summary:
==================================================================

------------------------------------------------------------------
  Section: Unix File System
------------------------------------------------------------------

  Rule Name           Severity Level    Added    Removed  Modified
  ---------           --------------    -----    -------  --------
  User binaries       66                0        0        0
  Tripwire Binaries   100               0        0        0
  Critical configuration files
                      100               0        0        0
  Libraries           66                0        0        0
  Operating System Utilities
                      100               0        0        0
  Critical system boot files
                      100               0        0        0
  File System and Disk Administraton Programs
                      100               0        0        0
  Kernel Administration Programs
                      100               0        0        0
  Networking Programs 100               0        0        0
  System Administration Programs
                      100               0        0        0
  Hardware and Device Control Programs
                      100               0        0        0
  System Information Programs
                      100               0        0        0
  Application Information Programs
                      100               0        0        0
  Shell Related Programs
                      100               0        0        0
  Critical Utility Sym-Links
                      100               0        0        0
  Shell Binaries      100               0        0        0
* Tripwire Data Files 100               1        0        0
  System boot changes 100               0        0        0
  OS executables and libraries
                      100               0        0        0
  Security Control    100               0        0        0
  Login Scripts       100               0        0        0
  Root config files   100               0        0        0
  Invariant Directories
                      66                0        0        0
  Temporary directories
                      33                0        0        0
  Critical devices    100               0        0        0

Total objects scanned:  21750
Total violations found:  1

The last line of this section shows that one violation has been found: a file was added to the Tripwire Data Files section. If the Tripwire check shows a violation, you need to identify why that violation arose, and whether it indicates a compromise. The details of any violations are listed in the Object Summary section:

==================================================================
Object Summary:
==================================================================

------------------------------------------------------------------
# Section: Unix File System
------------------------------------------------------------------

------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
------------------------------------------------------------------

Added: "/var/lib/tripwire/swinetrek.twd"

The first time you run tripwire --check, you should find that one file has been added to the Tripwire Data Files section: /var/lib/tripwire/swinetrek.twd is the database file created by Tripwire as part of its initialization. You can be confident that it is a safe addition.


Tip: The change depicted in the above output is indicated as "Severity Level: 100." Higher numbers reflect the increasing seriousness of the errors; 100 is as high as the scale goes. The above error was flagged as potentially being very severe because it identified a change to one of Tripwire's own files, which is considered possible evidence of tampering. You should assess all potential violations and satisfy yourself as to the reasons for them, though: do not ignore those with lower severity levels! The severity level exists primarily for system administrators who run very large networks, allowing them to generate reports of potential compromises at different levels of severity.

After the Object Summary section, Tripwire lists all of the errors it encountered. The first time around, this report should only include the Unix File System errors displayed while Tripwire was running, as well as its copyright notice:

==================================================================
Error Report:
==================================================================

------------------------------------------------------------------
  Section: Unix File System
------------------------------------------------------------------

1.   File system error.
     Filename: /usr/sbin/fixrmtab
     No such file or directory
…
72.  File system error.
     Filename: /proc/scsi
     No such file or directory

------------------------------------------------------------------
*** End of report ***

Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
[root@swinetrek kermit]#

If a file changed, and that change did not show up in the last Tripwire check, you need to work out why the change occurred, and whether that change could be evidence of a compromise.

Once a file has changed, Tripwire will warn you about that change in every subsequent report until you update the database. To update the Tripwire database, and stop those violations from being reported, use the tripwire --update --accept-all --twrfile reportfile command:

[root@swinetrek kermit]# /usr/sbin/tripwire --update \
> --accept-all --twrfile \
> /var/lib/tripwire/report/swinetrek-20051019-221705.twr
Please enter your local passphrase:
Wrote database file: /var/lib/tripwire/swinetrek.twd
[root@swinetrek kermit]#

Warning: When you update the database, any violations that were listed in the report will no longer be considered violations. Be sure that you're satisfied with the reasons why those violations occurred before you update the database to incorporate them.

Note: Updating the database will produce a backup of the old database as /var/lib/tripwire/report/servername.twd.bak. The addition of this file will cause yet another violation, just as the addition of the database file itself did.

Generally speaking, your day-to-day usage of the machine will not cause violations. However, if you install new versions of software packages, the files within those packages will, obviously, change. Tripwire can't tell whether those files were changed by you, or by a cracker, so it will alert you to a violation. It's a good policy to run a Tripwire check before you run yum upgrade or yum install, and before you install any other RPM packages. Resolve any indicated violations to your own satisfaction before upgrading. You can then be reasonably confident that any changes came about because of the upgrade, and as you're happy with the state of the machine, you can go ahead and recompute the Tripwire database.
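The check-before-upgrade habit described in the paragraph above can be made mechanical, using the Rule Summary and Object Summary parts of the report explained under Using Tripwire. The script below is an added example written for this section, not code from the book or from the Tripwire project. It assumes Fedora's default report directory /var/lib/tripwire/report and the Tripwire 2.3 report layout shown in this section; the report text embedded in it is a constructed, cut-down sample rather than real output from the machine in the text.

```shell
#!/bin/sh
# Added example for this section (not from the book or the Tripwire project):
# a pre-upgrade gate that runs tripwire --check, reads back the newest signed
# report with twprint, and refuses to continue while violations are outstanding.
# Assumptions: Fedora's default report directory /var/lib/tripwire/report and
# the Tripwire 2.3 report layout shown in this section.

# Print the number from the "Total violations found:" line of a printed report
# (read on stdin), or "unknown" if the line is missing (truncated report).
tw_violations() {
    awk '
        /^Total violations found:/ { print $NF; found = 1 }
        END { if (!found) print "unknown" }
    '
}

# List what changed, one "Added:/Removed:/Modified: path" per line, taken from
# the Object Summary of a printed report on stdin. Handles both a label with the
# path on the same line and a label followed by quoted paths on their own lines.
tw_changed_objects() {
    awk '
        /^Object Summary:/ { in_obj = 1; next }
        /^Error Report:/   { in_obj = 0 }
        !in_obj            { next }
        /^Rule Name:/      { kind = ""; next }
        /^(Added|Removed|Modified):/ {
            kind = $1
            if (NF > 1) { p = $2; gsub(/"/, "", p); print kind, p }
            next
        }
        /^"/ && kind != "" { p = $0; gsub(/"/, "", p); print kind, p }
    '
}

# Run a check and return success only when the report is clean, so it can be
# chained in front of yum:  tw_pre_upgrade_check && yum upgrade
tw_pre_upgrade_check() {
    report_dir=${TW_REPORT_DIR:-/var/lib/tripwire/report}   # assumption: Fedora default
    # tripwire exits non-zero when it finds violations; the report is what we read.
    /usr/sbin/tripwire --check >/dev/null 2>&1 || :
    latest=$(ls -t "$report_dir"/*.twr 2>/dev/null | head -n 1)
    [ -n "$latest" ] || { echo "tripwire: no report written" >&2; return 2; }
    text=$(/usr/sbin/twprint --print-report --twrfile "$latest")
    n=$(printf '%s\n' "$text" | tw_violations)
    if [ "$n" = 0 ]; then
        echo "tripwire: $latest is clean; safe to upgrade"
        return 0
    fi
    echo "tripwire: $n violation(s) in $latest; resolve them before upgrading:" >&2
    printf '%s\n' "$text" | tw_changed_objects >&2
    return 1
}

# Constructed sample report, cut down from the one shown in this section.
TW_SAMPLE_REPORT=$(cat <<'EOF'
Tripwire(R) 2.3.0 Integrity Check Report

==================================================================
Rule Summary:
==================================================================
  Rule Name           Severity Level    Added    Removed  Modified
* Tripwire Data Files 100               1        0        0

Total objects scanned:  21750
Total violations found:  1

==================================================================
Object Summary:
==================================================================
------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
------------------------------------------------------------------
Added:
"/var/lib/tripwire/swinetrek.twd"

==================================================================
Error Report:
==================================================================
1.   File system error.
     Filename: /usr/sbin/fixrmtab
     No such file or directory
EOF
)

# Demonstration on the constructed sample (no Tripwire needed).
printf 'violations: %s\n' "$(printf '%s\n' "$TW_SAMPLE_REPORT" | tw_violations)"
printf '%s\n' "$TW_SAMPLE_REPORT" | tw_changed_objects
```

The gate deliberately reads the signed .twr file back through twprint rather than trusting the exit status or scraping the console, so the same report you would later pass to tripwire --update --accept-all --twrfile is the one that decided whether the upgrade may go ahead. Once you have satisfied yourself about the listed objects, accept that report, run the upgrade, and then run the check again so the post-upgrade state becomes the new baseline.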




Run Your Own Web Server Using Linux & Apache
ISBN: 0975240226
Year: 2006
Pages: 92