TRIPWIRE

Running install.sh

The install.sh script is used to set up Tripwire and must be run with root privileges. When you run it, you'll be prompted to read and accept the license agreement and choose an install location (the default is usually fine). In addition to these standard operations, you'll be asked to provide a site and local passphrase. These are used to encrypt the Tripwire policies, databases, and configuration files to keep them from being tampered with. Once you've entered the passphrases, the script generates keys to use for encrypting your files. You will be prompted for the site passphrase to encrypt your configuration and policy files. It will keep clear-text versions for you to review, just in case you want to change anything.

Examining the Policy and Configuration Files

The Tripwire policy file tells Tripwire what files to examine, what types of information to look for, and when to alert you that something has changed. The default installed policy file, twpol.txt, consists of variable and rule definitions. This is covered in more detail in the "Understanding Tripwire Policy Files" section a little later in this chapter. The Tripwire configuration file, twcfg.txt, indicates the locations of files and other preferences that the Tripwire application should use. You normally don't need to change the Tripwire configuration from the default.

Both of these files are encrypted by Tripwire using your site passphrase during install. The actual policy and configuration files that are used by Tripwire are called tw.pol and tw.cfg. They are binary, encrypted files and are installed in the /etc/tripwire directory by default. Tripwire also installs clear-text copies of the policy and configuration files (twpol.txt and twcfg.txt) in case you want to view or modify them. It is recommended that you delete any clear-text copies of the files after you have reviewed their contents. If at a later time you need to modify either of these files in clear-text format, you can use the tools discussed in the "Other Tripwire Utilities" section to accomplish this.

Running Tripwire

Tripwire includes four main operating modes: database initialization, integrity checking, database update, and policy update.

Database Initialization Mode Before you can compare the files on your system with correct signatures, you must establish a baseline for those signatures. Database initialization mode uses the policy file to go through and collect signatures. It uses default values from the config file unless you specify other values on the command line. The following command line launches the database initialization mode:

 # tripwire -m i -v 

The -m option is used to specify the mode ( -m i indicates database initialization mode). You are asked to enter your local passphrase to access the database, and then Tripwire will take several minutes to examine your files, constructing a database of file signatures. The -v option is used to show progress. Once the database has been created, it is saved in a binary Tripwire Database (.twd) file, writable only by root (usually in /var/lib/tripwire) and encrypted with your local key. The file can be read only by using the twprint command, which is executable only by root. You'll want to make sure that the file and directory permissions on the Tripwire data directories (/etc/tripwire and /var/lib/tripwire by default) prevent other users on your system from viewing or modifying your Tripwire files.

Integrity Checking Mode This is the normal mode of operation for Tripwire. It scans the files on the system looking for any policy violations. Violation reports are stored in the location defined by the REPORTFILE variable in tw.cfg, which is /var/lib/tripwire/report/ by default.

Several options can accompany this command. You can specify alternative file locations for policies, configurations, databases, and reports. You can turn on interactive mode ( -I ), which opens a plain-text version of the report using the default editor after scanning has completed. To keep your reports encrypted, specify the -E option to prompt you for your local passphrase. You can also deviate from the policy by ignoring certain properties ( -i ), checking only certain severity levels ( -l ), checking only for a specific rule by its name ( -R ), or checking only specific files. For example, if we were concerned only with the integrity of the ls command, we could issue this command:

 # tripwire -m c -v /bin/ls 

Here we're specifying integrity check mode ( -m c ) with verbosity turned on ( -v ). If we don't specify a file at the end of the command, Tripwire checks all files in the database, which is the default. Here it checks only the file /bin/ls.

The following command has Tripwire check only files with a high severity level (above 100):

 # tripwire -m c -v -l 100 

Severity levels and rule names can be defined in the Tripwire policy file. The i , -l , and R options will make more sense after reading the "Understanding Tripwire Policy Files" section.

After your database has been set up and you're ready to start running regular integrity checks, you can set up a cron job to run Tripwire nightly, weekly, or whenever you like.

Database Update Mode If a file changes and that change is legitimate, you'll need to update the database to keep that change from being continually reported as a violation. To use this mode ( -m u ), you need to find your most recent report file and specify it on the command line using the -r option:

 # tripwire -m u -r /var/lib/tripwire/report/host-20030820-235028.twr 

This will bring up a text file of the report in your default text editor, which contains a great deal of information about the scan. It will show you each rule name from your policy, the severity, and how many affected rules detected changes.

If you scroll down to the Object Summary section of the report, you'll see what are called ballot boxes for any changes that occurred between the last database update and the last integrity check:

 ---------Rule Name: Tripwire Data Files (/var/lib/tripwire) Severity Level: 100 ---------Remove the "x" from the adjacent box to prevent updating the database with the new values for this object. Added: [x] "/var/lib/tripwire/originix.twd" 

If you leave the x intact, the database will be updated with the change and this will not be reported in future integrity checks. If you remove the x , you're indicating that this is an undesired change and that the database should remain unchanged.

After you've exited the editor, Tripwire will ask for your local passphrase to allow it to update the database if any database changes have been made. You may also choose to accept all changes without previewing them first by specifying the -a option at the end of the command.

Policy Update Mode As you learn more about Tripwire and receive more and more violations that should be considered false positives, you'll want to toy around with your policy. The following command tells Tripwire to update the default policy file to become the new policy outlined by newpolicy.txt:

 # tripwire -m p newpolicy.txt 

After updating the policy, the database will be updated against the new policy. Again, you'll need your site and local passphrases to be able to access and modify the policy file and database.

We will discuss creating Tripwire policies shortly in "Understanding Tripwire Policy Files."

Other Tripwire Utilities

Tripwire comes with a few other utilities: twprint, twadmin, and siggen.

Twprint As mentioned, twprint has two operating modes: it can be used to print either report files ( -m r ) or database files ( -m d ) in plain text.

Twadmin Twadmin is an administrative front end for creating and viewing configuration files, creating and viewing policy files, adding and removing encryption to files, and generating new encryption keys.

Siggen The siggen utility can be used to display the hash signatures of any file. These hashes are the signatures used by Tripwire for file content comparison and analysis. The hash formats that are supported by Tripwire are Haval, SHA/SHS, MD5, and CRC32.

Understanding Tripwire Policy Files

The policy file tells Tripwire what it should and shouldn't look for. It is usually encrypted and in binary format, but you can run the command twadmin m p > current-policy.txt to save Tripwire's current binary policy file to a clear-text policy file that you can edit. The syntax of a clear-text policy file can be extremely difficult to understand. It contains variable definitions and rule definitions. Each rule consists of two main parts : a filename or directory name and a property mask. Here is part of an example policy file:

 /bin/login                            -> $(SEC_CRIT) ; /bin/ls                               -> $(SEC_CRIT) ; /bin/mail                             -> $(SEC_CRIT) ; /bin/more                             -> $(SEC_CRIT) ; /bin/mt                               -> $(SEC_CRIT) ; /bin/mv                               -> $(SEC_CRIT) ; 

Notice how the filename or object name is separated from the property mask by a -> token. SEC_CRIT is a variable defined in the beginning of the file that refers to a valid property mask. Also note that each rule ends with a semicolon ( ; ).

Valid Property Masks Tripwire masks control which properties are watched on each file. Properties preceded by a plus sign ( + ) are watched, while properties preceded by a minus sign ( - ) are ignored. Properties that have no preceding sign are assumed to be watched, in which case all properties that aren't included on the command line are ignored. Table 12-3 shows a description of each of the properties.

If all you cared about watching was the MD5 hash, file size, permissions, and user/group owners of a file, you would define a rule like this:

 /home/myfile     ->     Mspug 

This could also be written like this:

 /home/myfile     ->     +Mspug-abcdilmnrtCHS 

To make life easier, Tripwire comes with a few predefined variables that can be used for property masks. These are shown in Table 12-4.

You can also define your own property mask variables in the policy file. Remember the SEC_CRIT variable we mentioned at the beginning of this section? SEC_CRIT represents a property mask and is defined as follows :

 SEC_CRIT = $(IgnoreNone)-SHa 

Any rules that use the SEC_CRIT property mask will watch every property except for SHA hash, Haval hash, and last access time.

Some sensible rule definitions using property mask variables might look like this:

 /var/log/messages       ->    $(Growing); /dev/fd0                ->    $(Device); /home/jdoe/.netscape    ->    $(IgnoreAll); /etc/inetd.conf         ->    $(ReadOnly); 

Rule Attributes Rule attributes can be provided to individual rules or groups of rules, as defined in Table 12-5.

Individual rules can be given attributes by appending them in parentheses at the end of the line, before the semicolon. Groups of rules can be given attributes by including the attributes in parentheses first , followed by the rules to be affected by these attributes in brackets. Following are some sample rules from a policy file:

 /var/log/messages       ->    $(Growing) (rulename = Log, severity = 10); /etc                    ->    $(ReadOnly)(rulename = Etc, recurse = 2); (rulename = Bin, severity = 100, recurse = false, emailto="root;gabriel@home") {   /bin/cat                              -> $(IgnoreNone)-SHa ;   /bin/date                             -> $(IgnoreNone)-SHa ;   /bin/dd                               -> $(IgnoreNone)-SHa ;   /bin/df                               -> $(IgnoreNone)-SHa ; } 

We've set up a rule called "Log" with a severity level of 10 for the file /var/log/messages. It uses a property mask of Growing, which indicates that Tripwire is checking such things as ownership, permission, and size for changes. The "Etc" rule uses the recurse attribute to tell Tripwire to go only two directories deep when running integrity checks on files and to use the ReadOnly property mask. Finally, the "Bin" rule groups several checks together with a severity of 100. The rule checks four important Unix applications for all property changes except SHA hash, Haval hash, and last access time. If any of these checks discover a property change, both root on the localhost and gabriel@home are e-mailed.

Special Rules: Stop Points If you want to scan a directory but skip over certain files, you can use special rules called stop points to ignore those files. Stop points are simply file or directory names preceded by an exclamation point:

 /etc -> $(ReadOnly); !/etc/dhcpd.leases; !/etc/motd; 

This rule says to make sure everything in the /etc directory is read-only except for the files /etc/dhcpd.leases and /etc/motd.

Directives Finally, the policy file may contain directives that allow you to print diagnostic messages when certain parts in the policy are reached as well as test for certain host conditions. The idea is to allow a single policy file to be used on multiple different Tripwire platforms and OSs. This becomes useful when you consider some of the advantages of the commercial Tripwire version, which are discussed shortly in the "Implementation: The Commercial Edition" section. The available directives are listed here.

• @@section Begin a new section of the file. This directive can be followed by an argument: FS, NTFS, or NTREG. For the Open Source version, we only care about FS (for Unix file system) sections. NTFS and NTREG sections of the file are used by the commercial Tripwire for watching specific NTFS (NT File System) or Windows registry properties (using different property masks, which will be covered later in the "Editing Policy Files to Support Multiple OSs" section). This allows you to use a single policy file for your entire network. If no argument is specified after the section directive, FS is assumed. There is no need to end a section, as Tripwire will just look for the next section directive and interpret it as the end of the previous section.

• @@ifhost, @@else, @@endif These directives can be used for host-specific sections of a file. Unlike section directives, @@ifhost directives need to be ended with @@endif directives. This allows you to run a ruleset against only a single host or group of hosts by using something similar to the following: @@ifhost originix badman # define rules for only hosts originix and badman here @@endif

• @@print, @@error These directives are used to print debugging messages from within the policy file. @@print simply prints to standard output, but @@error will print as well as cause Tripwire to exit abnormally. The following example tells Tripwire to complain if we try to check host cauliflower because we haven't defined any rules for cauliflower yet.

   @@ifhost cauliflower @@error "We haven't written any policy rules for host cauliflower yet" @@endif 

• @@end This directive signifies the end of the policy file. Tripwire stops reading the file when it reaches this point.

Using a New Policy File After you've modified or built a new policy file (let's call it newpolicy.txt), use the command tripwire -m p newpolicy.txt to make Tripwire use your new policy and update its signature database accordingly .

 "Agent1","Default Group/Demo","192.168.1.105","1169","Memo","s_pwd","l_pwd" 

 @@@section NTFS WINDOWS="C:\WINNT\"; EVAL_EMAIL_TARGET="root@hostname"; (rulename = Windows, severity = 100, recurse = 1, emailto=$(EVAL_EMAIL_TARGET)) { $(WINDOWS)           -> $(ReadOnly)-&write; !$(WINDOWS)SchedLgU.txt; } 

 HKLM="HKEY_LOCAL_MACHINE"; @@section FS # Alert if the last modification/write time (m) on /etc/passwd has changed  /etc/passwd         -> +m;  @@section NTFS # Alert if the last write time (&write) on c:\winnt\win.ini has changed  C:\WINNT\WIN.INI     -> +&write;  @@section NTREG # Alert if the last access time (&write) on # \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce # has changed  $(HKLM)\Software\Microsoft\Windows\CurrentVersion\RunOnce -> +&write;