Lesson 13

Date: 7/3/2017
Application security and Intrusion detection
Linux System Administration

Tripwire filesystem integrity checking
  • Install Tripwire on testub:
    apt-get install tripwire
    Skip Tripwire initialization during the installation.
  • To initialize Tripwire, you need to set up
      - local key and site key
      - configuration file, twcfg.txt
      - policy file, twpol.txt
      - encrypt them with the site key --> tw.cfg, tw.pol
  • Generate the site and local keys:
    SITE_KEY=/etc/tripwire/site.key
    LOCAL_KEY=/etc/tripwire/$(hostname)-local.key   # Debian names the local key after the host
    twadmin --generate-keys --site-keyfile $SITE_KEY
    twadmin --generate-keys --local-keyfile $LOCAL_KEY
    Remember the passphrase.
    Two new files, site.key and desktop...-local.key, appear in directory /etc/tripwire.

    The default configuration file, /etc/tripwire/twcfg.txt, is okay to use as it is. It sets the file paths and some environment variables.
    The policy file contains rule names, severity levels, and the file systems list.
  • Modify the policy file, /etc/tripwire/twpol.txt as follows:
      - remove /root (the whole section)
      - remove /etc/rc.boot
      - remove /proc
      - after /dev, add
        !/dev/pts ;
        !/dev/shm ;
  • The site key encrypts/signs the configuration and policy files, tw.cfg, tw.pol; the local key encrypts/signs the database. Sign the configuration and policy files:
    DIR=/etc/tripwire
    twadmin --create-cfgfile --cfgfile $DIR/tw.cfg --site-keyfile $SITE_KEY $DIR/twcfg.txt
    twadmin --create-polfile --cfgfile $DIR/tw.cfg --site-keyfile $SITE_KEY $DIR/twpol.txt
    The new files tw.cfg and tw.pol are encrypted with site.key and not human readable.

  • Build the Tripwire database and sign it with the local key:
    tripwire --init

    Remove the plain-text configuration and policy files (in /etc/tripwire) for better protection:
    rm twcfg.txt twpol.txt

    Note that if you need to modify them later, they can be regenerated from tw.cfg and tw.pol:
    twadmin --print-cfgfile > twcfg.txt
    twadmin --print-polfile > twpol.txt

  • Run system integrity check:
    tripwire --check

  • Create a new file, /etc/newfile.txt, and run the integrity check again.
  • Print the last tripwire report:
    LAST_REPORT=$(ls -1t /var/lib/tripwire/report/* | head -1)
    twprint --print-report --twrfile $LAST_REPORT
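The policy edits in the "Modify the policy file" step above are easy to get wrong by hand, and a wrongly edited twpol.txt only shows up when twadmin refuses to sign it or the database is rebuilt against the wrong rules. The script below is an added example, not part of the lesson and not Tripwire's own tooling: it applies the same three edits with awk (drop the whole /root rule block, drop the /etc/rc.boot and /proc entries, add the !/dev/pts and !/dev/shm exclusions after /dev), shows the resulting diff for review, and then signs the policy and rebuilds the database exactly as the lesson does. It assumes the Debian twpol.txt layout (rule blocks of the form `( rulename = ..., severity = ... ) { /path -> $(SEC_...) ; ... }` with one path per line) and the lesson's DIR and SITE_KEY locations; the sample policy in sample_policy is constructed for a dry run and is not a real policy file.

```shell
#!/bin/sh
# Added example, not part of the lesson and not Tripwire's own tooling.
# Applies the lesson's twpol.txt edits with awk so the policy change is
# repeatable and can be diffed before it is signed.
# Assumptions: Debian twpol.txt layout, i.e. rule blocks of the form
#   ( rulename = "...", severity = ... ) { /path -> $(SEC_...) ; ... }
# with one path per line, and the lesson's DIR / SITE_KEY locations.

DIR=/etc/tripwire
SITE_KEY=$DIR/site.key

# edit_policy: read a twpol.txt on stdin, write the edited policy on stdout.
#   1. drop the whole rule block whose body watches /root
#   2. drop the /etc/rc.boot and /proc entries
#   3. add "!/dev/pts ;" and "!/dev/shm ;" right after the /dev entry
edit_policy() {
    awk '
    # Buffer each "( ... ) { ... }" block and emit it only if it does not list /root.
    /^[ \t]*\(/ && !inblock { inblock = 1; buf = ""; drop = 0 }
    inblock {
        buf = buf $0 "\n"
        if ($1 == "/root") drop = 1
        if ($0 ~ /^[ \t]*}/) {          # closing brace ends the block body
            if (!drop) printf "%s", buf
            inblock = 0
        }
        next
    }
    { print }
    ' | awk '
    /^[ \t]*\/etc\/rc\.boot[ \t]/ { next }   # remove /etc/rc.boot
    /^[ \t]*\/proc[ \t]/          { next }   # remove /proc
    { print }
    /^[ \t]*\/dev[ \t]/ {                    # exclusions go right after /dev
        print "        !/dev/pts ;"
        print "        !/dev/shm ;"
    }
    '
}

# apply_policy: edit the live policy, show the diff, sign it and rebuild the database.
# This is the real-system path; it needs twadmin and tripwire on the box.
apply_policy() {
    twadmin --print-polfile > "$DIR/twpol.txt"             # recover the current text policy
    edit_policy < "$DIR/twpol.txt" > "$DIR/twpol.txt.new"
    diff -u "$DIR/twpol.txt" "$DIR/twpol.txt.new" || true  # review the change first
    mv "$DIR/twpol.txt.new" "$DIR/twpol.txt"
    twadmin --create-polfile --cfgfile "$DIR/tw.cfg" --site-keyfile "$SITE_KEY" "$DIR/twpol.txt"
    tripwire --init                                        # database must match the new policy
    rm "$DIR/twpol.txt"                                    # keep only the signed tw.pol
}

# sample_policy: constructed sample in the twpol.txt style for a dry run (not a real policy file).
sample_policy() {
    cat <<'EOF'
(
  rulename = "Root config files",
  severity = $(SIG_HI)
)
{
        /root                           -> $(SEC_CRIT) ;
        /root/.bashrc                   -> $(SEC_CONFIG) ;
}

(
  rulename = "Boot Scripts",
  severity = $(SIG_HI)
)
{
        /etc/init.d                     -> $(SEC_BIN) ;
        /etc/rc.boot                    -> $(SEC_BIN) ;
}

(
  rulename = "Devices and Kernel information",
  severity = $(SIG_HI)
)
{
        /dev                            -> $(Device) ;
        /proc                           -> $(Device) ;
}
EOF
}

# Dry run on the sample:  sh policy-edit.sh --dry-run
# Real system:            sh policy-edit.sh --apply   (as root, in /etc/tripwire)
if [ "${1:-}" = "--dry-run" ]; then
    sample_policy | edit_policy
elif [ "${1:-}" = "--apply" ]; then
    apply_policy
fi
```

The dry run prints the sample with the /root block gone, /etc/rc.boot and /proc removed, and the two exclusions directly under /dev; on the real system the diff is shown before anything is signed, and tripwire --init is run afterwards because a database built under the old policy does not match the new rules.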

