http://www.thegeekstuff.com/2008/12/tripwire-tutorial-linux-host-based-intrusion-detection-system/

Tripwire Tutorial: Linux Host Based Intrusion Detection System
by Ramesh Natarajan on December 8, 2008

Tripwire is a host based intrusion detection system (HIDS) for Linux. It records a baseline of the files and directories named in its policy and later compares the live system against that baseline to detect and report unauthorized changes: which files were added, removed or modified, and what changed about them (permissions, ownership, size, timestamps and checksums). Note that Tripwire does not record who made a change; it shows the current owner and timestamps of the object, so attribution has to come from your system logs. If the changes are legitimate, you update the tripwire database to accept them. For a general monitoring solution, please refer to our previous articles on Nagios.

This step by step guide explains how to install and configure the open source version of tripwire.

1. Download Tripwire

Download the latest tripwire open source version from the tripwire sourceforge project website and extract the source code under /usr/src as shown below. Verify the tarball against the checksum or signature published by the project before building it: the integrity checker itself is the last thing you want to install from a tampered download.

    # cd /usr/src
    # wget http://internap.dl.sourceforge.net/sourceforge/tripwire/tripwire-2.4.1.2-src.tar.bz2
    # bzip2 -d tripwire-2.4.1.2-src.tar.bz2
    # tar xvf tripwire-2.4.1.2-src.tar

2. Install Tripwire

Use the --prefix option as shown below to specify the installation directory. In this example, tripwire is installed under /opt/tripwire. During make install, the installer prompts you for various inputs; the prompts and the answers to give are marked with [Note: ...] below.

    # cd tripwire-2.4.1.2-src
    # ./configure --prefix=/opt/tripwire
    # make
    # make install

    make[3]: Entering directory `/usr/src/tripwire-2.4.1.2-src'
    prefix="/opt/tripwire" sysconfdir="/opt/tripwire/etc" \
    path_to_vi="/bin/vi" path_to_sendmail="/usr/sbin/sendmail" \
    ./install/install.sh

    Installer program for: Tripwire(R) 2.4 Open Source

    LICENSE AGREEMENT for Tripwire(R) 2.4 Open Source

    Please read the following license agreement. You must accept the
    agreement to continue installing Tripwire.

    Press ENTER to view the License Agreement.
    [Note: Press the enter key as instructed to view the license]

    Please type "accept" to indicate your acceptance of this
    license agreement. [do not accept] accept
    [Note: Type accept to accept the license]

    This program will copy Tripwire files to the following directories:

        TWBIN: /opt/tripwire/sbin
        TWMAN: /opt/tripwire/man
        TWPOLICY: /opt/tripwire/etc
        TWREPORT: /opt/tripwire/lib/tripwire/report
        TWDB: /opt/tripwire/lib/tripwire
        TWSITEKEYDIR: /opt/tripwire/etc
        TWLOCALKEYDIR: /opt/tripwire/etc

    CLOBBER is false.

    Continue with installation? [y/n] y
    [Note: Press y to continue the installation]

    The Tripwire site and local passphrases are used to sign a variety
    of files, such as the configuration, policy, and database files.

    (When selecting a passphrase, keep in mind that good passphrases typically
    have upper and lower case letters, digits and punctuation marks, and are
    at least 8 characters in length.)

    Enter the site keyfile passphrase:
    Verify the site keyfile passphrase:
    [Note: Assign a passphrase for the site keyfile.]
    Generating key (this may take several minutes)...Key generation complete.

    (When selecting a passphrase, keep in mind that good passphrases typically
    have upper and lower case letters, digits and punctuation marks, and are
    at least 8 characters in length.)

    Enter the local keyfile passphrase:
    Verify the local keyfile passphrase:
    [Note: Assign a passphrase for the local keyfile.]
    Generating key (this may take several minutes)...Key generation complete.

    Creating signed configuration file...
    Please enter your site passphrase:
    [Note: Enter the site passphrase.]
    Wrote configuration file: /opt/tripwire/etc/tw.cfg

    Creating signed policy file...
    Please enter your site passphrase:
    [Note: Enter the site passphrase.]
    Wrote policy file: /opt/tripwire/etc/tw.pol

    The installation succeeded.

Two passphrases are created during the installation:

  * The site passphrase signs the tw.cfg tripwire configuration file and the tw.pol tripwire policy file.
  * The local passphrase signs the tripwire database and report files.

You have to assign a site passphrase even for a single instance of tripwire. Keep the two passphrases separate and do not store them on the monitored host: anyone holding the local passphrase can re-baseline the database over their own changes, and anyone holding the site passphrase can silently narrow the policy.

3. Initialize Tripwire Database

For the first time use, you should initialize the tripwire database as shown below. This records the baseline that every later check is compared against, so run it on a host you trust to be clean (ideally right after installation, before it is exposed to the network).

    # cd /opt/tripwire/sbin/
    # ./tripwire --init
    Please enter your local passphrase:
    Parsing policy file: /opt/tripwire/etc/tw.pol
    Generating the database...
    *** Processing Unix File System ***
    ### Warning: File system error.
    ### Filename: /cdrom
    ### No such file or directory
    ### Continuing...
    ### Warning: File system error.
    ### Filename: /floppy
    ### No such file or directory
    ### Continuing...
    ### Warning: File system error.
    ### Filename: /initrd
    ### No such file or directory
    ### Continuing...
    The object: "/sys" is on a different file system...ignoring.
    Wrote database file: /opt/tripwire/lib/tripwire/prod-db-srv.twd
    The database was successfully generated.

4. Modify Tripwire Policy File

As shown above, during the tripwire database initialization it may display a "No such file or directory" error message for some of the default files mentioned in the tripwire policy file. If your system doesn't have those files, edit the policy file and comment out those entries. For example, modify the /opt/tripwire/etc/twpol.txt tripwire policy file and comment out /cdrom and /floppy as shown below.

    (
      rulename = "OS Boot Files and Mount Points",
    )
    {
      /boot           -> $(ReadOnly) ;
      # /cdrom        -> $(Dynamic) ;
      # /floppy       -> $(Dynamic) ;
      /mnt            -> $(Dynamic) ;
    }

Using the tripwire policy file you define the directories and files that need to be monitored for changes. You can also be more granular and specify the file attributes that should be either monitored or ignored. The following UNIX system properties can be monitored by tripwire:

  * File addition, deletion and modification
  * File permissions and properties
  * Access timestamp
  * Modification timestamp
  * File type and file size
  * User id of owner and group id of owner
  * Hash checking:
      - CRC-32, POSIX 1003.2 compliant 32-bit Cyclic Redundancy Check
      - MD5, the RSA Security Message Digest Algorithm
      - SHA, part of the SHS/SHA algorithm (SHA-1 in this release)
      - HAVAL, a strong 128-bit signature algorithm

CRC-32 is an error-detecting checksum, not a cryptographic hash, and MD5 collisions are practical, so do not rely on those two alone to detect a deliberate substitution; keep a SHA or HAVAL property on any rule that protects binaries, configuration or credentials.

Once the signed tw.pol is in place, the cleartext twpol.txt (and twcfg.txt) should be removed from the host or moved to protected media: they tell an attacker exactly which paths are and are not monitored, and you can regenerate them at any time with twadmin (see step 9).

5. Update Tripwire Policy File

Once you've modified the policy file, it needs to be re-signed and the database updated as shown below.

    # ./tripwire --update-policy --secure-mode low ../etc/twpol.txt
    Parsing policy file: /opt/tripwire/etc/twpol.txt
    Please enter your local passphrase:
    Please enter your site passphrase:
    ======== Policy Update: Processing section Unix File System.
    ======== Step 1: Gathering information for the new policy.
    ### Warning: Policy Update Changed Object.
    ### An object has been changed since the database was last updated.
    ### Object name: Conflicting properties for object
    ### /u01/app/oracle/oradata/dbfiles/prod01.dbf
    ### > Modify Time
    ### > CRC32
    ### > MD5
    ======== Step 2: Updating the database with new objects.
    ======== Step 3: Pruning unneeded objects from the database.
    Wrote policy file: /opt/tripwire/etc/tw.pol
    Wrote database file: /opt/tripwire/lib/tripwire/prod-db-srv.twd

Note: if any files have been modified between the tripwire initialization and the policy update, they will be listed under the "Step 1: Gathering information for the new policy" output of the above command, as prod01.dbf is here. With --secure-mode low, tripwire warns about such objects and goes on to write their new values into the database; in the default high secure mode it refuses to complete the update instead. Review every object listed in Step 1 before accepting a low-mode update, because anything an intruder changed in the meantime is baselined as normal.

6. Check for any changes to the files and update tripwire database

Once the tripwire setup is completed, you should regularly perform checks to find out what files were added or modified since the last time the tripwire database was updated. You can perform this check interactively from the command line as shown below.

    # ./tripwire --check --interactive
    Parsing policy file: /opt/tripwire/etc/tw.pol
    *** Processing Unix File System ***
    Performing integrity check...
    Wrote report file: /opt/tripwire/lib/tripwire/report/prod-db-srv-20081204-114336.twr

This automatically opens the tripwire report in vi, where you can review all the files that have been added or modified on the system. As shown below, the "Added" and "Modified" files have a check mark in front of them, indicating that you are accepting these changes to be written to the tripwire database. Remove the "x" from the adjacent box to prevent updating the database with the new values for that object. Only partial output is shown.

    Remove the "x" from the adjacent box to prevent updating the database
    with the new values for this object.

    Added:
    [x] "/u01/app/oracle/diag/rdbms/proddb/proddb/trace/proddb_m000_11376.trc"
    [x] "/u01/app/oracle/diag/rdbms/proddb/proddb/trace/proddb_m000_11376.trm"

    Modified:
    [x] "/u01/app/oracle/diag/rdbms/proddb/proddb/metadata/INC_METER_CONFIG.ams"
    [x] "/u01/app/oracle/diag/rdbms/proddb/proddb/metadata/INC_METER_INFO.ams"

    ===============================================================================
    Report Summary:
    ===============================================================================

    Host name:                    prod-db-srv
    Host IP address:              192.168.1.10
    Host ID:                      None
    Policy file used:             /opt/tripwire/etc/tw.pol
    Configuration file used:      /opt/tripwire/etc/tw.cfg
    Database file used:           /opt/tripwire/lib/tripwire/prod-db-srv.twd
    Command line used:            ./tripwire --check --interactive

    Added object name:  /u01/app/oracle/diag/rdbms/proddb/proddb/trace/proddb_m000_11376.trc

      Property:            Expected                    Observed
      -------------        -----------                 -----------
    * Object Type          ---                         Regular File
    * Device Number        ---                         2049
    * Inode Number         ---                         12026017
    * Mode                 ---                         -rw-r-----
    * Num Links            ---                         1
    * UID                  ---                         oracle (1082)
    * GID                  ---                         oinstall (1083)
    * Size                 ---                         837
    * Modify Time          ---                         Sat 06 Dec 2008 10:01:51 AM PST
    * Blocks               ---                         8
    * CRC32                ---                         AYxMeo
    * MD5                  ---                         AXSkOul8R/np0fQP4q3QLv

    Modified object name:  /u01/app/oracle/diag/tnslsnr/proddb/listener/trace/listener.log

      Property:            Expected                    Observed
      -------------        -----------                 -----------
      Object Type          Regular File                Regular File
      Device Number        2049                        2049
      Inode Number         2295281                     2295281
      Mode                 -rw-r-----                  -rw-r-----
      Num Links            1                           1
      UID                  oracle (1082)               oracle (1082)
      GID                  oinstall (1083)             oinstall (1083)
    * Size                 5851880                     5858608
    * Modify Time          Sat 06 Dec 2008 09:58:53 AM PST   Sat 06 Dec 2008 11:39:56 AM PST
    * Blocks               11456                       11472
    * CRC32                ANdM8R                      CK+bWM
    * MD5                  DCW84lCuD2YJOhQd/EuVsn      CV8BMvZNJB9KQBXAf5yRDY

Properties marked with an asterisk are the ones that differ from the baseline. After you save and quit the editor, tripwire asks for the local passphrase before writing the accepted changes to the database (a mistyped passphrase is simply re-prompted):

    Please enter your local passphrase:
    Incorrect local passphrase.
    Please enter your local passphrase:
    Wrote database file: /opt/tripwire/lib/tripwire/prod-db-srv.twd

7. How to view the twr report file?

All the tripwire report files with the *.twr extension are stored under the /opt/tripwire/lib/tripwire/report directory. The tripwire report file *.twr is not a text file that you can view directly. In order to view the report, use twprint to convert the *.twr file to readable text as shown below.

    # ./twprint --print-report --twrfile \
        /opt/tripwire/lib/tripwire/report/prod-db-srv-20081204-114336.twr > \
        /tmp/readable-output.txt

8. Monitor Linux System Integrity Regularly

Add a tripwire check as a cron job to monitor and report any changes on an on-going basis. For example, add the following line to root's crontab to execute a tripwire check daily at 4:00 a.m.

    # Tripwire Monitor process
    00 4 * * * /opt/tripwire/sbin/tripwire --check

Check mode needs no passphrase, so it runs unattended, but on its own it only writes a new *.twr under the report directory. To have the result delivered, add --email-report to the command; tripwire then mails the report to the emailto addresses set on the policy rules using the MAILMETHOD and MAILPROGRAM from tw.cfg (with MAILNOVIOLATIONS=true, as in the configuration shown in step 9, a mail is sent even when nothing changed, which doubles as a heartbeat that the job is still running). Because an attacker with root can re-run --init or --update on the host, also keep a copy of the tripwire binaries, keys and database on read-only or off-host media and periodically check the host against that copy rather than only against the on-host database.

9. Tripwire Configuration and Policy File Locations

Use twadmin to view the currently installed (signed) tripwire policy file. Only partial output is shown below.

    # ./twadmin --print-polfile
    @@section GLOBAL
    TWDOCS="/opt/tripwire/doc/tripwire";
    TWBIN="/opt/tripwire/sbin";
    TWPOL="/opt/tripwire/etc";
    TWDB="/opt/tripwire/lib/tripwire";
    TWSKEY="/opt/tripwire/etc";
    TWLKEY="/opt/tripwire/etc";
    TWREPORT="/opt/tripwire/lib/tripwire/report";
    HOSTNAME=prod-db-srv;

Use twadmin to print the signed configuration file, which records where all the tripwire files live and how reports are delivered:

    # ./twadmin --print-cfgfile
    ROOT                   =/opt/tripwire/sbin
    POLFILE                =/opt/tripwire/etc/tw.pol
    DBFILE                 =/opt/tripwire/lib/tripwire/$(HOSTNAME).twd
    REPORTFILE             =/opt/tripwire/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
    SITEKEYFILE            =/opt/tripwire/etc/site.key
    LOCALKEYFILE           =/opt/tripwire/etc/prod-db-srv-local.key
    EDITOR                 =/bin/vi
    LATEPROMPTING          =false
    LOOSEDIRECTORYCHECKING =false
    MAILNOVIOLATIONS       =true
    EMAILREPORTLEVEL       =3
    REPORTLEVEL            =3
    MAILMETHOD             =SENDMAIL
    SYSLOGREPORTING        =false
    MAILPROGRAM            =/usr/sbin/sendmail -oi -t
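The check-and-report loop from steps 6 through 8, as an added shell example that is not part of the original article or of Tripwire itself. It assumes the /opt/tripwire layout used above (overridable through the TWBIN and TWREPORT variables); the exit-status bit values are the ones documented in tripwire(8) and should be confirmed against the man page of your build; and the embedded report text is a constructed sample in twprint's layout, not a real report. The parser also accepts the "[x]" checkbox listing from the interactive check, so the same function can summarize a report before you decide what to accept.

```shell
#!/bin/sh
# Added example (not from the tutorial or the Tripwire project): a cron-friendly
# wrapper around "tripwire --check" that decodes the exit status and summarizes
# the report that twprint produces. Paths assume the /opt/tripwire prefix used
# in the article; override with the TWBIN / TWREPORT environment variables.

TWBIN=${TWBIN:-/opt/tripwire/sbin}
TWREPORT=${TWREPORT:-/opt/tripwire/lib/tripwire/report}

# tripwire(8) documents the check-mode exit status as a bitmask:
# 1 = objects added, 2 = objects removed, 4 = objects changed, 8 = error.
# (Confirm against the man page of the build you run.) Prints the set bits as words.
tw_status_words() {
    st=$1
    out=""
    [ $((st & 1)) -ne 0 ] && out="$out added"
    [ $((st & 2)) -ne 0 ] && out="$out removed"
    [ $((st & 4)) -ne 0 ] && out="$out changed"
    [ $((st & 8)) -ne 0 ] && out="$out error"
    [ -z "$out" ] && out=" clean"
    printf '%s\n' "${out# }"
}

# Shared awk program for the twprint text report (and for the interactive
# "[x]" listing from step 6): object names appear quoted under "Added:",
# "Removed:" and "Modified:" headings, grouped per "Rule Name:" block.
TW_AWK='
    /^Rule Name:/  { sec = "" }
    /^Added:$/     { sec = "added";    next }
    /^Removed:$/   { sec = "removed";  next }
    /^Modified:$/  { sec = "modified"; next }
    sec != "" && /^(\[[x ]\] )?"\// {
        sub(/^(\[[x ]\] )?"/, ""); sub(/"$/, "")
        n[sec]++
        if (mode == "list") print sec, $0
    }
    END {
        if (mode == "count")
            printf "added=%d removed=%d modified=%d\n", n["added"], n["removed"], n["modified"]
    }
'

# Report text on stdin -> one "section /path" line per violated object.
tw_report_list()   { awk -v mode=list  "$TW_AWK"; }
# Report text on stdin -> "added=N removed=N modified=N".
tw_report_counts() { awk -v mode=count "$TW_AWK"; }

# Run the check, then render the newest .twr with twprint and summarize it.
# Check mode needs no passphrase, so this can run unattended from cron.
run_check() {
    "$TWBIN/tripwire" --check >/dev/null 2>&1
    st=$?
    printf 'tripwire check: %s (exit %d)\n' "$(tw_status_words "$st")" "$st"
    latest=$(ls -t "$TWREPORT"/*.twr 2>/dev/null | head -n 1)
    if [ "$st" -ne 0 ] && [ -n "$latest" ]; then
        "$TWBIN/twprint" --print-report --twrfile "$latest" | tw_report_counts
        "$TWBIN/twprint" --print-report --twrfile "$latest" | tw_report_list
    fi
    return "$st"
}

# Constructed sample in twprint's layout (object names taken from the article's
# report; the removed entry is made up) so the parser can be exercised offline.
SAMPLE_REPORT='Rule Name: Oracle diagnostic files (/u01/app/oracle/diag)
Severity Level: 66
-------------------------------------------------------------------------------

Added:
"/u01/app/oracle/diag/rdbms/proddb/proddb/trace/proddb_m000_11376.trc"
"/u01/app/oracle/diag/rdbms/proddb/proddb/trace/proddb_m000_11376.trm"

Modified:
"/u01/app/oracle/diag/tnslsnr/proddb/listener/trace/listener.log"

Rule Name: OS Boot Files and Mount Points (/boot)
Severity Level: 100
-------------------------------------------------------------------------------

Removed:
"/boot/grub/menu.lst"
'

if [ -x "$TWBIN/tripwire" ]; then
    run_check            # real run: exit status carries the violation bits to cron
else
    printf '%s' "$SAMPLE_REPORT" | tw_report_counts   # offline demonstration
fi
```

From cron, replace the bare `tripwire --check` line with this script so that the job's exit status and a one-line summary reach whatever collects cron output; add `--email-report` to the tripwire call if you want the full report mailed to the rules' emailto addresses as well.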