
Page 1

Copyright ©2006 CNET Networks, Inc. All rights reserved.

For more downloads and a free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html

Version 1.0
February 2, 2006

Establish your Linux filesystem integrity auditing system with the Tripwire utility

By Chad Perrin

Takeaway

Filesystem integrity auditing is an important part of any system administrator's security program.

Tripwire

When most system administrators think of system security, they think of firewalls, network configuration, services management, and user policy. Rarely, they might even think of reactive defenses like rootkit checking. However, a task of great importance to the really security-conscious system administrator is filesystem integrity auditing. This integrity auditing involves keeping track of the state of your system's filesystem, and checking it periodically for unauthorized changes. When a suspicious change is detected, it's time to determine whether this was caused by an intruder and, if necessary, do damage control. While the damage control might be time-consuming, and even expensive, it's far better than letting the security compromise go unaddressed.

By far the best-known filesystem integrity auditing tool in a Linux or UNIX environment is Tripwire. There is a commercial version of Tripwire available, but I will be addressing how you use the open source version (often referenced as "tripwire", without the capital "T"). The open source tripwire utility is a highly functional, very capable tool, and is a critical part of secure system administration. It is rare that a Linux system connected to the Internet should not have Tripwire installed: when in doubt, use it.

The tripwire tool is actually very simple in concept. It maintains a database that contains a "snapshot" of the filesystem, created by way of a policy defining what parts of your filesystem should be examined for unauthorized changes. The tripwire policy in general not only defines the snapshot, but also provides a set of rules for what constitutes an unauthorized or suspicious change in the state of the filesystem. When tripwire audits your filesystem, it uses the policy to examine the current state of the filesystem and compare it against the snapshot, and then it produces a report based on what it finds. Typical configurations have tripwire run once every day, usually late at night when nobody is likely to be using the system in question.

Your first tripwire snapshot should be created when you first install the operating system, before you ever connect it to the network or otherwise make it available to users and to other less trustworthy data sources. If you are retrofitting your system with tripwire, you might consider a plan to recreate your system configuration from scratch with tripwire in place from day one to ensure that there are not already some system compromises in place before tripwire is ever introduced to your system security practice.


Caveats

Tripwire does have some problems that you should be aware of. These problems are divisible into two headings: convenience (also known as "administrative overhead") and weakness. The convenience issue centers on the fact that tripwire reports can be long and tedious to view and analyze, and the fact that you will have to update the tripwire database regularly if you make frequent changes to files audited by your tripwire policy. You will have to work out how best to mitigate these problems for yourself, based on the specific needs of your circumstances.

The weakness issue is mostly concerned with the fact that filesystem integrity auditing must necessarily be done on a periodic basis, rather than in real time. The reason for this is that real-time filesystem auditing would require prohibitive system resources, grinding your system's performance to a virtual halt so that it cannot do the job it's meant to do. The problem with periodic checks is that, for instance, if you make a change to a file after one audit, and a cracker modifies it again before the next audit, tripwire (or whatever auditing tool you use) will report a change that you will then attribute to your own activities, and you may not be aware that anything untoward has happened. You should also be aware that, like any other security measure, Tripwire is not infallible. It is, however, a marked improvement, if used well, over its absence.

Despite these problems, tripwire is an excellent tool for increasing system security, and it is far better to use it than not. Other excellent filesystem integrity auditing tools exist, such as Samhain and AIDE. Because tripwire is the industry standard, and the most common such tool, it's the tool that I will be addressing here. I encourage you to investigate your options, however, and choose the tool that best suits your needs (or the tools, if you choose more than one). While it is unlikely that multiple filesystem integrity auditing tools will provide reasonable additional benefit, that too is a choice you should make yourself based on available information.

Setting up tripwire

How tripwire gets installed on your system in the first place is dependent on you. Major Linux distributions typically include tripwire in their software repositories so that you can use your distribution's package manager to download and install the software. For instance, on Debian, you might type apt-get install tripwire. You might also choose to get tripwire from its Open Source Tripwire project page on SourceForge.

Depending on how it's installed, some of the process of setting it up might be accomplished automatically as part of the installation procedure. Some Linux distributions provide a system configuration utility front end to tripwire's setup scripts that can make things easier. If that's not the case, or if you opt out of using the system-specific front end, you'll have to set up tripwire yourself.

First, you'll need to sign in as the root user and navigate to the /etc/tripwire directory. Once there, run the twinstall.sh script, followed by starting tripwire itself in database initialization mode using the --init switch. Finally, remove the twcfg.txt and twpol.txt files located in the /etc/tripwire directory. The series of commands, with a # prompt indicating you are the root user, should look something like this:

# cd /etc/tripwire
# ./twinstall.sh
# tripwire --init
# rm twcfg.txt
# rm twpol.txt


It is possible you may not have the twinstall.sh script. If this is the case, the things twinstall.sh is designed to do must be done by you. This includes creating site and local keys for ensuring the integrity of the policy and configuration files for tripwire. Start out by generating site and local keys, still from within the /etc/tripwire directory. Then, sign the configuration and policy files with the site key, and finally change file permissions. In the following, "host" should be replaced with the hostname of the local system on which tripwire is being installed and configured:

# twadmin --generate-keys --site-keyfile site.key
# twadmin --generate-keys --local-keyfile host-local.key
# twadmin --create-cfgfile --cfgfile tw.cfg --site-keyfile site.key twcfg.txt
# twadmin --create-polfile --cfgfile tw.cfg --site-keyfile site.key twpol.txt
# chown root:root site.key host-local.key tw.cfg tw.pol
# chmod 600 site.key host-local.key tw.cfg tw.pol

Once this is done, perform the next three steps as you would after using twinstall.sh:

# tripwire --init
# rm twcfg.txt
# rm twpol.txt

The final removal of the twcfg.txt and twpol.txt files is a security measure. The tw.cfg and tw.pol files provide the actual functionality, and the two .txt files are simply plain-text versions of the same things from which the working copies are generated. Before going through the above steps, you should edit twcfg.txt and twpol.txt to suit your needs.

Using tripwire

Once it is set up, of course, you need to be able to make use of tripwire. The best approach to that is the very simple command:

# tripwire --check

Aside from manpages, you can get a brief help message about the uses of tripwire with --check by entering it with the --help switch:

# tripwire --check --help

To automate the process of doing an integrity check with tripwire, you can create a cron job entry for a regularly scheduled system check. This involves editing your system's crontab file in the /etc directory, or adding an appropriate execution script to the /etc/cron.daily directory, as appropriate for your distribution and system configuration policy. To edit the crontab file, open the /etc/crontab file in the text editor of your choice, and add a line for tripwire check execution. For example, to perform a check at 2:00 AM every day, you would enter the following line (the system-wide /etc/crontab takes a user field, root here, between the schedule and the command):

0 2 * * * root /usr/sbin/tripwire --check

A better way to handle this would be to run it from another machine on the network, however, so that an intruder won't compromise the cron job that runs your tripwire integrity check on the local system. On that machine, then, you might add the following line to the crontab file, where "target-host" is the hostname of the target system:

0 2 * * * root ssh -n -l root target-host /usr/sbin/tripwire --check

In both cases, you run the risk of using a compromised tripwire program, however. It is best to burn copies of your tripwire binary and key files to a CD-R, and run the program from that. You will have to configure tripwire to work in this manner by editing the twcfg.txt file before signing it. Assuming that your CD-ROM mounts at /mnt/cdrom, you should make the following changes to your /etc/tripwire/twcfg.txt file:

ROOT=/mnt/cdrom
SITEKEYFILE=/mnt/cdrom/site.key
LOCALKEYFILE=/mnt/cdrom/host-local.key

You will have to sign the modified file, then generate your tripwire database, and unmount the CD-R when you're done. The only difference when doing it this way will be where you specify the site key to be stored (the following command assumes you're currently in /etc/tripwire):

# twadmin --create-cfgfile --cfgfile tw.cfg --site-keyfile /mnt/cdrom/site.key twcfg.txt


When this has been done, you will run tripwire checks by mounting the CD-R that contains the tripwire binary, executing it from there, and unmounting the CD-R when you are done so that it can be removed and stored. You could leave the CD-R mounted and run checks from a cron job, as above, and specify in the crontab file /mnt/cdrom/tripwire as the program's location rather than /usr/sbin/tripwire.

Only the key files (the site key and local key) and the binary executable itself need to be stored on non-writable media to protect them. This is because modifications to your configuration and policy files will be detected, since they will not have been signed using your site and local keys, safely stored on the CD-R.
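The following shell script is an added example, not code from the article or from the Tripwire project. It ties together the permission and plain-text-removal steps of the setup section with the read-only CD-R advice above: a scheduled job can run these pre-flight checks before invoking tripwire, so a world-readable tw.pol, a leftover twcfg.txt, or a CD-R that is missing or replaced by a writable mount is noticed instead of silently passed over. It assumes GNU stat and a /proc/mounts-style mount table; the function names and the OWNER_UID override are the example's own, not tripwire options.

```shell
#!/bin/sh
# Added example (not from the article or the tripwire project): pre-flight checks
# for a scheduled tripwire run, covering the advice that tw.cfg, tw.pol and both
# keys be root-owned mode 600, that twcfg.txt/twpol.txt be deleted after signing,
# and that the binary and keys run from non-writable media. Assumes GNU stat.
# OWNER_UID overrides the expected owner so the checks can run as a non-root
# user (an assumption of this example, not a tripwire setting).

# Return 0 if every named file exists, is owned by OWNER_UID (default 0, root)
# and has mode 600; report the first failure on stderr and return 1 otherwise.
check_secrets() {
  want_uid="${OWNER_UID:-0}"
  for f in "$@"; do
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f") || return 1
    uid=$(stat -c '%u' "$f") || return 1
    [ "$mode" = "600" ] || { echo "mode $mode, want 600: $f" >&2; return 1; }
    [ "$uid" = "$want_uid" ] || { echo "owner uid $uid: $f" >&2; return 1; }
  done
  return 0
}

# Return 0 if the plain-text twcfg.txt and twpol.txt that the article removes
# after signing are indeed gone from the tripwire directory.
check_no_plaintext() {
  dir="$1"
  for f in twcfg.txt twpol.txt; do
    [ ! -e "$dir/$f" ] || { echo "plain-text $f still in $dir" >&2; return 1; }
  done
  return 0
}

# Return 0 if mount point $1 is listed with the "ro" option in a /proc/mounts-
# style table ($2, default /proc/mounts). A missing CD-R, or a writable
# filesystem mounted in its place, fails the check.
check_readonly_mount() {
  mp="$1"; table="${2:-/proc/mounts}"
  awk -v mp="$mp" '
    $2 == mp { found = 1; n = split($4, o, ",")
               for (i = 1; i <= n; i++) if (o[i] == "ro") ok = 1 }
    END { exit (found && ok) ? 0 : 1 }' "$table"
}

# Combine the checks: $1 is the tripwire directory (normally /etc/tripwire),
# $2 the hostname used in the local key name, $3 the CD-R mount point when the
# keys live there (empty for the all-local layout), $4 an optional mount table.
preflight() {
  etcdir="$1"; host="$2"; cdrom="$3"
  check_no_plaintext "$etcdir" || return 1
  if [ -n "$cdrom" ]; then
    # On the CD-R layout the read-only medium is what protects the keys.
    check_readonly_mount "$cdrom" "${4:-/proc/mounts}" || return 1
    check_secrets "$etcdir/tw.cfg" "$etcdir/tw.pol"
  else
    check_secrets "$etcdir/tw.cfg" "$etcdir/tw.pol" \
                  "$etcdir/site.key" "$etcdir/$host-local.key"
  fi
}

# From cron, once the checks pass (this line is what invokes the real tool):
#   preflight /etc/tripwire "$(hostname)" /mnt/cdrom && /mnt/cdrom/tripwire --check
```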

Updating the tripwire database

Files will change in your filesystem, and tripwire will detect these changes. Some changes are expected and desired. If you make a change to a file, tripwire will report that just as diligently as if some security cracker had changed it. The key is to know what changes should be there and what should not, and to keep the database updated so that it will not continuously report changes that are supposed to be there. After authorized changes have been made, and tripwire has been used to ensure those are the only changes that have been made, you can then update the database so that the next time it runs it will not continue to indicate the authorized changes. The following commands will provide a database update to tripwire (as before, "host" stands for the local hostname, which appears in the report file names):

# LASTREPORT=`ls -1t /var/lib/tripwire/report/host-*.twr | head -1`
# tripwire --update --twrfile "$LASTREPORT"

Scratching the surface

The tripwire configuration can be adjusted to target only specific parts of the filesystem, to assign differing scan priorities to various parts of the filesystem, and to individually add files to the tripwire database or exclude them from it. Such configuration options are likely to prove valuable if you begin using tripwire in production deployments or otherwise find a need to leverage its functionality in a more than casual manner. They are, however, beyond the scope of this article.

All of this only scratches the surface of what tripwire can do. Increasing levels of strict security can be employed with the use of tripwire. It can be run as a centralized filesystem integrity auditing tool for an entire network, and it can even be used to audit filesystem integrity on Windows VFAT file systems (FAT16 and FAT32 file systems). At minimum, however, you should probably employ integrity auditing with a tool like tripwire on your local system, except in extreme cases of quickly changing file systems, to help ensure that you will not be caught unawares by malicious intruders.


Additional resources

• TechRepublic's Downloads RSS Feed
• Sign up for TechRepublic's Downloads Weekly Update newsletter
• Sign up for TechRepublic's Linux NetNote newsletter
• Check out all of TechRepublic's free newsletters
• Linux 101: Best practice techniques for security integrity auditing and recovery
• Linux 101: A comprehensive list of Linux services available for all distributions

Version history

Version: 1.0
Published: February 2, 2006

Tell us what you think

TechRepublic downloads are designed to help you get your job done as painlessly and effectively as possible. Because we're continually looking for ways to improve the usefulness of these tools, we need your feedback. Please take a minute to drop us a line and tell us how well this download worked for you and offer your suggestions for improvement.

Thanks!

—The TechRepublic Downloads Team
