Understanding and Installing Tripwire
08.15.00

by Russ Rogers

Tripwire is a security tool that runs under most flavors of UNIX. Its purpose is to determine when sensitive system files on the hard disk have been altered. System files such as the kernel, shared libraries, OS binaries, and configuration files are prime targets for attackers: by altering one of them, an attacker can plant a hidden backdoor into your system, or even leave the system unable to boot, requiring a re-load of the operating system.

When the system administrator first runs Tripwire, the software builds a database of all the important system files, as selected by a policy file that the administrator can edit. The database, the policy file and the configuration file are all stored in a signed, binary-encoded form: the policy and configuration files are signed with the site key and the database with the local key, so tampering with any of them is detected, and creating or re-signing one requires the matching passphrase. Signing is not encryption, however. Anyone with read access to these files can print their contents in cleartext with twadmin or twprint, so rely on file permissions (and, ideally, read-only media for the database and key files) to keep out prying eyes, not on the signature.

The following comes directly from the software README file: "By scanning the current system and comparing that information with the data stored in the database, Tripwire detects and reports any additions, deletions, or changes to the system outside of the specified boundaries. If these changes are valid, the administrator can update the baseline database with the new information. If malicious changes are found, the system administrator will instantly know which parts of which components of the network have been affected."
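To make the baseline-and-compare idea concrete, here is a small shell script written for this article. It is not Tripwire's code and does none of Tripwire's key handling or signing; it only shows the detection logic: it records path, mode, size, mtime and SHA-256 for every file under a directory, then reports additions, deletions and changes against a saved baseline, the three classes of change the README describes. It assumes GNU coreutils (sha256sum and stat -c), does not handle paths containing spaces, and the function names tw_snapshot, tw_compare and tw_accept are the example's own.

```shell
#!/bin/sh
# Added example: a minimal baseline-and-compare in the spirit of Tripwire,
# written for this article. It is not Tripwire's own code and does none of
# Tripwire's signing; it only shows the detection logic. Assumes GNU coreutils
# (sha256sum, stat -c) and POSIX find/sort/join/awk. Paths with spaces break it.
export LC_ALL=C   # byte-wise collation, so sort and join agree on the key order

# Record one line per regular file under $1: path mode size mtime sha256,
# sorted by path. (A real Tripwire policy also chooses, per file, which of
# these attributes matter; here every attribute is compared.)
tw_snapshot() {
    ( cd "$1" || exit 1
      find . -type f | sort | while IFS= read -r f; do
        mode=$(stat -c %a -- "$f")
        size=$(stat -c %s -- "$f")
        mtime=$(stat -c %Y -- "$f")
        sum=$(sha256sum -- "$f" | cut -d' ' -f1)
        printf '%s %s %s %s %s\n' "$f" "$mode" "$size" "$mtime" "$sum"
      done )
}

# Compare a baseline file ($1) against a current snapshot file ($2) and print
# additions, deletions and changes, one per line. Both files are keyed on the
# path in field 1, which is what join matches on.
tw_compare() {
    join -v 2 "$1" "$2" | awk '{ print "ADDED   " $1 }'
    join -v 1 "$1" "$2" | awk '{ print "REMOVED " $1 }'
    # Paired lines carry both records: fields 2-5 from the baseline, 6-9 from now.
    join "$1" "$2" | awk '($2" "$3" "$4" "$5) != ($6" "$7" "$8" "$9) { print "CHANGED " $1 }'
}

# Once the administrator has confirmed the reported changes are legitimate,
# the current snapshot becomes the new baseline (Tripwire's "update" step).
tw_accept() { cp -- "$2" "$1"; }
```

Run tw_snapshot / > baseline once, then tw_snapshot / > now followed by tw_compare baseline now on a schedule, and tw_accept baseline now only after you have verified every reported line. The script also shows why Tripwire signs its database: tw_compare trusts whatever is in the baseline file, so an attacker who can write it can hide a modified binary by simply re-recording its hash.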

Newer versions of Tripwire have even more flexibility and options. A SYSLOG option has been added that lets the application send a summary of each operation to the system log. SMTP email can also be configured so administrators receive notice once a scan has been completed. The full report can also be sent by email, but since SMTP mail travels in clear text and the report lists exactly which files on which host have changed, we question the wisdom of sending reports that way; send the notification by email and read the report on the host itself.

For a more detailed look at what Tripwire can do, we suggest you visit the homepage at http://www.tripwire.com or simply check out the README file when installing the software.

The latest version of Tripwire, as of the date of this article, is Tripwire 2.2.1. A tar file containing all the software components can be downloaded from the website listed above.

NOTE: You *MUST* be root to install the Tripwire software.

1. Untar the file into an install directory of your choice.

tar -xvf Tripwire_221_for_Linux_x86.tar

2. Edit the install.cfg file. In this file you set the directories to be used for installation, the email reporting options, and the syslog reporting functions.

vi ./install.cfg

3. Once you've configured the system as you want it installed, run the install script to begin installation.

./install.sh

After running this script, a cleartext copy of the configuration file will exist alongside the signed one. The filename is typically twcfg.txt and it is NOT signed or protected in any way. Double-check its contents after the install is completed and then delete it: the file exists only so you can verify the configuration, it is not required for Tripwire to operate, and leaving it on disk tells an attacker exactly where the database, policy and key files live. twadmin can print the configuration again from the signed copy whenever you need to see it.

By default, the Tripwire software is installed into the /usr/TSS directory. Under this path you should find six subdirectories: bin, db, key, man, policy, and report. Initially we'll deal strictly with the /usr/TSS/bin/tripwire executable to get the database up and running.

4. We're going to run Tripwire in "Initialization" mode to create the file system baseline database. In this mode tripwire reads the current policy file, generates the database from the entries in that policy file, and signs the resulting database file with the local key (you will be prompted for the local passphrase).

5. The next step is to run the Tripwire software in "Integrity Checking" mode. This checks the file system against the files recorded in the newly created database and reports any changes; immediately after initialization, a clean system should report none. It also saves a copy of the report in /usr/TSS/report.

At this point, your Tripwire installation is complete. A database file has been created and you should have at least one report. Two other Tripwire executables will be used by the system administrator on a regular basis. The first is twadmin, which lives in /usr/TSS/bin and is used to sign (encode) and print (decode) the configuration and policy files so they can be edited, and to manage the key files. The second is twprint, which resides in the same directory; its purpose is to print a report (or the database) in ASCII for viewing. A typical twprint command looks like this:

twprint --print-report russr-20000809-180519.twr

Report files end in the .twr extension, and the filename includes the host name and the date and time of the check, to the nearest second.

The system administrator has the flexibility to use cron jobs to run Tripwire automatically on a recurring schedule; integrity checking mode asks for no passphrase, so it runs unattended. By running the check twice daily (assuming a not-so-large file system), the system administrator gets relatively quick notification when files are altered. These changes include ones made by the system administrator, so after an intentional change (a package upgrade, an edited configuration file) the tripwire command is run in update mode, which takes the report from the check that flagged the change and, once the administrator has approved each entry, re-signs the database to reflect the new state. Update mode is the one Tripwire operation that deserves real care: run it only when you are sure every reported change is yours, because accepting an attacker's change into the baseline silences the alarm for good.

tripwire --update
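The following wrapper, added here as an example and not part of the article or of the Tripwire distribution, ties the daily cycle together: baseline, check, print the newest report, and update the database from that report. It assumes the /usr/TSS layout described above, the documented command-line modes of tripwire and twprint, and the default report naming scheme; the function names and the TSS environment variable are the example's own.

```shell
#!/bin/sh
# Added example: a small wrapper for the day-to-day Tripwire cycle. Not from the
# article or from Tripwire itself; it assumes the default /usr/TSS install paths
# and the documented command-line modes of tripwire and twprint.
set -u

TSS=${TSS:-/usr/TSS}          # install prefix (assumption: the install.cfg default)
BIN=$TSS/bin
REPORTS=$TSS/report

# Newest report in directory $1, chosen by name. Report names embed the date
# and time (host-YYYYMMDD-HHMMSS.twr), so a byte-wise sort puts the latest last.
tw_latest_report() {
    ls "$1"/*.twr 2>/dev/null | LC_ALL=C sort | tail -n 1
}

# One-time baseline (initialization mode). Prompts for the local passphrase,
# because the new database is signed with the local key.
tw_init() { "$BIN/tripwire" --init; }

# Integrity check. Needs no passphrase, so this is the mode to run from cron.
# The report is written to $REPORTS; the exit status is non-zero when
# violations are found, which a cron wrapper can act on.
tw_check() { "$BIN/tripwire" --check; }

# Print the newest report as text.
tw_show() {
    r=$(tw_latest_report "$REPORTS")
    [ -n "$r" ] || { echo "no reports in $REPORTS" >&2; return 1; }
    "$BIN/twprint" --print-report --twrfile "$r"
}

# Fold the changes recorded in the newest report into the database (update
# mode). Tripwire opens the report in $EDITOR so each change can be approved
# or rejected, then prompts for the local passphrase to re-sign the database.
# Add --accept-all only if you are certain every listed change is legitimate.
tw_update() {
    r=$(tw_latest_report "$REPORTS")
    [ -n "$r" ] || { echo "no reports in $REPORTS" >&2; return 1; }
    "$BIN/tripwire" --update --twrfile "$r"
}

case "${1:-}" in
    init)   tw_init ;;
    check)  tw_check ;;
    show)   tw_show ;;
    update) tw_update ;;
    "")     ;;    # no argument: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 {init|check|show|update}" >&2; exit 2 ;;
esac
```

A crontab entry such as 0 6,18 * * * /usr/TSS/bin/tripwire --check gives the twice-daily run discussed above; pair it with the email notification configured in install.cfg and read the report on the host with tw_show. Both tw_init and tw_update prompt for a passphrase and so are not cron candidates, which is by design: the operations that change the trusted baseline require a person who holds the key.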

This concludes the article. It was meant as an introduction to Tripwire and a guide to getting it installed. The reader should consult the man pages for tripwire, twadmin and twprint for more detailed descriptions of each command and its options.