In Fedora:
libstdc++.so.6(GLIBCXX_3.4)
libcrypto.so.6
libc.so.6(GLIBC_2.0)
libstdc++.so.6(CXXABI_1.3.1)
/bin/sh
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
config(tripwire) = 2.4.1.1-1.fc5
libgcc_s.so.1(GLIBC_2.0)
libm.so.6(GLIBC_2.0)
libm.so.6
rpmlib(CompressedFileNames) <= 3.0.4-1
libstdc++.so.6
libc.so.6(GLIBC_2.1)
libgcc_s.so.1
sed
libc.so.6(GLIBC_2.1.3)
libgcc_s.so.1(GCC_3.0)
libstdc++.so.6(CXXABI_1.3)
libc.so.6
and in Redhat AS4:
libstdc++.so.6(GLIBCXX_3.4)
config(tripwire) = 2.3.1-22
libc.so.6(GLIBC_2.0)
gawk
/bin/sh
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
libgcc_s.so.1(GLIBC_2.0)
libcrypto.so.4
grep
libm.so.6(GLIBC_2.0)
libm.so.6
tar
gzip
rpmlib(CompressedFileNames) <= 3.0.4-1
libstdc++.so.6
libc.so.6(GLIBC_2.1)
libgcc_s.so.1
sed
libc.so.6(GLIBC_2.1.3)
libgcc_s.so.1(GCC_3.0)
libstdc++.so.6(CXXABI_1.3)
libc.so.6
Now to install it use this command:
# rpm -Uvh tripwire-2.3.1-20.fdr.1.2.i386.rpm
TIP :: So, when do you install and initialize Tripwire? Well, I recommend you to install and initialize Tripwire after you have installed your operating system and applications and have applied any updates or patches but before you have connected your system to a production network. This ensures Tripwire can be configured with all the required files and binaries being monitored and reduces the risk that an attacker could penetrate your system before you enable Tripwire.
Configuring Tripwire
In this section, you will see the base Tripwire configuration, and then I will show you how to initialize and run Tripwire. As you are going to configure Tripwire using the Red Hat Fedora RPM, some of the configuration options, especially their naming conventions, may differ from other versions of Tripwire. This is especially true of the source tarball version where many configuration options differ.
After installing Tripwire, the configuration for the tool will be installed into the
/etc/tripwire directory in the form of two files: twcfg.txt and twpol.txt. The twcfg.txt file contains the default configuration for Tripwire, including the location of the Tripwire binaries and policies. The twpol.txt file contains the Tripwire policy that tells Tripwire what to monitor.
Tripwire twcfg.txt
ROOT = /usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE = /var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE = /var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE = /etc/tripwire/site.key
Explaining Tripwire Policy
The twpol.txt file is the input file for the Tripwire policy for your host. This file will be used to create a proprietary file called a policy file. The policy determines what files and objects Tripwire will monitor for changes. It also specifies exactly what changes to those files and objects it will monitor. The RPM you have installed comes with a default policy. This policy is designed to monitor Red Hat Fedora systems. If you are running Tripwire on a different distribution, it may have come with a sample policy of its own. Either way you will need to change the policy to reflect exactly what objects you want to monitor on your system. I recommend you at least monitor important operating system files and directories, logging files, and the configuration files and binaries of your applications. Let’s look at the twpol.txt file. The file contains two types of items. It contains the directives and the rules that identify the individual files, and it contains the objects Tripwire is monitoring.
Tripwire Rules
A Tripwire rule is defined as a file or directory name and a property mask separated by the symbols ->. Additionally, it can have some optional rule attributes.
Tripwire Rule Structure
filename -> property mask (rule attribute = value);
Let’s look at each part of the Tripwire rule. The first portion of the rule is the file or object you want to monitor. This could be a single file or an entire directory. If you specify a directory,then Tripwire will monitor the properties of that directory and the entire contents of that directory.You can have only one rule per object or file. If an object has more than one rule,Tripwire will fail with an error message and not conduct any scanning.
The file or object is then separated from the property mask by a space or tab and the -> symbols, followed by another space or tab. The property mask tells Tripwire exactly what change about the file or object you want to monitor. For example, you could monitor for a change to the user who owns the file, the size of the file, or the file’s permissions. Each property is indicated by a letter prefixed with either a plus (+) sign or aminus (-) sign. For example, the following line monitors the ownership of the /etc/passwd file:
/etc/passwd -> +u;
The u is the Tripwire property for object ownership, and the plus (+) sign indicates you want to monitor this property. You can add further properties to be monitored by adding property letters to your Tripwire rule. On the next line you add the property,s, which indicates file size:
/etc/passwd -> +su;
Now Tripwire will monitor for any changes to the /etc/passwd file’s ownership and its size.
Tripwire Property Masks
Property--------Description
a------------------Access time stamp.
b------------------Number of blocks.
c------------------Inode time stamp.
d------------------ID of the device on which the inode resides.
g------------------Owning group.
i------------------Inode number.
l------------------File increases in size.
m------------------Modification time stamp.
n------------------Number of links to the object.
p------------------Permissions.
r------------------ID of the device pointed to by inode. Valid only for device type objects.
s------------------File size.
t------------------File type.
u------------------Object owner.
C------------------CRC-32 hash value.
H------------------Haval hash value.
M------------------MD5 hash value.
S------------------SHA hash value.
The minus (-) sign prefixing a property indicates that you do not want to monitor for that property. In the next line I am monitoring the /etc/passwd file for its ownership and size, but I have explicitly told Tripwire that I do not care about its last modification time stamp.
/etc/passwd -> +su-m;
In addition to the individual properties you can monitor for, you can also use property summaries. These property summaries are variables that represent particular combinations of properties. For example, Tripwire has a built-in property summary called $(Device), which contains the recommended properties for devices (or other types of files that Tripwire should not try to open). On the next line you can see the $(Device) property summary in a rule:
/dev/mapper/safe -> $(Device);
As I have described, each property summary represents different combinations of properties.The $(Device) property summary is equivalent to setting the properties in the following rule:
/dev/mapper/safe -> +pugsdr-intlbamcCMSH;
The previous line indicates that any rule that uses the $(Device) property summary will monitor files and objects for changes to their permissions, ownership, group owner, size and device, and inode ID monitored, but all other changes will be ignored.
Initializing and Running Tripwire
After you have configured Tripwire and created a suitable policy for your system, you need to set up and initialize Tripwire. Tripwire comes with a command,tripwire-setup-keyfiles, that you can use to perform this initial setup. The command is usually located in the directory /usr/sbin.
This command will create two keyfiles: the site key that signs your configuration and policy and the local key that protects your database and reports. You will be prompted to enter passphrases for both.
# /usr/sbin/tripwire-setup-keyfiles
------------------------------------------------------------------------
The Tripwire site and local passphrases are used to sign a variety of
files, such as the configuration, policy, and database files.
Passphrases should be at least 8 characters in length and contain both
letters and numbers.See the Tripwire manual for more information.
------------------------------------------------------------------------
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
The tripwire-setup-keyfiles command will also create encrypted versions of your twcfg.txt and twpol.txt files, called tw.cfg and tw.pol, respectively. These files will be signed with your new site key and are located in the /etc/tripwire directory.
Initializing the Tripwire Database
# /usr/sbin/tripwire --init
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /var/lib/tripwire/yourosname.yourdomain.com.twd
The database was successfully generated.
The --init option initializes your Tripwire database, and you will be prompted to enter your local key passphrase to continue. The tripwire binary then parses the /etc/tripwire/tw.pol file and creates a baseline state for all the objects on your system you want to monitor.
Tripwire Integrity Check
# /usr/sbin/tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
...
Wrote report file: /var/lib/tripwire/report/yourosname.yourdomain.com-20040926-172711.twr
The Tripwire integrity check will display the results of the check to the screen and save it as a Tripwire report file.
Printing Reports with twprint
# twprint --print-report --twrfile /var/lib/tripwire/report/yourosname.yourdomain.com20040926-172711.twr
Note: Report is not encrypted.
Tripwire(R) 2.3.0 Integrity Check Report
Report Summary:
Host name: yourosname.yourdomain.com
Host IP address: 127.0.0.1
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/yourosname.yourdomain.com.twd
Command line used: /usr/sbin/tripwire --check
Total objects scanned: 45606
Total violations found: 1
...
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
...
Modified Objects: 1
Modified object name: /var/lib/tripwire/yourosname.yourdomain.com.twd
Property: Expected Observed
* Mode -rw-r--r-- -rwxr-xr-x
Printing Tripwire Database Entry
# twprint --print-dbfile /etc/passwd
Object name: /etc/passwd
Property: Value:
------------- -----------
Object Type Regular File
Device Number 770
Inode Number 607017
Mode -rw-r--r--
Num Links 1
UID root (0)
GID root (0)
I have displayed the database entry for the file /etc/passwd using the --print-dbfile
option. If you use twprint --print-dbfile without an individual file specified, it will output the entire contents of the Tripwire database.
If you find violations in your report, you should first check if these are normal occurrences.During normal operations some files may change, be added to, or be removed from your system. You can adjust your Tripwire policy to reflect these normal changes using the tripwire command with the -update option. This option allows you to read in a report file,indicate which violations are in fact normal operational changes, and update the Tripwire policy to prevent it being triggered by these again.
Updating Tripwire Policy
# /usr/sbin/tripwire --update \ --twrfile /var/lib/tripwire/report/yourosname.yourdomain.com20040926-172711.twr
Tripwire Database Updates
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.
Modified:
[x] "/var/lib/tripwire/yourosname.yourdomain.com.twd"
In finally I should say that I tested all of this commands and all are OK.
Best Regards
Meghdad Shamsaei
Meghdadshamsaei@yahoo.com
