Tripwire
From charlesreid1
Overview
What is it?
Tripwire is an open-source program that monitors file integrity. It performs a check of the filesystem state against a known baseline state, and alerts on changes that are detected.
Tripwire can monitor not only file contents but also permissions, ownership, and directory listings.
Setup
Installing
Tripwire is a bit of a pain to install in an automated way, because it wants to try and walk you through a few initial setup steps.
We cover automated installation below.
Manual Installation
Install Tripwire with apt-get, since it is present in the official Debian repositories:
sudo apt-get -y update
sudo apt-get -y install tripwire
This will present several interactive prompts for the multi-step setup process.
The steps are described on the Tripwire Readme: https://github.com/Tripwire/tripwire-open-source
Automated Installation
This SO answer gives some help, but this Unix SE answer is also needed. Here's the final incantation:
sudo DEBIAN_FRONTEND=noninteractive apt-get -y install tripwire
This should install tripwire with zero user intervention required.
Getting Help
Both tripwire and twadmin offer top-level help:
tripwire --help
twadmin --help
These will give you the top-level command flags, like --init or --check.
If you want to get help on how to use a command flag, pass the name of the flag (without dashes) with the help command, like this:
# to get help on tripwire --scan
tripwire --help scan
# to get help on twadmin --create-polfile
twadmin --help create-polfile
These commands will tell you the flags you can pass when performing that action.
Automated Setup Details
Some details about what happens and where things go when setup is automated...
Automated Key Creation
The Tripwire setup process sets up two different keys:
- site key - the key used to secure the configuration file (if the configuration file is compromised, all findings from tripwire are suspect); this can be used across multiple servers just as config files can be
- local key - the key used on each machine to run the binary (ensures binary does not run without owner's consent)
These keys can be protected with a passphrase if Tripwire is being set up manually, but the automated installation process will not put any passphrase in place.
Automated installation will put the keys here:
- /etc/tripwire/HOSTNAME-local.key - this is the automatically generated local key
- /etc/tripwire/site.key - this is the automatically generated site key
Policy and Config Files
Note that the policy and configuration files that are created have two versions: the actual policy/config file (which is encrypted using the site key), and the plain text version.
The automated installation puts the default encrypted policy file at /etc/tripwire/tw.pol and the plain text version at /etc/tripwire/twpol.txt.
The automated installation puts the default encrypted config file at /etc/tripwire/tw.cfg and the plain text version at /etc/tripwire/twcfg.txt.
Initializing the Database
There is yet another manual step that must be run to scan the filesystem and prepare the database (this is the step that creates the baseline that later checks are compared against).
To initialize the database:
sudo tripwire --init
This interactively prompts the user for the local key passphrase (these Tripwire people are REALLY trying to make life harder for automation-centric folks, huh?)
Use the -P my_passphrase or --local-passphrase my_passphrase flag to specify the passphrase on the CLI; it should be an empty string if the automated setup was used:
sudo tripwire --init -P ""
Perform Initial Scan, Review Policy File, Eliminate False Positives
The procedure to make your policy file useful is to go through this process once, manually, on your operating system of choice, with the machine configured the way it will look in the final state.
Run a scan using tripwire, generate findings, and remove rules that generate false positives. Iterate until no false positives are generated:
- perform a scan
- review the findings from the scan
- update the plain text policy file to remove rules that generate false positives
- generate a new encrypted policy file from the plain text policy file
- (repeat until no false positives)
Once you are done, there is one last step:
- Use the new and improved policy to create a new baseline
Perform a Scan
To run a scan and generate findings (note that we are only looking for "Filename" here because this is just the initial scan where we're trying to eliminate false positive findings!):
sudo sh -c 'tripwire --check | grep Filename > test_results'
Review Findings from Scan
Now review the findings in test_results and figure out which ones are false positives.
Some findings are reported because files have changed, but others are reported because files named in the policy are not present on this system at all.
The default policy file looks for some files that aren't present on all operating systems, so update the policy file to remove those rules.
Updating the Plain Text Policy File
Update the policy file to adjust the rules:
vim /etc/tripwire/twpol.txt
Generate Encrypted Policy File from Plain Text Policy File
Once you are finished, generate a new encrypted policy file from the unencrypted plain text policy file:
sudo twadmin --create-polfile /etc/tripwire/twpol.txt
Use the -Q or --site-passphrase flag to pass the site key passphrase on the command line:
sudo twadmin --create-polfile -Q "" /etc/tripwire/twpol.txt
Create New Baseline
The final step, once your policy file is ship shape, is to make a new baseline using the same command we used before, tripwire --init:
sudo tripwire --init -P ""
Now you're finally done with the manual, one-time setup process, and tripwire is ready to rock!
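The "review findings, then edit twpol.txt" part of the loop above is the tedious bit, so here is a small added helper (our own script, not part of Tripwire or of this page) that does it mechanically: it pulls the paths out of the "Filename:" lines that the grep step collects (Tripwire emits those under "File system error" for objects that do not exist) and writes a copy of the plain text policy with the matching rule lines commented out. The function names extract_missing and comment_rules are ours, and the script assumes rule lines have the usual "/path -> $(SEC_...) ;" shape; the sample test_results and policy fragment used in the test are constructed.

```shell
#!/bin/sh
# Added helper, not part of Tripwire or of this page: automates the
# "comment out rules for files that do not exist on this host" step of
# the false-positive loop. Function names are our own.

# extract_missing REPORT: print the object paths that `tripwire --check`
# reported as "File system error" (the "Filename:" lines that the
# `grep Filename` step collects), one path per line.
extract_missing() {
    sed -n '/^[[:space:]]*Filename:/{s/^[[:space:]]*Filename:[[:space:]]*//;s/[[:space:]]*$//;p;}' "$1"
}

# comment_rules POLICY_IN POLICY_OUT MISSING_LIST: copy the plain text
# policy to POLICY_OUT with every rule line whose object is listed in
# MISSING_LIST commented out. A rule line is assumed to look like
#     /etc/rc.boot    -> $(SEC_CONFIG) ;
# Stop points such as "!/proc/kmsg" and quoted paths are left untouched,
# so review the result by hand before running twadmin --create-polfile.
comment_rules() {
    policy_in="$1"; policy_out="$2"; missing="$3"
    awk -v missing="$missing" '
        BEGIN { while ((getline line < missing) > 0) absent[line] = 1 }
        # rule line: optional indent, an absolute path, whitespace, "->"
        /^[ \t]*\/[^ \t]*[ \t]*->/ && ($1 in absent) { print "#" $0; next }
        { print }
    ' "$policy_in" > "$policy_out"
}

# Usage: sh prune_policy.sh test_results /etc/tripwire/twpol.txt twpol.new
if [ "$#" -eq 3 ]; then
    extract_missing "$1" > "$3.missing"
    comment_rules "$2" "$3" "$3.missing"
    printf 'wrote %s (objects commented out listed in %s)\n' "$3" "$3.missing"
fi
```

The output file is written next to the original rather than over it, so you can diff the two before feeding the new one to twadmin --create-polfile; rules that were flagged because a file changed (rather than because it is missing) never appear in the "Filename:" lines and are left alone.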
Cleaning Up
Tripwire has the ability to generate a plain text policy/config file from the encrypted version, just as it can create an encrypted version from a plain text version:
sudo sh -c 'twadmin --print-polfile > /etc/tripwire/twpol.txt'
So, if we are finally happy with the config and policy files, we can remove the plain text versions:
sudo rm /etc/tripwire/twpol.txt
Rules We Removed
- We removed files in the /root directory not present on our system, in the "Root config files" rule
- We removed the rule for /etc/rc.boot since that file was not present on our system
- We removed the /proc file from the list of directories being monitored (there were no particular processes we wanted to monitor)
How Long Do Scans Take
On an older laptop with 2 x 2.5 GHz cores and a fresh Debian install, the process of running tripwire --check took about 5 minutes.
CPU usage during the scan was mostly between 10% and 50%, with a few near-100% spikes.
(Once we removed the rules for /root and /proc, the scans went much faster.)
Running
Once you've gone through the pain of setting it up, tripwire is pretty easy to run:
sudo tripwire --check
This will generate a text report. The output can be redirected to a file to create a report file that can then be rotated, archived, or shipped like any other log file.
Sample Report
Here is an example report:
$ sudo tripwire --check
[sudo] password for basilisk:
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
The object: "/dev/hugepages" is on a different file system...ignoring.
The object: "/dev/mqueue" is on a different file system...ignoring.
The object: "/dev/pts" is on a different file system...ignoring.
The object: "/dev/shm" is on a different file system...ignoring.
Wrote report file: /var/lib/tripwire/report/ANDROID-20220305-170624.twr

Open Source Tripwire(R) 2.4.3.7 Integrity Check Report

Report generated by:          root
Report created on:            Sat 05 Mar 2022 05:06:24 PM PST
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    basilisk
Host IP address:              127.0.1.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/basilisk.twd
Command line used:            tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Other binaries                  66                0        0        0
  Tripwire Binaries               100               0        0        0
  Other libraries                 66                0        0        0
  Root file-system executables    100               0        0        0
  Tripwire Data Files             100               0        0        0
  System boot changes             100               0        0        0
  Root file-system libraries      100               0        0        0
  (/lib)
  Critical system boot files      100               0        0        0
  Other configuration files       66                0        0        0
  (/etc)
  Boot Scripts                    100               0        0        0
  Security Control                66                0        0        0
  Devices & Kernel information    100               0        0        0
  (/dev)
  Invariant Directories           66                0        0        0

Total objects scanned:  91409
Total violations found:  0

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

No violations.

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
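Redirecting the report to a file is only half of running Tripwire unattended; somebody still has to notice when "Total violations found" stops being 0. The following is an added example (our own script, not part of Tripwire or of this page) of a cron-friendly wrapper that saves the dated text report and then reduces it to the rules whose Added/Removed/Modified counters are non-zero, using the Rule Summary table and the "Total violations found" line in the format shown above. The function names violations_in, changed_rules, summarize and run_check are ours, and the report fragments used in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of Tripwire or of this page: a cron-friendly
# wrapper around `tripwire --check` that keeps the text report and boils
# it down to the rules that changed. Function names are our own.

# violations_in REPORT: print the number after "Total violations found:",
# or nothing if the report has no such line (e.g. the check aborted).
violations_in() {
    sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1"
}

# changed_rules REPORT: one line per Rule Summary row whose three counters
# are not all zero, e.g.
#     Other configuration files added=0 removed=0 modified=1
# A row is "<rule name> <severity> <added> <removed> <modified>"; the
# "(/etc)" continuation lines carry no counters and are skipped.
changed_rules() {
    awk '
        /^Rule Summary:/   { in_rules = 1; next }
        /^Object Summary:/ { in_rules = 0 }
        in_rules && NF >= 5 && $NF ~ /^[0-9]+$/ && $(NF-1) ~ /^[0-9]+$/ &&
            $(NF-2) ~ /^[0-9]+$/ && $(NF-3) ~ /^[0-9]+$/ {
            added = $(NF-2); removed = $(NF-1); modified = $NF
            if (added + removed + modified > 0) {
                name = $1
                for (i = 2; i <= NF - 4; i++) name = name " " $i
                printf "%s added=%d removed=%d modified=%d\n",
                       name, added, removed, modified
            }
        }
    ' "$1"
}

# summarize REPORT: return 0 for a clean report, 1 when violations were
# found (printing the affected rules), 2 when the report has no total line.
summarize() {
    count=$(violations_in "$1")
    if [ -z "$count" ]; then
        echo "tripwire: no violation count in $1, did the check abort?" >&2
        return 2
    fi
    if [ "$count" -eq 0 ]; then
        return 0
    fi
    echo "tripwire: $count violation(s) in $1"
    changed_rules "$1"
    return 1
}

# run_check REPORT_DIR: run the check, save the full report as a dated
# text file, then summarize it. The exit status is the one from summarize,
# so cron (or a wrapper that mails on non-zero) can act on it.
run_check() {
    report="$1/tripwire-$(date +%Y%m%d-%H%M%S).txt"
    tripwire --check > "$report" 2>&1
    summarize "$report"
}

# Usage from cron: sh tripwire-cron.sh run /var/log/tripwire
if [ "$1" = "run" ]; then
    run_check "$2"
fi
```

Only the summary lines need to reach whoever reads the alerts; the full report stays on disk for the follow-up, and a missing "Total violations found" line is treated as its own failure rather than as a clean run.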
Links
excellent digital ocean guide: https://www.digitalocean.com/community/tutorials/how-to-use-tripwire-to-detect-server-intrusions-on-an-ubuntu-vps
automated installation of tripwire with puppet: https://github.com/autostructure/tripwire