As several recent high profile compromises have reminded us, Linux isn't immune to security vulnerabilities. While you should always do everything you can to secure your Linux systems, you can also put measures in place to quickly detect a break-in. One useful "alarm" system is Tripwire.
Tripwire helps you verify the integrity of critical system files and directories. It compares the current filesystem against a known, stable baseline, which you establish after installing Tripwire. Once installed and initialized, Tripwire monitors key attributes of files that shouldn’t change, including each file’s binary signature and size, while taking into account changes you expect, such as the growth of a log file. If anything’s modified, added, or deleted, Tripwire notifies you of the differences.
Tripwire is written in C++ and is licensed under the GPL. Free RPMs are available from http://www.tripwire.org, and source code is available from http://sourceforge.net/projects/tripwire. (A commercial version of the product is available from Tripwire, Inc. at http://www.tripwire.com.)
After you download the latest tarball, verify that the MD5 checksum of the download matches the MD5 checksum on the download page. (While a mismatch could occur with a bad download, it could also mean that the file’s been tampered with. Checking for tampering is critical for security software.) You can get the MD5 checksum of a file by typing md5sum file.
If the checksum is valid, unpack the tarball and cd into the resulting directory. Before running the install script, take a look at both the config file (install.cfg) and the policy file (policy/twpol.txt) and edit them to suit your environment. The file policyguide.txt contains examples and explanations for editing the policy file. After that, simply type ./install.sh as root.
The installation script guides you through the process of setting passphrases and encrypting the policy and configuration files. After running the install script, accept the license and choose the target install directories. Finally, provide a site keyfile passphrase and a local keyfile passphrase, at which point the install is complete. As the installer reminds you, picking a strong passphrase is paramount to good security.
After completing the installation, you’ll find both plain text and encrypted/signed versions of the policy and configuration files in /etc/tripwire/. Once you’re satisfied with the installation, store a copy of the plain text files in a safe place and then remove them from the Tripwire directory, as they’re not needed for daily operation and contain sensitive information.
You can now create your baseline snapshot.
To begin, type /usr/sbin/tripwire --init, again as root. Tripwire prompts for your site password, then creates a cryptographically signed baseline database, and you’re ready to use Tripwire.
To perform an integrity check, type /usr/sbin/tripwire --check. Tripwire compares the state of the current filesystem against the initial baseline database you created, using the rules defined in the policy file.
An integrity report is printed to stdout and saved in encrypted format in the location specified by the REPORTFILE setting in your Tripwire configuration (by default /var/lib/tripwire/report/). To print a saved encrypted report, type /usr/sbin/twprint -m r -r /path/to/encrypted/report.twr.
Once your setup is working properly, run an integrity check via cron on a regular basis.
Keep in mind that during the course of normal usage, files on a system do change, due to a security update, for instance (you do keep up on security updates, right?). So, don’t automatically be alarmed when something’s been modified.
First, carefully review the changes to make sure they’re legitimate and expected, then reconcile them. To reconcile the changes between a specific report and the baseline, run /usr/sbin/tripwire -m u -r /path/to/encrypted/report.twr. This gives you a rundown of the differences and allows you to individually add them to the baseline. You can use -a to automatically accept all changes, but should do so with caution.
If you know you’ve made a change to the filesystem, you can also run a --check with the -I flag to perform a baseline database update after the check is completed.
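As an added illustration of the init/check cycle described above (this is not Tripwire’s own code), here is a minimal Python checker that records what a baseline entry keeps for each file (size, permission bits and a SHA-256 digest), reports added, removed and changed files, and treats a listed log file as allowed to grow by appending only. The sample tree built in demo(), and its file names, are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(path):
    """Attributes a baseline entry keeps per file: size, permission bits, SHA-256."""
    st = Path(path).stat()
    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    return {"size": st.st_size, "mode": st.st_mode & 0o7777, "sha256": digest}

def init_baseline(root):
    """Like `tripwire --init`: snapshot every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): snapshot(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def check(root, baseline, growing=()):
    """Like `tripwire --check`: list added, removed and changed files.
    Paths in `growing` (log files) may only grow by appending."""
    root, current = Path(root), init_baseline(root)
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)), "changed": []}
    for name in sorted(set(current) & set(baseline)):
        old, new = baseline[name], current[name]
        if name in growing:  # accept appends; flag truncation, rewrites, mode changes
            with open(root / name, "rb") as fh:
                prefix = hashlib.sha256(fh.read(old["size"])).hexdigest()
            ok = (new["size"] >= old["size"] and new["mode"] == old["mode"]
                  and prefix == old["sha256"])
        else:
            ok = old == new  # any attribute change is a violation
        if not ok:
            report["changed"].append(name)
    return report

def demo():
    """Constructed sample tree: take a baseline, then modify, add, append, truncate."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "ls").write_bytes(b"original binary")
    (root / "messages.log").write_bytes(b"boot ok\n")
    baseline = init_baseline(root)
    (root / "bin" / "ls").write_bytes(b"original binary, replaced")  # modified
    (root / "bin" / "unexpected").write_bytes(b"new file")          # added
    with open(root / "messages.log", "ab") as fh:                    # expected growth
        fh.write(b"login ok\n")
    report = check(root, baseline, growing={"messages.log"})
    (root / "messages.log").write_bytes(b"")                         # truncated log
    return report, check(root, baseline, growing={"messages.log"})
```

The first report flags the replaced binary and the new file but accepts the appended log; the second shows that truncating the log is still reported, since only growth is expected.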
After you’re comfortable with Tripwire, you may want to make some changes to the policy file. Retrieve the text version of the policy file that you previously stashed away, make your changes, and create an updated policy via /usr/sbin/tripwire -m p policyfile.txt. Both your local and site password are required to update the policy.
As with most powerful applications, Tripwire has many options. Read the man pages and documentation to explore some of the advanced options and included utilities, such as twadmin.
As is often the case with open source, you do have other options, including AIDE, FCheck, and Osiris, if Tripwire doesn’t suit your needs.
Jeremy Garcia is the founder and admin of LinuxQuestions.org, a free, friendly and active Linux Community. He can be reached at firstname.lastname@example.org.