This is a discussion on How do I use tripwire? within the Linux Security forums, part of the System Security and Security Related category.

On Fri, 02 Sep 2005 18:18:31 +1000, Peter D. wrote:
....
> Read the documentation, most of what you need is here;
>
> ,----[ /home/psd/tripwire.sh ]
> |
> | if [ "localhost" == "$(hostname)" ]; then
> |     echo "fix host name"
> |     return 1
> | fi
....
....

Can I buy a vowel?
Proteus wrote:
> On Fri, 02 Sep 2005 18:49:22 +1200, Thor wrote:
> ...
>> Did you run tripwire-setup-keyfiles.
>> This sets up your database and passwords etc
>
> [root@localhost ]# tripwire-setup-keyfiles
> bash: tripwire-setup-keyfiles: command not found
> [root@localhost ]#

OK, it works, and it is how tripwire under Fedora sets up; have you tried man tripwire?

-- 
*~~~~~~~~~~Thor
On Fri, 02 Sep 2005 06:42:24 -0500, Proteus wrote:
> On Fri, 02 Sep 2005 18:49:22 +1200, Thor wrote:
> ...
>> Did you run tripwire-setup-keyfiles.
>> This sets up your database and passwords etc
>
> [root@localhost ]# tripwire-setup-keyfiles

Snippet from my admin diary of what I did when I played with tripwire a while back. I suggest you keep a diary of what you do, how, and with what. :)

# tripwire setup
cd /etc/tripwire
# site key signs the config and policy; local key signs the database and reports
twadmin --generate-keys --site-keyfile ./site.key
twadmin --generate-keys --local-keyfile "./$HOSTNAME-local.key"
twadmin --create-cfgfile --cfgfile ./tw.cfg --site-keyfile ./site.key twcfg.txt
twadmin --create-polfile --cfgfile tw.cfg --site-keyfile site.key twpol.txt
chmod 600 *
chmod 700 twinstall.sh
tripwire --init --cfgfile ./tw.cfg --polfile ./tw.pol \
    --site-keyfile ./site.key --local-keyfile "./$HOSTNAME-local.key"
Ok I read some documentation on tripwire (some docs are far better than
others!) and it was actually quite easy to install and configure once you are told how in a clear how-to.

http://www.redhat.com/docs/manuals/l...-tripwire.html

So for those interested, here is what I did.

(STEP 1)
I installed tripwire (intrusion detection system) using urpmi as root:

[root@localhost ]# urpmi tripwire

(STEP 2)
I ran the tripwire installation script that generates the encryption keys and creates a default configuration file and a default policy file. Here is the command and the terminal output:

[root@localhost ]# /etc/tripwire/twinstall.sh

(STEP 3)
I ran the tripwire database initialization, which initializes the tripwire database (hash of system files to monitor any changes by a hacker, etc.):

[root@localhost ]# /etc/tripwire/tripwire --init

During the above STEP 3 I got terminal output from the 'tripwire --init' showing lots of file and directory errors "No such file or directory", as it seemed that tripwire was looking for RedHat Linux files/dirs. So my problem now is what to do about that; I am guessing somehow I have to edit the config and policy files to tell tripwire to ignore looking for those RedHat files/dirs; or should I look for a Mandrake/Mandriva rpm package instead of using the package I installed using urpmi? (urpmi should have installed the correct package for my Mandriva LE2005 distro though, right?)
On Thu, 01 Sep 2005 21:09:35 -0500, Proteus wrote:
> Can anybody guide me on getting started with using tripwire? I installed
> it using uprmi. Not sure what to do now....

Ok I read some documentation on tripwire (some docs are far better than others!) and it was actually quite easy to install and configure once you are told how in a clear how-to.

http://www.redhat.com/docs/manuals/l...-tripwire.html

However, I still have some issues to resolve (see end of this message) that I could use some help on. I know enough to be dangerous, so if someone can kindly guide me through getting tripwire to work correctly I would be most appreciative. I have it installed now, config and policy files have been created, but I need to tune tripwire somehow as it seems to think my system is a Redhat system even though I installed tripwire using urpmi onto my Mandriva LE2005 distro (mandrake).

Here is what I did.

(STEP 1)
I installed tripwire (intrusion detection system) using urpmi as root:

[root@localhost ]# urpmi tripwire

(STEP 2)
I ran the tripwire installation script that generates the encryption keys and creates a default configuration file and a default policy file.

[root@localhost ]# /etc/tripwire/twinstall.sh

(STEP 3)
I ran the tripwire database initialization, which initializes the tripwire database (hash of system files to monitor any changes by a hacker, etc.):

[root@localhost ]# /etc/tripwire/tripwire --init

During the above STEP 3 I got terminal output from the 'tripwire --init' showing lots of file and directory errors "No such file or directory", as it seemed that tripwire was looking for RedHat Linux files/dirs. So my problem now is what to do about that; I am guessing somehow I have to edit the config and policy files to tell tripwire to ignore looking for those RedHat files/dirs; or should I look for a Mandrake/Mandriva rpm package instead of using the package I installed using urpmi? (urpmi should have installed the correct package for my Mandriva LE2005 distro though, right?)
On Fri, 02 Sep 2005 10:03:41 -0500, Proteus wrote:
>
> I got terminal output from the 'tripwire --init'
> showing lots of file and directory errors "No such file or directory",
> as it seemed that tripwire was looking for RedHat Linux files/dirs. So my
> problem now is what to do about that; I am guessing somehow I have to edit
> the config and policy files to tell tripwire to ignore looking for those
> RedHat files/dirs; or should I look for a Mandrake/Mandriva rpm package
> instead of using the package I installed using urpmi? (urpmi should have
> installed the correct package for my Mandriva LE2005 distro though, right?)

Guessing the tripwire rpm came from the _contrib_ directory and not _main_. If it came from main, it would be a bug you could open with Mandriva about the redhat files. If contrib, you would have to contact whoever is maintaining the package. Quick fix, make the changes yourself.
Proteus wrote in alt.os.linux.mandriva:
> Ok I read some documentation on tripwire (some docs are far better
> than others!) and it was actually quite easy to install and configure
> once you are told how in a clear how-to.
> http://www.redhat.com/docs/manuals/l...-tripwire.html
>
> So for those interested, here is what I did.
>
> (STEP 1)
[snip]

You are well on the way.

> (STEP 3)
> I ran the tripwire database initialization which initializes the
> tripwire database (hash of system files to monitor any changes by a
> hacker, etc:
> [root@localhost ]# /etc/tripwire/tripwire --init

Step four is "tripwire --check".

> During the above STEP 3 I got terminal output from the 'tripwire
> --init' showing lots of file and directory errors "No such file or
> directory", as it seemed that tripwire was looking for RedHat Linux
> files/dirs. So my problem now is what to do about that; I am guessing
> somehow I have to edit the config and policy files to tell tripwire to
> ignore looking for those RedHat files/dirs; or should I look for a
> Mandrake/Mandriva rpm package instead of using the package I installed
> using urpmi? (urpmi should have installed the correct package for my
> Mandriva LE2005 distro though, right?)

You probably urpmi-ed the most Mandriva-ish rpm that is available.

Sorry about only giving part answers. I'm posting from an old version, but this should be a useful start for MLE2005. Watch the line wraps.

,----[ /mnt/hda3/mle/config/done/twpol.9.txt ]
| # /etc/tripwire/twpol9.txt
| # things that change often
| # Peter, Sat Apr 5 18:07:00 EST 2003
|
| # Characters used in property masks, with descriptions:
| #
| # - Ignore the following properties
| # + Record and check the following properties
| # a Access timestamp
| # b Number of blocks allocated
| # c Inode timestamp (create/modify/"change")
| # d ID of device on which inode resides
| # g File owner's group ID
| # i Inode number
| # l File is increasing in size (a "growing file")
| # m Modification timestamp
| # n Number of links (inode reference count)
| # p Permissions and file mode bits
| # r ID of device pointed to by inode
| #   (valid only for device objects)
| # s File size
| # t File type
| # u File owner's user ID
| # C CRC-32 hash value
| # H Haval hash value
| # M MD5 hash value
| # S SHA hash value
| #
| # Set LOOSEDIRECTORYCHECKING=true in twcfg.txt
| # equivalent to -snacmblCMSH on directory inodes.
|
| @@section GLOBAL
| TWROOT=/usr/sbin;
| TWBIN=/usr/sbin;
| TWPOL="/etc/tripwire";
| TWDB="/var/lib/tripwire";
| TWSKEY="/etc/tripwire";
| TWLKEY="/etc/tripwire";
| TWREPORT="/var/lib/tripwire/report";
| HOSTNAME=localhost;
|
| @@section FS
| BOOT = dgnptu ;           # Files that change with every boot, but are important
| CHEAP = bcdgimnpstuC ;
| CHEAP-i = bcdgmnpstuC ;   # bug workaround?
| CHEAP-mc = bdginpstuC ;   # bug workaround
|
| SEC_CRIT = $(IgnoreNone)-SHa ;  # Critical files that cannot change
| SEC_SUID = $(IgnoreNone)-SHa ;  # Binaries with the SUID or SGID flags set
| SEC_BIN = $(ReadOnly) ;         # Binaries that should not change
| SEC_CONFIG = $(Dynamic) ;       # Config files that are changed infrequently but accessed often
| SEC_LOG = $(Growing) ;          # Files that grow, but that should never change ownership
| SEC_INVARIANT = +tpug ;         # Directories that should never change permission or ownership
|
| SIG_B = 40 ;   # BOOT, things that get changed on reboot
| SIG_N = 45 ;   # NET, things that get changed on network up/down
| SIG_U = 50 ;   # UPDATE, things that get changed when an RPM is installed
|
| SIG_LOW = 33 ;  # Non-critical files that are of minimal security impact
| SIG_MED = 66 ;  # Non-critical files that are of significant security impact
| SIG_HI = 100 ;  # Critical files that are significant points of vulnerability
|
| # list all partitions separately
| # If the *only* command on a partition is "ignore it" then error?
|
| (
|   rulename = "devices",
|   severity = $(SIG_HI),
|   recurse = false,
|   emailto = root
| )
| {
|   /dev -> $(Device)-m ;
| }
|
| (
|   rulename = "list everything",
|   severity = $(SIG_LOW),
|   emailto = root
| )
| {
|   / -> $(CHEAP) ;                       # partition
|   /.autofsck -> $(CHEAP-mc) ;
|   # /boot -> $(CHEAP-mc) ;
|   /boot/config -> $(CHEAP-mc)-i ;
|   /boot/kernel.h -> $(CHEAP-mc)-i ;
|   # /dev                                # see separate rule
|   /etc/adjtime -> $(CHEAP-mc)-C ;
|   /etc/asound.state -> $(CHEAP-mc)-C ;
|   /etc/cups/certs/0 -> $(CHEAP-mc)-C ;  # changes while running
|   /etc/cups/classes.conf -> $(CHEAP)-c ;
|   /etc/cups/cupsd.conf -> $(CHEAP)-c ;
|   /etc/cups/printers.conf -> $(CHEAP)-c ;
|   /etc/fstab -> $(CHEAP-mc)-isC ;
|   /etc/hotplug/blacklist -> $(CHEAP-mc)-isC ;
|   /etc/issue -> $(CHEAP-mc) ;
|   /etc/issue.net.msec -> $(CHEAP-mc)-i ;
|   /etc/lvm/.cache -> $(CHEAP-mc) ;
|   /etc/mtab -> $(CHEAP-mc)-isC ;
|   /etc/postfix/prng_exch -> $(BOOT)-mcC ;  # changes while running
|   /etc/resolv.conf -> $(CHEAP-mc) ;
|   /etc/sysconfig/harddrake2/kernel -> $(BOOT)-mc ;
|   /etc/sysconfig/harddrake2/previous_hw -> $(BOOT)-mc ;
|   # /etc/X11 -> $(CHEAP-mc) ;           # bug in xorg, relinks on boot
|   /etc/X11/XF86Config -> $(CHEAP-mc)-i ; # bug in xorg, relinks on boot
|   /home -> $(CHEAP) ;                   # partition
|   !/home/psd ;
|   /lib/iptables -> $(CHEAP-mc) ;        # bug, relinks on boot
|   /mnt -> $(CHEAP-mc)-n ;
|   /mnt/hda3 -> $(CHEAP) ;               # partition
|   /root/.bash_history -> $(CHEAP-mc)-ismcCb ;
|   /root/path_list -> $(CHEAP-mc)-sC ;
|   /root/.viminfo -> $(BOOT)-ismcCb ;
|   /root/Xpath_list -> $(CHEAP-mc)-sC ;
|   !/tmp ;                               # partition
|   /var -> $(CHEAP) ;                    # partition
|   !/var/cache ;
|   /var/catman -> $(CHEAP-mc) ;
|   /var/lib/alsa/dev/snd -> $(CHEAP-mc) ;
|   /var/lib/dhcp/dhclient-eth0.leases -> $(CHEAP-mc)-C ;
|   /var/lib/dhcp/dhclient-eth1.leases -> $(CHEAP-mc)-C ;
|   /var/lib/mysql -> $(CHEAP-mc) ;
|   /var/lib/mysql/ib_logfile0 -> $(CHEAP-mc)-C ;
|   /var/lib/nfs/state -> $(CHEAP-mc)-C ;
|   /var/lib/random-seed -> $(CHEAP-mc)-C ;
|   /var/lib/random_seed -> $(CHEAP-mc)-C ;
|   /var/lib/shorewall -> $(CHEAP-mc) ;
|   /var/lib/shorewall/restarted -> $(BOOT)-C ;
|   /var/lib/shorewall/restore-base -> $(BOOT)-C ;
|   /var/lib/shorewall/restore-tail -> $(BOOT)-C ;
|   /var/lib/tripwire -> $(CHEAP-mc) ;
|   /var/lib/xkbd -> $(CHEAP-mc) ;
|   /var/lock/subsys -> $(CHEAP-mc)-C ;
|   /var/log -> $(SEC_LOG)-il ;           # can shrink
|   /var/log/cups/error_log -> $(SEC_LOG)-ilm ;
|   /var/log/messages -> $(SEC_LOG) ;     # changes while running
|   /var/log/wtmp -> $(SEC_LOG)-ilm ;
|   /var/log/Xorg.0.log -> $(SEC_LOG)-ilm ;
|   /var/run -> $(CHEAP-mc)-iC ;          # changes while running
|   !/var/spool ;
|   !/var/tmp ;
| }
`----

,----[ /mnt/hda3/mle/config/done/twcfg.txt ]
| # /etc/tripwire/twcfg.txt
| # Peter, Fri Jun 18 10:02:37 EST 2004
|
| # POLFILE =/etc/tripwire/tw.pol
| # DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
| # REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
| # LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
| # EDITOR =/bin/vi
| # LOOSEDIRECTORYCHECKING =false
|
| ROOT =/usr/sbin
| POLFILE =/etc/tripwire/tw.pol
| DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
| REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
| SITEKEYFILE =/etc/tripwire/site.key
| LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
| EDITOR =/bin/vi +set\ nobackup +set\ nowritebackup
| LATEPROMPTING =false
| # Loos... true is like -snacmblCMSH on directory inodes
| LOOSEDIRECTORYCHECKING =true
| MAILNOVIOLATIONS =true
| EMAILREPORTLEVEL =3
| REPORTLEVEL =3
| MAILMETHOD =SENDMAIL
| SYSLOGREPORTING =false
| MAILPROGRAM =/usr/sbin/sendmail -oi -t
`----

-- 
Peter D.
Sig goes here...
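The recurring problem in this thread is a policy that names objects the host does not have (Proteus's "No such file or directory" errors at `tripwire --init`, and the "make the changes yourself" advice), plus a policy file whose property masks are built by arithmetic on variables (`$(CHEAP-mc)-isC`, `$(IgnoreNone)-SHa`). The script below is an added example, not code from the thread or from Tripwire. It parses the twpol.txt dialect shown in Peter's file (variable definitions, `path -> mask ;` rules, `!path ;` stop points, `$(NAME)` references), resolves each rule's mask to the final set of property letters that will be checked, and comments out rules whose object is absent on the host. The built-in mask values (`ReadOnly`, `Dynamic`, `Growing`, `Device`, `IgnoreAll`, `IgnoreNone`) are as I recall them from the Tripwire policy guide and should be verified against the twpolicy(4) man page; treating an unsigned leading run such as `bcdgimnpstuC` as `+` is an assumption about Tripwire's parser; the sample policy and its absent paths are constructed for the example.

```python
"""Resolve Tripwire property masks and prune policy rules for absent objects.
Added example, not code from the thread or from Tripwire; it reads the twpol.txt
dialect shown above: `NAME = mask ;`, `path -> mask ;`, `!path ;`, `$(NAME)`."""
import os
import re
import sys

# Predefined mask variables as listed in the Tripwire policy guide
# (assumption: verify them against twpolicy(4) on your system).
BUILTIN_MASKS = {
    "ReadOnly":   "+pinugtsdbmCM-rlacSH",
    "Dynamic":    "+pinugtd-srlbamcCMSH",
    "Growing":    "+pinugtdl-srbamcCMSH",
    "Device":     "+pugsdr-intlbamcCMSH",
    "IgnoreAll":  "-pinugtsdrlbamcCMSH",
    "IgnoreNone": "+pinugtsdrbamcCMSH-l",
}
PROP_ORDER = "pinugtsdrlbamcCMSH"  # canonical order when printing a resolved mask

VAR_DEF = re.compile(r"^\s*([A-Za-z_][\w-]*)\s*=\s*([^;#]+?)\s*;")
RULE = re.compile(r"^(\s*)(/\S*)\s*->\s*([^;#]+?)\s*;")
STOP = re.compile(r"^(\s*)!\s*(/\S*?)\s*;")
VAR_REF = re.compile(r"\$\(([^)]+)\)")

def load_variables(policy_text):
    """Collect `NAME = value ;` definitions, layered over the built-in masks."""
    variables = dict(BUILTIN_MASKS)
    for line in policy_text.splitlines():
        m = VAR_DEF.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables

def expand_vars(text, variables):
    """Substitute $(NAME) references, following nesting such as SEC_LOG = $(Growing)."""
    for _ in range(16):
        new = VAR_REF.sub(lambda m: variables[m.group(1)], text)
        if new == text:
            return new
        text = new
    raise ValueError(f"variable reference nesting too deep in: {text}")

def resolve_mask(mask, variables):
    """Apply +/- groups left to right; return the checked properties in PROP_ORDER."""
    props, sign = set(), "+"  # an unsigned leading run (CHEAP = bcdg...) is read as '+'
    for ch in expand_vars(mask, variables):   # (that reading is an assumption)
        if ch in "+-":
            sign = ch
        elif ch in PROP_ORDER:
            (props.add if sign == "+" else props.discard)(ch)
        elif ch.strip():
            raise ValueError(f"unknown property letter {ch!r} in mask {mask!r}")
    return "".join(p for p in PROP_ORDER if p in props)

def resolve_rules(policy_text):
    """Map each `path -> mask ;` rule to the properties Tripwire will actually check."""
    variables = load_variables(policy_text)
    return {m.group(2): resolve_mask(m.group(3), variables)
            for m in map(RULE.match, policy_text.splitlines()) if m}

def prune_policy(policy_text, exists=os.path.lexists):
    """Comment out rules/stop points whose object is absent; return (new_text, missing).
    `exists` is injectable for testing. lexists() is deliberate: a dangling symlink
    is still an object Tripwire records, so it stays in the policy."""
    out, missing = [], []
    for line in policy_text.splitlines():
        m = RULE.match(line) or STOP.match(line)
        if m and not exists(m.group(2)):
            missing.append(m.group(2))
            out.append(f"{m.group(1)}# pruned (absent on this host): {line.strip()}")
        else:
            out.append(line)
    return "\n".join(out) + "\n", missing

# Constructed sample in the thread's syntax; the two absent paths are made up to
# stand in for the other-distro entries that failed on Proteus's Mandriva box.
SAMPLE_POLICY = """\
@@section FS
CHEAP = bcdgimnpstuC ;
CHEAP-mc = bdginpstuC ;
SEC_CRIT = $(IgnoreNone)-SHa ;
SEC_LOG = $(Growing) ;
(
  rulename = "sample",
  severity = 100
)
{
  / -> $(CHEAP) ; # partition
  /etc/fstab -> $(CHEAP-mc)-isC ;
  /etc/only-on-the-packager-distro -> $(SEC_CRIT) ;
  /var/log -> $(SEC_LOG)-il ;
  !/tmp ;
  !/var/spool/does-not-exist-here ;
}
"""

if __name__ == "__main__":
    # python3 twpol_prune.py /etc/tripwire/twpol.txt > twpol.pruned.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    pruned, missing = prune_policy(text)
    sys.stdout.write(pruned)
    for path, mask in sorted(resolve_rules(text).items()):
        print(f"{path:45s} checks {mask}", file=sys.stderr)
    print(f"{len(missing)} absent object(s) commented out", file=sys.stderr)
```

The pruned text is only plain twpol.txt; it still has to be signed with the site key (`twadmin --create-polfile`, as in the diary snippet earlier in the thread) and the database re-initialised with `tripwire --init` before `tripwire --check` will use it. Treat the list of pruned paths as something to read, not to apply blindly: a rule commented out here is a file that will go unmonitored if it appears later, and on a clean install that is exactly the kind of appearance you want reported. The mask resolver is the other half of the value: `$(CHEAP-mc)-isC` on `/etc/fstab` resolves to `pnugtdb`, which tells you at a glance that neither the content hash nor the inode number is being checked on that file.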