Project: Linux Howtos
Intrusion Detection Systems: Part II - Installing Tripwire
By Trevor Warren <trevor@freeos.com>
Posted: 2001-01-30 00:08:08 EST
The second part of our IDS series is a simple guide to installing, configuring and using Tripwire
"Most persons would succeed in small things if they were not troubled with great ambitions." - H.W. Longfellow

In the first part of this series we laid the groundwork that took us a step further towards understanding the necessity of a full-fledged Intrusion Detection System (IDS). A good policy is to mix and match the best tools to form a security grid that should be difficult enough even for the expert cracker to penetrate. The IDS systems of interest to us throughout this series will be Tripwire and Snort.

Before even installing Tripwire, let me walk you through the whole logical process of installing, configuring and using it. The points below are courtesy of the Red Hat installation guide; they give a clear, brief picture of how one should go about installing and using Tripwire.

(1) Install Tripwire and tweak the POLICY file for your respective system.
(2) Initialize the Tripwire database.
(3) Run the Tripwire integrity check as and when needed.
(4) Examine the Tripwire report file.
(5) Check for changes in the file system and take appropriate action.
(6) Ask whether your existing configuration has helped you conduct a proper postmortem according to your existing POLICY file. If not, edit your POLICY file and update the file signature database to reflect the changes you have made.

Installation and configuration of Tripwire

Tripwire works by checking the integrity of the existing file system against a baseline. It compares the current state of the file system against a baseline that has been created and digitally signed by you, using a passphrase that you enter during installation of the product. This signed database consists of encrypted information about the various system files, system binaries and other important files and directories that you want to protect.

You would normally create the baseline, consisting of information about the various components of your file system, when you are sure that the security status of the system has not been breached, e.g. just after OS installation. This baseline is, in general terms, a snapshot taken by Tripwire according to the rules in your POLICY file. As mentioned earlier, this happens in a simple two-step procedure: first you install the binaries on your machine, then you create the snapshot.

As usual there are many methods of installing Tripwire, depending on the distribution and the source of your package, but in this article we will deal only with *.tar.gz files and RPMs. You can always obtain the latest version of Tripwire (2.3) from www.tripwire.org, where you will find it for download as a tarred and gzipped file (tripwire-*.tar.gz).

Using tarred and gzipped files (*.tar.gz)

Copy the file to a location of your choice and unpack it using the following command:

bash# tar -xvzf tripwire-*.tar.gz

Having untarred the package, go through the INSTALL file and the README.* files to make sure there aren't any incompatibility issues with your system. Before installing any of the binaries you should go through the file install.cfg. This file contains the configuration information for your install; tweak it if necessary. Tripwire's download package is made to run out of the box on a Red Hat machine. If you are using a distribution other than Red Hat, don't worry; things should work out fine if you are planning on running things just out of the box. Just run the script:

bash# ./install.sh

This should begin the installation process for you. A few points to be noted: at the start of the installation process, the installer will open the GNU GPL license in the vi text editor. So those of you who would prefer otherwise will have to live with it, unless you want to tweak the install.cfg script. When the GNU GPL has been displayed, follow these steps:

1. It will ask you to hit Enter to view the License Agreement. Do it.
2. Having viewed the License Agreement, type :q to exit. This should exit you from the vi text editor and get you to a prompt asking you to key in "accept" or "do not accept". Make your decision and continue.

The rest of the install is a piece of cake. One point to remember: Tripwire will ask you for a passphrase, which it will use to encrypt the file system snapshot that it generates on your machine. Make sure to enter at least an 8-character passphrase consisting of both numbers and letters. This is just to make things difficult for the wannabe cracker. Thus the script walks you through installation, setting passphrases and signing the Tripwire policy and configuration files. If you plan to modify the policy file, we recommend you do so before running the configuration script. If you modify the policy file after running the configuration script, you must re-run the configuration script before initializing the database file.

Using RPMs

1. Locate the RedHat/RPMS directory on the Red Hat Linux 7.0 CD-ROM.
2. Locate the Tripwire binary RPM.
3. Type rpm -ivh followed by the name of the Tripwire RPM found in step 2.
4. After installing the Tripwire binary RPM, follow the post-installation instructions outlined below.

Post-installation instructions

The Tripwire binary RPM installs the basic program files needed to run the software. However, this installation does not complete the custom configuration that Tripwire 2.3 needs to perform correctly. After you unpack the RPM, you must:

1. Run the configuration script /etc/tripwire/twinstall.sh to sign these files.
This script walks you through the processes of setting passphrases and signing the Tripwire policy and configuration files. Once encoded and signed, the configuration file should not be renamed or moved. If you plan to modify the policy file, we recommend you do so before running the configuration script. If you modify the policy file after running the configuration script, you must re-run the configuration script before initializing the database file. If you are short on time, you can simply follow steps 2-5 as summarized below; otherwise, read on.

2. Initialize the Tripwire database file: /usr/sbin/tripwire --init
3. Run the first integrity check: /usr/sbin/tripwire --check
4. Edit the configuration file (twcfg.txt) with a text editor, if desired.
5. Edit the policy file (twpol.txt) with a text editor, if desired.

Modifying the POLICY file

Toughening up against intruders depends on the harshness of the stand you take. For most out-of-the-box installations the existing POLICY file (/etc/tripwire/twpol.txt) will work fine. However, to enhance security we would personally suggest that you go through the sample POLICY file. A sample POLICY file is placed in the directory where you unpacked the binaries (if you were using a *.tar.gz) or in /usr/doc/tripwire-* (if you were using an RPM). Read the sample policy file and its comments to learn the policy language. After you modify the policy file, follow the post-installation instructions (run the configuration script). This script signs the modified policy file and renames it to tw.pol, the active policy file that runs as part of the Tripwire software.

Selecting passphrases

Tripwire files are signed or encrypted using site or local keys. These keys are protected by passphrases. When selecting passphrases, the following recommendations apply:

1. Use at least eight alphanumeric and symbolic characters for each passphrase.
2. The maximum length of a passphrase is 1023 characters.
3. Quotes should not be used as passphrase characters.
4. Assign a unique passphrase for the site key. The site key passphrase protects the site key, which is used to sign Tripwire configuration and policy files.
5. Assign a unique passphrase for the local key. The local key signs Tripwire database files; it may also sign the Tripwire report files.

Store the passphrases in a secure location. There is no way to remove encryption from a signed file if you forget your passphrase; if you forget the passphrases, the files are unusable and you must reinitialize the baseline database.

Initializing the database

In Database Initialization mode, Tripwire builds a database of file system objects based on the rules in the policy file. This database serves as the baseline for integrity checks. The syntax for Database Initialization mode is:

bash# tripwire --init

Running an integrity check

This is what you have been waiting for. Having initialized the database and signed it with your passphrase, you can now check the system for file consistency. Under normal circumstances you would do this daily, and especially when you suspect that the security measures you have in place have been compromised. Integrity Check mode compares the current file system objects with their properties recorded in the Tripwire database. Violations are printed to standard output. The report file is saved and can later be accessed with the Tripwire utility twprint. An email option enables you to send the report by email. The syntax for Integrity Check mode is:

bash# tripwire --check

The Tripwire RPM adds a file to the /etc/cron.daily directory that will automatically run an integrity check once every day.

Printing reports - twprint

Print Report mode (twprint --print-report) prints the contents of a Tripwire report.
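The section on modifying the POLICY file above tells you to learn the policy language from the sample file but does not show any of it. The fragment below is an added illustration of the twpol.txt syntax, written for this page; it is neither the article's text nor the shipped sample policy, and the rule names, severities and paths are chosen for illustration.

```text
# Added illustration of twpol.txt syntax (not the article's text and not the
# shipped sample policy); rule names, severities and paths are examples only.

@@section FS

# Property masks: each letter names a file attribute Tripwire records and
# compares (p permissions, i inode, n link count, u/g owner, t type, s size,
# m mtime, M MD5, S SHA, a atime, ...). $(IgnoreNone), $(ReadOnly) and
# $(Growing) are predefined; "-SHa" drops the slower hashes and the atime.
SEC_CRIT = $(IgnoreNone)-SHa ;   # files that must never change
SEC_BIN  = $(ReadOnly) ;         # binaries: content and ownership fixed
SEC_LOG  = $(Growing) ;          # logs may grow but not shrink or change owner
SIG_HI   = 100 ;                 # severity used to rank violations in reports

(
  rulename = "Critical system binaries",
  severity = $(SIG_HI)
)
{
  /bin                 -> $(SEC_BIN) ;
  /sbin                -> $(SEC_BIN) ;
  /usr/bin             -> $(SEC_BIN) ;
  /usr/sbin            -> $(SEC_BIN) ;
}

(
  rulename = "Tripwire data and configuration",
  severity = $(SIG_HI)
)
{
  /etc/tripwire        -> $(SEC_CRIT) ;
  /var/lib/tripwire    -> $(SEC_CRIT) ;
}

(
  rulename = "System logs",
  severity = 66
)
{
  /var/log             -> $(SEC_LOG) ;
  !/var/log/lastlog ;              # '!' is a stop point: this path is not scanned
}
```

Each rule block pairs a path (scanned recursively) with a property mask, and the severity lets you sort a report so that a changed binary stands out from a log that merely grew. Covering Tripwire's own configuration and database directories, as the second rule does, matters because an intruder who can silently rewrite the policy or database defeats every later check. After editing, the file has to be signed as the article describes: run the configuration script before the first initialization, or tripwire --update-policy once a database exists.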
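To make the baseline-then-check model behind Initializing the database and Running an integrity check concrete, here is an added shell example written for this page; it is not Tripwire's own code. It reduces the idea to content digests: tw_init records a SHA-256 digest for every regular file under a directory, and tw_check reports files that were added, removed or changed and returns 1 when anything differs. The function names and the baseline format are the example's own, and it assumes GNU coreutils (sha256sum, sort, join). Unlike Tripwire it does not record ownership, permissions or inode data and does not sign the baseline.

```shell
#!/bin/sh
# Added example: the baseline-then-check model behind Tripwire, reduced to
# content digests.  Not Tripwire's code; function names and the baseline
# format are the example's own.  Assumes GNU sha256sum, sort, join and awk.
export LC_ALL=C   # join needs both inputs sorted in the same collation

# tw_init DIR BASELINE: record "<sha256>  <relative path>" for every regular
# file under DIR.  Tripwire's database also records owner, mode, inode and
# timestamps and is signed with the local key; this baseline is not, so keep
# it somewhere an intruder who can modify DIR cannot also rewrite it.
tw_init() {
  (cd "$1" && find . -type f -exec sha256sum {} +) > "$2"
}

# tw_check DIR BASELINE: print one "added|removed|changed <path>" line per
# violation and return 1; print nothing and return 0 when DIR matches.
# (Paths containing whitespace are not handled, to keep the example short.)
tw_check() {
  current=$(mktemp)
  old=$(mktemp)
  new=$(mktemp)
  tw_init "$1" "$current"
  # Turn both lists into sorted "path digest" tables so join can pair them.
  awk '{ print $2, $1 }' "$2"       | sort > "$old"
  awk '{ print $2, $1 }' "$current" | sort > "$new"
  # -a1 -a2 keep paths present on only one side; -e - fills the missing
  # digest with "-" so awk can tell an added file from a removed one.
  violations=$(join -a1 -a2 -e - -o 0,1.2,2.2 "$old" "$new" | awk '
      $3 == "-" { print "removed", $1; next }
      $2 == "-" { print "added",   $1; next }
      $2 != $3  { print "changed", $1 }')
  rm -f "$current" "$old" "$new"
  [ -z "$violations" ] && return 0
  printf '%s\n' "$violations"
  return 1
}

# Stand-alone usage: ./tw_example.sh init|check DIR BASELINE
if [ "$#" -eq 3 ]; then
  case "$1" in
    init)  tw_init  "$2" "$3" ;;
    check) tw_check "$2" "$3" ;;
  esac
fi
```

Reviewing the output is the step the article calls examining the report: once you have judged the differences legitimate, re-running tw_init records the new state, which is the job tripwire --update does selectively and with a signature. A non-zero exit status is what you would hook into cron or a mailer, mirroring the daily check the RPM installs under /etc/cron.daily.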
If you do not specify a report with the --twrfile or -r command-line argument, the default report file named by the REPORTFILE variable in the configuration file is used. Example: on a machine named FREEOS.com.FW, the command would be:

bash# ./twprint -m r --twrfile FREEOS.com.FW-20000122-021212.twr

Updating the database after an integrity check

Database Update mode enables you to update the Tripwire database after an integrity check if you determine that the violations discovered are valid. This saves time by letting you update the database without re-initializing it, and it enables selective updating, which cannot be done through re-initialization. The syntax for Database Update mode is:

bash# tripwire --update

Updating the policy file

Change the way Tripwire scans the system by changing the rules in the policy file. You can then update the database without a complete re-initialization. This saves a significant amount of time and preserves security by keeping the policy file synchronized with the database it uses. The syntax for Policy Update mode is:

bash# tripwire --update-policy

Testing email functions

Test mode tests the software's email notification system, using the settings currently specified in the configuration file (your install.cfg at installation time). The syntax for Email Test Reporting mode is:

bash# tripwire --test

Help

All Tripwire commands support the --help option. Example: to get help with Create Configuration File mode, type:

bash# twadmin --help --create-cfgfile

The following options illustrate the types of help available in the Tripwire software:

-?           Display usage and version information
--help       Display all command modes
--help all   Display help for all command modes
--help       Display help for the current command mode (when combined with a mode option, as in the twadmin example above)
--version    Display version information

So pals, this is all for now. We hope you had a feast on the internals of an IDS. We at FreeOS.com have tried our best to give you the simplest tutorial that should get you up and running with an IDS on your system in the shortest time. We assure you that time spent fortifying your network is time well spent. Coming up next week is a cool tutorial on the usage and implementation of Snort, another interesting IDS.

"The road to success is dotted with the most tempting parking spaces." - Anonymous