Monday, January 17, 2005

Configuring Tripwire - Just Another Host-Based IDS

Although Intrusion Detection Systems (IDSs) are becoming less popular in the media with the emergence of Intrusion Prevention Systems (IPSs), they are still widely used in the IT security industry, and any network or security administrator would benefit from knowing how to configure and use them. In this article, I will explain how to configure Tripwire 2.3.1.2 on Linux.

Tripwire is a valuable tool because it can generate a database of MD5 checksums of all the important and system files on your system (as specified by the administrator). Tripwire can then scan your system periodically or on demand to verify the integrity of those files -- Tripwire is therefore an integrity checker.

For this article, I am using a Dell Inspiron 5100 laptop with Gentoo Linux installed and updated with all of the latest packages for the system. I am going to perform a fresh re-install of Tripwire through the Portage system.

tertiary_linux ~ # emerge tripwire -vp

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild N ] app-admin/tripwire-2.3.1.2-r2 -debug +ssl 2,201 kB

Total size of downloads: 2,201 kB
tertiary_linux ~ #

tertiary_linux ~ # emerge tripwire -v
Calculating dependencies ...done!
>>> emerge (1 of 1) app-admin/tripwire-2.3.1.2-r2 to /
>>> Downloading http://distfiles.gentoo.org/distfiles/tripwire-2.3.1-2-pherman-portability-0.9.diff.bz2
--08:25:02-- http://distfiles.gentoo.org/distfiles/tripwire-2.3.1-2-pherman-portability-0.9.diff.bz2
=> `/usr/portage/distfiles/tripwire-2.3.1-2-pherman-portability-0.9.diff.bz2'
Resolving distfiles.gentoo.org... 156.56.247.195, 216.165.129.135, 140.211.166.134
Connecting to distfiles.gentoo.org[156.56.247.195]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 739,663 [text/plain]

...

Now that Tripwire has been installed, it requires configuration. The configuration files are located in the /etc/tripwire directory, as would be expected. An overview of the configuration files follows:

twpol.txt: a file which holds all of the files that Tripwire will check, as well as their criticality levels

twcfg.txt: miscellaneous configuration settings related to key locations and mail setup

twinstall.sh: installation script which creates site keys

One configuration file, twpol.txt, takes quite a bit of attention to generate properly. It is necessary to go through this file (which was designed for Red Hat Linux) and comment out the entries for files that you do not have or do not want to protect, as well as add entries for the files which you do want to protect. The next step is to configure twcfg.txt to your liking. Once you have completed these steps, run the twinstall.sh script. It is critical that you remember the two pass-phrases that you typed in so that you can access or modify the system configuration at a later time.

After the twinstall.sh script has been run, you should move or delete the plain-text configuration files twpol.txt and twcfg.txt, since they would provide useful information to anyone who has compromised your system; they have been replaced by encrypted versions. The twadmin tool included with Tripwire provides a means to modify or re-generate text versions of these files for future reference (pass-phrase required). The configuration of Tripwire is nearly done.
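The post describes editing twpol.txt but does not show its syntax, so here is a trimmed fragment in Tripwire's policy language, added as an illustration for this article (not the stock policy file and not the author's): the severity constants behind the 33/66/100 levels seen in the report, one stock rule left as shipped, and one rule with a Red Hat-only entry commented out and a Gentoo path added in its place. The Gentoo path /etc/conf.d and the site key location are assumptions.

```text
# Variables used by the rules below (the stock Red Hat policy defines these).
@@section GLOBAL
TWBIN = /usr/sbin ;
TWPOL = /etc/tripwire ;
TWDB  = /var/lib/tripwire ;

@@section FS
SEC_CRIT   = $(IgnoreNone)-SHa ;   # critical files: every property except SHA/Haval/atime
SEC_BIN    = $(ReadOnly) ;         # binaries: content, ownership and permissions must not change
SEC_CONFIG = $(Dynamic) ;          # files that change often: ownership, permissions and type only
SIG_LOW    = 33 ;                  # the severity levels shown in the report's Rule Summary
SIG_MED    = 66 ;
SIG_HI     = 100 ;

# A stock rule, kept as shipped.
(
  rulename = "Tripwire Binaries",
  severity = $(SIG_HI)
)
{
  $(TWBIN)/siggen     -> $(SEC_BIN) ;
  $(TWBIN)/tripwire   -> $(SEC_BIN) ;
  $(TWBIN)/twadmin    -> $(SEC_BIN) ;
  $(TWBIN)/twprint    -> $(SEC_BIN) ;
}

# A rule edited for this host: the Red Hat-only entry is commented out and a
# Gentoo path added (assumption: /etc/conf.d is where this box keeps service config).
(
  rulename = "Critical configuration files",
  severity = $(SIG_HI)
)
{
  /etc/passwd         -> $(SEC_CRIT) ;
  /etc/group          -> $(SEC_CRIT) ;
  #/etc/sysconfig     -> $(SEC_CRIT) ;                 # Red Hat only; not present here
  /etc/conf.d         -> $(SEC_CRIT) ;                 # Gentoo service configuration
  /var/log            -> $(SEC_CONFIG) (recurse = 0) ; # the directory itself, not the churn below it
  !/var/log/lastlog ;                                  # stop point: never examined
}

# After editing, sign the policy with the site key and rebuild the baseline:
#   twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
#   tripwire --init
```

A rule whose severity is below the level passed to tripwire --check is still scanned but is not counted as a violation, so the 33/66/100 choice decides what the daily e-mail flags.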

The last step in the configuration is to generate the database which houses the MD5 checksums of all of the critical files listed in the twpol.txt configuration file (now stored in tw.pol). This database will serve as a baseline to check your files against when monitoring for suspicious behavior. This database is generated with the following command:

tripwire --init

You will then be prompted for your local pass-phrase, after which Tripwire generates the baseline database. Once this database has been generated, you can check your system's integrity with the following command:

tripwire --check

The output from this command will be similar to the following, and will also be in a report stored in /var/lib/tripwire/reports, or wherever you specify in the twcfg.txt file before you run the twinstall.sh script:

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

Rule Name                                   Severity Level   Added  Removed  Modified
---------                                   --------------   -----  -------  --------
Invariant Directories                       66               0      0        0
Temporary directories                       33               0      0        0
*Tripwire Data Files                        100              1      0        0
Critical devices                            100              0      0        0
User binaries                               66               0      0        0
Tripwire Binaries                           100              0      0        0
Libraries                                   66               0      0        0
Operating System Utilities                  100              0      0        0
File System and Disk Administraton Programs
                                            100              0      0        0
Kernel Administration Programs              100              0      0        0
Networking Programs                         100              0      0        0
System Administration Programs              100              0      0        0
Hardware and Device Control Programs
                                            100              0      0        0
System Information Programs                 100              0      0        0
Application Information Programs
                                            100              0      0        0
(/sbin/genksyms)
Shell Related Programs                      100              0      0        0
(/sbin/getkey)
Critical Utility Sym-Links                  100              0      0        0
Critical system boot files                  100              0      0        0
*System boot changes                        100              1      1        29
*OS executables and libraries               100              0      0        2
Security Control                            100              0      0        0
Login Scripts                               100              0      0        0
*Critical configuration files               100              0      0        1
Shell Binaries                              100              0      0        0
*Root config files                          100              1      1        1

Total objects scanned: 236798
Total violations found: 38

There will be more information present in the full report, but only the summary is shown above. You can see that Tripwire checks all of your specified files and directories and tells you when they have changed.

When you install Tripwire, it creates a cron job that runs daily and e-mails the resulting report to root. This allows you to review the reports without having to run the filesystem check or print the report from the command line yourself. Another option would be to have the cron job also send the report to a printer.

An important part of the Tripwire IDS is that the baseline database be beyond the reach of any attacker, which requires that it reside on a read-only medium. One way to achieve this is to burn the database to a CD-ROM and have Tripwire run daily in that configuration. Be sure to create a backup of this CD-ROM and secure it so that it cannot be tampered with.

There are alternatives to Tripwire for performing integrity checks on your filesystem. One of them is AIDE, which is still being developed and has not yet reached a 1.0 release. Some people have used the rpm program on Red Hat systems as an integrity checker, and there is always the option of writing your own application that records an MD5 of each of your important files and verifies them periodically.
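For the "write your own" option just mentioned, here is a small POSIX shell integrity checker, added as an example for this article (it is not Tripwire code and not the author's Perl script), that mirrors Tripwire's --init / --check cycle: a baseline of MD5 checksums is recorded once, and each later check lists Added, Removed and Modified objects with a summary in the style of the report shown earlier. Keeping the baseline file somewhere the checked tree cannot reach (the read-only medium discussed above) is left to the caller.

```shell
#!/bin/sh
# Minimal MD5 integrity checker mirroring Tripwire's --init / --check cycle.
# Example written for this article; it is not part of Tripwire.
# Baseline format: one "<md5>  <path>" line per file, exactly as md5sum prints.
set -u

# baseline_init DIR DBFILE: record an MD5 for every regular file under DIR.
baseline_init() {
    find "$1" -type f -exec md5sum {} + | sort -k 2 > "$2"
}

# Path column of an md5sum listing (32 hex digits, two spaces, then the path).
_paths() { cut -c 35- "$1" | sort; }

# baseline_check DIR DBFILE: compare the live tree with the baseline.
# Prints one line per changed object plus a Tripwire-style summary and
# returns 0 when nothing changed, 1 when any violation was found.
baseline_check() {
    dir=$1; db=$2
    cur=$(mktemp); old=$(mktemp); new=$(mktemp); rpt=$(mktemp)
    find "$dir" -type f -exec md5sum {} + | sort -k 2 > "$cur"
    _paths "$db" > "$old"
    _paths "$cur" > "$new"
    {
        comm -13 "$old" "$new" | sed 's/^/Added:    /'     # only in the live tree
        comm -23 "$old" "$new" | sed 's/^/Removed:  /'     # only in the baseline
        # Modified: present in both listings but with a different digest.
        awk 'FILENAME == ARGV[1] { base[substr($0, 35)] = substr($0, 1, 32); next }
             { p = substr($0, 35)
               if (p in base && base[p] != substr($0, 1, 32)) print "Modified: " p }' \
            "$db" "$cur"
    } > "$rpt"
    cat "$rpt"
    n=$(wc -l < "$rpt" | tr -d ' ')
    printf 'Total objects scanned: %s\n' "$(wc -l < "$cur" | tr -d ' ')"
    printf 'Total violations found: %s\n' "$n"
    rm -f "$cur" "$old" "$new" "$rpt"
    [ "$n" -eq 0 ]
}
```

Run baseline_init once from known-good media, then baseline_check from cron; a non-zero exit is the signal to read the listed objects.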

Tripwire is a very valuable tool which can be used in a variety of scenarios. An experienced system administrator will be able to leverage its power to find out what has been tampered with or altered on a system of questionable integrity. In a follow-up post I will provide a Perl script which I have created to ease the configuration of the Tripwire configuration file twpol.txt and save a substantial amount of time.
