HOWTO Setup Tripwire: Difference between revisions

Latest revision as of 22:51, 4 January 2018

Setting Up a Tripwire Installation

hostname ~ # emerge tripwire mktwpol
hostname ~ # cd /etc/tripwire
hostname ~ # emacs -nw /etc/tripwire/twpol-GENERIC.txt     (change HOSTNAME= to the proper hostname; no domain/no FQDN)
hostname ~ # emacs -nw /etc/tripwire/twcfg.txt     (change /bin/nano to /usr/bin/vi for use during updating, for example)

Create the keys, and sign the policy and configuration files:

hostname ~ # cd /etc/tripwire ; /bin/bash twsetup.sh   (supply site- and local-key multiple times to setup, site-key another couple of times to sign tw.pol and tw.cfg)

Now initialize everything (creates the database file /var/lib/tripwire/$hostname.twd)

hostname ~ # tripwire --init

Create the list of files we want to fingerprint and monitor:

hostname ~ # /usr/local/bin/mktwpol.sh > /etc/tripwire/twpol.txt

(If you don't have this on your system, grab it HERE, name it /usr/local/bin/mktwpol.sh, and make it executable with chmod u+x /usr/local/bin/mktwpol.sh.)

Generate a Report

hostname ~ # tripwire --check

The first time you do this, there may be a few files not found. Go through these one by one and either find the proper location of the file or comment it out in twpol.txt. Sometimes files have been relocated from where the original twpol.txt expects them, e.g. a binary moved from /bin/ to /usr/bin/ or from /sbin/ to /usr/sbin/.

File System Error Messages

To get rid of "File system error." messages where the file or folder does not exist, first check whether the file has been relocated (somewhat common when updating packages), or comment out the culprits in /etc/tripwire/twpol.txt if they have truly disappeared.

hostname ~ # emacs -nw /etc/tripwire/twpol.txt

A BETTER WAY:

hostname ~ # /usr/sbin/mktwpol.sh /etc/tripwire/mktwpol-default.rules > /etc/tripwire/twpol.txt

Check the resulting /etc/tripwire/twpol.txt file for sanity: for example, if the ruleset was incorrect or unspecified when mktwpol.sh was invoked, you may see a very short twpol.txt that only references the tripwire files themselves.
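The sanity check above can be scripted. The following is an added example, not part of the wiki page or of mktwpol: it extracts the monitored paths from a Tripwire policy file (rule lines of the form "/path -> $(PROP) ;") and fails when every rule points at Tripwire's own files, which is exactly the degenerate output the paragraph warns about. The list of "self" paths is an assumption about what a generic policy protects.

```shell
#!/bin/sh
# Added example (not from the wiki page): check a freshly generated
# /etc/tripwire/twpol.txt before signing it with twadmin --create-polfile.

# Paths a policy that covers only Tripwire itself would reference
# (assumption: the self-protection entries found in generic policies).
TW_SELF_RE='^/(etc/tripwire|var/lib/tripwire|usr/sbin/(tripwire|twadmin|twprint|siggen))'

# Print the paths the policy monitors, one per line.
# A rule line is an absolute path, optional whitespace, then "->";
# "!/path ;" exclusions and variable definitions are not matched.
twpol_paths() {
    sed -n 's/^[[:space:]]*\(\/[^[:space:]]*\)[[:space:]]*->.*/\1/p' "$1"
}

# Count rules that watch something other than Tripwire's own files.
twpol_external_count() {
    twpol_paths "$1" | grep -Ev "$TW_SELF_RE" | wc -l | tr -d ' '
}

# Return 0 if the policy is worth signing, 1 if it is empty or only
# references Tripwire itself (the symptom of a wrong/missing ruleset).
twpol_sane() {
    total=$(twpol_paths "$1" | wc -l | tr -d ' ')
    ext=$(twpol_external_count "$1")
    echo "$1: $total rule(s), $ext outside Tripwire's own files"
    [ "$total" -gt 0 ] && [ "$ext" -gt 0 ]
}
```

Run `twpol_sane /etc/tripwire/twpol.txt` after mktwpol.sh and only proceed to `twadmin --create-polfile` when it exits 0.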

Then, update the policy file, delete and re-init the db:

hostname ~ # twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
hostname ~ # rm /var/lib/tripwire/$hostname.twd*
hostname ~ # tripwire --init

Now run a check, followed by an update. This shifts files around (mainly by creating /var/lib/tripwire/$hostname.twd.bak), which will be flagged as "changed" on the next run, so re-run the check/update:

hostname ~ # tripwire --check
hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/<hostname_date_time>.twr
hostname ~ # tripwire --check
hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/<hostname_date_time>.twr

After System Changes

After you emerge packages or change config files:

hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/<a_previous_integrity_report>.twr

Tidying Up

After a while, the /var/lib/tripwire/report/ directory becomes quite large. At some point, these historical reports are of no value, so they can be deleted. One guideline might be to blow away anything more than 6 months old.
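The check/update cycle above, the update after system changes, and this pruning guideline all revolve around the report directory. The following is an added example, not from the wiki page or the Tripwire project: it picks the newest .twr so the <hostname_date_time> placeholder need not be typed by hand, wraps one check/update cycle, and implements the "older than N days" cleanup as a dry run by default. It assumes POSIX find/ls and takes the report directory as an argument.

```shell
#!/bin/sh
# Added example (not from the wiki page): housekeeping for
# /var/lib/tripwire/report/ around the check/update cycle.

# Print the path of the newest .twr report in a directory (empty if none).
latest_report() {
    # ls -t sorts by mtime, newest first; stderr hidden for an empty dir.
    ls -t "$1"/*.twr 2>/dev/null | head -n 1
}

# Run one check/update cycle against the newest report. The page notes that
# the first cycle moves the database backup around, so run it twice after a
# re-init. tripwire --check exits non-zero when it reports violations, which
# is the expected case here, so its status is deliberately not checked.
tw_check_update() {
    dir=${1:-/var/lib/tripwire/report}
    tripwire --check
    rpt=$(latest_report "$dir")
    [ -n "$rpt" ] || { echo "no report found in $dir" >&2; return 1; }
    tripwire --update --twrfile "$rpt"
}

# List .twr reports in $1 older than $2 days (dry run);
# pass "delete" as $3 to actually remove them (e.g. 180 for ~6 months).
prune_reports() {
    dir=$1; days=$2; mode=${3:-list}
    if [ "$mode" = delete ]; then
        find "$dir" -name '*.twr' -type f -mtime "+$days" -exec rm -f {} +
    else
        find "$dir" -name '*.twr' -type f -mtime "+$days"
    fi
}
```

Review the dry-run listing from `prune_reports /var/lib/tripwire/report 180` before repeating it with `delete`.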

Troubleshooting

The error Fatal Exception st9exception indicates that the Tripwire database has become corrupted. Re-initialize it (tripwire --init) and follow the steps under File System Error Messages.