September 21, 2021

Tripwire howto

Tripwire monitors files so you can tell if they get changed without you knowing it. You can install it on Debian pretty easily; the package setup walks you through the keys and the first policy build:

apt install tripwire
  Create new 'site-key' for Tripwire - choose 'Yes' and press Enter to continue.
  Create new 'local-key', choose 'Yes' and press Enter again.
  Rebuild Tripwire Configuration option, choose 'Yes'.
  Rebuild Tripwire Policy option - choose 'Yes'.
  Prompt for 'site-key' passphrase. Type a password and choose 'OK'.
  Prompt for 'local-key' passphrase, type a password and choose 'OK'.

It’s set up, but now you have to initialize it so it establishes a baseline for your files, like this:

tripwire --init
please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix file system ***
...
### Continuing...
### Warning: File system error.
### Filename: /proc/3838/task/3838/fdinfo/4
### No such file or directory
...
### Continuing...
The object: "/proc/sys/fs/binfmt_misc" is on a different file system...ignoring.
Wrote database file: /var/lib/tripwire/www.twd
The database was successfully generated.

Now we weed out the errors (paths the default policy lists but this system doesn't have):

sh -c "tripwire --check | grep Filename > no-directory.txt"
...
### Warning: File system error.
### Filename: /etc/rc.boot
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /root/mail
### No such file or directory
### Continuing...
...

So you should end up with a file full of entries like this:

cat no-directory.txt
     Filename: /etc/rc.boot
     Filename: /root/mail
     Filename: /root/Mail
     Filename: /root/.xsession-errors
     Filename: /root/.xauth
     Filename: /root/.tcshrc
     Filename: /root/.sawfish
     Filename: /root/.pinerc
     Filename: /root/.mc
     Filename: /root/.gnome_private
     Filename: /root/.gnome-desktop
     Filename: /root/.gnome
     Filename: /root/.esd_auth
     Filename: /root/.elm
     Filename: /root/.cshrc
     Filename: /root/.bash_profile
     Filename: /root/.bash_logout
     Filename: /root/.amandahosts
     Filename: /root/.addressbook.lu
     Filename: /root/.addressbook
     Filename: /root/.Xresources
     Filename: /root/.Xauthority
     Filename: /root/.ICEauthority
     Filename: /proc/4002/fd/3
     Filename: /proc/4002/fdinfo/3
     Filename: /proc/4002/task/4002/fd/3
     Filename: /proc/4002/task/4002/fdinfo/3

Now edit the text policy file (twpol.txt, the editable source that tw.pol is built from) and tell it to ignore those:

cd /etc/tripwire
vi twpol.txt
  #/etc/rc.boot   -> $(SEC_BIN) ; <--comment out line
  #/var/lock      -> $(SEC_CONFIG) ; <-- comment out line
  #/var/run       -> $(SEC_CONFIG) ; # daemon PIDs <-- comment out line
and comment out the next lines like this:
  /root                           -> $(SEC_CRIT) ; # Catch all additions to /root
        #/root/mail                     -> $(SEC_CONFIG) ;
        #/root/Mail                     -> $(SEC_CONFIG) ;
        #/root/.xsession-errors         -> $(SEC_CONFIG) ;
        #/root/.xauth                   -> $(SEC_CONFIG) ;
        #/root/.tcshrc                  -> $(SEC_CONFIG) ;
        #/root/.sawfish                 -> $(SEC_CONFIG) ;
        #/root/.pinerc                  -> $(SEC_CONFIG) ;
        #/root/.mc                      -> $(SEC_CONFIG) ;
        #/root/.gnome_private           -> $(SEC_CONFIG) ;
        #/root/.gnome-desktop           -> $(SEC_CONFIG) ;
        #/root/.gnome                   -> $(SEC_CONFIG) ;
        #/root/.esd_auth                        -> $(SEC_CONFIG) ;
        #/root/.elm                     -> $(SEC_CONFIG) ;
        #/root/.cshrc                   -> $(SEC_CONFIG) ;
        /root/.bashrc                   -> $(SEC_CONFIG) ;
        #/root/.bash_profile            -> $(SEC_CONFIG) ;
        #/root/.bash_logout             -> $(SEC_CONFIG) ;
        /root/.bash_history             -> $(SEC_CONFIG) ;
        #/root/.amandahosts             -> $(SEC_CONFIG) ;
        #/root/.addressbook.lu          -> $(SEC_CONFIG) ;
        #/root/.addressbook             -> $(SEC_CONFIG) ;
        #/root/.Xresources              -> $(SEC_CONFIG) ;
        #/root/.Xauthority              -> $(SEC_CONFIG) -i ; 
        #/root/.ICEauthority            -> $(SEC_CONFIG) ;
 
        #/dev           -> $(Device) ;
        #/proc          -> $(Device) ;
        /dev/block              -> $(Device) ;
        /dev/bsg                -> $(Device) ;
        /dev/bus                -> $(Device) ;
        /dev/char               -> $(Device) ;
        /dev/disk               -> $(Device) ;
        /dev/mapper             -> $(Device) ;
        /dev/net                -> $(Device) ;
        /dev/snd                -> $(Device) ;
        /dev/vfio               -> $(Device) ;
        /dev/virtio-ports       -> $(Device) ;
        /proc/devices           -> $(Device) ;
        /proc/net               -> $(Device) ;
        /proc/tty               -> $(Device) ;
        /proc/cpuinfo           -> $(Device) ;
        /proc/modules           -> $(Device) ;
        /proc/mounts            -> $(Device) ;
        /proc/dma               -> $(Device) ;
        /proc/filesystems       -> $(Device) ;
        /proc/interrupts        -> $(Device) ;
        /proc/ioports           -> $(Device) ;
        /proc/kcore             -> $(Device) ;
        /proc/self              -> $(Device) ;
        /proc/kmsg              -> $(Device) ;
        /proc/stat              -> $(Device) ;
        /proc/loadavg           -> $(Device) ;
        /proc/uptime            -> $(Device) ;
        /proc/locks             -> $(Device) ;
        /proc/meminfo           -> $(Device) ;
        /proc/misc              -> $(Device) ;

Now re-create the encrypted (signed) policy file tw.pol from the edited text policy like this:

twadmin -m P /etc/tripwire/twpol.txt
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol

Now re-run the database initialization; you *shouldn’t* see errors anymore:

tripwire --init
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /var/lib/tripwire/www.twd
The database was successfully generated.
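Commenting out the missing paths by hand gets tedious on a big policy. The script below is an added example, not from the original post, that does the same weeding automatically: it reads the "### Filename:" / "### No such file or directory" pairs from saved check output and prepends "#" to the matching rule lines in the text policy. It assumes Debian's one-rule-per-line layout for twpol.txt; the input and output file names are parameters.

```shell
#!/bin/sh
# Added example (not from the original post): comment out every rule in the
# text policy whose path the integrity check reported as
# "No such file or directory", instead of editing twpol.txt by hand.
# Assumes Debian's policy layout: one "path  -> $(RULE) ;" per line.

# missing_paths CHECK_LOG : print each path on a "### Filename:" line that is
# immediately followed by "### No such file or directory"
missing_paths() {
    awk '/^### Filename: / { f = substr($0, 15); next }
         /^### No such file or directory/ && f != "" { print f }
         { f = "" }' "$1"
}

# comment_missing CHECK_LOG POLICY_IN POLICY_OUT : copy POLICY_IN to POLICY_OUT
# with "#" prepended to rule lines whose path exactly equals a missing path.
# Only whole paths match, so /root stays active when /root/mail is missing.
comment_missing() {
    missing_paths "$1" > "$3.missing"
    awk 'FILENAME == ARGV[1] { missing[$0] = 1; next }
         {
             line = $0
             sub(/^[ \t]+/, "", line)          # strip indentation
             split(line, tok, /[ \t]+/)        # tok[1] is the rule path
             if (tok[1] in missing) sub(/^[ \t]*/, "&#")
             print
         }' "$3.missing" "$2" > "$3"
    rm -f "$3.missing"
}

# demo: constructed check output and policy excerpt (not real system output)
demo() {
    d=$(mktemp -d)
    cat > "$d/check.log" <<'EOF'
### Warning: File system error.
### Filename: /etc/rc.boot
### No such file or directory
### Continuing...
### Filename: /root/mail
### No such file or directory
EOF
    cat > "$d/twpol.txt" <<'EOF'
/etc/rc.boot   -> $(SEC_BIN) ;
/root          -> $(SEC_CRIT) ; # Catch all additions to /root
        /root/mail                     -> $(SEC_CONFIG) ;
        /root/.bashrc                  -> $(SEC_CONFIG) ;
EOF
    comment_missing "$d/check.log" "$d/twpol.txt" "$d/twpol.new"
    cat "$d/twpol.new"; rm -rf "$d"
}
```

On a real box you would save `tripwire --check` output to a file, run `comment_missing` against /etc/tripwire/twpol.txt, and review the new file before rebuilding tw.pol with twadmin.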

Now run a check of your system like:

tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/www-20190813-153915.twr
 
 
Open Source Tripwire(R) 2.4.2.2 Integrity Check Report
 
Report generated by:          root
Report created on:            Tue 13 Aug 2019 03:39:15 PM PDT
Database last updated on:     Never
 
===============================================================================
Report Summary:
===============================================================================
 
Host name:                    whatever
Host IP address:              1.2.3.4
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/www.twd
Command line used:            tripwire --check
 
===============================================================================
Rule Summary:
===============================================================================
 
-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------
 
  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Other binaries                  66                0        0        0
  Tripwire Binaries               100               0        0        0
  Other libraries                 66                0        0        0
  Root file-system executables    100               0        0        0
  Tripwire Data Files             100               0        0        0
  System boot changes             100               0        0        0
  (/var/log)
  Root file-system libraries      100               0        0        0
  (/lib)
  Critical system boot files      100               0        0        0
* Other configuration files       66                0        0        1
  (/etc)
  Boot Scripts                    100               0        0        0
  Security Control                66                0        0        0
* Root config files               100               0        0        2
  Devices & Kernel information    100               0        0        0
  Invariant Directories           66                0        0        0
 
Total objects scanned:  21610
Total violations found:  3
 
===============================================================================
Object Summary:
===============================================================================
 
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
 
-------------------------------------------------------------------------------
Rule Name: Other configuration files (/etc)
Severity Level: 66
-------------------------------------------------------------------------------
 
Modified:
"/etc/tripwire"
 
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
 
Modified:
"/root"
"/root/.viminfo"
 
===============================================================================
Error Report:
===============================================================================
 
No Errors
 
-------------------------------------------------------------------------------
*** End of report ***
 
Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.

Which tells us something changed in the folder /etc/tripwire, and also that /root and its .viminfo were modified, because we edited the policy with vi (aliased to vim).

Now let’s delete the .viminfo file, add a new file, and see if it triggers:

cd /root
rm .viminfo
touch somefile.txt
tripwire --init
tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/www-20190813-154856.twr
 
 
Open Source Tripwire(R) 2.4.2.2 Integrity Check Report
 
Report generated by:          root
Report created on:            Tue 13 Aug 2019 03:48:56 PM PDT
Database last updated on:     Never
 
===============================================================================
Report Summary:
===============================================================================
 
Host name:                    whatever
Host IP address:              1.2.3.4
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/www.twd
Command line used:            tripwire --check
 
===============================================================================
Rule Summary:
===============================================================================
 
-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------
 
  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Other binaries                  66                0        0        0
  Tripwire Binaries               100               0        0        0
  Other libraries                 66                0        0        0
  Root file-system executables    100               0        0        0
  Tripwire Data Files             100               0        0        0
  System boot changes             100               0        0        0
  (/var/log)
  Root file-system libraries      100               0        0        0
  (/lib)
  Critical system boot files      100               0        0        0
  Other configuration files       66                0        0        0
  (/etc)
  Boot Scripts                    100               0        0        0
  Security Control                66                0        0        0
* Root config files               100               1        0        1
  Devices & Kernel information    100               0        0        0
  Invariant Directories           66                0        0        0
 
Total objects scanned:  20797
Total violations found:  2
 
===============================================================================
Object Summary:
===============================================================================
 
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
 
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
 
Added:
"/root/somefile.txt"
 
Modified:
"/root"
 
===============================================================================
Error Report:
===============================================================================
 
No Errors
 
-------------------------------------------------------------------------------
*** End of report ***
 
Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.

So it flags that /root was modified and that somefile.txt was added, which means it works!
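The e-mailed report is written for a human reader; for alerting it helps to pull each violated object out as one machine-readable line. The script below is an added example, not part of the original post. It follows the Object Summary format shown in the reports above and assumes the report text was saved to a file (the path is an assumption).

```shell
#!/bin/sh
# Added example (not from the original post): turn the Object Summary of a
# plain-text integrity check report into one "KIND|RULE|OBJECT" line per
# violation, which is easier to alert on than the raw e-mailed report.
# Assumes the report was saved with: tripwire --check > /var/tmp/tw-check.txt

# report_violations REPORT_TXT : print the "Total violations found" count
report_violations() {
    awk -F': *' '/^Total violations found:/ { print $2 + 0 }' "$1"
}

# report_objects REPORT_TXT : list every Added/Removed/Modified object
# together with the rule that reported it
report_objects() {
    awk '
        /^Rule Name: / { rule = substr($0, 12); kind = ""; next }
        /^(Added|Removed|Modified):$/ { kind = substr($0, 1, length($0) - 1); next }
        /^"/ && rule != "" && kind != "" {
            print kind "|" rule "|" substr($0, 2, length($0) - 2)
        }
        /^=+$/ { rule = ""; kind = "" }   # a "====" separator ends the section
    ' "$1"
}

# demo: constructed report excerpt (not real output) in the format shown above
demo() {
    d=$(mktemp -d)
    cat > "$d/report.txt" <<'EOF'
Total violations found:  3
===============================================================================
Object Summary:
===============================================================================
Rule Name: Other configuration files (/etc)
Severity Level: 66
Modified:
"/etc/tripwire"
Rule Name: Root config files (/root)
Severity Level: 100
Added:
"/root/somefile.txt"
Modified:
"/root"
===============================================================================
Error Report:
EOF
    echo "violations=$(report_violations "$d/report.txt")"
    report_objects "$d/report.txt"
    rm -rf "$d"
}
```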

If you want more detail about either event, run the check interactively:

tripwire --check --interactive
...
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
  ----------------------------------------
  Added Objects: 1
  ----------------------------------------
 
Added object name:  /root/somefile.txt
 
  Property:            Expected                    Observed
  -------------        -----------                 -----------
* Object Type          ---                         Regular File
* Device Number        ---                         65025
* File Device Number   ---                         0
* Inode Number         ---                         131075
* Mode                 ---                         -rw-r--r--
* Num Links            ---                         1
* UID                  ---                         root (0)
* GID                  ---                         root (0)
* Size                 ---                         0
* Modify Time          ---                         Tue 13 Aug 2019 03:48:50 PM PDT
* Change Time          ---                         Tue 13 Aug 2019 03:48:50 PM PDT
* Blocks               ---                         0
* CRC32                ---                         D/////
* MD5                  ---                         DUHYzZjwCyBOmACZjs+EJ+

If you want to add other directories to check, you can just add a new rule at the end of the text policy. In this case, I added an email address so I’ll get an email report if it finds anything when I automate the process. To see if your email setup is working, try this first:

tripwire --test --email your@emailaddress.com
Sending a test message to: your@emailaddress.com

Make sure you got the email, then add a rule with that address to the text policy file like this, and rebuild the policy and database:

vi /etc/tripwire/twpol.txt
  ## Added later to check wordpress directories
  (
    rulename = "Wordpress",
    severity = $(SIG_MED)
  )
  {
          /var/www                -> $(SEC_BIN) ;
          emailto = your@emailaddress.com
  }
twadmin -m P /etc/tripwire/twpol.txt
tripwire --init
tripwire --check
...
-------------------------------------------------------------------------------
Rule Name: Wordpress (/var/www)
Severity Level: 66
-------------------------------------------------------------------------------
 
Added:
"/var/www/whoops"
 
Modified:
"/var/www"

Now automate the testing so you can get notification emails. Add this next line to root's crontab. This particular line will email every other day (odd-numbered days of the month) at 2 a.m., so change it to whatever you actually want. Use the full path to the binary, since cron's default PATH usually doesn't include /usr/sbin.

crontab -e
0 2 */2 * * /usr/sbin/tripwire --check --email-report