tripwire
Note: Only one string is allowed as a parameter to these directives, so quoting may be necessary to achieve the desired result. Examples:

    @@print "string"         # okay
    @@print "Two strings"    # okay
    @@print two strings      # ERROR

The print directive merely prints its arguments to stderr, while the error directive prints its arguments to stderr and then causes the calling program to exit with a status of 1.

TRIPWIRE 2.0 for Unix

Variables

The scope of a variable begins at the point where it is defined and extends to the end of the file. It is an error to use a variable before it has been defined. Examples of variable definition are:

    path  = /usr/local/lib/bigproject;
    mask1 = +pinugC-a;

Variable substitution is legal anyplace that a string could appear. The syntax for variable substitution is $(varname).

Variables may be used on the left-hand side of rules:

    # Set the variable
    path = /usr/local/lib/bigproject;
    # and now use it
    $(path)/src -> +pug;
    $(path)/exe -> +pugntmce;

Variables may also be used on the right-hand side of rules:

    # Set the variable
    mask1 = +pinugC-aH;
    # and now use it
    /home/projectA -> $(mask1);
    /home/projectB -> $(mask1)+MSH-db;

Variables may be used in directives:

    # Define a machine
    server = jupiter;
    @@ifhost $(server)
    etc.
    @@endif

Note, however, that tokens cannot
    ... $(ReadOnly) (rulename = "Web files", emailto = Brian);

This process will sign the specified clear text file, twpol.txt, using the site key and install it in the directory specified in the configuration file. For security reasons, you may want to delete the clear text version of the policy file at this time. You can confirm that your policy changes have taken effect by running tripwire in Integrity Checking mode.

Security Issue: Once the initial policy file has been generated, any changes should be made with the tripwire --update-policy command rather than by simply overwriting the policy file with the twadmin --create-polfile command. When a new policy file is created, the Tripwire database must be re-initialized. If an intruder has modified files since the last integrity check, these changes will not be detected and will be included as part of the new baseline database.

These rules specify that any violation of the OS executables rule is reported to Susan via email. Violations in the Web files rule will cause a report to be sent to Brian. To activate this feature, email reporting must be specified in the policy file and the --email-report option must be used:

2.  tripwire --check --email-report

This will generate a Tripwire report to stdout and also send email to the persons specified in the policy file, using the program specified by the MAILPROGRAM setting in the configuration
    Specify passphrase for local key when signing the secure report. Also used to write the database file in interactive mode. Only valid with -E or -I.

(table continued)

Argument                        Meaning

Scope of operation
-l level, --severity level      Check only policy rules equal to or greater than the given severity level. The level may be specified as a number or as a name. Severity names are defined as follows: Low = 33, Medium = 66, High = 100. Note: Rules which do not explicitly have a severity level set in the policy file have an implicit severity level of zero. Mutually exclusive with -R.
-R rule, --rule-name rule       Run only the specified policy rule. Mutually exclusive with -l.
-i list, --ignore list          Do not compute or compare the properties specified in list. Any of the letter codes abcdgimnpstulCHMS specified in property masks can be excluded. Use of this option overrides information from the policy file.
file1 [file2 ...]               List of files and directories that should be integrity checked. Default is all files. Overrides -l and -R.

Output
-n, --no-tty-output             Suppress the report from being printed at the console.
-r report, --twrfile report     Specifies that the binary output (.twr) file be written to the specified file.
-M, --email-report              Specifies that reports be emailed to the recipients designated in the policy file.
    twadmin --remove-encryption tw.cfg policy
    twadmin --generate-keys --site-keyfile key/site.key
    twadmin --encrypt tw.cfg policy

Usage                                                   Command

Update policy file to change files monitored by Tripwire    Run tripwire in Policy Update mode:
                                                                twadmin -m p > policy.pol.txt
                                                                vi policy.pol.txt
                                                                tripwire --update-policy policy.pol.txt
Get tripwire usage message                                  Print tripwire help:
                                                                tripwire --help
Get twprint usage message                                   Print twprint help:
                                                                twprint --help
Get twadmin usage message                                   Print twadmin help:
                                                                twadmin --help
Get siggen usage message                                    Print siggen help:
                                                                siggen --help
In cases of duplicate or contradictory symbols, only the last symbol is acted upon. For example:

    +p          compare permissions
    +p-p        ignore permissions
    +p-p+p      compare permissions
    -p+p-p      ignore permissions
    p           compare permissions
    -p          ignore permissions

Properties not specified are ignored, so not specifying a property in the mask and explicitly turning it off with a minus sign are equivalent operations. The minus sign becomes most useful when variables (see below) are used to specify part of the mask. For example:

It is an error to specify an empty selection mask. Specifying a selection mask that consists only of plus and minus characters is also an error. However, it is legal to specify a mask in which no properties are turned on. This is equivalent to specifying IgnoreAll and is useful for monitoring only deletion or addition of files.

    /temp -> +p-p;     # This is legal, but is equivalent to IgnoreAll
    /tmp  -> ;         # No property mask specified. This is not legal.

Characters which may be used to construct property masks:

Symbol   Description
-        Ignore the following properties
+        Record and check the following properties
p        Permission and file mode bits
i        Inode number
n        Number of links (i.e., inode reference count)
u        User id of owner
g        Group id of owner
t        File type
s        File size
l
Rule attributes are associated with individual (normal) rules according to the following syntax:

    object -> property_mask (attribute_list);

Example:

    /usr/lib -> $(ReadOnly) (emailto = admin@foo.com);

Rule attributes can also be specified for a group of rules:

    (attribute_list)
    {
        rule_list
    }

Example:

    (emailto = admin@foo.com)
    {
        /usr/lib  -> $(ReadOnly);
        /usr/sbin -> $(IgnoreNone);
    }

The following two sets of rules, single and scoped respectively, are equivalent:

    /usr/lib -> +pinug (emailto = admin@foo.com);
    /usr/bin -> +pinug (emailto = admin@foo.com);

    (emailto = admin@foo.com)
    {
        /usr/lib -> +pinug;
        /usr/bin -> +pinug;
    }

rulename

The rulename attribute is used to associate a symbolic name with one or more rules. This ability can be used to provide additional information in the report file. For example:

    /home/.login  -> $(ReadOnly) (rulename = rcfiles);
    /home/.cshrc  -> $(ReadOnly) (rulename = rcfiles);
    /home/.logout -> $(ReadOnly) (rulename = rcfiles);

The effect of these three lines is to associate the symbolic name rcfiles with the three objects named in the rules. In a report file, the results for these three rules would be flagged as originating from rules named rcfiles. This feature is useful if you wish to track certain objects within a large Tripwire database. For example, im
    # This is a comment
    /bin -> $(ReadOnly);    # A comment can go here too

Rules

Policy rules determine whether, and to what extent, Tripwire will check the integrity of particular files and directories. There are two kinds of policy rules recognized by Tripwire:

1. Normal rules define which properties of a particular file or directory tree Tripwire should scan.
2. Stop points tell Tripwire not to scan a particular file or directory.

Each of these policy rules is described in detail below. The meaning of a set of policy rules is unaffected by the order in which the rules appear.

Normal rules

A normal rule associates a system object with a property mask. The syntax for a normal rule is:

    # Defines tripwire behavior for the entire /bin directory tree
    /bin -> $(ReadOnly);

    # Defines tripwire behavior for a single file. In this case,
    # Tripwire watches all properties of hostname.hme0
    /etc/hostname.hme0 -> $(IgnoreNone);

    # Scan the entire /etc directory tree using mask1, except the file
    # /etc/passwd, which should be scanned using mask2
    /etc        -> $(mask1);
    /etc/passwd -> $(mask2);

Only one rule may be associated with any given object. If an object has more than one rule in a policy file, tripwire will print an error message and exit without scanning any files.

    # WARNING: this is an example of an illegal construct.
    # It is an error to specify more than one rule for a given object.
    objectname -> propert
(table continued)

m        Modification timestamp
c        Inode creation/modification timestamp
C        CRC-32, POSIX 1003.2 compliant 32-bit Cyclic Redundancy Check
M        MD5, the RSA Data Security, Inc. Message Digest Algorithm
S        SHA, the NIST Secure Hash Algorithm (NIST FIPS 180)
H        Haval, a strong 128-bit signature algorithm

Stop points

To specify that certain directories or files not be scanned, stop points are used. The syntax is:

    !objectname;

As with normal rules, the objectname is the fully qualified pathname for a directory or file, and a semicolon must terminate the stop point rule. Consider the case where a policy rule has been specified for /etc. The entire /etc directory tree will be scanned recursively. Using stop points, it is possible to have Tripwire ignore particular files in the /etc hierarchy.

    # Scan all of /etc recursively, but do not scan two particular
    # files present in the /etc hierarchy.
    /etc -> $(ReadOnly);
    !/etc/rc.d;       # ignore startup files
    !/etc/mnttab;     # ignore dynamic listing of mounted filesystems

As described above, only one rule may be associated with any given object. This includes all types of rules, not just simple rules. The following illustrates this point:

    # WARNING: this is an example of an illegal construct.
    # It is an error to specify more than one rule for a given object.
    /usr/bin -> $(mask3);
    !/usr/bin;
TRIPWIRE

Section contents
    Introduction ..................... 5-4
    Initializing the database ........ 5-5
    Checking integrity ............... 5-6
    Updating the database ............ 5-9
    Updating the policy file ......... 5-11

5 TRIPWIRE COMMAND REFERENCE

Introduction

The tripwire command runs in one of four modes: Database Initialization, Integrity Checking, Database Update, or Policy Update. In Database Initialization mode, Tripwire builds a database of system objects as described in the policy file. This database will serve as the baseline for later integrity checks. The Integrity Checking mode generates a report of additions, deletions, or changes for each object described in the policy file. By comparing the actual files residing on the system with the information stored in the database, Tripwire maintains system security. After running an integrity check, Database Update mode allows the Tripwire database to be updated with changes from an integrity check report. This process allows new information to be added to the database without having to regenerate the entire database. Policy Update mode provides a way to synchronize the database and policy files after changes are made to the policy file. This command enables the user to change the way that Tripwire scans the system without having to do a complete re-initializ
Rule attributes

Rule attributes provide additional information or modify Tripwire behavior, and are associated with normal rules. For example, if a policy rule is broken, rule attributes can specify an email address to which notification should be sent. Rule attributes use the following format:

    (attribute_name = attribute_value, attribute_name = attribute_value)

Rule attributes can take only one argument. To specify more than one address with the emailto rule attribute, the entire space-delimited list of addresses must be quoted:

    emailto = "one@machine.com two@machine.com"     # Correct
    emailto = one@machine.com two@machine.com       # Incorrect
    emailto = one@machine.com, two@machine.com      # Incorrect

Attribute names are case-insensitive. It is an error to specify attributes for a stop point rule or to set an attribute that is not associated with any rule. Attributes are hard-coded in Tripwire; the following are currently supported:

Attribute   Description
rulename    Name associated with rule. Default is the object name to which the rule applies.
severity    Numeric severity level associated with rule. Default is 0. Range is 0 to MAXINT (operating system dependent).
emailto     Email address(es) to which notification of any violations is sent. Default is none.
recurse     Recursively scan the contents of a directory. Default is true.
Argument                                Meaning

Mode of operation
-m c, --check                           Selects integrity checking mode.
-I, --interactive                       At the end of integrity checking, the resulting report is opened in an editor, where database updates can be easily specified using the ballot boxes included in the report. Updating the database in this fashion requires the local passphrase.

Reporting
-v, --verbose                           Verbose mode. Mutually exclusive with -s.
-s, --silent, --quiet                   Silent mode. Mutually exclusive with -v.

(table continued next page)

Configuration file overrides
-p polfile, --polfile polfile           Use the specified policy file.
-d dbfile, --dbfile dbfile              Use the specified database file.
-c cfgfile, --cfgfile cfgfile           Use the specified configuration file.
-S sitekey, --site-keyfile sitekey      Use the specified site key file to read the configuration and policy files.
-L localkey, --local-keyfile localkey   Use the specified local key file to read the database and write the report file. Also used to write the database file when --interactive is used.
-V editor, --visual editor              Use the specified editor to edit the report (ballot box). Only applies in interactive mode.

Unattended operation
-P passphrase, --local-passphrase passphrase
l        Indicates that the file is expected to grow. If the file is smaller than the last recorded size, it is reported. Useful for log files, where Tripwire can check to make sure that files do not shrink.
         Note: If a file grows from size A to size B, where B > A, no violation is reported and the TW database is not updated. The most recent information in the TW database is that the file has size A. If the file then shrinks in size from B to C, where A < C < B, again no violation is reported, because C is still larger than A. Without explicitly updating the database, these violations cannot be reported despite specifying this property.
d        Device number of the disk on which the inode associated with the file is stored.
b        Number of blocks allocated.
a        Access timestamp.
         Note: The a property is incompatible with the signature function properties (CMSH). In order to calculate the hash, the file must be opened and read, which changes the access timestamp. Specifying any of CMSH will always cause a violation of the a property. Because enumerating a directory's contents changes that access timestamp, specifying a in a directory rule will always cause a violation for the a property during the next integrity check. To avoid this behavior, use recurse = false in the rule attribute, set LOOSEDIRECTORYCHECKING = true in the configuration file, or add -a to the rule.

(table continued next page)
Second Floor, Portland, OR 97205, USA. Tel: 503-223-0280. Fax: 503-223-0182. www.tripwiresecurity.com. Email: tripwire@tripwiresecurity.com

1 INTRODUCTION

QUICK START

We recommend that you read and follow the steps below regardless of your previous Tripwire experience. This document will help you to quickly and properly configure, install, and use Tripwire.

Installing Tripwire

1. Read the README and Release Notes for the latest Tripwire information.
2. Read the Installation chapter of the User's Manual.
3. Copy the Tripwire install configuration file (install.cfg) from the distribution CD to the hard disk of the machine on which you wish to install the product.
4. Modify install.cfg to specify appropriate installation paths for your system.
5. Run install.sh [path/install.cfg].

Configuring Tripwire

6. Read the Running Tripwire chapter of the User's Manual for an overview of Tripwire fundamentals.
7. Read the Tripwire Policy File chapter of the User's Manual.
8. Modify the default policy file or create your own.
9. Read the Tripwire Configuration File chapter of the User's Manual.
10. Modify the Tripwire configuration file.

Running Tripwire

The next steps assume you are working from Tripwire's bin directory. Change paths and filenames as appropriate.

11. Install your customized configuration file:
        twadmin --create-cfgfile --site-keyfile key/site.key twcfg.txt
12. Install y
    The MAILPROGRAM variable must be set in the Tripwire configuration file. Email is sent to all persons specified by the emailto attribute in the policy file. One of two email reports is sent, according to the following rules: if the person is not in the set of rules that have violations, a "no violations found" email is sent; otherwise, the entire violation report is sent.
-E, --signed-report     Specifies that the Tripwire report will be signed. If no passphrase is specified on the command line, tripwire will prompt for the local passphrase.

(table continued next page)

Updating the database

The Integrity Checking mode looks for differences between the database and the system and creates a report of those changes. Database Update mode displays the report to the Tripwire administrator, who chooses which (if any) records in the database should be updated. Rule violations from the report specified on the command line will be listed with a series of ballot boxes. If no report is specified, tripwire will read in the report file defined by the REPORTFILE variable in the Tripwire configuration file. In the report, every rule violation will have a ballot box:

    Modified:
    [x] /usr/local/tw    drwxr-xr-x root 0    512  Tue Nov 17 13:36:50 1998

The entries to be updated are specified by leav
5 TWADMIN COMMAND REFERENCE

Creating a policy file

This command mode designates an existing clear text file as the new policy file for Tripwire. The clear text policy file must be specified on the command line. Using the site key, the new policy file is encoded and saved. Although you can modify a policy file and save the new version using this command mode, it is strongly recommended that you use tripwire in Update Policy mode instead. Using twadmin --create-polfile forces a database re-initialization, because the records in the old database will no longer match the rules specified in the policy file. This gives tacit (and possibly incorrect) approval that the current state of the filesystem is an appropriate baseline for future integrity checks. Unless you are certain that your system has not been compromised since your last integrity check, you should run tripwire --update-policy instead. This command mode updates the policy and the database simultaneously, checking for possible policy violations as it goes. See the tripwire section of the Tripwire Command Reference for more details.

Argument                 Meaning

Mode of operation
-m P, --create-polfile   Takes the specified clear text file (see Input below) and stores it as a binary encoded Tripwire policy file.

Reporting
-v, --verbose            Verbose mode. Mutually exclusive with -s.
-s, --silent             Silent mode. Mutually exclusive
    cryptographic signing from configuration, policy, database, or report files. Multiple files may be specified on the command line. The user will need to enter the appropriate local or site keyfile (or both, if a combination of files is to be verified). With the -K or --keyfile flag, the user can force the use of a specific keyfile regardless of the file types to be verified. Even with cryptographic signing removed, these files will be in a binary encoded form which is unreadable to humans (see table next page).

-L localkey, --local-keyfile localkey          Specify the local keyfile to use to remove cryptographic signing for database files and reports.
-S sitekey, --site-keyfile sitekey             Specify the site keyfile to use to remove cryptographic signing for configuration and policy files.

Unattended operation
-P passphrase, --local-passphrase passphrase   Specify passphrase to use with the local keyfile when removing cryptographic signing from database files and reports.
-Q passphrase, --site-passphrase passphrase    Specify passphrase to use with the site keyfile when removing cryptographic signing from the configuration and policy files.

File conversion
file1 [file2 ...]                              List of files from which cryptographic signing is to be removed.

This command mode allows the user cryptogr
    always printed to stderr, but if security is set to high, no files are changed if any errors occur. Default is low.

Input
policyfile.txt    Specifies the clear text policy file that will become the new encoded and signed policy file.

TWPRINT

Section contents
    Running twprint .................. 5-16
    Printing a database file ......... 5-16
    Printing a report file ........... 5-17

5 TWPRINT COMMAND REFERENCE

Running twprint

Tripwire database files are binary encoded and signed. Tripwire report files are encoded and may optionally be signed. The twprint application provides a way to view these files in clear text form. Valid command line arguments for each mode are shown. The following conventions are used:

    [-f filename]    Optional arguments are in square brackets. All other arguments are required.
    -m {I|D|P|Z}     Arguments that must be chosen from a set are in curly braces.

Printing a database file

The tripwire application can create and update database files, but it cannot print them. This mode prints the contents of a Tripwire database. Note: If no database is specified under the --dbfile command line option, the default database will be used. The default database is specified by the DBFILE variable in the configuration file (either tw.cfg or the con
    be included in variable substitutions, and therefore the following would not work (the || construct is a token):

    # Define a variable listing all machines in sales
    sales_department = jupiter || mars || pluto || mercury;
    @@ifhost $(sales_department)     # ERROR
    etc.
    @@endif

Variables that are not predefined by Tripwire may be overridden by the user. However, it is not legal to override variables predefined by Tripwire (see below).

    # This is fine
    mask = +p;
    fileA -> $(mask);
    mask = +ptu;
    fileB -> $(mask);

The following are all examples of improper use:

    # WARNING: these are examples of illegal constructs.
    # It is an error to replace a literal token with a variable
    arrow = ->;
    /file $(arrow) +pug;
    # It is an error to replace a directive with a variable
    ifhostnameis = @@ifhost;
    $(ifhostnameis) kirk
    # It is an error to override a pre-defined variable
    ReadOnly = +pinugsmCMSH-ac;

Predefined variables

Symbol       Description
ReadOnly     File is read-only. Expands to +pinugsmtdbCM-acSH.
Dynamic      File changes. Expands to +pinugtd-sacmbCMSH.
Growing      File is a log file which can grow but not shrink. Expands to +pinugtdl-sacmbCMSH.
IgnoreAll    Ignore all attributes. Expands to -pinusgslamctdbCMSH.
IgnoreNone   Ignore no attributes. Expands to +pinusgsamctdbCMSH-l.
Device       Device file. Expands to
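The property-mask rules stated in the Property masks section (a sign governs the letters after it, the last occurrence of a letter wins, empty or sign-only masks are errors, a mask with nothing turned on is legal) and the variable rules stated here (substitution with $(name), no use before definition, no overriding of predefined variables) can be checked mechanically. The resolver below is an added example, not code from the Tripwire manual or product; it goes slightly beyond the text by also applying the LOOSEDIRECTORYCHECKING mask from the Configuration Reference and flagging the access-time conflicts noted for the a property. The predefined expansions are transcribed from the table above with the +/- signs that the scan dropped put back (an assumption about sign placement only); mask1 is the manual's own example variable.

```python
"""Resolver for Tripwire 2.0 policy-file property masks.

Added example; this is not code from the Tripwire manual or product.
It applies the mask rules the manual states: a '+' or '-' sign applies
to the property letters that follow it, letters before any sign are
checked ('+'), the last occurrence of a letter wins, an empty mask or a
mask made only of signs is an error, and a mask that turns nothing on is
legal (it behaves like IgnoreAll).
"""
import re

# The 17 property letters the manual lists for masks and --ignore lists.
PROPERTIES = frozenset("abcdgimnpstulCHMS")
HASHES = frozenset("CMSH")  # signature properties, incompatible with 'a'

# Predefined variables as printed in the manual's table, with the +/-
# signs the scan dropped put back (assumption: sign placement only).
PREDEFINED = {
    "ReadOnly":   "+pinugsmtdbCM-acSH",
    "Dynamic":    "+pinugtd-sacmbCMSH",
    "Growing":    "+pinugtdl-sacmbCMSH",
    "IgnoreAll":  "-pinusgslamctdbCMSH",
    "IgnoreNone": "+pinusgsamctdbCMSH-l",
}

# Mask the manual says LOOSEDIRECTORYCHECKING=true appends to every
# directory rule.
LOOSE_DIR_MASK = "-snacmblCMSH"

_VAR_RE = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")


class PolicyError(ValueError):
    """A construct the manual says is an error in a policy file."""


def substitute(text, variables):
    """Expand $(name) references; predefined names cannot be redefined."""
    clash = set(variables) & set(PREDEFINED)
    if clash:
        raise PolicyError(f"cannot override predefined variable(s) {sorted(clash)}")

    def lookup(match):
        name = match.group(1)
        if name in PREDEFINED:
            return PREDEFINED[name]
        if name not in variables:
            raise PolicyError(f"variable {name} used before it was defined")
        return variables[name]

    for _ in range(8):  # a variable's value may itself reference variables
        expanded = _VAR_RE.sub(lookup, text)
        if expanded == text:
            return expanded
        text = expanded
    raise PolicyError("variable references nest too deeply")


def resolve_mask(mask, variables=None, is_directory=False, loose_dir=False):
    """Return (set of checked property letters, list of warnings).

    is_directory and loose_dir model the LOOSEDIRECTORYCHECKING option
    and the manual's note that checking 'a' on a directory always violates.
    """
    mask = substitute(mask, variables or {})
    if loose_dir and is_directory:
        mask += LOOSE_DIR_MASK
    if not mask:
        raise PolicyError("empty selection mask")
    if all(ch in "+-" for ch in mask):
        raise PolicyError("selection mask consists only of + and -")

    checked, on = set(), True          # letters before any sign are checked
    for ch in mask:
        if ch == "+":
            on = True
        elif ch == "-":
            on = False
        elif ch in PROPERTIES:
            if on:
                checked.add(ch)
            else:
                checked.discard(ch)    # last occurrence wins
        else:
            raise PolicyError(f"unknown property letter {ch!r}")

    warnings = []
    if "a" in checked and checked & HASHES:
        warnings.append("a with a hash (CMSH): reading the file to hash it "
                        "updates the access time, so a always violates")
    if "a" in checked and is_directory:
        warnings.append("a on a directory: enumerating its contents updates "
                        "the access time, so a always violates")
    return checked, warnings


if __name__ == "__main__":
    # Constructed policy fragment using the manual's example variable mask1.
    user_vars = {"mask1": "+pinugC-a"}
    for rule in ("+p-p", "-p+p", "$(ReadOnly)", "$(ReadOnly)+a", "$(mask1)"):
        props, warns = resolve_mask(rule, user_vars)
        print(f"{rule:15} -> {''.join(sorted(props)):20} {warns}")
    props, warns = resolve_mask("$(ReadOnly)", is_directory=True, loose_dir=True)
    print("directory under loose checking ->", "".join(sorted(props)))
```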
    file.

3 CONFIGURATION REFERENCE

Introduction

The Tripwire configuration file contains information describing a variety of adjustable parameters that affect Tripwire operation. Although some parameters are generated by the installation script, others may need to be set by the Tripwire administrator. This chapter describes the format of the configuration file and consists of the following sections:

    Overview ................................ 3-2
    Components of the configuration file .... 3-2
    Comments ................................ 3-2
    Variables ............................... 3-3
    Minimum configuration file .............. 3-6
    Installing on multiple systems .......... 3-6

Overview

When Tripwire is first installed on a system, the installation script will read the installation configuration file (install.cfg) unless an alternate configuration file is specified on the command line. By default, the installation script will create an encoded and signed Tripwire configuration file (tw.cfg) in the /usr/TSS/bin directory and a clear text copy of this configuration file (twcfg.txt) in the same directory. Note that the install.cfg file is used only once, to designate target directories during the initial installation of the Tripwire software. See Chapter 1, Installing Tripwire,
    for more information. The Tripwire configuration file is modified using the twadmin --create-cfgfile command. With this command, the user can designate an existing clear text file as the current configuration file. Using the current site key and passphrase, the new configuration file is encoded, signed, and saved. For example:

    twadmin --create-cfgfile --site-keyfile key/site.key configfile.txt

Components of the configuration file

The Tripwire configuration file is structured as a list of keyword-value pairs and may also contain comments and variable definitions. The syntax for the configuration file is similar to, but not identical with, the syntax used for the policy file described in Chapter 4.

Comments

Any lines with # in the first column are treated as comments. For example:

    # This is a comment in the TW config file

Variables

The general syntax for variable definition is:

    keyword = value

For example:

    EDITOR = /usr/local/bin/jove

Variable substitution on the right-hand side is permitted, using the syntax $(varname). For example:

    DBFILE = $(ROOT)/db/$(HOSTNAME).db

Variable names are case-sensitive and may contain all alphanumeric characters, underscores, the characters and period. It is an error to use a variable before it has been defined. Certain variables are read-only, and attempti
    if Tripwire is set to run every morning at 3 AM, for instance. When an encoded and signed file needs to be read, Tripwire uses the public key to remove encryption from the file. When one of these files needs to be modified, Tripwire uses the private key and prompts for the site or local passphrase. Only individuals authorized to modify Tripwire files should have access to these passphrases. Public and private keys always work together in pairs. To simplify key management in Tripwire, both of these keys are stored together in a single keyfile.

Site and local keys

Tripwire protects the policy and configuration files with the same public/private key pair, called the site key. The database file uses a separate public/private key pair, called the local key. In the Tripwire configuration file, the LOCALKEYFILE and SITEKEYFILE variables specify where on disk the local and site key files, respectively, are stored.

Note: The configuration file embeds a copy of the public key. This is because key file locations are stored in the configuration file, which must be encoded and signed. Tripwire programs extract this public key and use it for verification when accessing configuration files.

Keyfiles are required for reading encoded Tripwire files. If a keyfile is lost, it is impossible to read the Tripwire files that have been encoded with that keyfile. Standard security procedures should be in pla
    of operation. The twadmin utility is used to perform certain administrative functions related to Tripwire files and configuration options. Specifically, twadmin allows binary encoding/decoding and cryptographic signing/verifying of Tripwire files, and provides a means to generate local and site keys. Valid command line arguments for each mode are shown. The following conventions are used:

    [-f filename]    Optional arguments are in square brackets. All other arguments are required.
    -m {I|D|P|Z}     Arguments that must be chosen from a set are in curly braces.

This command mode designates an existing clear text file as the new configuration file for Tripwire. The clear text configuration file must be specified on the command line. Using the site key, the new configuration file is encoded, signed, and saved.

(table continued)

Argument                                      Meaning

Security settings
-e, --no-encryption                           Do not sign the configuration file. The configuration file will still be stored in a binary encoded form and will not be human-readable. Mutually exclusive with -Q and -S. Either -e or -S must be specified.

Unattended operation
-Q passphrase, --site-passphrase passphrase   Specifies passphrase to be used with site key for signing the configuration file. Valid only in conjunction with -S.

Input
configfile.txt                                Specifies the clear text configuration file that
    policy file creation and updating, and report generation. Examples of other useful Tripwire features are also presented.

    Tripwire files ............................ 2-2
    Tripwire cryptographic keys ............... 2-3
    Tripwire programs ......................... 2-3
    Walkthrough ............................... 2-4
    Writing and installing the policy file .... 2-4
    Initializing the database ................. 2-4
    Checking integrity ........................ 2-5
    Updating the database ..................... 2-5
    Updating the policy file .................. 2-6
    Using email reporting ..................... 2-7

2 RUNNING TRIPWIRE

Tripwire files

Tripwire run-time operation is affected by the configuration, policy, and database files. Each of these files allows you to control a separate aspect of Tripwire behavior. Together, these files ensure the security and integrity of your system. The configuration file stores system-specific information, such as the location of the Tripwire data files. Some of this information is generated by the Tripwire installation script, but other parameters may need to be changed by the system administrator. See Chapter 3, Configuration Reference, for more details. The policy file describes the system objects to be monitored and the allowed changes. Should unexpected changes occur, the policy file can describe the person to be notified and the severity of the violation. See Chapter 4, Policy Reference, for more details. The
    this information to the database, Tripwire verifies that no information conflicts with information already in the database. For example, suppose that after the last integrity check a rule existed for /bin and resulted in information being stored about /bin/login. Then, unknown to the administrator, an intruder deletes /bin/login. Meanwhile, the Tripwire administrator decides to modify the rule for /bin. When Tripwire is run in Update Policy mode, it gathers information from the file system for this new rule. Unfortunately, no record for /bin/login will be created; it has been deleted by the intruder. However, Tripwire will detect that the old rule used to cover /bin and that there used to be a record for /bin/login. Therefore, /bin/login will be reported as a conflict. The same concept applies to both added and modified files. If properties specified in the property mask differ, a warning is printed. These conflicts should be treated with the same seriousness as integrity checking violations. For this reason, it is recommended that you always run Update Policy mode with --secure-mode high, so that these situations can be detected and appropriate actions taken. Note that this does not apply to file system objects and properties that the new policy file expressly excludes. Consequently, no warnings are generated for changes to files or properties you no longer
    ....................................... 3-2
    Variables ............................... 3-3
    Minimum configuration file .............. 3-6
    Installing on multiple systems .......... 3-6

4 Policy reference
    Overview ................................ 4-2
    Comments ................................ 4-2
    Rules ................................... 4-2
    Normal rules ............................ 4-2
    Object names ............................ 4-3
    Property masks .......................... 4-6
    Stop points ............................. 4-9
    Rule attributes ......................... 4-10
    rulename ................................ 4-12
    severity ................................ 4-12
    emailto ................................. 4-13
    recurse ................................. 4-13
    Directives .............................. 4-14
    Conditional interpretation .............. 4-15
    Message reporting ....................... 4-16
    Indicating end of file .................. 4-17
    Variables ............................... 4-17
    Predefined variables .................... 4-19

5 Command reference
    Command introduction .................... 5-2
    tripwire ................................ 5-3
    Introduction ............................ 5-4
    Initializing the database ............... 5-5
    Checking integrity ...................... 5-6
    Updating the database ................... 5-9
    Updating the policy file ................ 5-11
    twprint ................................. 5-16
    Printing a database file ................ 5-16
    Printing a report fi
26. Initial value: false. (3-4, table continued next page)
LOOSEDIRECTORYCHECKING (required: no). When a file is added to or removed from a directory, Tripwire reports both the changes to the file itself and the modification to the directory (size, number of links, etc.). This can create redundant entries in Tripwire reports. With loose directory checking, Tripwire will not check directories for any properties that would change when a file is added or deleted. This includes size, number of links, access time, change time, modification time, number of blocks, growing file, and all hashes. If the value for this variable is true (case sensitive), then loose directory checking is turned on and these properties will be ignored for all directories. Turning loose directory checking on is equivalent to appending the following property mask to the rules for all directory inodes: -snacmblCMSH. Initial value: false.
3 CONFIGURATION REFERENCE. Minimum configuration file: The following is an example of the minimum configuration file requirements for a Tripwire configuration file. Note that the values specified here are merely examples; the important point is that each of the variables below must have some valid assigned value.
POLFILE /usr/local/tw/policy/tripwire.pol
DBFILE /usr/local/tw/db/tripwire.db
REPORTFILE /usr/local/tw/report/tripwire.twr
SITEKEYFILE /usr/local/tw/ke
27. OOT/bin. 1 INSTALLING TRIPWIRE. Target directories: the table below shows each installer target directory as well as its default setting.
TWROOT (default /usr/TSS): The root directory for the Tripwire distribution. The default installation places all Tripwire files underneath this directory.
TWBIN (default TWROOT/bin): Program executables. Contains all Tripwire program executables and the Tripwire configuration file.
TWPOLICY (default TWROOT/policy): Policy files. Contains the Tripwire policy files.
TWMAN (default TWROOT/man): Manual pages. Contains the Tripwire manual pages.
TWDB (default TWROOT/db): Database files. Contains all the Tripwire database files created from the system policy files.
TWSITEKEYDIR (default TWROOT/key): Site key. Contains the site cryptographic key used by Tripwire to secure configuration and policy files.
TWLOCALKEYDIR (default TWROOT/key): Local key. Contains the local cryptographic key used by Tripwire to secure database files and reports.
TWREPORT (default TWROOT/report): Generated reports. Contains output of Tripwire integrity checks. Each integrity checking run will create a file in this directory for archival purposes.
CLOBBER (default false): Specifies whether the installer will overwrite existing files. By default, the installer will not overwrite existing files. When files would be overwritten,
28. PPENDICES. Cryptography: For background information and references on cryptography, please consult the Cryptography FAQ references available on the Internet via anonymous FTP to rtfm.mit.edu, then proceed to pub/usenet/news.answers/cryptography-faq. The same information can be found on the Web at http://www.faqs.org/faqs/cryptography-faq. Important: in the aforementioned FAQ an example is given in which public keys allow encryption only and private keys allow decryption as well as encryption. Tripwire's keys work in the opposite fashion: public keys allow decryption only, while private keys allow encryption as well as decryption.
6 APPENDICES. File signatures: When a Tripwire database is created, all pertinent attributes for objects to be monitored are stored in the database. However, to detect file changes it is not sufficient merely to compare file attributes. For example, it is possible to change a file without changing its size or modification date with the appropriate user privileges. This provides the motivation also to store file signatures: small, fixed-size values that are generated from the object data, i.e. the file contents. The Unix sum(8) is a trivial example of such a signature, called a checksum. However, because it merely adds all the values of all the characters in the file together and truncates the sum to 16 bits, sum(8) is not a very suitable signature for Tri
29. Purdue University and distributed by Tripwire Security Systems, Inc. under exclusive license arrangements.
Using configuration file install.cfg. This program will copy Tripwire files to the following directories:
TWROOT /usr/TSS
TWBIN /usr/TSS/bin
TWPOLICY /usr/TSS/policy
TWMAN /usr/TSS/man
TWREPORT /usr/TSS/report
TWDB /usr/TSS/db
TWSITEKEYDIR /usr/TSS/key
TWLOCALKEYDIR /usr/TSS/key
CLOBBER is false.
Continue with installation? (y/n)
If any of the install target directories already exists, files could potentially be overwritten. You should be certain before proceeding that overwriting Tripwire files in the directories listed is acceptable. Inspect the list of directories that the installer will use. If you are satisfied that the list is correct, type "y" to proceed with the installation.
1 INSTALLING TRIPWIRE. Generating cryptographic keys and signed files: When file copying is completed, the install script creates the site and local key files. This process may take several minutes. If you have not specified passphrases on the installer command line, you will be prompted for the site and local passphrases. At the end of this process the installer will create signed policy and configuration files. A clear text copy of the Tripwire configuration file is preserved in the TWBIN directory as twcfg.txt. If you wish to change configuration settings, you can modif
30. REFERENCE (continued).
Policy file printing mode: m p / print polfile: Selects policy file printing mode. Output is sent to stdout.
Reporting: v / verbose: Verbose mode. Mutually exclusive with s. s / silent / quiet: Silent mode. Mutually exclusive with v.
Configuration file overrides (input): c cfgfile / cfgfile cfgfile: Use the specified configuration file. p polfile / polfile polfile: Print the specified policy file. S sitekey / site keyfile sitekey: Use the specified site key file.
Remove encryption mode: m R / remove encryption: Remove cryptographic signing for one or more files. The type of each file will be examined and the appropriate key (local key for databases and reports, site key for configuration and policy files) will be used to remove signing from it. The file will then be rewritten unsigned. Files will remain in binary encoded format.
Reporting: v / verbose: Verbose mode. Mutually exclusive with s. s / silent / quiet: Silent mode. Mutually exclusive with v.
Configuration file: c cfgfile / cfgfile cfgfile: Use the specified configuration file.
Key files: K key / keyfile key: Specify the keyfile to use to remove cryptographic signing from the files. twadmin will attempt to use this key for all files without regard to the file type. The local passphrase will be used with this key.
Removing encryption: This command mode allows the user to remove encryption from
31. a warning is printed and the file copy is skipped. An exception is the configuration and policy files: to ensure a self-consistent installation, new copies of these files are always produced. Any existing configuration or policy files are saved with a .bak extension. Replace false with true if you wish to overwrite all files without warning.
1 INSTALLING TRIPWIRE. With the default settings shown above, the installer will create the following directory tree on your system:
/usr/TSS (TWROOT)
  README
  Release_Notes
  bin (TWBIN): siggen, tripwire, tw.cfg, twcfg.txt, twadmin, twprint
  db (TWDB)
  key (TWSITEKEYDIR): site.key
  key (TWLOCALKEYDIR): machinename-local.key
  policy (TWPOLICY): tw.pol, twpol.txt, policyguide.txt
  report (TWREPORT)
  man (TWMAN): man4: twconfig.4, twpolicy.4; man5: twfiles.5; man8: siggen.8, tripwire.8, twadmin.8, twintro.8, twprint.8
1-4 TRIPWIRE 2.0 for Unix. 1 INSTALLING TRIPWIRE. Tripwire cryptographic keys: After the installation script has copied all files to your machine, Tripwire will sign sensitive files using public/private key cryptography. This prevents an intruder from modifying your policy, configuration and database files. Tripwire uses two separate key files for this operation. Keyfile types: Your site key is used to sign Tripwire files that can be shared among many machines. This key is used for
32. acters. The escaped sequences are interpreted in the same way as in the C language. The following examples define allowable sequences:
- octal numbers (\412): 1, 2 or 3 octal digits
- hex numbers (\x2AFB1): \x followed by one or more hex digits
- characters \t \v \b \r \f \a \\ ; all other escaped characters are treated as if not escaped
Examples: "test" gives test; "te\x73t2" gives test2; "te\163t3" gives test3; tes\t is ILLEGAL (escape sequences are only valid in double quotes).
"c:\program files" -> ReadOnly
"c:\bang\doc" -> ReadOnly
Object names are concatenated; whitespace inserted between or within object names is ignored. Quotes are also ignored unless inside a quoted string and preceded by a backslash. This allows more flexible handling of variable substitution and quoting.
Tripwire recurses into directories, but only within the current filesystem. In other words, Tripwire does not cross mount points. More specifically, Tripwire will not recurse into any subdirectories which have a different device number, as returned from lstat(2).
4 POLICY REFERENCE. For example, if /usr/local is a mount point, then
/usr -> pinugsmc-a
mask pinug (define a variable called mask)
file -> mask-g (use the mask defined by mask, but turn off property g) wou
33. aphically to sign configuration, policy, database files or reports. Multiple files may be specified on the command line. The files will be signed using either the site or local key, as appropriate for the file type. To automate the process, the passphrase for the keyfiles can be included on the command line.
Encrypting a file. Mode of operation: m E / encrypt: Sign one or more files. Target files must be currently unsigned. Each file will be signed using either the site or local key, as appropriate for the type of file. The keyfile used for either site or local key may be overridden using the S or L option.
Reporting: v / verbose: Verbose mode. Mutually exclusive with s. s / silent / quiet: Silent mode. Mutually exclusive with v.
Configuration file: c cfgfile / cfgfile cfgfile: Use the specified configuration file.
Key files: L localkey / local keyfile localkey: Specify the local keyfile to use to sign database files and reports. S sitekey / site keyfile sitekey: Specify the site keyfile to use to sign configuration and policy files.
5 TWADMIN COMMAND REFERENCE. Examining the encryption status of a file: This command allows the user to examine the listed files and print a report of their encryption status. This report displays the filename, file type, whether or not a file is signed, and what key, if any, is used to sign it. Argument / Mod
34. are reported as warnings, but the changes are made to the database.
Configuration file overrides (input): p policyfile / polfile policyfile: Use the specified policy file. c cfgfile / cfgfile cfgfile: Use the specified configuration file. d dbfile / dbfile dbfile: Update the specified database file. S keyfile / site keyfile keyfile: Use the specified site key file to read the configuration and policy files. L keyfile / local keyfile keyfile: Use the specified local key file to read and write the database and to read the report file. V editor / visual editor: Use the specified editor to edit the update ballot box. Mutually exclusive with a. r report / twrfile report: Read the specified report file.
5-10 (table continued next page). Updating the policy file: Policy update mode is used by tripwire to change or update the policy file and to synchronize an earlier database with new policy file information. The filename of the new clear text version of the policy file is specified on the command line. The new policy file is compared to the existing version and the database is updated according to the new policy rules. Any changes in the database since the last integrity check will be detected and reported. How these violations are interpreted depends on the security mode specified with th
35. ation of the database. Valid command line arguments for each mode are shown in the sections below. The following conventions are used: [f filename]: optional arguments are in square brackets; all other arguments are required. m {I D P Z}: arguments that must be chosen from a set are in curly braces.
5 TRIPWIRE COMMAND REFERENCE. Initializing the database: When run in Database Initialization mode, tripwire reads the policy file, generates a database based on its contents, and then cryptographically signs the resulting database. The database will be created in the location specified by the DBFILE variable in the Tripwire configuration file, unless another location is specified on the command line. Additional command line options can be entered to specify which policy, configuration and key files are used to create the database. If no options are specified, the default values from the current configuration file are used.
Mode of operation: m i / init: Selects database initialization mode. Create the baseline Tripwire database from the specified policy file.
Reporting: v / verbose: Verbose mode. Mutually exclusive with s. s / silent / quiet: Silent mode. Mutually exclusive with v.
Configuration file overrides (input): p polfile / polfile polfile: Use the specified policy file. c cfgfile / cfgfile cfgfile: U
36. Name / Required / Set by installer / Description:
POLFILE / yes / yes / Default policy file. Initial value: ROOT/policy/tw.pol.
DBFILE / yes / yes / Default database file. Initial value: ROOT/db/HOSTNAME.db.
REPORTFILE / yes / yes / Specifies name of generated reports. Initial value: ROOT/report/HOSTNAME-DATE.twr.
SITEKEYFILE / yes / yes / Specifies default site key file. Initial value: ROOT/key/site.key.
LOCALKEYFILE / yes / yes / Specifies default local key file. Initial value: ROOT/key/HOSTNAME-local.key.
The following variables are not required to run Tripwire, but some of the program's functionality will be lost without them.
EDITOR / no / yes / Specifies editor to be used in any interactive mode. If EDITOR is not defined and no editor is specified on the command line, specifying interactive mode will cause an error. The editor specified must be able to take a filename as a command line parameter. If the process is killed, it must exit with a non-zero status. Initial value: /bin/vi.
LATEPROMPTING / no / Prompt for passphrases as late as possible to minimize the amount of time that the password is stored in memory. If the value is true (case sensitive), then late prompting is turned on. If it is set to any other value or is removed from the configuration file, its value is interpreted as false and late prompting is turned off.
37. ce to prevent discovery of passphrases by physical observation of keyboards or monitors (directly, via video camera, etc.) or by unauthorized electronic monitoring of your network. Note that the passphrases are not stored anywhere on disk; therefore they cannot be discovered by examining your system disks.
Security Issue: Although you can use the same private key for all machines in your network, it may not be advisable. Sharing a key amongst machines means that if the passphrase for that key is discovered, security of all machines in the domain could be compromised. Of course, using different keys requires memorization, or recording in a secure place, of passphrases for all of the keys. For a large number of machines this may be impractical. A reasonable compromise for installations with numerous machines would be to divide the machines into a manageable number of groups and assign a different private key and passphrase for each group.
Tripwire can only use one site key and one local key per process. This means that the configuration and policy files for any given command must be protected by the same site key. Likewise, database and report files must be protected by the same local key. For example, if host.db was signed using localkey1 and host.twr was signed with localkey2, the following command line will generate an error: tripwire update dbfile host.db twrfile myhost.twr
6 A
38. database file serves as the baseline for integrity checking. After the database is created, the Tripwire integrity checker compares each system object in the policy file against its actual entry in the database. If an object has changed outside of constraints defined in the policy file, a violation is reported. Once the three files have been created, Tripwire can generate reports that describe the differences between the actual system and the data contained in the Tripwire database. This information is archived into report files: a collection of rule violations discovered during an integrity checking run. It is critical that Tripwire files be protected; an attacker who is able to modify these files can subvert Tripwire operation. For this reason, all of the files above are signed using public key cryptography to prevent unauthorized modification.
2 RUNNING TRIPWIRE. Tripwire cryptographic keys: Two separate sets of keys generated during the Tripwire installation process protect critical Tripwire data files. One or both of these key sets is necessary for performing almost every Tripwire task. The site key is used to protect files that could be used across several systems. These files include the policy and configuration files. The local key is used to protect files specific to the local machine, such as the Tripwire database. This key may also be used for signing integrity check reports. Security Issue: You may a
39. directly from any binary report file using the following command: tripwire update twrfile /report/reportfile.twr
Initializing the database: After installing the policy file, the next step is to create the baseline Tripwire database. To do so, run the tripwire program in Database Initialization mode: tripwire init
Security Issue: The EDITOR environment variable is not used by Tripwire. This is to reduce the exposure to Trojan Horse attacks; for example, the EDITOR environment variable could be changed to run an untrusted program with malicious side effects.
2 RUNNING TRIPWIRE. Updating the policy file: If you wish to update the Tripwire policy file, you will need to save it as a clear text file, edit it, and install it as the new policy file, similar to the first step in this walkthrough:
twadmin print polfile > policy/twpol.txt  (print out the policy file)
vi policy/twpol.txt  (edit the file)
tripwire update polfile policy/twpol.txt  (install the new policy file)
Using email reporting: Email reporting adds considerable flexibility to Tripwire policies. Consider the following policy that describes two distinct areas of responsibility distributed between two administrators:
/bin -> ReadOnly (rulename = OS executables, emailto = Susan)
/http ->
40. du, and nisc.jvnc.net. MD5 generates a 128-bit signature and uses four rounds to ensure pseudo-random output. Throughput (Mbyte/sec): 167 MHz UltraSPARC 1: 8.1; 100 MHz Intel Pentium: 3.1.
SHA/SHS: SHS is the NIST Digital Signature Standard, called the Secure Hash Standard, and is described in NIST FIPS 180. Tripwire refers to it as the SHA, or Secure Hash Algorithm, because Tripwire uses a non-certified implementation and cannot claim standards conformance. SHS generates a 160-bit signature. Throughput (Mbyte/sec): 167 MHz UltraSPARC 1: 1.5; 100 MHz Intel Pentium: 0.8.
Haval: Haval was written by Yuliang Zheng at the University of Wollongong and is described in Zheng, Y., Pieprzyk, J., Seberry, J. (1993). "HAVAL, a one-way hashing algorithm with variable length of output." In Advances in Cryptology, AUSCRYPT '92, Lecture Notes in Computer Science, Springer-Verlag. Haval is shipped with Tripwire configured similarly to the other signature algorithms: 128-bit signature using four passes. Throughput (Mbyte/sec): 167 MHz UltraSPARC 1: 6.8; 100 MHz Intel Pentium: 3.6.
CRC-32: Cyclic Redundancy Checks have long been the de facto error detection algorithm standard. These algorithms are fast, robust, and provide reliable detection of errors associated with data transmission. CRC-32 is provided as a fast but insec
41. e Z or secure mode option. In high security mode, Tripwire will print a list of violations and exit without making changes to the database. In low security mode (the default), the violations are still reported, but changes to the database are made automatically.
5 TRIPWIRE COMMAND REFERENCE. The Tripwire database is the baseline against which security violations are found. As a result, an assumption exists that the information in the database represents a file system that has not already been compromised. Although twadmin create polfile can create a new policy file, it requires re-initializing the database. This is necessary for new Tripwire installations. A potential problem exists with this procedure when you have been monitoring a system with Tripwire for any length of time: when you re-initialize the database, there exists a risk that files have been modified between your last integrity check and the database re-initialization. The Policy Update mode addresses this security risk. In this mode, Tripwire checks the rules in the new policy file against the rules in the current database. Any substantively identical rules have their records copied directly into the new database. Changes in these rules will be detected in the next integrity check as normal. Conversely, any information on objects specified in the new policy file but not in the old database is gathered by Tripwire. Before writing
42. e of operation: m e: Examine the listed files. Report their type and examine whether or not binary encoding is used. For each file specified, a report will be given displaying whether or not it is signed and, if it is signed, with what key. Signing type for files will be determined by a trial and error method: first using the site key, then the local key, then the keyfile provided with the K option.
Reporting: v / verbose: Verbose mode. Mutually exclusive with s. s / silent / quiet: Silent mode. Mutually exclusive with v.
Configuration file: c cfgfile / cfgfile cfgfile: Use the specified configuration file.
Key files: K key / keyfile key: Test to see if file is signed using the specified key. L localkey / local keyfile localkey: Specify the key to use as a local key when examining database or report files. S sitekey / site keyfile sitekey: Specify the key to use as a site key when examining policy or configuration files.
Unattended operation: P passphrase / local passphrase passphrase: Specify passphrase to be used with the local keyfile. Q passphrase / site passphrase passphrase: Specify passphrase to be used with the site keyfile.
File examination: file1 file2 ...: List of files to examine.
File conversion: file1 file2 ...: List of files to sign, using the site or local key as appropriate, d
43. e the specified configuration file. S sitekey / site keyfile sitekey: Use the specified site key file to read the configuration and policy files. L localkey / local keyfile localkey: Use the specified local key file to write the database file. Mutually exclusive with e.
Configuration file overrides (output): d database / dbfile database: Write to the specified database file. (table continued next page)
5 TRIPWIRE COMMAND REFERENCE (table continued). Unattended operation: P passphrase / local passphrase passphrase: Use the specified passphrase with local key to sign database. Mutually exclusive with e.
Security settings: e / no encryption: Do not sign the database. To sign the database after initialization requires the use of twadmin. Mutually exclusive with P and L.
Checking integrity: After building the Tripwire database, the next step is typically to run tripwire in integrity checking mode. This mode scans the system for violations as specified in the policy file. Using the policy file rules, Tripwire will compare the state of the current file system against the initial baseline database. An integrity checking report is printed to stdout and is saved in the location specified by the REPORTFILE setting in the Tripwire configuration file. The generated report describes each p
44. e this technique is very fast, the mathematics it employs are well understood. Furthermore, since the 32-bit signature space is so small, a brute force search for a CRC collision is well within the capabilities of most workstations. There are currently several programs in the public domain that can, for any given input file, provide a different output file with the same CRC signature.
Signature functions: Tripwire ships with four signature routines. This section briefly describes each signature routine. It is by no means an authoritative reference, but it provides some background on each of the signature routines provided. All observed timing measures provided for the signature routines were performed using siggen(8) and the same input files, under Solaris on a 167 MHz UltraSPARC 1 and under Linux on a Pentium 100 with 32 megabytes of RAM. The numbers provided are simply an informal gauge of throughput rather than an authoritative metric. Please note that the base64 encoding used by Tripwire for signature functions is the one described in RFC 1521.
6 APPENDICES. MD5: MD5 is the RSA Data Security, Inc. Message Digest Algorithm, a proposed data authentication standard. The Internet Draft submission can be found as Internet Working Draft RFC 1321, available from http://www.merit.edu/internet/documents. Alternatively, primary anonymous ftp repositories for RFCs include nic.ddn.mil, wuarchive.wustl.e
45. e_name arguments. White space may precede or follow the construct, but non-whitespace characters may not appear on the line before the construct, nor may any characters intervene between the two characters. Directive names are case sensitive. The following directives are supported; each of these is described in detail below.
Directives / Description: ifhost, else, endif: Allow conditional interpretation of the policy file. print, error: Print a message to stderr and optionally exit. end: Marks the logical end of file.
4 POLICY REFERENCE. Note that the directives cannot result from variable expansion. The following illustrates correct and incorrect syntax:
machine spock
ifhost machine  (this is correct syntax)
IFHOST ifhost
IFHOST spock  (but this will produce an error)
Conditional interpretation: The ifhost, else and endif directives are used to allow conditional interpretation of a policy file. The syntax for each is: ifhost host1 host2 ... ; else ; endif, where host1, host2 are unqualified hostnames. The following illustrates how one might employ directives to use one policy file with four different hosts:
ifhost spock kirk
  /bin -> ReadOnly
endif
ifhost chekov uhura
  /usr/bin -> pinug
else
  /usr/bin -> pinugsmC
endif
If the unqualifi
46. ed hostname of the machine running Tripwire matches any of the hosts listed in the ifhost directive, all the lines between the ifhost and the matching endif are interpreted. If there is no match, any lines between the ifhost and endif are skipped. However, if there is an else in those skipped lines, any lines between the else and endif are interpreted. There is no elsif directive. Note that only the logical OR operation is supported. The ifhost and else directives can be nested arbitrarily deeply. For example:
ifhost chekov uhura
else
  ifhost bones
  endif
endif
Indicating end of file: The end directive marks the logical end of the policy file. Any text appearing after this directive will be ignored by Tripwire applications.
Message reporting: The print and error directives are intended for debugging and remote diagnostics. The syntax is: print STRING ; error STRING.
Variables: For user convenience, and to allow reuse of properties, Tripwire supports variables for string substitution. Variables can be defined anywhere between rules. The syntax for variable definition is: varname value. Variable names are case sensitive and may contain all alphanumeric characters, underscores, the characters and period. The regular expression for variable names is: varname A-Za-z0-9
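The directive, variable and rule-attribute material above, pulled together as one policy file. This is an added example and not text from the manual; it assumes the Tripwire 2.x policy notation whose symbols the extraction dropped (the "@@" directive prefix, "$(name)" variable substitution, "||" between hostnames, "->" between object and property mask, ";" terminating rules and "#" comments), and the hostnames, property letters and ReadOnly predefined variable are those the manual uses. The mail addresses are constructed placeholders.

```text
# Added example (not from the Tripwire 2.0 manual): one policy file shared by four hosts.
# Assumed syntax: @@directive, $(variable), host1 || host2, object -> mask ; and # comments.

# Variables are defined between rules and are in scope from here to end of file.
exec_mask = +pinugsmtdbCM-a ;      # everything except access time (a)
grow_mask = +pinugtdl-samcb ;      # growing file (l): size, mtime, blocks may change
admin_os  = root@localhost ;       # constructed placeholder address
admin_web = webmaster@localhost ;  # constructed placeholder address

# Conditional interpretation on the unqualified hostname; only logical OR is supported.
@@ifhost spock || kirk
  /bin  -> $(ReadOnly)  (rulename = "OS executables", severity = 100, emailto = $(admin_os)) ;
  /sbin -> $(exec_mask) (rulename = "OS executables", emailto = $(admin_os)) ;
  !/bin/tmp ;                      # stop point: this object is not checked
@@else
  @@ifhost chekov || uhura         # directives may be nested
    /usr/bin -> $(exec_mask)-g (rulename = "Web files", emailto = $(admin_web)) ;  # exec_mask minus gid (g)
  @@else
    @@error "unknown host: add it to an @@ifhost list before installing this policy"
  @@endif
@@endif

# Applies on every host; recurse = false checks the directory inode but not its contents.
/var/log -> $(grow_mask) (rulename = "Logs", recurse = false) ;

@@print "policy parsed"
@@end
Anything after @@end is ignored by the Tripwire tools.
```

With email reporting switched on in the configuration file, violations of the "OS executables" rule are mailed to $(admin_os) and violations of "Web files" to $(admin_web); on a host named in neither @@ifhost list the @@error directive aborts policy installation with exit status 1 instead of silently producing an empty policy.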
47. epending on the file type.
5 TWADMIN COMMAND REFERENCE. Generating keys: This command provides the interface to create site or local keys for Tripwire. Although keys are generated by the install process, this command can be used at any time to regenerate the keys. The site and local keys may be generated simultaneously, or one at a time with two separate invocations of twadmin.
Mode of operation: m G / generate keys: Selects key generation mode.
Reporting: v / verbose: Verbose mode. Mutually exclusive with s. s / silent / quiet: Silent mode. Mutually exclusive with v.
Output: L localkey / local keyfile localkey; S sitekey / site keyfile sitekey: Generate keys into the specified files. At least one of these options must be specified.
Unattended operation: P passphrase / local passphrase passphrase: Specifies passphrase to be used when generating a local key. Q passphrase / site passphrase passphrase: Specifies passphrase to be used when generating a site key.
5 SIGGEN COMMAND REFERENCE. Section contents: Running siggen 5-30.
Running siggen: The siggen utility can be used to display cryptographic
48. 1 INSTALLING TRIPWIRE. Installation overview: The Tripwire installation CD contains two complete distributions of Tripwire 2.0 for Unix, one for Solaris SPARC and one for RedHat Intel Linux. The root directory of the CD contains the README file and release notes. If you have not yet read the README, it is recommended that you do so now.
Tripwire installation files: In addition to the documentation, each distribution of Tripwire will have its own directory. The directories are named Solaris and RedHat. Change to the directory appropriate for your operating system. You will see the following files and directories:
install.cfg is the installation configuration file, a Bourne shell script used by the installer to set configuration variables. These settings specify the target directories where the installer will copy files and the desired behavior when existing Tripwire files would be overwritten.
install.sh is the installation script, which you run to begin installation. You can specify that it should read the default configuration file or one that you customized for your site.
pkg is a directory containing files that the installation script needs to install Tripwire on your machine. These files are used exclusively by the installer and should not be modified.
README and Release_Notes are text files providing last minute product informa
49. figuration file specified under the cfgfile command line option.
5 TWPRINT COMMAND REFERENCE. Printing a report file: The tripwire application can create report files and also display them as part of an integrity check or update operation. However, only the print report mode prints the contents of a Tripwire report. Note: If no report is specified under the twrfile command line option, the default report will be used. The default report is specified by the REPORTFILE variable in the configuration file, either tw.cfg or the configuration file specified under the cfgfile command line option. The default filename format, as installed, for the report file name is HOSTNAME-DATE.twr, where the DATE variable includes the current time to the nearest second. Unless twprint print report is run within one second of such a report's creation, twprint will be unable to find the report, because the DATE variable will have changed to reflect the current time. Therefore, when printing a report you should always use the twrfile command line option to explicitly specify the report.
Mode of operation: m d / print dbfile: Database printing mode. m r / print report: Report printing mode.
Reporting: v / verbose: Verbose mode. Mutually exclusive with s. s / silent / quiet: Silent mode. Mutually exclusive with v.
Reporting: v / verbose: Verbo
50. COPYRIGHT NOTICE. All files in this distribution of Tripwire are distributed by Tripwire Security Systems, Inc. under exclusive license arrangements. All rights reserved. Some individual files in this distribution may be covered by other copyrights, as noted in their embedded comments. This release is for single CPU and single site end use purposes. Duplication is only allowed for the purpose of backup. Any other use of this software requires the prior written consent of Tripwire Security Systems, Inc. If this software is to be used on a Web site, the Tripwire Protected logo can be used on the site home page along with appropriate copyright and trademark information. Neither the name of Purdue University nor the names of the authors may be used to endorse or promote products derived from this material without specific prior written permission. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR ANY PARTICULAR PURPOSE. Copyright 1999 Tripwire Security Systems, Inc. Tripwire is a trademark of the Purdue Research Foundation and is licensed exclusively to Tripwire Security Systems, Inc. All references to other brands or trademarks are the property of their respective owners. Tripwire Security Systems, Inc., The Berg Building, 615 SW Broadway
ing the x next to each policy violation, indicating you approve this change to the file system. If you remove the x from the ballot box, the database will not be updated with the new value for that object. After the user exits the editor and provides the correct local passphrase, tripwire will update and save the database.

(table continued)
Argument                                    Meaning
Mode of operation
  -m u, --update                            Selects database updating mode
Reporting
  -v, --verbose                             Verbose mode. Mutually exclusive with -s.
  -s, --silent, --quiet                     Silent mode. Mutually exclusive with -v.
Unattended operation
  -P passphrase, --local-passphrase passphrase
                                            Use the specified passphrase with the local key to sign the database file.
  -a, --accept-all                          Specifies that all the entries in the .twr file are updated without any prompting. Mutually exclusive with -V.
Security level
  -Z {high|low}, --secure-mode {high|low}   Specifies the security level, which affects how certain conditions are handled when inconsistent information is found between the .twr file and the current database.
                                            High: If properties of an object in the database do not match the expected old values in the .twr file, in high security mode Tripwire reports the differences as warnings and exits without changing the database.
                                            Low (default): In the case of inconsistencies, the differences
ing Tripwire one of the most successful security programs ever written. I look forward to reviewing the progress of our decision to focus the resources needed to further advance the program's functionality and value.

Gene Spafford, Ph.D.

TABLE OF CONTENTS

1 Installing Tripwire
  Installation Overview .................................. 1-2
  Tripwire installation files ............................ 1-2
  Configuring your installation .......................... 1-3
  Target directories ..................................... 1-4
  Tripwire cryptographic keys ............................ 1-6
  Keyfile types .......................................... 1-6
  Installing Tripwire .................................... 1-7
  Starting the install ................................... 1-7
  Creating and copying files ............................. 1-8
  Generating cryptographic keys and signed files ......... 1-9
  After installing ....................................... 1-10

2 Running Tripwire
  Tripwire files ......................................... 2-2
  Tripwire cryptographic keys ............................ 2-3
  Tripwire programs ...................................... 2-3
  Walkthrough ............................................ 2-4
  Writing and installing the policy file ................. 2-4
  Initializing the database .............................. 2-4
  Checking integrity ..................................... 2-5
  Updating the database .................................. 2-5
  Updating the policy file ............................... 2-6
  Using email reporting .................................. 2-7

3 Configuration reference
  Overview ............................................... 3-2
  Components of the configuration file ................... 3-2
  Comments
l.txt might contain just one line:

    /tmp -> ReadOnly;

In order for Tripwire to use this file as its policy, it must be encoded with the site key generated at install time. To do this, run the twadmin program in Create Policy mode:

    ./twadmin --create-polfile policy/twpol.txt

This will encode and sign the specified clear-text file, twpol.txt, using the site key and install it to the location specified by the POLFILE setting in the configuration file.

Checking integrity
After creating the baseline database, you can check the integrity of your file system by running the tripwire program in Integrity Checking mode:

    ./tripwire --check

This will print a Tripwire report to stdout and save a binary report file as specified by the REPORTFILE setting in the configuration file.

Updating the database
If acceptable changes are reported in the Tripwire report, you can update specific object information in the database. The easiest way to do this is to run tripwire in Integrity Checking mode using the --interactive option:

    ./tripwire --check --interactive

An editor session will open using the program specified by the EDITOR setting in the configuration file. Each change in the report will be displayed with a corresponding ballot box. Deselect all the unacceptable changes in the ballot boxes, write the file and exit to update the database. You can also update the database
ld cause all of /usr to be scanned except the directory tree rooted at /usr/local. If the goal is to scan /usr in its entirety, including /usr/local, the following rules should be specified:

    /usr        -> +pinugsmc-a;
    /usr/local  -> +pinugsmc-a;

Property masks
Property masks describe object properties and whether Tripwire should examine each such property. The correct syntax is described by the following regular expression:

    ([+-]?[pinugtsldbamcCMSH])+

That is, the property mask must include one or more property symbols, each of which may be preceded by an optional plus or minus sign. Each one-character symbol is an abbreviation for a particular property that Tripwire is able to examine during integrity checking. If the character is preceded by a plus, checking is done for that property; if preceded by a minus, checking is not done for that property. For example:

    +p+n    compare permissions and number of links
    +pn     same as above

The plus and minus signs are not unary operators; they toggle an internal state, so once a plus or minus appears in the selection mask it applies to all successive properties until another plus or minus appears. When property symbols appear in a selection mask without any preceding plus or minus sign, then plus is assumed. All three of these selection masks are equivalent:

    +p+n+s  compare permissions, number of links and file size
    +pns    same as above
    pns     same as above
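The toggle semantics of the plus and minus signs are easy to misread, so here is a worked expansion of property masks into the set of checked properties. This is an added example written for this page, not code from the manual or from Tripwire itself; the function names and the dictionary representation are this example's own, while the symbol alphabet is the one in the regular expression above.

```python
"""Expand a Tripwire-style property mask (added example, not Tripwire code).

'+' and '-' are not unary operators: each sign sets a state that applies
to every following symbol until the next sign.  A mask that starts
without a sign starts in the '+' state.
"""
import re

# Property symbols named in the manual's regular expression.
PROPERTY_SYMBOLS = "pinugtsldbamcCMSH"

MASK_RE = re.compile(r"^([+-]?[%s])+$" % PROPERTY_SYMBOLS)


def expand_mask(mask: str) -> dict:
    """Return {symbol: checked?} for every symbol mentioned in the mask."""
    if not MASK_RE.match(mask):
        raise ValueError("invalid property mask: %r" % mask)
    state = True           # plus is assumed when no sign precedes
    checked = {}
    for ch in mask:
        if ch == "+":
            state = True
        elif ch == "-":
            state = False
        else:
            checked[ch] = state   # a later mention of a symbol wins
    return checked


def checked_properties(mask: str) -> str:
    """The symbols Tripwire would examine, in the manual's order."""
    expanded = expand_mask(mask)
    return "".join(s for s in PROPERTY_SYMBOLS if expanded.get(s))


def equivalent(a: str, b: str) -> bool:
    """True when two masks check and ignore exactly the same properties."""
    return expand_mask(a) == expand_mask(b)


if __name__ == "__main__":
    # Masks from the text plus one that toggles several times.
    for mask in ("+p+n", "+pn", "+p+n+s", "+pns", "pns", "+pinugsmc-a", "+p-nus+m"):
        print("%-12s checks: %s" % (mask, checked_properties(mask)))
```

Note that in "+p-nus+m" the single minus switches off n, u and s together, which is exactly the behaviour the paragraph warns about.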
le ................................................. 5-17
twadmin .............................................. 5-19
  Running twadmin .................................... 5-20
  Creating a configuration file ...................... 5-20
  Printing a configuration file ...................... 5-21
  Creating a policy file ............................. 5-22
  Printing a policy file ............................. 5-24
  Removing encryption from a file .................... 5-24
  Encrypting a file .................................. 5-26
  Examining the encryption status of a file .......... 5-27
  Generating keys .................................... 5-28
siggen ............................................... 5-29
  Running siggen ..................................... 5-30

Appendices
  Tripwire's cryptographic system .................... 6-2
  Public and private keys ............................ 6-3
  Site and local keys ................................ 6-3
  Cryptography references ............................ 6-5
  File signatures .................................... 6-6
  Signature functions ................................ 6-7
  MD5 ................................................ 6-8
  SHA/SHS ............................................ 6-8
  Haval .............................................. 6-9
  CRC-32 ............................................. 6-9
  Tripwire quick reference ........................... 6-10

CONVENTIONS
The following typographic conventions are used in this manual:

Italic        is used for file and command names, and to denote terms the first time they are used.
Bold          is used for ftp and http URLs.
Fixed Width   is used in examples to show text that is entered literally, and in regular text to show variables, operators and the output from commands or pr
licy file.
    Run twadmin in Print Policy mode:
    ./twadmin --print-polfile

  Inspect configuration file.
    Run twadmin in Print Configuration mode:
    ./twadmin --print-cfgfile

  Inspect database file to ensure that files are being monitored.
    Run twprint in Print Database mode:
    ./twprint --print-dbfile --dbfile db/myhost.db

  Inspect an individual report file.
    Run twprint in Print Report mode:
    ./twprint --print-report --twrfile report/myhost-19981115-175828.twr

Running and maintaining
    ./tripwire --check --verbose

  Update Tripwire database for objects marked as policy violations.
    Run tripwire in Interactive Update mode or in Database Update mode:
    ./tripwire --check --interactive
    or
    ./tripwire --check --verbose
    ./tripwire --update --verbose --twrfile /usr/TSS/report/myhost-19981112-172634.twr

Encryption and key changes
  Change the local key.
    Run twadmin in Remove Encryption mode and then again in Encrypt File mode.
    Note: Make sure you make backup copies of these files before running these commands.
    ./twadmin --remove-encryption <report and database files>
    ./twadmin --generate-keys --local-keyfile key/myhost-local.key
    ./twadmin --encrypt <report and database files>

  Change the site key.
    Run twadmin in Remove Encryption mode and then again in Encrypt File mode.
    Note: Make sure you make backup copies of these files before running these commands.
    ./twadmin
lso wish to back up Tripwire files on secondary media or to store them in a remote location for additional safety. See Chapter 6, Appendices, for more information on Tripwire's cryptographic system.

Tripwire programs
The following programs are installed as part of the Tripwire package:

  tripwire   is used for creating the database, checking file system integrity, and updating the database or policy file.
  twadmin    is used for creating the site and local keys, configuration file and policy files, and for signing files.
  twprint    verifies and prints Tripwire database and report files in a human-readable ASCII format.
  siggen     generates and prints cryptographic signatures for specified files. This can assist in verifying the integrity of system files without doing an entire Tripwire integrity check.

Walkthrough
This section describes the steps that a new Tripwire administrator might take after completing the installation process. These include generating a Tripwire database, creating Tripwire integrity checking reports, updating the database, and administering various configuration files.

Writing and installing the policy file
During installation, Tripwire creates a generic policy file, tw.pol. For optimal performance you will need to create a policy file tailored to your system. It may be helpful to refer to the policyguide.txt file as you do this. A very simple policy file named twpo
lto rule uses the mail program specified by the MAILPROGRAM variable in the configuration file. See Chapter 3, Configuration Reference, for more information. Also note that email is sent only if the --email-report argument of the tripwire command is specified.

recurse
When the recurse rule attribute is set to true and the rule refers to a directory object, tripwire will recursively scan the entire contents of the directory, both files and subdirectories. When the recurse rule attribute is set to false and the rule refers to a directory object, tripwire will scan the inode corresponding to the directory but none of the files or subdirectories contained therein. When a rule refers to a file (as opposed to a directory), specifying the recurse attribute has no effect; the file will be scanned no matter what value recurse is given. The default value for recurse is true.

For example, to monitor the attributes of the /tmp directory without monitoring any of its contents, the following would be used:

    /tmp -> ReadOnly (recurse = false);

Directives
Tripwire supports a small set of preprocessor-like directives that allow conditional interpretation of the policy file and perform certain diagnostic and debugging operations. The primary intent of this mechanism is to support sharing a policy file among multiple machines. Directives have the following syntax:

    directiv
ly and creates the Tripwire site and local key files.

Starting the install
To start the installation, go to the directory containing the Tripwire installation files. Typically this is either the subdirectory on the Tripwire CD appropriate for your OS, or a directory containing a copy of the Tripwire CD. Run the installation script by typing:

    ./install.sh

By default, the installation script reads the configuration file named install.cfg located in the same directory. However, you can specify an alternate configuration file on the command line. This argument is required if you customize the configuration file and are installing from read-only media:

    ./install.sh /tmp/install.cfg

Security issue: The install.cfg file is a Bourne shell script that is executed by the install script. Therefore, this file should be inspected before running, to prevent a Trojan Horse attack. One method of attacking a system is to replace the harmless contents of a file, such as an install script, with malicious instructions; thus the user is tricked into running a compromised file. This is commonly known as a Trojan Horse attack.

Creating and copying files
The install script will print an opening banner and list all directories that will be created:

    Installer program for Tripwire(tm) 2.0 for Unix
    Tripwire(tm) Copyright 1992-99 by the Purdue Research Foundation of
n cryptography. Also included are descriptions of the cryptographic signature routines that Tripwire utilizes.

Chapter contents
  Tripwire's cryptographic system .................... 6-2
  Public and private keys ............................ 6-3
  Site and local keys ................................ 6-3
  Cryptography references ............................ 6-5
  File signatures .................................... 6-6
  Signature functions ................................ 6-7
  MD5 ................................................ 6-8
  SHA/SHS ............................................ 6-8
  Haval .............................................. 6-9
  CRC-32 ............................................. 6-9
  Tripwire quick reference ........................... 6-10

Tripwire's Cryptographic System
Tripwire uses public/private key cryptography to protect its critical data files. This chapter describes the Tripwire cryptography architecture and the role of the site and local keys. It also directs the reader to background information and references on cryptography.

The Tripwire database, policy and configuration files contain information critical to generating accurate reports (see Chapter 2, Running Tripwire, for more information on each of these files). Therefore, these files must be protected from unauthorized alteration. Allowing these files to be modified by an attacker compromises the security of the computer system that Tripwire has been installed to protect. In the Tripwire ASR 1.3 (Academic Source Release) and earlier versions, storing these critical files on read-onl
ng to override such variables is an error. Two variables are predefined by the Tripwire package and may not be changed:

Variable Name   Meaning
HOSTNAME        Unqualified hostname that Tripwire is running on, e.g. leonardo
DATE            String representation of date and time, e.g. 19980930-180833

The following variables must be set in order for Tripwire to operate. The initial values shown below are the values assigned during installation if the default install.cfg file is used. Relative pathnames are permitted, expressed in relation to the directory in which the Tripwire binaries reside.

(table continued)
Variable Name: MAILPROGRAM
Required: no
Set by Installer: yes
Description: MAILPROGRAM is used to specify the program that will be used for email reporting of rule violations detected by Tripwire. The program must take an RFC 822-style mail header. Recipients will be listed in the To: field of the mail header. Mail headers and the body of the report are then sent to stdin of MAILPROGRAM. The mail program must be able to ignore lines that consist of a single period (the -oi option to sendmail produces this behavior). If MAILPROGRAM is not defined in the configuration file, requests for email notification will cause an error.
Initial value: /usr/lib/sendmail -oi -t

Variable Set
ograms.
Fixed Bold    is used in examples to show actual user input on the command line.
Fixed Italic  is used in examples to show variables which should be replaced with a relevant value.

The shell prompt is used for all command line examples. The ./ prefix is specified for all Tripwire commands. This convention is recommended for all users, to ensure that Tripwire commands are executed from the appropriate directory and to protect against Trojan Horse attacks.

1 INSTALLING TRIPWIRE

Introduction
Installing Tripwire is a simple process, whether you have a single machine or hundreds of networked machines. To enhance your understanding of the installation process, we have included both an overview, to demonstrate what you can expect to see, and installation instructions to take you step by step through the installation process.

Chapter contents
  Installation Overview .............................. 1-2
  Tripwire installation files ........................ 1-2
  Configuring your installation ...................... 1-3
  Target directories ................................. 1-4
  Tripwire cryptographic keys ........................ 1-6
  Keyfile types ...................................... 1-6
  Installing Tripwire ................................ 1-7
  Starting the install ............................... 1-7
  Creating and copying files ......................... 1-8
  Generating cryptographic keys and signed files ..... 1-9
  After installing
olicy file violation in detail, depending on whether the specified file system object was added, deleted or changed. Each report item lists the properties of the object as it currently resides on the file system and, if appropriate, the old value stored in the database. If there are differences between the database and the current system, the administrator can either fix the problem by replacing the current file with the correct file (e.g. an intruder replaced /bin/login), or update the database to reflect the new file (e.g. a fellow system administrator installed a new version of /usr/local/bin/emacs).

Running an integrity check using the tripwire --interactive option is the same as running a non-interactive integrity check immediately followed by running tripwire in Database Update mode. In Interactive mode, the editor specified in the configuration file with the EDITOR variable is launched on a clear-text copy of the Tripwire report. In that report, next to every rule violation, will be ballot boxes that look like this:

    Modified:
    [x] /usr/local/tw    drwxr-xr-x root(0) 512 Tue Nov 17 13:36:50 1998

If you leave the x in the ballot box, the database will be updated; that is, you approve this change to the filesystem. If you remove the x from the ballot box, then the database will not be updated with the new value(s) for that object.
our customized policy file:

    ./twadmin --create-polfile policy/twpol.txt

13. Initialize your Tripwire database:

    ./tripwire --init

Congratulations! If you successfully completed these steps, then Tripwire is set and ready to go.

Dear Tripwire customer,

As you may know, Purdue University has elected to transfer management and product responsibility for the Tripwire security system to its co-developer, Mr. Gene Kim, and his firm, Tripwire Security Systems, Inc. of Portland, Oregon, where he is now Chief Technology Officer. This decision was made to ensure the continued development and support of Tripwire and to maintain the integrity of its design goals.

The results of the arrangement will benefit you, Purdue University and Tripwire Security Systems by allowing the product to evolve and receive the necessary focus and resources needed to maintain its functionality in years to come. Furthermore, by placing Tripwire with a focused commercial entity, we believe that there will be resources and motivation to enhance and port Tripwire to a wider range of uses and platforms. This can only help the user community concerned with security.

As a business, Tripwire Security Systems will be able to invest the time and resources for quality technical support. They will also be in a better position to respond to customer suggestions and integrate valuable new features into future Tripwire releases.

Thank you for mak
portant files in different directories can be tagged with a unique rulename, e.g. (rulename = watchme). You can then run tripwire and interpret your data later using the rulename watchme as a sorting key.

severity
This attribute associates a severity level with a rule. When tripwire is run in Integrity Checking mode, it is possible to specify that only rules exceeding a certain severity level be used. For example:

    In the policy file:
    /usr/lib -> ReadOnly (severity = 80);

    On the command line:
    ./tripwire --check --severity 60      (rule will be run in this case)
    ./tripwire --check --severity 90      (rule will not be run in this case)

The default severity value is 0, and the range of legal values is 0 to MAXINT (defined by the operating system).

emailto
The emailto rule attribute allows one or more email addresses to be associated with a rule. When the rule is violated, notification is sent to the specified email address(es). The emailto attribute takes only a single argument, so to specify multiple email addresses, include them as a quoted, space-delimited list. For example:

    Correct examples:
    /bin -> ReadOnly (emailto = admin@foo.com);                  # ok
    /etc -> ReadOnly (emailto = "admin@foo.com noc@foo.com");    # ok

    Incorrect example:
    /bin -> ReadOnly (emailto = admin@foo.com noc@foo.com);      # WRONG

Note that the emai
pinugtsldbamcCMSH

5 COMMAND REFERENCE

Introduction
This chapter provides an overview of the four programs used by Tripwire. The various modes for each program are described in detail, with a complete list of command line options.

Chapter contents
  Command introduction ............................... 5-2
  tripwire ........................................... 5-3
  twprint ............................................ 5-15
  twadmin ............................................ 5-19
  siggen ............................................. 5-29

Command introduction
All Tripwire applications except siggen observe the following convention for command lines:

    command mode-selector options files

That is, the mode selector must always be the first argument on the command line, and any files not associated with the command line options must appear last on the command line. For example:

    ./twadmin --create-cfgfile --site-keyfile keyfile configfile.txt

Specifying command line arguments in any other order will generate a syntax error.

All Tripwire applications support the following argument for obtaining usage, version and copyright information. If this argument is present on the command line, the help message will be displayed and all other command line arguments will be ignored.

Argument      Meaning
--help        Display version and usage information and exit
pwire, it is easy to cover up a change and preserve the existing checksum.

Tripwire can utilize the MD5, SHA and Haval message digest algorithms, also known as one-way hash functions, fingerprinting routines or manipulation detection codes. Message digests are usually large (at least 128 bits) and computationally infeasible to reverse. They employ cryptographic techniques to ensure that any small change in the input stream results in a large change in the output. Therefore, any unauthorized, malicious or accidental change will be evident. Because these algorithms use a 128-bit or larger signature, using a brute force attack to introduce a deliberate change in the file while trying to keep the same signature becomes a computationally infeasible task. They provide a high degree of assurance that an intruder cannot change a file without being detected by Tripwire.

Message digest algorithms have considerable computational cost when compared to simpler signature routines. In general, this higher security is obtained at the expense of speed: it will take longer to check your files with message digest algorithms. Tripwire provides several state-of-the-art message digest algorithms to allow the maximum amount of flexibility in deciding the security and performance balance.

Unlike message digest algorithms, the CRC-32 algorithm uses simple polynomial division to generate the checksums. Whil
rectives .......................................... 4-14
  Conditional interpretation ......................... 4-15
  Message reporting .................................. 4-16
  Indicating end of file ............................. 4-17
  Variables .......................................... 4-17
  Predefined variables ............................... 4-19

4 POLICY REFERENCE

Overview
The policy file describes which system objects Tripwire should monitor. In Tripwire 2.0, objects are defined as files and directories. A property mask is associated with each object in the policy file, describing what types of changes Tripwire should monitor and which ones can safely be ignored. Comments, rules, directives and variables are the standard components of the policy file. Each of these components is described in detail below.

Comments
In a policy file, any text following a # up to the next line break is considered a comment.

Rules
An objectname is the fully qualified pathname for a directory or file, and the property mask specifies what properties of the object to examine or ignore. The -> token separates the objectname and the property mask, and a semicolon must terminate the rule. If the pathname specified is a directory, the directory and all of its descendants will be scanned with the indicated property mask. If the pathname refers to an individual file, only that file will be scanned with the specified mask. Examples of normal rules are:

Example
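The policy-file constructs spread across this chapter (comments, the variable definitions and $(name) substitution, the @@ifhost/@@else/@@endif directives, rules of the form objectname -> mask (attribute = value, ...); and the rulename, severity, emailto and recurse attributes) fit together as one small reader. The code below is an added example written for this page; it is not Tripwire's own parser, and its behaviour on points the text leaves open is an assumption: it takes @@ifhost to list hostnames separated by ||, and it takes --severity N to select rules whose severity is at least N, which matches the 80-versus-60/90 example above. The sample policy is constructed for the example.

```python
"""Reader for the policy constructs described in this chapter.
Added example, not Tripwire's parser.  Assumptions: @@ifhost hosts are
separated by '||'; --severity N selects rules with severity >= N."""
import re
from dataclasses import dataclass, field

PREDEFINED = ("HOSTNAME", "DATE")   # set by Tripwire, may not be redefined
VAR_REF = re.compile(r"\$\((\w+)\)")
VAR_DEF = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(.*?)\s*;$")
RULE = re.compile(r'^("(?:[^"\\]|\\.)*"|[^\s(]+)\s*->\s*([^\s(;]+)\s*(?:\((.*)\))?\s*;$')
ATTR = re.compile(r'(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]+)')


@dataclass
class Rule:
    objectname: str
    mask: str
    attrs: dict = field(default_factory=dict)


def strip_comment(line: str) -> str:
    """Drop text from an unquoted '#' to the end of the line."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out).strip()


def parse_policy(text: str, hostname: str, date: str = "19980930-180833") -> list:
    variables = {"HOSTNAME": hostname, "DATE": date}
    active = [True]      # one entry per open @@ifhost: is this branch taken?
    rules = []

    def substitute(s: str, lineno: int) -> str:
        def lookup(m):
            if m.group(1) not in variables:
                raise ValueError("line %d: undefined variable %s" % (lineno, m.group(1)))
            return variables[m.group(1)]
        return VAR_REF.sub(lookup, s)

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line:
            continue
        if line.startswith("@@ifhost"):
            hosts = [h for h in substitute(line, lineno).split()[1:] if h != "||"] if active[-1] else []
            active.append(active[-1] and hostname in hosts)
        elif line in ("@@else", "@@endif"):
            if len(active) < 2:
                raise ValueError("line %d: %s without @@ifhost" % (lineno, line))
            if line == "@@else":
                active[-1] = (not active[-1]) and active[-2]
            else:
                active.pop()
        elif line == "@@end":
            break
        elif not active[-1]:
            continue                      # inside a branch not taken
        elif "->" in line:
            m = RULE.match(substitute(line, lineno))
            if not m:
                raise ValueError("line %d: bad rule: %s" % (lineno, line))
            obj, mask, attrtext = m.groups()
            attrs = {}
            for key, val in ATTR.findall(attrtext or ""):
                val = val.strip()
                attrs[key] = val[1:-1] if val.startswith('"') else val
            attrs["severity"] = int(attrs.get("severity", 0))
            attrs["recurse"] = attrs.get("recurse", "true") == "true"
            if "emailto" in attrs:        # quoted, space-delimited list
                attrs["emailto"] = attrs["emailto"].split()
            rules.append(Rule(obj.strip('"'), mask, attrs))
        else:
            m = VAR_DEF.match(line)
            if not m:
                raise ValueError("line %d: cannot parse: %s" % (lineno, line))
            name, value = m.groups()
            if name in PREDEFINED:
                raise ValueError("line %d: %s is predefined" % (lineno, name))
            variables[name] = substitute(value, lineno)
    if len(active) != 1:
        raise ValueError("unterminated @@ifhost")
    return rules


def rules_at_severity(rules: list, threshold: int) -> list:
    """Rules that 'tripwire --check --severity threshold' would apply."""
    return [r for r in rules if r.attrs["severity"] >= threshold]


# Constructed sample policy (not from the manual).
SAMPLE_POLICY = """\
# variables, then rules, then a host-conditional section
crit   = +pinugsmc-a ;
mask1  = +pinugC-a ;
server = jupiter ;
/bin           -> $(crit) (emailto = admin@foo.com, severity = 100) ;
/etc           -> $(crit) (emailto = "admin@foo.com noc@foo.com", rulename = watchme) ;
/usr/lib       -> $(crit) (severity = 80) ;
/tmp           -> +pinug (recurse = false) ;
/home/projectA -> $(mask1) ;
@@ifhost $(server)
/var/spool/mail -> $(mask1) (severity = 50) ;
@@else
"/home/odd name" -> $(mask1) ;
@@endif
"""

if __name__ == "__main__":
    for r in rules_at_severity(parse_policy(SAMPLE_POLICY, "jupiter"), 60):
        print(r.objectname, r.mask, r.attrs)
```

Running it with hostname jupiter keeps the /var/spool/mail rule and drops the quoted "/home/odd name" rule; with any other hostname the reverse happens, which is the sharing-one-policy-across-machines use the Directives section describes.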
se mode. Mutually exclusive with -s.
  -s, --silent, --quiet                  Silent mode. Mutually exclusive with -v.
Configuration file overrides (input)
  -c cfgfile, --cfgfile cfgfile          Use the specified configuration file
  -d database, --dbfile database         Use the specified database file
  -L localkey, --local-keyfile localkey  Use the specified local key file to verify the database file

(Print Report mode)
Configuration file overrides (input)
  -c cfgfile, --cfgfile cfgfile          Use the specified configuration file
  -r report, --twrfile report            Print the specified report file
  -L localkey, --local-keyfile localkey  Use the specified local key file to verify the signed report file

TWADMIN

Section contents
  Running twadmin .................................... 5-20
  Creating a configuration file ...................... 5-20
  Printing a configuration file ...................... 5-21
  Creating a policy file ............................. 5-22
  Printing a policy file ............................. 5-24
  Removing encryption from a file .................... 5-24
  Encrypting a file .................................. 5-26
  Examining the encryption status of a file .......... 5-27
  Generating keys .................................... 5-28

Running twadmin

Creating a configuration file
Argument                  Mode
signature values for any specified file. See the signature function reference section of Chapter 6, Appendices, for more information about the signature functions supported by Tripwire. Valid command line arguments for each mode are shown.

The siggen application displays some or all of the signature values for any specified file(s) in base64 notation.

Argument                 Meaning
Reporting
  -t, --terse            Terse mode. Prints requested signatures for a given file, delimited by spaces, all on one line, with no extraneous information; one line per file.
Output options
  -h, --hexadecimal      Display results in hexadecimal rather than base64 notation.
Signature selection
  -a, --all              Display all signature function values (default).
  -C, --CRC32            Display CRC-32, POSIX 1003.2 compliant 32-bit Cyclic Redundancy Check.
  -M, --MD5              Display MD5, the RSA Data Security, Inc. MD5 Message Digest Algorithm.
  -S, --SHA              Display SHA, the NIST Secure Hash Algorithm (NIST FIPS 180).
  -H, --HAVAL            Display Haval value, a 128-bit signature code.
Input
  file1 file2 ...        List of filesystem objects for which to display values.

6 APPENDICES

Introduction
Tripwire's internal security relies on a private/public key system of cryptography. This chapter specifically describes Tripwire's cryptographic system. It also directs the reader to background information and references o
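To make the siggen output options concrete (terse one-line-per-file output, hexadecimal versus base64, and selection of individual signature functions), here is an added example that computes the same kinds of signatures with the Python standard library. It is not siggen's code: it uses zlib.crc32, hashlib.md5 and hashlib.sha1, leaves out Haval because the standard library has no implementation, and encodes base64 with the standard RFC 4648 alphabet over the big-endian digest bytes, which is an assumption, since the manual does not state siggen's own encoding. The sample data is constructed inline.

```python
"""Signature values in the spirit of siggen (added example, not siggen).
CRC-32, MD5 and SHA-1 only; Haval is omitted (no stdlib implementation).
Base64 alphabet is RFC 4648, an assumption about siggen's encoding."""
import base64
import binascii
import hashlib
import zlib

FUNCTIONS = ("crc32", "md5", "sha")   # order of the -C, -M, -S options


def signatures(data: bytes) -> dict:
    """Raw digest bytes for every supported signature function."""
    return {
        "crc32": zlib.crc32(data).to_bytes(4, "big"),
        "md5": hashlib.md5(data).digest(),
        "sha": hashlib.sha1(data).digest(),
    }


def encode(digest: bytes, hexadecimal: bool = False) -> str:
    """siggen prints base64 by default and hex with -h."""
    if hexadecimal:
        return binascii.hexlify(digest).decode()
    return base64.b64encode(digest).decode()


def terse_line(name: str, data: bytes, selected=FUNCTIONS, hexadecimal=False) -> str:
    """One line per file, signatures delimited by spaces, like siggen -t."""
    sigs = signatures(data)
    return " ".join([name] + [encode(sigs[f], hexadecimal) for f in selected])


def changed(before: bytes, after: bytes) -> list:
    """Names of the signature functions whose value differs between two
    versions of a file; a single-byte edit changes all three."""
    a, b = signatures(before), signatures(after)
    return [f for f in FUNCTIONS if a[f] != b[f]]


if __name__ == "__main__":
    # Constructed sample "files"; a real tool would read them from disk.
    files = {"motd": b"Welcome to leonardo\n", "motd.edited": b"Welcome to leonardO\n"}
    for name, data in files.items():
        print(terse_line(name, data, hexadecimal=True))
    print("changed:", changed(files["motd"], files["motd.edited"]))
```

Reading the terse hex lines side by side shows the point made in the appendix text: the one-character edit produces an entirely different value under every function, not a small perturbation.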
the configuration and policy files. Your local key is used to sign Tripwire files that are machine-dependent. This key is used for the database files and, optionally, for the report files.

Tripwire's site and local keys are encoded using passphrases chosen by the user. A passphrase is simply another name for password, implying that passphrases should be longer than a typical English word. Your passphrases should be chosen carefully and should exhibit the following characteristics:

  - Each passphrase should be at least 8 characters. (Note: no constraint checking is done.)
  - Passphrases should include upper- and lower-case letters.
  - For maximum security, we recommend that the passphrases not be words that you would find in a dictionary. Using a combination of letters and numbers is a good strategy.
  - It is recommended that the site key and the local key not use the same passphrase. With two passphrases, an intruder who compromises the local key on one machine does not necessarily have the ability to compromise all other machines.

Please refer to Chapter 6 for more information on Tripwire's cryptographic system.

Installing Tripwire
After customizing the installation configuration file, you are ready to run the install script. The installer creates and copies Tripwire files into the target directories. It also ensures that file and directory permissions are set correct
tion. These are identical to the files of the same names in the CD root directory.

Configuring your installation
All installation options are specified as command line arguments to the install script, install.sh, or as settings in the configuration file. An example of command line arguments for an unattended install is shown below:

    ./install.sh /tmp/install.cfg -s Darth4Vader -l Sky8Walker -f -n

This table summarizes installer command line options:

Argument        Meaning
configfile      Use the specified file for installation values. By default, the installer uses the values in install.cfg for installation options.
-n              Suppress prompting. By default, the installer will display all the target directories that will be created and populated, and prompt the user for verification before proceeding. This mode requires the site and local passphrase arguments.
-s passphrase   Use the specified passphrase for the site key.
-l passphrase   Use the specified passphrase for the local key.
-f              Specifies that the installer should overwrite any existing files found in the target directories. This will override the CLOBBER setting in the install.cfg file.

An example of settings found in the configuration file is shown below:

    # The root of the TSS directory tree
    TWROOT=/usr/TSS
    # Tripwire binaries are stored in TWBIN
    TWBIN=$TWR
ure alternative to the slower message digest algorithms. CRC-32 generates a 32-bit signature.

CRC-32
Hardware                   Throughput (Mbyte/sec)
167 MHz UltraSPARC-1       15.2
100 MHz Intel Pentium      5.9

Tripwire quick reference
This section provides the Tripwire commands for the most common Tripwire tasks. The commands are presented in a practical chronological order, from post-installation to integrity checking to file maintenance. Note that the verbose GNU-style arguments are used in each example for clarity.

Desired action / Command

Getting started
  Generate site and local keys (usually done by installer).
    Run twadmin in Key Generation mode:
    ./twadmin --generate-keys --local-keyfile key/local.key --site-keyfile key/site.key

  Install your customized configuration file.
    Run twadmin in Create Configuration File mode:
    ./twadmin --create-cfgfile twcfg.txt

  Install your customized policy file.
    Run twadmin in Create Policy File mode:
    ./twadmin --create-polfile policy/twpol.txt

  Initialize the Tripwire database.
    Run tripwire in Database Initialization mode:
    ./tripwire --init --verbose

Running and maintaining
  Compare system against baseline database, checking for policy violations.
    Run tripwire in Integrity Check mode.

Configuring
  Inspect po
want to monitor.

Argument                                    Meaning
Mode of operation
  -m p, --update-policy                     Selects policy updating mode
Reporting
  -v, --verbose                             Verbose mode. Mutually exclusive with -s.
  -s, --silent, --quiet                     Silent mode. Mutually exclusive with -v.
(table continued next page)

(table continued)
Configuration file overrides (input)
  -p policyfile, --polfile policyfile       Update the specified policy file
  -c cfgfile, --cfgfile cfgfile             Use the specified configuration file
  -d dbfile, --dbfile dbfile                Update the specified database file
  -S keyfile, --site-keyfile keyfile        Use the specified site key file to read the configuration file and to read and write the policy file
  -L keyfile, --local-keyfile keyfile       Use the specified local key file to read and write the database file
Unattended operation
  -P passphrase, --local-passphrase passphrase
                                            Use the specified passphrase with the local key to sign the database file
  -Q passphrase, --site-passphrase passphrase
                                            Use the specified passphrase with the site key to sign the policy file
Security level
  -Z {high|low}, --secure-mode {high|low}   Specifies the security level, which affects whether the policy and database file are saved if a violation of the old policy exists. Violations are
will become the new binary-encoded and signed configuration file.

Argument                                Meaning
Mode of operation
  -m F, --create-cfgfile                Take the specified clear-text file (see Input, below) and store it as a binary-encoded Tripwire configuration file.
Reporting
  -v, --verbose                         Verbose mode. Mutually exclusive with -s.
  -s, --silent, --quiet                 Silent mode. Mutually exclusive with -v.
Configuration file overrides (input)
  -S sitekey, --site-keyfile sitekey    Use the specified site key file to sign the new configuration file. Mutually exclusive with -e. Either -e or -S must be specified.
Configuration file overrides (output)
  -c cfgfile, --cfgfile cfgfile         Specify the destination configuration file.
(table continued next page)

Printing a configuration file
After a configuration file has been created, it is stored in a binary-encoded form. This command provides a way of printing out the current contents of the configuration file in a readable text format.

Argument                                Meaning
Mode of operation
  -m f, --print-cfgfile                 Prints the configuration file to stdout.
Reporting
  -v, --verbose                         Verbose mode. Mutually exclusive with -s.
  -s, --silent, --quiet                 Silent mode. Mutually exclusive with -v.
Configuration file overrides (input)
  -c cfgfile, --cfgfile cfgfile         Print the specified configuration file.
76. with -v.

    5 TWADMIN COMMAND REFERENCE

    twadmin --create-polfile (table continued)

    Argument                                        Meaning

    Configuration file overrides (input)
      -c cfgfile, --cfgfile cfgfile                 Specifies the destination binary encoded configuration file.
      -S sitekey, --site-keyfile sitekey            Specifies the site key file to be used. Mutually exclusive
                                                    with -e.

    Configuration file overrides (output)
      -p polfile, --polfile polfile                 Specifies the policy file to be written.

    Unattended operation
      -Q passphrase, --site-passphrase passphrase   Specifies the passphrase to be used with the site key for
                                                    signing the policy file. Mutually exclusive with -e.

    Security settings
      -e, --no-encryption                           Does not sign the policy file. The policy file will still be
                                                    stored in a binary encoded form and will not be human
                                                    readable. Mutually exclusive with -Q and -S.

    Input
      policyfile.txt                                Specifies the clear text policy file that will become the new
                                                    binary encoded and signed policy file.

    Printing a policy file

    After a policy file has been created, it is stored in a binary encoded form. This command provides a way
    of printing out the current contents of the policy file in a readable text format.
77. mask

        /usr/bin  ->  $(mask3);
        /usr/bin  ->  $(mask4);

    4 POLICY REFERENCE

    Object names

    In the policy file, objects may not be expressed using environment variables, for security reasons.
    Examples:

        /etc            valid
        /etc/passwd     valid
        $HOME           not valid

    A regular expression defines the characters that are not allowed in object names. In other words, any
    character is allowed except for an exclamation point, braces, the greater-than sign, parentheses, newline,
    tabs, spaces, commas, semicolons, the equal sign, the dollar sign, the pound sign, the vertical bar, the
    backslash and the quote. Therefore, all of the following rules are equivalent.

    Legal example:

        /usr/local -> $(ReadOnly);
        /usr/local->$(ReadOnly);
        /usr/local      ->      $(ReadOnly);
        /usr/local -> $(ReadOnly) ;
        /usr/local
            -> $(ReadOnly);

    Illegal example:

        /usr/local/weird filename characters -> here

    Because object names may contain characters that are not allowed on the left-hand side of rules, Tripwire
    supports quoted object names. Object name quoting might be needed when, for example, the object name
    contains spaces, exclamation marks or equals signs. Object names with these characters must be double
    quoted.

    Filenames can contain escape sequences inside quoted strings to handle unprintable characters
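    The object-name rules above (no environment variables, the fixed set of forbidden characters, double quoting for names that contain them) together with the $(variable) substitution that the rules are allowed to use, as an added Python example; this is not code from the Tripwire manual or product. The regular expression is constructed from the character list in the text, and the sample policy lines, the variable names path and mask1, and the verdict labels are my own.

```python
"""Lint Tripwire 2.0 policy object names (added example; not code from the manual).

Encodes the Object names rules: no environment variables, a fixed set of
characters that may not appear in an unquoted name, and double quoting for
names that contain them. $(name) references to policy variables are expanded
first, since those ARE allowed on the left-hand side of a rule.
"""
import re
from typing import Dict, List, Optional, Tuple

# Regex constructed from the manual's list of disallowed characters: exclamation
# point, braces, greater-than, parentheses, newline, tab, space, comma, semicolon,
# equals, dollar, pound, vertical bar, backslash and double quote.
FORBIDDEN = re.compile(r'[!{}>()\n\t ,;=$#|\\"]')

# Tripwire's own variable substitution, $(name), as used in the manual's rules.
TW_VARIABLE = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")

# A bare $NAME (no parentheses) is an environment variable, which is not allowed.
ENV_VARIABLE = re.compile(r"\$[A-Za-z_]")


def substitute(text: str, variables: Dict[str, str]) -> str:
    """Expand $(name) references; a name used before it is defined is an error."""
    def replace(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(name)
        return variables[name]
    return TW_VARIABLE.sub(replace, text)


def classify_object_name(raw: str, variables: Optional[Dict[str, str]] = None) -> str:
    """Classify a left-hand-side object name.

    Returns 'ok', 'quoted' (contains otherwise-forbidden characters but is
    double quoted), 'needs-quoting', 'env-var' or 'undefined:<name>'.
    """
    variables = variables or {}
    name = raw.strip()
    quoted = len(name) >= 2 and name[0] == '"' and name[-1] == '"'
    if quoted:
        name = name[1:-1]
    try:
        expanded = substitute(name, variables)
    except KeyError as err:
        return f"undefined:{err.args[0]}"
    if ENV_VARIABLE.search(expanded):
        return "env-var"          # $HOME and the like are rejected even when quoted
    if quoted:
        return "quoted"
    if FORBIDDEN.search(expanded):
        return "needs-quoting"
    return "ok"


def check_policy(text: str) -> List[Tuple[str, str]]:
    """Walk policy text: record 'name = value;' definitions, classify each rule's object name."""
    variables: Dict[str, str] = {}
    results: List[Tuple[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "->" in line:                       # a rule: object name -> property mask;
            lhs = line.split("->", 1)[0].strip()
            results.append((lhs, classify_object_name(lhs, variables)))
        elif "=" in line:                      # a variable definition
            name, value = line.rstrip(";").split("=", 1)
            variables[name.strip()] = value.strip()
    return results


# Constructed sample policy text; the paths and masks are illustrative only.
SAMPLE_POLICY = """
# variable definitions
path  = /usr/local/lib/bigproject;
mask1 = +pinugC-a;

/etc                           -> $(mask1);
/etc/passwd                    -> $(mask1);
$(path)/src                    -> +pug;
$HOME                          -> $(mask1);
/usr/local/weird filename!     -> $(mask1);
"/usr/local/weird filename!"   -> $(mask1);
$(undefined_var)/bin           -> $(mask1);
"""

if __name__ == "__main__":
    for object_name, verdict in check_policy(SAMPLE_POLICY):
        print(f"{verdict:24} {object_name}")
```

    Running the sample reports the two /etc rules and the $(path) rule as ok, $HOME as an environment variable, the unquoted "weird filename!" as needing quotes, the quoted form as acceptable, and the $(undefined_var) rule as a use-before-definition error, which is how twadmin would treat each line according to the text above.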
78. media was required to ensure that they could not be modified by unauthorized individuals. In Tripwire 2.0
    these critical files are encoded and signed in a way that requires knowledge of a secret passphrase to
    modify them. This approach makes it computationally infeasible for an unauthorized individual to modify
    the files without detection. For this reason it is no longer necessary to store the database, policy and
    configuration files on read-only media.

    Security Issue: If Tripwire files are stored on disk, an attacker who cannot access the contents of the
    files can still delete them. It is unlikely that such an attack would go unnoticed, and it is therefore
    very difficult for an attacker to silently subvert Tripwire operation. To address this issue, some sites
    may continue to store these files on read-only media, while other sites will rely on backup mechanisms to
    handle these contingencies.

    6 APPENDICES

    Public and private keys

    Tripwire files are protected with El Gamal asymmetric cryptography, which uses public and private keys
    with a 1024-bit signature. Critical Tripwire files are stored on disk in an encoded and signed form.
    Reading these files requires only the public key, while writing them requires the private key and a
    secret passphrase. Because one of the requirements for Tripwire is unattended operation, the public key is
    stored on disk along with the Tripwire executable. No one need type in the passphrase
79. key/site.key

        SITEKEYFILE  = /usr/local/tw/key/site.key
        LOCALKEYFILE = /usr/local/tw/key/local.key

    If any of these variables is not defined, Tripwire will report an error and will exit. There is no limit to
    the number of additional variables that may be defined.

    Note: Variables are case-sensitive; polfile is not the same as POLFILE.

    Installing on multiple systems

    To share a single site key file across multiple systems, place the site key file on a shared volume and
    specify the location of that key file in the configuration file. For example:

        SITEKEYFILE  = /mnt/server/keydir/site.key
        LOCALKEYFILE = /usr/local/tw/key/local.key

    4 POLICY REFERENCE

    Introduction

    The Tripwire policy file describes which components of a system should be scanned by Tripwire and
    specifies the types of data to be collected and stored in the database file. This chapter describes the
    format of the policy file and consists of the following sections:

    Chapter contents
        Overview ..................... 4-2
        Comments ..................... 4-2
        Rules ........................ 4-2
          Normal rules ............... 4-2
          Object names ............... 4-3
          Property masks ............. 4-6
          Stop points ................ 4-9
        Rule attributes .............. 4-10
          rulename ................... 4-12
          severity ................... 4-12
          emailto .................... 4-13
          recurse .................... 4-13
        Directives
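    A checker for the configuration variables described above, as an added Python example; it is not code from the Tripwire manual or product. It assumes the clear-text NAME = value form shown above, a $(NAME) substitution syntax for referring to earlier variables, and the required-variable list ROOT, POLFILE, DBFILE, REPORTFILE, SITEKEYFILE, LOCALKEYFILE. Of these, only SITEKEYFILE, LOCALKEYFILE and POLFILE are named in this excerpt; the other three come from the tw.cfg format rather than from the text. The two sample configurations are constructed.

```python
"""Check a clear-text Tripwire 2.0 configuration for the variables it must define.

Added example; not code from the Tripwire manual or product. Variable names are
matched case-sensitively, as the manual notes (polfile is not POLFILE).
"""
import re
from typing import Dict, List

# Names Tripwire requires. SITEKEYFILE, LOCALKEYFILE and POLFILE appear in the
# excerpt; ROOT, DBFILE and REPORTFILE are the remaining required names of the
# tw.cfg format, added from knowledge of that format rather than from the text.
REQUIRED = ("ROOT", "POLFILE", "DBFILE", "REPORTFILE", "SITEKEYFILE", "LOCALKEYFILE")

DEFINITION = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*;?$")
REFERENCE = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")   # $(NAME) substitution (assumed syntax)


def parse_config(text: str) -> Dict[str, str]:
    """Parse NAME = value lines into a dict, expanding $(NAME) references to earlier definitions."""
    variables: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = DEFINITION.match(stripped)
        if not match:
            raise ValueError(f"line {lineno}: expected NAME = value, got {stripped!r}")
        name, value = match.group(1), match.group(2)

        def expand(ref):
            target = ref.group(1)
            if target not in variables:
                raise ValueError(f"line {lineno}: $({target}) used before it is defined")
            return variables[target]

        variables[name] = REFERENCE.sub(expand, value)
    return variables


def check_required(variables: Dict[str, str]) -> List[str]:
    """List the required variables that are absent, pointing out case-only near misses."""
    by_lower = {name.lower(): name for name in variables}
    problems: List[str] = []
    for name in REQUIRED:
        if name in variables:
            continue
        if name.lower() in by_lower:
            problems.append(
                f"{name} is missing; found '{by_lower[name.lower()]}' "
                "but variable names are case-sensitive"
            )
        else:
            problems.append(f"{name} is missing")
    return problems


# Constructed configurations. Paths are illustrative; the site key on a shared
# volume follows the manual's multiple-systems example.
GOOD_CONFIG = """
ROOT         = /usr/local/tw
POLFILE      = $(ROOT)/policy/tw.pol
DBFILE       = $(ROOT)/db/tw.twd
REPORTFILE   = $(ROOT)/report/tw.twr
SITEKEYFILE  = /mnt/server/keydir/site.key
LOCALKEYFILE = /usr/local/tw/key/local.key
MAILPROGRAM  = /usr/lib/sendmail -oi -t
"""

BAD_CONFIG = """
ROOT         = /usr/local/tw
polfile      = $(ROOT)/policy/tw.pol
DBFILE       = $(ROOT)/db/tw.twd
SITEKEYFILE  = /usr/local/tw/key/site.key
LOCALKEYFILE = /usr/local/tw/key/local.key
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_required(parse_config(cfg)) or "all required variables present")
```

    The second configuration is rejected for two reasons the text above predicts: polfile is not POLFILE, and REPORTFILE is never defined. Running this before twadmin --create-cfgfile catches the error on the clear-text copy, before it is signed and the clear text is deleted.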
80. this file and produce a new encoded, signed tw.cfg file.

    By default the installer creates a sample policy file called tw.pol. A clear text copy of this policy file
    is preserved in the policy directory as twpol.txt. This file is heavily commented and is specific to the
    operating system where Tripwire is being installed. An additional commented policy file, policyguide.txt,
    is installed in the policy directory; it illustrates all features of the policy language. These initial
    policy files are intended only to confirm basic functionality of Tripwire. Once installation is complete,
    you should create an appropriate policy file to replace the sample file.

    Security Issue: For added security, it is recommended that clear text copies of policy and configuration
    files not be stored on systems where Tripwire is deployed.

    After installing

    Congratulations! You have successfully completed the Tripwire installation. In most cases your next step
    is to modify your policy and configuration files and then initialize the Tripwire database. Please proceed
    to the next chapter for more information on these tasks.

    2 RUNNING TRIPWIRE

    Introduction

    This chapter is a primer on fundamental Tripwire concepts. It provides a walkthrough of Tripwire
    operations, showing examples of