Tripwire Tutorial: Linux Host Based Intrusion Detection System

by Ramesh Natarajan on December 8, 2008


Tripwire is a host-based intrusion detection system for Linux. It monitors a Linux system to detect and report any unauthorized changes to files and directories. Once a baseline is created, Tripwire detects which files were added, which files were changed, what was changed, who changed them, and when. If the changes are legitimate, you can update the Tripwire database to accept them.

For monitoring solutions in general, please also refer to our previous articles on Nagios.

This step-by-step guide explains how to install and configure the open source version of Tripwire.

1. Download Tripwire

Download the latest Tripwire open source version from the Tripwire SourceForge project website. Extract the Tripwire source code into the /usr/src directory as shown below.

# cd /usr/src
# wget http://internap.dl.sourceforge.net/sourceforge/tripwire/tripwire-2.4.1.2-src.tar.bz2
# bzip2 -d tripwire-2.4.1.2-src.tar.bz2
# tar xvf tripwire-2.4.1.2-src.tar

2. Install Tripwire

Use the --prefix option as shown below to specify the installation directory. In this example, I’ve installed Tripwire under /opt/tripwire. During make install, the installer prompts you for several inputs; each prompt is annotated with a [Note: ...] line below.

# cd tripwire-2.4.1.2-src

# ./configure --prefix=/opt/tripwire

# make

# make install

make[3]: Entering directory `/usr/src/tripwire-2.4.1.2-src'
prefix="/opt/tripwire" sysconfdir="/opt/tripwire/etc" \
        path_to_vi="/bin/vi" path_to_sendmail="/usr/sbin/sendmail" \
        ./install/install.sh
Installer program for: Tripwire(R) 2.4 Open Source
LICENSE AGREEMENT for Tripwire(R) 2.4 Open Source
Please read the following license agreement.  You must accept the
agreement to continue installing Tripwire.
Press ENTER to view the License Agreement.
[Note: Press enter key as instructed to view the license]

Please type "accept" to indicate your acceptance of this
license agreement. [do not accept] accept
[Note: Type accept to accept the license]

This program will copy Tripwire files to the following directories:
        TWBIN: /opt/tripwire/sbin
        TWMAN: /opt/tripwire/man
     TWPOLICY: /opt/tripwire/etc
     TWREPORT: /opt/tripwire/lib/tripwire/report
         TWDB: /opt/tripwire/lib/tripwire
 TWSITEKEYDIR: /opt/tripwire/etc
TWLOCALKEYDIR: /opt/tripwire/etc
CLOBBER is false.
Continue with installation? [y/n] y
[Note: Press y to continue the installation]

The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
[Note: Assign a passphrase for site keyfile.]

Generating key (this may take several minutes)...Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
[Note: Assign a passphrase for local keyfile.]

Creating signed configuration file...
Please enter your site passphrase:
Wrote configuration file: /opt/tripwire/etc/tw.cfg
[Note: Enter the site passphrase.]

Creating signed policy file...
Please enter your site passphrase:
Wrote policy file: /opt/tripwire/etc/tw.pol
[Note: Enter the site passphrase]

The installation succeeded.

  • The site passphrase secures the tw.cfg Tripwire configuration file
    and the tw.pol Tripwire policy file. You have to assign a site passphrase
    even for a single-instance Tripwire installation.
  • The local passphrase protects the Tripwire database and report files.

3. Initialize Tripwire Database

Before the first use, initialize the Tripwire database as shown below.

# cd /opt/tripwire/sbin/

# ./tripwire --init

Please enter your local passphrase:
Parsing policy file: /opt/tripwire/etc/tw.pol
Generating the database...
*** Processing Unix File System ***
The object: "/sys" is on a different file system...ignoring.
### Warning: File system error.
### Filename: /cdrom
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /floppy
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /initrd
### No such file or directory
### Continuing...
### Warning: File system error.
Wrote database file: /opt/tripwire/lib/tripwire/prod-db-srv.twd
The database was successfully generated.

4. Modify Tripwire Policy File

As shown above, during the Tripwire database initialization it may display a “No such file or directory” error for some of the default files mentioned in the Tripwire policy file. If your system doesn’t have those files, edit the policy file and comment out those entries.

For example, modify the /opt/tripwire/etc/twpol.txt tripwire policy file and comment out /cdrom and /floppy as shown below.

(
  rulename = "OS Boot Files and Mount Points",
)
{
  /boot                         -> $(ReadOnly) ;
#  /cdrom                        -> $(Dynamic) ;
#  /floppy                       -> $(Dynamic) ;
  /mnt                          -> $(Dynamic) ;
}


Using the Tripwire policy file you can define the directories and files that need to be monitored for changes. You can also be more granular and specify the file attributes that should be either monitored or ignored.

Following are some of the UNIX file system properties that Tripwire monitors.

  • File addition, deletion and modification
  • File permissions and properties
  • Access timestamp
  • Modification timestamp
  • File type and file size
  • User id of owner and group id of owner
  • Hash checking: CRC-32, POSIX 1003.2 compliant 32-bit Cyclic Redundancy Check; MD5, the RSA Security Message Digest Algorithm; SHA, part of the SHS/SHA algorithm; HAVAL, a strong 128-bit signature algorithm
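As an added example (not from the article or from Tripwire's default twpol.txt), the fragment below shows how rules, property masks and exclusions combine so that different attributes are monitored per path; the Oracle paths come from the article's reports, while the rule names, severities and e-mail address are assumptions.

```text
# Added example policy fragment; the rule names, severities and address are
# assumptions. Property letters: p perms, i inode, n links, u uid, g gid,
# t type, s size, d device, b blocks, a atime, m mtime, c ctime,
# C CRC32, M MD5, S SHA, H HAVAL. '+' means check, '-' means ignore.

SIG_HI  = 100 ;
SIG_MED = 66 ;

# Type, permissions, owner and group only: the content may change freely.
SEC_INVARIANT = +tpug ;

(
  rulename = "Oracle binaries",
  severity = $(SIG_HI),
  emailto  = "dba@example.com"
)
{
  # Same as $(ReadOnly) (size, mtime, CRC32, MD5, ...) but with SHA checked
  # too; access time stays ignored so plain reads do not raise violations.
  /u01/app/oracle/product          -> +pinugtsdbmCMS-rlacH ;
}

(
  rulename = "Oracle data files and traces",
  severity = $(SIG_MED)
)
{
  # Only the ORACLE_BASE directory entry itself, not its contents.
  /u01/app/oracle                  -> $(SEC_INVARIANT) (recurse = false) ;
  # Data files are rewritten constantly: report a chmod/chown, not writes.
  /u01/app/oracle/oradata          -> $(SEC_INVARIANT) ;
  # Logs may grow, but shrinking or truncation is a violation.
  /u01/app/oracle/diag             -> $(Growing) ;
  # Trace files churn too much to be worth a nightly report.
  !/u01/app/oracle/diag/rdbms/proddb/proddb/trace ;
}
```

The emailto attribute only takes effect when tripwire --check is run with --email-report and MAILMETHOD is configured in tw.cfg, as shown in step 9.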

5. Update Tripwire Policy File

Once you’ve modified the policy file, it needs to be updated as shown below.

# ./tripwire --update-policy --secure-mode low ../etc/twpol.txt

Parsing policy file: /opt/tripwire/etc/twpol.txt
Please enter your local passphrase:
Please enter your site passphrase:
======== Policy Update: Processing section Unix File System.

======== Step 1: Gathering information for the new policy.
The object: "/sys" is on a different file system...ignoring.

======== Step 2: Updating the database with new objects.

======== Step 3: Pruning unneeded objects from the database.
Wrote policy file: /opt/tripwire/etc/tw.pol
Wrote database file: /opt/tripwire/lib/tripwire/prod-db-srv.twd

Note: if any files have been modified between the Tripwire initialization and the policy update, they will be listed under the “Step 1: Gathering information for the new policy” output of the above command, as in the following example.

### Warning: Policy Update Changed Object.
### An object has been changed since the database was last updated.

### Object name: Conflicting properties for object
### /u01/app/oracle/oradata/dbfiles/prod01.dbf
### > Modify Time
### > CRC32
### > MD5

6. Check for Changes to the Files and Update the Tripwire Database

Once the Tripwire setup is complete, you should regularly perform checks to find out which files were added or modified since the last time the Tripwire database was updated. You can perform this check interactively from the command line as shown below.

# ./tripwire --check --interactive

Parsing policy file: /opt/tripwire/etc/tw.pol
*** Processing Unix File System ***

Performing integrity check...
Wrote report file:
/opt/tripwire/lib/tripwire/report/prod-db-srv-20081204-114336.twr


This automatically opens the following Tripwire report in vi, where you can review all the files that have been added to or modified on the system. As shown below, the “Added” and “Modified” files have a check mark in front of them, indicating that you accept these changes to be written to the Tripwire database.

===============================================================================
Report Summary:
===============================================================================
Host name:                    prod-db-srv
Host IP address:              192.168.1.10
Host ID:                      None
Policy file used:             /opt/tripwire/etc/tw.pol
Configuration file used:      /opt/tripwire/etc/tw.cfg
Database file used:           /opt/tripwire/lib/tripwire/prod-db-srv.twd
Command line used:            ./tripwire --check --interactive

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Added:
[x] "/u01/app/oracle/diag/rdbms/proddb/proddb/trace/proddb_m000_11376.trc"
[x] "/u01/app/oracle/diag/rdbms/proddb/proddb/trace/proddb_m000_11376.trm"

Modified:
[x] "/u01/app/oracle/diag/rdbms/proddb/proddb/metadata/INC_METER_CONFIG.ams"
[x] "/u01/app/oracle/diag/rdbms/proddb/proddb/metadata/INC_METER_INFO.ams"

Added object name:  /u01/app/oracle/diag/rdbms/proddb/proddb/trace/proddb_m000_11376.trc

  Property:            Expected                    Observed
  -------------        -----------                 -----------
* Object Type          ---                         Regular File
* Device Number        ---                         2049
* Inode Number         ---                         12026017
* Mode                 ---                         -rw-r-----
* Num Links            ---                         1
* UID                  ---                         oracle (1082)
* GID                  ---                         oinstall (1083)
* Size                 ---                         837
* Modify Time          ---                         Sat 06 Dec 2008 10:01:51 AM PST
* Blocks               ---                         8
* CRC32                ---                         AYxMeo
* MD5                  ---                         AXSkOul8R/np0fQP4q3QLv

Modified object name:  /u01/app/oracle/diag/tnslsnr/proddb/listener/trace/listener.log

  Property:            Expected                    Observed
  -------------        -----------                 -----------
  Object Type          Regular File                Regular File
  Device Number        2049                        2049
  Inode Number         2295281                     2295281
  Mode                 -rw-r-----                  -rw-r-----
  Num Links            1                           1
  UID                  oracle (1082)               oracle (1082)
  GID                  oinstall (1083)             oinstall (1083)
* Size                 5851880                     5858608
* Modify Time          Sat 06 Dec 2008 09:58:53 AM PST
                                                   Sat 06 Dec 2008 11:39:56 AM PST
* Blocks               11456                       11472
* CRC32                ANdM8R                      CK+bWM
* MD5                  DCW84lCuD2YJOhQd/EuVsn      CV8BMvZNJB9KQBXAf5yRDY

Please enter your local passphrase:
Incorrect local passphrase.
Please enter your local passphrase:
Wrote database file: /opt/tripwire/lib/tripwire/prod-db-srv.twd

7. How to view the twr report file?

All Tripwire report files, with the *.twr extension, are stored under the /opt/tripwire/lib/tripwire/report directory. A *.twr report is a binary file that cannot be viewed directly. To read it, use twprint to convert the *.twr file into plain text as shown below.

# ./twprint --print-report --twrfile \
/opt/tripwire/lib/tripwire/report/prod-db-srv-20081204-114336.twr  > \
/tmp/readable-output.txt

8. Monitor Linux System Integrity Regularly

Add the Tripwire check as a cron job to monitor and report any changes on an ongoing basis. For example, add the following lines to your crontab to execute the Tripwire check daily at 4:00 a.m.

# Tripwire Monitor process
00 4 * * * /opt/tripwire/sbin/tripwire  --check
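The bare cron line above runs the check, but nothing acts on the report. The wrapper below is an added example (not the article's or Tripwire's own code) that e-mails the report, converts the new .twr with twprint and logs each violated object to syslog; it assumes the /opt/tripwire prefix and the report layout shown in step 6, and the exit-status bits it tests are an assumption to verify on your version.

```shell
#!/bin/sh
# Added example, not the article's or Tripwire's own code. Assumes the
# /opt/tripwire prefix and the $(HOSTNAME)-$(DATE).twr report naming from tw.cfg.
TWBIN=/opt/tripwire/sbin
TWREPORT=/opt/tripwire/lib/tripwire/report

# Read a twprint (or interactive) text report on stdin and print
# "<Added|Removed|Modified> <path>" for each object in the summary section.
# Object lines look like   [x] "/path"   (interactive)   or   "/path"   (twprint).
report_objects() {
    awk '
        /^(Added|Removed|Modified):/ { kind = $1; sub(/:$/, "", kind); next }
        /^[ \t]*$/                   { kind = ""; next }
        kind != "" && /^(\[.\] )?"/ {
            path = $0
            sub(/^(\[.\] )?"/, "", path); sub(/"$/, "", path)
            print kind, path
        }'
}

# Report most recently written by --check (newest mtime under TWREPORT).
latest_report() {
    ls -t "$TWREPORT"/*.twr 2>/dev/null | head -n 1
}

# Run the check, mail the report through MAILMETHOD/MAILPROGRAM from tw.cfg,
# then push every violated object to syslog for central collection.
nightly_check() {
    if "$TWBIN"/tripwire --check --email-report; then
        status=0
    else
        status=$?
    fi
    # Assumed exit-status bits for --check (verify on your version):
    # 1 = added, 2 = removed, 4 = changed; 0 means no violations.
    if [ "$status" -eq 0 ]; then
        logger -t tripwire -p auth.info "integrity check clean"
        return 0
    fi
    "$TWBIN"/twprint --print-report --twrfile "$(latest_report)" \
        | report_objects \
        | while read -r kind path; do
              logger -t tripwire -p auth.warning "$kind $path"
          done
    return "$status"
}

# Cron entry for this script (in place of the bare --check line):
#   00 4 * * * /opt/tripwire/sbin/nightly_check.sh --run
case "${1:-}" in --run) nightly_check ;; esac
```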

9. Tripwire Configuration and Policy File Locations

Use twadmin to view the current Tripwire policy file. Only partial output is shown below.

# ./twadmin --print-polfile
@@section GLOBAL
TWDOCS="/opt/tripwire/doc/tripwire";
TWBIN="/opt/tripwire/sbin";
TWPOL="/opt/tripwire/etc";
TWDB="/opt/tripwire/lib/tripwire";
TWSKEY="/opt/tripwire/etc";
TWLKEY="/opt/tripwire/etc";
TWREPORT="/opt/tripwire/lib/tripwire/report";
HOSTNAME=prod-db-srv;

Use twadmin to view the current Tripwire configuration settings as shown below.

# ./twadmin --print-cfgfile
ROOT          =/opt/tripwire/sbin
POLFILE       =/opt/tripwire/etc/tw.pol
DBFILE        =/opt/tripwire/lib/tripwire/$(HOSTNAME).twd
REPORTFILE    =/opt/tripwire/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE   =/opt/tripwire/etc/site.key
LOCALKEYFILE  =/opt/tripwire/etc/prod-db-srv-local.key
EDITOR        =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL   =3
MAILMETHOD    =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM   =/usr/sbin/sendmail -oi -t



14 comments

1 Anonymous November 18, 2009 at 7:24 pm

Awesome tutorial!! Thanks a lot!!

2 alif January 23, 2011 at 8:43 pm

Hi,
I tried to install this tripwire. During checking I received this error. Would you please advise me on how to solve this. I uninstalled and installed again. The same error occurred.

I run ./tripwire --init as follows:

[root@myhost sbin]# ./tripwire --init
Please enter your local passphrase:
Parsing policy file: /opt/tripwire/etc/tw.pol
Generating the database...
*** Processing Unix File System ***
The object: "/backup" is on a different file system...ignoring.
The object: "/misc" is on a different file system...ignoring.
The object: "/net" is on a different file system...ignoring.
The object: "/sys" is on a different file system...ignoring.
### Warning: File system error.
### Filename: /etc/aliases.db
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /etc/mail/statistics
### No such file or directory
### Continuing...
### Error: File seek failed.
### Filename: /var/lib/mysql/tech0104_ucc/uc_pms.MYD
### Success./tripwire --update-policy --secure-mode low ../etc/twpol.txt
### Exiting...

However, when I issue this command to initialize the database:

./tripwire --update-policy --secure-mode low ../etc/twpol.txt

this error appears:

Parsing policy file: /opt/tripwire/etc/twpol.txt
### Error: File could not be opened.
### Filename: /opt/tripwire/lib/tripwire/myhost.twd
### No such file or directory
### Exiting…

Any advice on this??

3 Pratik Patel April 5, 2011 at 4:02 am

Move / Remove /var/lib/mysql/tech0104_ucc/uc_pms.MYD file & check.

4 Dennis September 17, 2011 at 2:03 am

great tutorial..thank you very much!

5 Vasim Memon December 23, 2011 at 5:58 am

Hello Brother,
Personally Thanks for creating such a nice blog.

I am trying to install tripwire on RHEL 5.X but I'm getting this error after running the below command:
prefix="/opt/tripwire" sysconfdir="/opt/tripwire/etc" \
path_to_vi="/bin/vi" path_to_sendmail="/usr/sbin/sendmail" \
./install/install.sh

Error:
Error: configuration parameter $TWPOLICY undefined.

Please let me know the solution,
I would be very much thankful to you

6 Pedro June 6, 2012 at 3:20 pm

How do you get rid of the messages: The object: "/sys" is on a different file system...ignoring. ?

I’ve tried including TRAVERSEMOUNTS = true in the configuration file, but I still get that message.

7 Drum June 8, 2012 at 11:36 am

If I had Tripwire monitoring only 1 file, is there any way to automate an action if a violation is detected?

Actions could be like: disconnecting from network, replacing file with backup, sending a signal to be read by another application, etc.

8 Monika March 13, 2013 at 7:43 am

Respected Sir,
The tutorial is really awesome and helpful.
But I want to know more: how can I specify the file attributes that should be ignored? Also, the modification time-stamp is not visible in my report; how can I add the modification time to the report? Kindly help me with your valuable suggestions.
Thank you.

9 Manglesh Vyas April 18, 2013 at 6:29 am

Hi,

Thanks for the nice document on installing Tripwire. I did try and got the below error, could you please help.

Parsing policy file: /opt/tripwire/etc/twpol.txt
### Error: File could not be opened.
### Filename: /opt/tripwire/lib/tripwire/RRDRSS01.twd
### No such file or directory
### Exiting…

10 Pardeep Saini April 18, 2013 at 10:51 pm

Installation requires some RPM package installation, so installing these packages in the beginning helps.

yum install gcc gcc-c++ gcc-cpp
yum install make

11 manglesh April 23, 2013 at 9:42 am

Thanks Pardeep,

I have installed all packages related to gcc* and the issue has been resolved.

Thanks again for your help.

12 Murali May 30, 2013 at 5:41 am

I have configured Tripwire, all fine, and added my home directory /home/user to twpol.txt under invariant directories. I am not getting a report on changes done to a sample file under this directory.

13 Dhananjaya September 12, 2013 at 4:39 am

Is there any way to get a log file for a specific period only? How do I extract only the changes for a specific date?

14 Sagar Indalkar November 27, 2013 at 5:01 am

Hi Ramesh,

Thanks for detailed blog.

First time I have seen such a wonderful blog. Helped me a lot.

Keep it up buddy

Regards,
Sagar Indalkar
