Tools Required: Linux, Tripwire
Tools Optional: Sendmail
This is a [longish] guide on how to correctly configure and use Tripwire on Linux to improve the OS security. Tripwire is both an Intrusion Detection System and a great admin tool, there is a commercial version of it here but I will be discussing the open source version hosted on Sourceforge.
So in short, you give Tripwire a list of files you want to ‘protect’ and at configured intervals Tripwire scans these files and will alert you of any changes to them. It essentially monitors the integrity of critical files. Consider the scenario where an attacker breaks into your system, one of his goals will be to enable a means for future access. Lets say he does this in a covert manner by writing a backdoor into your FTP server and recompiling it leaving no visible trace. Tripwire could be configured to watch the FTP daemon files and changing a single bit will course an alert to be raised. Sounds pretty useful right? It is. Im told however that Tripwire sees limited deployment in production servers (can’t comment if this is true or not though), some reasons for this may be a) It’s a very paranoid piece of software b) regular file changes can cause an obscene number of false positives.
Tripwire works by using a cryptographic hash function to generate a checksum of specified files, this checksum goes into a database and that database is encrypted. So even if you get rooted, an attacker shouldn’t be able to modify the checksum database (key management issues here!). A hash function will take an arbitrary sized input value (a file) and will output a fixed size hash value. A single bit change in the input should reflect a major change in the outputted hash value (Avalanche Effect), so they make a pretty good way of detecting a modified file 
Ok, so this tutorial will configure Tripwire to monitor a system directory and alert if integrity changes. Also, for full effectiveness this should be applied at a fresh install, what’s the point if your files may already be compromised?
I will assume for this example you have some important FTP server files in /root/demoFTP.
Installation:
- Download the Tripwire source & extract
[jack@tmob Desktop]$ cd tripwire-2.4.2-src
Next we need to edit the install script slightly, edit the file install/install.cfg we need to disable the use of sendmail and enable smtp instead, if you have sendmail running and configured on your server ignore this step. Changed section should look like this (don’t worry about a valid server, I wont be covering email alerts here):
TWMAILMETHOD=SMTP
TWSMTPHOST="mail.domain.com"
TWSMTPPORT=25
Now we can configure the build process & compile (edit the install directory to your preference):
...
[jack@tmob tripwire-2.4.2-src]$ make
...
Next is the installation, run ‘make install’ as root, as part of this we will need to accept the license agreement and configure some passwords for the database.
Please type "accept" to indicate your acceptance of this
license agreement. [do not accept] accept
...
Some verification stuff here
...
Continue with installation? [y/n] y
...
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.
...
The installation succeeded.
Ok, so you’ve just entered 2 (strong) passwords:
- Site: Secures configuration and policy files
- Local: Secures database and report files
That’s the installation all done, it’s now installed to /opt/tripwire
Configuration:
The main file we are concerned with is the Tripwire policy file: /opt/tripwire/etc/twpol.txt
Below is my clean, cut down bare essential config for this example (alot of the default comments are left in to explain the syntax. The specific rule for this tutorial is at the bottom.
@@section GLOBAL
TWDOCS="/opt/tripwire/doc/tripwire";
TWBIN="/opt/tripwire/sbin";
TWPOL="/opt/tripwire/etc";
TWDB="/opt/tripwire/lib/tripwire";
TWSKEY="/opt/tripwire/etc";
TWLKEY="/opt/tripwire/etc";
TWREPORT="/opt/tripwire/lib/tripwire/report";
HOSTNAME=tmob;
##############################################################################
# Predefined Variables #
##############################################################################
#
# Property Masks
#
# - ignore the following properties
# + check the following properties
#
# a access timestamp (mutually exclusive with +CMSH)
# b number of blocks allocated
# c inode creation/modification timestamp
# d ID of device on which inode resides
# g group id of owner
# i inode number
# l growing files (logfiles for example)
# m modification timestamp
# n number of links
# p permission and file mode bits
# r ID of device pointed to by inode (valid only for device objects)
# s file size
# t file type
# u user id of owner
#
# C CRC-32 hash
# H HAVAL hash
# M MD5 hash
# S SHA hash
#
##############################################################################
Device = +pugsdr-intlbamcCMSH ;
Dynamic = +pinugtd-srlbamcCMSH ;
Growing = +pinugtdl-srbamcCMSH ;
IgnoreAll = -pinugtsdrlbamcCMSH ;
IgnoreNone = +pinugtsdrbamcCMSH-l ;
ReadOnly = +pinugtsdbmCM-rlacSH ;
Temporary = +pugt ;
@@section FS
########################################
# Tripwire Binaries and Data Files #
########################################
# Tripwire Binaries
(
rulename = "Tripwire Binaries",
)
{
$(TWBIN)/siggen -> $(ReadOnly) ;
$(TWBIN)/tripwire -> $(ReadOnly) ;
$(TWBIN)/twadmin -> $(ReadOnly) ;
$(TWBIN)/twprint -> $(ReadOnly) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
rulename = "Tripwire Data Files",
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(Dynamic) -i ;
$(TWPOL)/tw.pol -> $(ReadOnly) -i ;
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ;
$(TWSKEY)/site.key -> $(ReadOnly) ;
# don't scan the individual reports
$(TWREPORT) -> $(Dynamic) (recurse=0) ;
}
################################################
# JCSecurity Demo #
################################################
(
rulename = "FTP Demo Configs",
)
{
/root/demoFTP -> $(ReadOnly) (recurse=2);
}
Our rule (there are also included rules for checking the Tripwire configs & binaries):
# JCSecurity Demo #
################################################
(
rulename = "FTP Demo Configs",
)
{
/root/demoFTP -> $(ReadOnly) (recurse=2);
}
This defines a rule to monitor the directory /root/demoFTP, $(ReadOnly) is the property mask and is defined and explained higher in the config (ReadOnly = +pinugtsdbmCM-rlacSH), basically its a very strict rule and stores multiple hashes, file owner information, sizes e.t.c. (recurse=2) tells the rule to recurse to a depth of 2 inside the directory. So a single bit change inside this directory will raise an alert.
In a proper deployment, you would set up rules to monitor all your critical global configs and system binaries, for example: /etc /usr/bin /usr/sbin /home
Next we have to compile this policy file and initialize the database for the first time.
Please enter your site passphrase:
Wrote policy file: /usr/local/etc/tw.pol
Please enter your local passphrase:
Parsing policy file: /usr/local/etc/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /usr/local/lib/tripwire/tmob.twd
The database was successfully generated.
We now have a secured integrity database with full details of /root/demoFTP
Running A Scan & Report Generation::
First for testing purposes change something in a file inside /root/demoFTP, i had a config file inside it and just added some junk to it.
To check the integrity of the files, simply run ‘./tripwire –check’ this will generate a report file. The generated report should show that the integrity of config.txt has changed.
Here is my report:
Parsing policy file: /usr/local/etc/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /usr/local/lib/tripwire/report/tmob-20100402-140935.twr
Open Source Tripwire(R) 2.4.1 Integrity Check Report
Report generated by: root
Report created on: Fri 02 Apr 2010 14:09:35 BST
Database last updated on: Never
===============================================================================
Report Summary:
===============================================================================
Host name: tmob
Host IP address: 127.0.0.1
Host ID: None
Policy file used: /usr/local/etc/tw.pol
Configuration file used: /usr/local/etc/tw.cfg
Database file used: /usr/local/lib/tripwire/tmob.twd
Command line used: ./tripwire --check
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
Tripwire Data Files 0 0 0 0
Tripwire Binaries 0 0 0 0
* FTP Demo Configs 0 0 0 1
(/root/demoFTP)
Total objects scanned: 12
Total violations found: 1
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: FTP Demo Configs (/root/demoFTP)
Severity Level: 0
-------------------------------------------------------------------------------
Modified:
"/root/demoFTP/config.txt"
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Clearly the report shows the file “/root/demoFTP/config.txt” has been modified
Updating & Regular Scans:
If you change a file under a monitored directory, you will need to update the database. This is done using an interactive check, run “./tripwire –check –interactive” and the report will be loaded up in vi, here you can edit which files will be updated in the database. Quit vi with :wq and the database will be updated.
Checks should be performed at regular intervals, maybe every couple of hours or once a day depending on factors such as server performance and data sensitivity. Best way to do this is by adding “/opt/tripwire/sbin/tripwire –check” as a system cron job.
Reports will be saved to /opt/lib/tripwire/reports, and you can also get e-mail alerts if you configure smtp or sendmail during installation, I wont go into that though.
Conclusions:
So now Tripwire will monitor /root/demoFTP/* at regular intervals, by reading the reports/alerts we will know if an attacker breaks in and modifies any of these files, apply this idea system-wide to critical files and you have a strong level of integrity acting as an intrusion detection system
Limitations:
Tripwire is reliant on your OS, that is by trusting Tripwire you are trusting your operating system. What can cause mistrust in an OS? A Rootkit! Tripwire reads files when it needs to make an integrity check, if you wanted to you could make a stealth rootkit to hijack the Linux open() syscall, so when the software tries to verify the integrity of an attacker modified file, you redirect the open() call to a hidden old version. Tripwire will ok the hash and be non-the wiser. This attack is discussed in detail here, implemented in a kernel module.
Another limitation to be aware of is the choice of hash function. If you pick a weak hash like MD4 or MD5 with known collision attacks then you are asking for trouble Use something with decent strength > 256bits and you will be significantly better off (SHA-512, Whirlpool).
Good stuff as usual! Not really looked into this kind of protection before, or at least certainly not so file specific. I believe the Nagios plugin suite covers some of this functionality, but not anywhere near so security focused..
I’d be interested to see you cover something like Snort maybe as well, getting it going is easy enough, but writing half decent detection rules can be a right pain!
Thanks, haven’t heard of Nagios before, looks to have a nice feature list.
Good idea on Snort, the rules are indeed a nightmare to remember! Might have to guide it up, helps reinforce the learning