27 February 2013

346. Tripwire -- keeping an eye on important files

The whole UEFI/Secure Boot debacle lead me to this post: http://arstechnica.com/information-technology/2013/02/linus-torvalds-i-will-not-change-linux-to-deep-throat-microsoft/

In the comments section 'rhavenn' wrote this in passing: " ...by taking a SHA512 hash of your kernel, offloading that to a 3rd party and occasionally verifying the hash. It's nothing tripwire or any other software hasn't been doing for ages. "

Which lead me to check if tripwire was in the debian repos -- and it is.
UPDATE: You can also checkout 'aide' which is also in the repos.

Given how I use my work computers I'm more concerned with disk corruption than infection by malicious code, but as someone who goes through the occasional airport, and with it the potential risk of having to hand over my laptop (never happened so far), I do see a the use for tripwire. Also, in spite of the almost complete lack of viruses in the wild for linux, one should never be complacent (just look at OS X). Besides, learning new things is always a good thing.

Although to be fair, what tripwire does is what most (decent) antivirus programs also do.

Here's how to get set up with tripwire.


sudo apt-get install tripwire

You'll be asked to answer a series of questions:

Tripwire uses a pair of keys to sign various files, thus ensuring their unaltered state. By acceptin here, you will be prompted for the passphrase for the first of those keys, the site key, during the installation. You are also agreeing to create a site key if one doesn't exist already. Tripwire uses the site key to sign files that may be common to multiple systems, e.g. the configuration & policy files. See twfiles(5) for more information. Unfortunately, due to the Debian installation process, there is a period of time where this passpgrase exists in an unencrypted format. Were an attacker to have access to your machine during this period, he could possibly retrieve your passphrase and use it at some later point. If you would rather not have this exposure, decline here. You will then need to create a site key, configuration file & policy file by hand. See twadmin(8) for more information. Do you wish to create/use your site key passphrase during installation?
Tripwire keeps its configuration in a encrypted database that is generated, by default, from /etc/tripwire/twcfg.txt Any changes to /etc/tripwire/twcfg.txt, either as a result of a change in this package or due to administrator activity, require the regeneration of the encrypted database before they will take effect. Selecting this action will result in your being prompted for the site key passphrase during the post-installation process of this package. Rebuild Tripwire configuration file?
Tripwire uses two different keys for authentication and encryption of files. The site key is used to protect files that could be used across several systems. This includes the policy and configuration files. You are being prompted for this passphrase either because no site key exists at this time or because you have requested the rebuilding of the policy or configuration files. Remember this passphrase; it is not stored anywhere! Enter site-key passphrase:
Tripwire uses two different keys for authentication and encryption of files. The local key is used to protect files specific to the local machine, such as the Tripwire database. The local key may also be used for signing integrity check reports. You are being prompted for this passphrase because no local key file currently exists. Remember this passphrase; it is not stored anywhere! Enter local key passphrase:
Tripwire has been installed The Tripwire binaries are located in /usr/sbin and the database is located in /var/lib/tripwire. It is strongly advised that these locations be stored on write-protected media (e.g. mounted RO floppy). See /usr/share/doc/tripwire/README.Debian for details.

Initialise the database:
sudo tripwire -m i
Please enter your local passphrase: 
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /proc/30401/task/30401/fdinfo/4
### No such file or directory
### Continuing...
The object: "/proc/fs/nfsd" is on a different file system...ignoring.
The object: "/proc/sys/fs/binfmt_misc" is on a different file system...ignoring.
Wrote database file: /var/lib/tripwire/beryllium.twd
The database was successfully generated.

Checking a single file:
sudo tripwire -m c /bin/ls
Integrity checking objects specified on command line...
Wrote report file: /var/lib/tripwire/report/beryllium-20130227-141840.twr

Open Source Tripwire(R) Integrity Check Report

Report generated by:          root
Report created on:            Wed Feb 27 14:18:40 2013
Database last updated on:     Never

Report Summary:

Host name:                    beryllium
Host IP address:    
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/beryllium.twd
Command line used:            tripwire -m c /bin/ls 

Rule Summary: 

  Section: Unix File System

  Rule Name                       Severity Level    Added    Removed  Modified 
  ---------                       --------------    -----    -------  -------- 
  Root file-system executables    100               0        0        0        

Total objects scanned:  1
Total violations found:  0

Object Summary: 

# Section: Unix File System

No violations.

Error Report: 

No Errors

*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc.
Integrity check complete.

As a cronjob:
You can also just run
sudo tripwire -m c
in which case your system will be checked.

I would guess that putting this as a cronjob to run once per week would be the intended way of using tripwire. Edit /etc/crontab and put
0 22 * * 7 root tripwire -m c

Update: Tripwire on debian puts a file in /etc/cron.daily

No comments:

Post a Comment