27 February 2013

346. Tripwire -- keeping an eye on important files

The whole UEFI/Secure Boot debacle led me to this post: http://arstechnica.com/information-technology/2013/02/linus-torvalds-i-will-not-change-linux-to-deep-throat-microsoft/

In the comments section 'rhavenn' wrote this in passing: " ...by taking a SHA512 hash of your kernel, offloading that to a 3rd party and occasionally verifying the hash. It's nothing tripwire or any other software hasn't been doing for ages. "

Which led me to check if tripwire was in the debian repos -- and it is.
UPDATE: You can also check out 'aide' which is also in the repos.

Given how I use my work computers I'm more concerned with disk corruption than infection by malicious code, but as someone who goes through the occasional airport, and with it the potential risk of having to hand over my laptop (never happened so far), I do see the use for tripwire. Also, in spite of the almost complete lack of viruses in the wild for linux, one should never be complacent (just look at OS X). Besides, learning new things is always a good thing.

Although to be fair, what tripwire does is what most (decent) antivirus programs also do.
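As an added illustration (not code from this post or from Tripwire itself), here is a minimal baseline-and-verify checker in the spirit of rhavenn's comment: hash every file with SHA-512, keep the baseline somewhere else, and later classify differences as added, removed or modified the way Tripwire's report summary does. The temporary tree and file names are constructed for the demo.

```python
import hashlib
import json
import os
import stat
import tempfile

# Added example, not Tripwire's code: SHA-512 baseline of a tree, recheck later,
# and classify differences as added/removed/modified like Tripwire's Rule Summary.
def sha512_of(path, chunk=1 << 16):
    h = hashlib.sha512()          # stream the file so big binaries are not read at once
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Record sha512, size and mode for every regular file under root."""
    base = {}
    for d, _, files in os.walk(root):
        for name in files:
            p = os.path.join(d, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode):  # skip symlinks, devices etc.
                base[os.path.relpath(p, root)] = {
                    "sha512": sha512_of(p), "size": st.st_size, "mode": st.st_mode}
    return base

def check(root, baseline):
    """Return (added, removed, modified) path lists relative to the stored baseline."""
    now = build_baseline(root)
    added = sorted(set(now) - set(baseline))
    removed = sorted(set(baseline) - set(now))
    modified = sorted(p for p in set(now) & set(baseline) if now[p] != baseline[p])
    return added, removed, modified

def demo():
    """Constructed sample tree (not a real /bin): take a baseline, tamper, recheck."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mode="wb"):
            with open(os.path.join(root, rel), mode) as f:
                f.write(data)
        os.makedirs(os.path.join(root, "bin"))
        for rel, data in (("bin/ls", b"fake ELF"), ("gone.txt", b"old"), ("keep", b"same")):
            write(rel, data)
        # Round-trip through JSON as you would when storing the baseline off-host.
        baseline = json.loads(json.dumps(build_baseline(root)))
        write("bin/ls", b"\x90", "ab")             # modified
        os.remove(os.path.join(root, "gone.txt"))  # removed
        write("new.txt", b"x")                     # added
        return check(root, baseline)  # (['new.txt'], ['gone.txt'], ['bin/ls'])
```

The baseline only has value if an attacker who can alter the files cannot also alter it, which is why Tripwire signs its database and the Debian notes suggest read-only media.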

Here's how to get set up with tripwire.


Installation

sudo apt-get install tripwire

You'll be asked to answer a series of questions:

Tripwire uses a pair of keys to sign various files, thus ensuring their unaltered state. By accepting here, you will be prompted for the passphrase for the first of those keys, the site key, during the installation. You are also agreeing to create a site key if one doesn't exist already. Tripwire uses the site key to sign files that may be common to multiple systems, e.g. the configuration & policy files. See twfiles(5) for more information. Unfortunately, due to the Debian installation process, there is a period of time where this passphrase exists in an unencrypted format. Were an attacker to have access to your machine during this period, he could possibly retrieve your passphrase and use it at some later point. If you would rather not have this exposure, decline here. You will then need to create a site key, configuration file & policy file by hand. See twadmin(8) for more information. Do you wish to create/use your site key passphrase during installation?

Tripwire keeps its configuration in an encrypted database that is generated, by default, from /etc/tripwire/twcfg.txt. Any changes to /etc/tripwire/twcfg.txt, either as a result of a change in this package or due to administrator activity, require the regeneration of the encrypted database before they will take effect. Selecting this action will result in your being prompted for the site key passphrase during the post-installation process of this package. Rebuild Tripwire configuration file?

Tripwire uses two different keys for authentication and encryption of files. The site key is used to protect files that could be used across several systems. This includes the policy and configuration files. You are being prompted for this passphrase either because no site key exists at this time or because you have requested the rebuilding of the policy or configuration files. Remember this passphrase; it is not stored anywhere! Enter site-key passphrase:

Tripwire uses two different keys for authentication and encryption of files. The local key is used to protect files specific to the local machine, such as the Tripwire database. The local key may also be used for signing integrity check reports. You are being prompted for this passphrase because no local key file currently exists. Remember this passphrase; it is not stored anywhere! Enter local key passphrase:

Tripwire has been installed. The Tripwire binaries are located in /usr/sbin and the database is located in /var/lib/tripwire. It is strongly advised that these locations be stored on write-protected media (e.g. mounted RO floppy). See /usr/share/doc/tripwire/README.Debian for details.

Initialise the database:
sudo tripwire -m i
Please enter your local passphrase: 
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
[..]
### Warning: File system error.
### Filename: /proc/30401/task/30401/fdinfo/4
### No such file or directory
### Continuing...
[..]
The object: "/proc/fs/nfsd" is on a different file system...ignoring.
The object: "/proc/sys/fs/binfmt_misc" is on a different file system...ignoring.
[..]
Wrote database file: /var/lib/tripwire/beryllium.twd
The database was successfully generated.

Checking a single file:
sudo tripwire -m c /bin/ls
Integrity checking objects specified on command line...
Wrote report file: /var/lib/tripwire/report/beryllium-20130227-141840.twr


Open Source Tripwire(R) 2.4.2.2 Integrity Check Report

Report generated by:          root
Report created on:            Wed Feb 27 14:18:40 2013
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    beryllium
Host IP address:              192.168.1.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/beryllium.twd
Command line used:            tripwire -m c /bin/ls 

===============================================================================
Rule Summary: 
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified 
  ---------                       --------------    -----    -------  -------- 
  Root file-system executables    100               0        0        0        
  (/bin)

Total objects scanned:  1
Total violations found:  0

===============================================================================
Object Summary: 
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

No violations.

===============================================================================
Error Report: 
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc.
Integrity check complete.

As a cronjob:
You can also just run
sudo tripwire -m c
in which case your system will be checked.

I would guess that putting this as a cronjob to run once per week would be the intended way of using tripwire. Edit /etc/crontab and put
0 22 * * 7 root tripwire -m c

Update: Tripwire on debian puts a file in /etc/cron.daily
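A cron job only writes a report file; something still has to read it. This is an added example (not Tripwire's code) that pulls the host name, the violation total and the per-rule counts out of the text report layout shown above, so a cron wrapper could alert whenever any rule reports a change. The report excerpt is constructed and its counts are made up.

```python
import re

# Constructed excerpt in the layout of the report above (made-up counts), for the parser below.
SAMPLE_REPORT = """\
Host name:                    beryllium
Database last updated on:     Never
Command line used:            tripwire -m c

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Root file-system executables    100               0        0        1
  (/bin)
  Tripwire Binaries               100               1        0        0
  (/usr/sbin)

Total objects scanned:  2
Total violations found:  2
"""

# One rule row: name, severity, then the three counts, separated by runs of spaces.
RULE_RE = re.compile(r"^  (?P<name>\S.*?)\s{2,}(?P<severity>\d+)\s+(?P<added>\d+)"
                     r"\s+(?P<removed>\d+)\s+(?P<modified>\d+)\s*$")

def parse_report(text):
    """Return host, violation total and per-rule counts from a Tripwire text report."""
    out = {"host": None, "violations": None, "rules": []}
    for line in text.splitlines():
        m = re.match(r"^Host name:\s+(\S+)", line)
        if m:
            out["host"] = m.group(1)
            continue
        m = re.match(r"^Total violations found:\s+(\d+)", line)
        if m:
            out["violations"] = int(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m:  # header and dashed lines never match because severity must be numeric
            row = {k: int(v) for k, v in m.groupdict().items() if k != "name"}
            row["name"] = m.group("name")
            out["rules"].append(row)
    return out

def rules_with_changes(report):
    """Names of rules with any added/removed/modified objects: what the cron job should alert on."""
    return [r["name"] for r in report["rules"] if r["added"] + r["removed"] + r["modified"]]
```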

26 February 2013

345. Replacing gEdit with Kate

For some reason I can't get gEdit to auto-spellcheck as I type anymore. There's simply no option to do it. Funnily enough, my favourite editor vim does it without any issues -- but while I like vim and use it for most of my data processing, I prefer to edit e.g. html in gEdit. Habit, I suppose.

Anyway, while gEdit is great for everything else, it's given me an excuse to familiarise myself a bit more with Kate which I take is the KDE counterpart to gEdit. A counterpart that's on steroids like a lot of KDE applications (that's not necessarily a good thing -- see e.g. vim vs emacs -- but each to their own).

Another cool thing with kate is that you can run it in a vim compatibility mode. (Sure, there's also gVim for the real deal, but gVIM looks ugly on my computer and I'm a shallow person.)

1. Installation
sudo apt-get install kate

2. Associations
Edit ~/.local/share/applications/defaults.list
 text/plain=kate.desktop
 text/x-python=kate.desktop
 text/x-sql=kate.desktop
 text/html=kate.desktop
 text/dat=kate.desktop
 text/xml=kate.desktop

You can associate kate with as many formats as you want this way.

Create ~/.local/share/applications/kate.desktop
[Desktop Entry]
Name=kate
Comment=kate text editor
Exec=/usr/bin/kate
Type=Application
Categories=Office;Accessories;
Set dynamic word wrap, enable vim, override

3. Desktop
In gnome, either navigate through your menu to 'Main Menu' (under 'system tools') or, if you're running a stock gnome 3 without a menu, go to the overview mode (what you end up with when you put the mouse in the top left corner) and type in main menu.

Either way, go to accessories and tick the box next to Kate.

4. Set up kate
Start kate, go to settings, configure kate and set your defaults:
Enable vi mode

Set up automatic spell check

Activate Dynamic Word Wrap

And enjoy:



24 February 2013

344. Compile a kernel (3.8) without using kpkg

Note: There is a much better and easier way: http://verahill.blogspot.com.au/2013/02/342-compiling-kernel-38-on-debian.html . What follows is just done for the sake of exploration.

Post begins:
It is incredibly easy to compile your own kernel on Debian using kernel-package. See e.g. http://verahill.blogspot.com.au/2013/02/342-compiling-kernel-38-on-debian.html

In the interest of learning how to compile a kernel in a more generic way which is applicable to non-debian systems (arch, red hat etc.), here's a method which doesn't rely on kpkg (kernel-package).

The downside is that this method does not produce a set of .deb files, and that you can't uninstall it using apt.

I'll be brief since most things are covered e.g. here.  I looked at this post when writing this.

sudo apt-get install build-essential ncurses-bin
mkdir ~/tmp
cd ~/tmp
wget http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.8.tar.bz2
tar xvf linux-3.8.tar.bz2
cd linux-3.8/
cat /boot/config-`uname -r`>.config
make oldconfig

Once you're done answering the questions, do

time make -j3

This takes 29 minutes (AMD Athlon II X3).

time make -j3 modules

This takes 4 minutes. Finish by running

sudo make modules_install
sudo make headers_install INSTALL_HDR_PATH=/usr/src/linux-3.8.0
sudo make install

Note that the default path for the headers is /usr/include, which doesn't play well with most programs that check for the presence of headers before installation, so use INSTALL_HDR_PATH to specify the destination (at least on debian).

make install takes care of initramfs and grub-update as well and generates
/boot/config-3.8.0
/boot/initrd.img-3.8.0
/boot/System.map-3.8.0
/boot/vmlinuz-3.8.0
And that's really it -- compiling a kernel even without kernel-packages is pretty easy. Reboot and everything should be in working order.