Modifying the Tripwire Configuration

Tripwire configuration involves two plain-text configuration files, encrypted variants of these plain-text files, and an encrypted database file. You may want to update any of these files. To do so, you must do more than just edit the original configuration files:

Modifying the Configuration File: To modify the configuration file (typically /etc/tripwire/twcfg.txt), you must first edit the original file and then use twadmin to create a new binary file (typically /etc/tripwire/tw.cfg). Type twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt to do the job.

Creating a New Policy File: If you've made particularly extensive changes or are initializing the database for the first time, you may want to create an entirely new encrypted policy file. You can do so by typing twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt to replace the encrypted binary tw.pol file. After changing the policy, you should type tripwire --init to reinitialize the Tripwire database.

Modifying the Policy: To modify the policy, you use the tripwire utility itself and its --update-policy option. Specifically, if you've modified the policy stored in /etc/tripwire/twpol.txt, you can type tripwire --update-policy -S /etc/tripwire/site.key /etc/tripwire/twpol.txt to update the encrypted binary tw.pol file. Prior to issuing this command, you must update the database, as described next.

Updating the Database: If you've made changes to your system and want to update the Tripwire database to reflect these changes, you must pass the --update parameter to Tripwire to have it do this job. In practice, this command may also require you to pass it the name of a Tripwire report file, as in tripwire --update --twrfile /var/lib/tripwire/report/knox.luna.edu-20031212-155357.twr. Tripwire displays a modified version of the report in the editor specified in the configuration file. Partway through this report, there will be lines showing the added, changed, or deleted files, such as /etc/strangefile in Figure 21.1. Be sure an X appears in the box next to each file whose changed status you want to update. If you don't want to update a file, remove the X next to its name. When you're done, save your changes and exit the editor. Tripwire asks for your local passphrase and changes the database. If you want to forgo the prompting phase, you can add the --accept-all parameter.

Figure 21.1: You use an editor to specify which changed files you want to add to the database.

RPM: A Pinch-Hitting Tripwire Substitute

Imagine this scenario: You're administering a Linux system but you neglected to install Tripwire. You run across some suspicious activity, such as strange behavior from one of your programs. By itself, this activity isn't strong evidence of a security breach, but it is suspicious. What can you do to investigate the matter? If your system uses RPMs, one answer is to use the rpm utility—specifically its verify (-V) option. Because the RPM database includes MD5 sums and similar checks of package integrity, it can be used to verify the integrity of your packages, albeit with some important caveats. To verify a single package, type rpm -V packagename, as described in Chapter 11, "Managing Packages." Any files that have changed appear in a list, along with a string summarizing the ways in which they've changed. To verify every package on the system, type rpm -Va. This command is likely to produce copious output, though, so you may want to pipe it through less or redirect it to a file you can peruse later.
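The "string summarizing the ways in which they've changed" is a fixed-width set of flag columns, and the copious output of rpm -Va is mostly mtime-only noise and config-file edits, so a decoder that ranks the findings saves a lot of reading. The script below is an added example, not code from the book or from the rpm project. The column meanings are rpm's documented ones (S size, M mode, 5 digest, D device, L symlink target, U owner, G group, T mtime, P capabilities; "c" after the flags marks a config file, "d" a documentation file); the HIGH/LOW ranking, the sample input and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the book or the rpm project): decode rpm -V /
# rpm -Va change strings and rank each finding so that content, permission
# or ownership drift on ordinary files (what a replaced binary looks like)
# stands out from config edits and mtime-only noise.
#
# SAMPLE_RPM_V is constructed input in rpm -V's output format:
#   <9 flag chars> <attr> <path>   or   missing <attr> <path>
# Flags: S size, M mode, 5 digest (MD5 in the rpm the text describes),
# D device, L symlink target, U owner, G group, T mtime, P capabilities;
# "." means the test passed, "?" that it could not be run.
# Attr "c" marks a config file, "d" a documentation file.
SAMPLE_RPM_V='S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/ls
S.5....T.    /usr/bin/ps
.M....G..    /usr/sbin/sshd
missing    d /usr/share/doc/foo/README
missing      /usr/bin/top'

# decode_verify: reads rpm -V output on stdin, prints "SEV path: changes"
decode_verify() {
    awk '
    function flagdesc(ch) {
        if (ch == "S") return "size"
        if (ch == "M") return "mode"
        if (ch == "5") return "digest"
        if (ch == "D") return "device"
        if (ch == "L") return "symlink target"
        if (ch == "U") return "owner"
        if (ch == "G") return "group"
        if (ch == "T") return "mtime"
        if (ch == "P") return "capabilities"
        if (ch == "?") return "unchecked"
        return ""
    }
    {
        attr = ($2 ~ /^[cdglr]$/) ? $2 : ""
        path = substr($0, index($0, "/"))    # rpm paths are always absolute
        if ($1 == "missing") {
            # a vanished binary matters more than a vanished doc or config file
            sev = (attr == "c" || attr == "d") ? "LOW" : "HIGH"
            printf "%s %s: missing\n", sev, path
            next
        }
        desc = ""; sev = "LOW"
        for (i = 1; i <= length($1); i++) {
            ch = substr($1, i, 1)
            if (ch == ".") continue
            d = flagdesc(ch)
            desc = (desc == "") ? d : (desc ", " d)
            # content, permission or ownership change on a non-config file;
            # an mtime-only change or a "?" never raises the rank by itself
            if (attr != "c" && index("5SMULGP", ch) > 0) sev = "HIGH"
        }
        if (desc != "") printf "%s %s: %s\n", sev, path, desc
    }'
}

# decode_sample: the decoder run over the constructed sample above
decode_sample() { printf '%s\n' "$SAMPLE_RPM_V" | decode_verify; }

# count_high: number of HIGH findings in rpm -V output fed on stdin
count_high() { decode_verify | awk '/^HIGH /{n++} END{print n+0}'; }

# Live use, with the output paged as the text suggests:
#   rpm -Va | decode_verify | sort | less
```

In the sample, /usr/bin/ps with a changed digest and size and /usr/sbin/sshd with changed mode and group are reported HIGH, while the edited sshd_config and the mtime-only change to /usr/bin/ls are LOW; a missing file is ranked by the same rule. The ranking only makes sense if the rpm binary and its database can be trusted, which is exactly the caveat the next paragraph raises.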

One big caveat concerning this approach is that a miscreant can easily defeat a simple test by using RPM to install a root kit packaged under the name of a regular package. The root kit's files will then appear to be valid to rpm. One possible countermeasure is to verify the suspect files against the original archive, ideally stored on CD-ROM. For instance, rpm -Vp /path/to/packagename.rpm will verify the installed package against the one in /path/to. For even better security, boot using an emergency boot system and test your system using the emergency system's version of rpm. This practice will protect against the possibility that the miscreant might replace your copy of rpm with one that ignores compromised files.

Overall, RPM can't come close to replacing Tripwire. At best, RPM is an awkward security tool compared to Tripwire. At worst, RPM's results aren't trustworthy. Nonetheless, it's better than nothing if you haven't installed Tripwire or some other security auditing tool.
