Verifying System Integrity with Tripwire

After all the work editing configuration files, performing system integrity checks is fairly straight-forward: Type tripwire -check. As with initializing the database, this process is likely to take several minutes. When it's done, it creates a report that it stores in the REPORTFILE directory, as specified in the configuration file. Tripwire may also e-mail the report to the account specified with the GLOBALEMAIL variable, but only if Tripwire found problems or MAILNOVIOLATIONS is set to true. The command also sends the report to stdout, so you can see it on the screen. The report is fairly verbose, but pay particular attention to the filesystem summary section. For the policy file shown in Listing 21.1, the output should include lines like this if you've made no changes to the system except to add a single file to /etc:

Rule Name Severity Level Added Removed Modified

Tripwire Binaries 0 0 0 0

Total objects scanned: 5149 Total violations found: 1

The final line shown here reveals that one problem was found. The matrix makes it plain that the problem was a file added to /etc. Later in the report, you'll find lines that report on violations in more detail:

Added:

"/etc/strangefile"

If you see a report like this, you should investigate further. If the "problem" is really something innocent, you can either ignore it or modify the Tripwire database to reflect the valid change to the system.

Warning If you choose to ignore the reported violation, be aware that Tripwire might then be unable to detect subsequent unauthorized changes to the file or directory in question. For instance, if you add a legitimate user, and if a cracker subsequently breaks in and adds an account, Tripwire won't be able to detect the cracker's activity unless you update its database to reflect the new valid user.

Tip Before adding software, changing configuration files, adding users, or making any other change that would appear in a Tripwire report, you should run Tripwire to be sure there are no suspicious activities. You can then update the Tripwire database after making your changes and be confident that the database doesn't include any untoward changes. For still greater security, take down the network just before running Tripwire, to be sure the system isn't compromised as you make your own valid changes.

Running Tripwire manually can be worthwhile at times, but as a general rule, Tripwire works best when run regularly. Typically, you'll create a cron job to have the program perform a check on a regular basis—typically daily. For instance, you might create a script to run Tripwire and drop it into /etc/cron.daily. In fact, the Debian, Mandrake, and Red Hat Tripwire packages all include scripts to do precisely this. If you're using one of these packages, you should see a Tripwire report appear in your e-mail every morning, depending on the setting of MAILNOVIOLATIONS in twcfg.txt.

If you want to examine a regular Tripwire report some time after it's been made, you must use the twprint utility to examine the binary report file. These reports are most likely to be stored in /var/lib/tripwire/report/ and to be named after your computer, along with a date code and .twr extension, such as knox.luna.edu-20030703-040252.twr. Pass twprint the-m r-r options and the filename, as in:

# twprint -m r -r/var/lib/tripwire/report/knox.luna.edu-20030703-040252.twr

The result of typing this command should be much the same as having Tripwire check your system, except that the program displays the results of a check that's already been run. You might use this facility to compare a recent check against old ones, in order to ascertain when a particular change to the system occurred.

0 0

Post a comment