Overview

What is it?

Tripwire is an open-source program that monitors file integrity. It performs a check of the filesystem state against a known baseline state, and alerts on changes that are detected.

Tripwire can monitor file contents, but also permissions, ownership, or directories.

Setup

Installing

Tripwire is a bit of a pain to install in an automated way, because it wants to try and walk you through a few initial setup steps.

We cover automated installation below.

Manual Installation

Install Tripwire using aptitude, since it is present in the official Debian repositories:

sudo apt-get -y update
sudo apt-get -y install tripwire

This will present several interactive prompts for the mulit-step setup process.

The steps are described on the Tripwire Readme: https://github.com/Tripwire/tripwire-open-source

Automated Installation

This SO answer gives some help, but this Unix SE answer is also needed. Here's the final incantation:

sudo DEBIAN_FRONTEND=noninteractive apt-get -y install tripwire

This should install tripwire with zero user intervention required.

Getting Help

both tripwire and twadmin offer top level help

tripwire --help
twadmin --help

These will give you the top-level command flags, like --init or --check.

If you want to get help on how to use a command flag, pass the name of the flag (without dashes) with the help command, like this:

# to get help on tripwire --scan
tripwire --help scan

# to get help on twadmin --create-polfile
twadmin --help create-polfile

These commands will tell you the flags you can pass when performing that action.

Automated Setup Details

Some details about what happens and where things go when setup is automated...

Automated Key Creation

The Tripwire setup process sets up two different keys:

• site key - the key used to secure the configuration file (if the configuration file is compromised, all findings from tripwire are suspect); this can be used across multiple servers just as config files can be
• local key - the key used on each machine to run the binary (ensures binary does not run without owner's consent)

These keys can be protected with a passphrase if Tripwire is being set up manually, but the automated installation process will not put any passphrase in place.

Automated installation will put the keys here:

• /etc/tripwire/HOSTNAME-local.key - this is the automatically generated local key
• /etc/tripwire/site.key - this is the automatically generated site key

Policy and Config Files

Note that the policy and configuration files that are created have two versions: the actual policy/config file (which is encrypted using the site key), and the plain text version.

The automated installation has the default encrypted policy file at <code/etc/tripwire/tw.pol and the plain text version at:

/etc/tripwire/twpol.txt

The automated installation has the default encrypted config file at <code/etc/tripwire/tw.cfg and the plain text version at:

/etc/tripwire/twcfg.txt

Initializing the Database

There is yet another manual step that must be run to scan the filesystem and prepare the database (I guess this is creating the baseline??)

To initialize the database:

sudo tripwire --init

This interactively prompts the user for the local key passphrase (these Tripwire people are REALLY trying to make life harder for automation-centric folks, huh?)

Use the -P my_passphrase or --local-passphrase my_passphrase flag to specify these on the CLI - they should be empty strings if using automated setup

sudo tripwire --init -P ""

Perform Initial Scan, Review Policy File, Eliminate False Positives

The procedure to make your policy file useful is to go through this process once, manually, on your operating system of choice, with the machine configured the way it will look in the final state.

Run a scan using tripwire, generate findings, and remove rules that generate false positives. Iterate until no false positives are generated:

• perform a a scan
• review the findings from the scan
• update the plain text policy file to remove rules that generate false positives
• generate a new encrypted policy file form the plain text policy file
• (repeat until no false positives)

Once you are done, there is one last step:

• Use the new and improved policy to create a new baseline

Perform a Scan

To run a scan and generate findings:

sudo sh -c 'tripwire --check | grep Filename > test_results'

Review Findings from Scan

Now review the findings in test_results and figure out which ones are false positives.

Some findings are reported because the files are changed, but some findings are because the files are not present.

The default policy file looks for some files that aren't present on all operating systems, so now update the policy file to remove those rules.

Updating the Plain Text Policy File

Update the policy file to adjust the rules:

vim /etc/tripwire/twpol.txt

Generate Encrypted Policy File from Plain Text Policy File

Once you are finished, generate a new encrypted policy file from the unencrypted plain text policy file:

sudo twadmin --create-polfile /etc/tripwire/twpol.txt

Use the -Q or --site-passphrase to pass the site key passphrase on the command line:

sudo twadmin --create-polfile -Q "" /etc/tripwire/twpol.txt

Create New Baseline

The final step, once your policy file is ship shape, is to make a new baseline using the same command we used before, tripwire --init:

sudo tripwire --init -P ""

Now you're finally done with the manual, one-time setup process, and tripwire is ready to rock!

Rules We Removed

• We removed files in the /root directory not present on our system, in the "Root config files" rule
• We removed the rule for /etc/rc.boot since that file was not present on our system
• We removed the /proc file from the list of directories being monitored (there were no particular processes we wanted to monitor)

How Long Do Scans Take

On an older laptop with 2 x 2.5 GHz cores and a fresh Debian install, the process of running tripwire --check took about 5 minutes.

CPU usage during the scan was mostly between 10% and 50%, with a few near-100% spikes.

(Once we removed the rules for /root and /proc, the scans went much faster.)

Links

excellent digital ocean guide: https://www.digitalocean.com/community/tutorials/how-to-use-tripwire-to-detect-server-intrusions-on-an-ubuntu-vps

automated installation of tripwire with puppet: https://github.com/autostructure/tripwire

Flags

Kali Linux "The quieter you become, the more you are able to hear." Penetration testing Linux distribution. Kali  · Category:Kali Kali/Wireless Reboot Kali Software: Kali Tools Kali Top 10 Aircrack  · Wireshark  · John the Ripper  · Nmap  · Metasploit Framework Dsniff  · Tcpdump  · Hydra  · Sqlmap  · Burpsuite  · Commix Dirbuster  · Valgrind Attack Workflow: Kali/Workflow 1 Physical Attacks: Kali/Layer 1 Attacks 2 Data/MAC Attacks: Kali/Layer 2 Attacks 3 Network Attacks: Kali/Layer 3 Attacks 4 Transport Attacks: Kali/Layer 4 Attacks 5 Session Attacks: Kali/Layer 5 Attacks 6 Presentation Attacks: Kali/Layer 6 Attacks 7 Application Attacks: Kali/Layer 7 Attacks Red Team Blue Team Metasploitable - Red Team Metasploitable - Blue Team Networking: Kali/Hotspot  · Kali/OpenVPN  · Kali/OpenVPN/Hotspot  · Kali/OpenVPN/PIA Kali/IPv6 Booting: Kali/Dual Boot OS X  · Kali/Live USB  · Kali/Persistent USB Installing: Kali/Installing  · Kali/Post Install  · Kali/Fixes Kali on Raspberry Pi: Kali Raspberry Pi  · Kali Raspberry Pi/Installing  · Kali Raspberry Pi/Headless  · Kali Raspberry Pi/Post-Install Category:Security  · Category:Wireless  · Category:Passwords  · Category:Man in the Middle Flags  · Template:KaliFlag  · e