Table of Contents
Ubuntu - Tripwire - Configure Tripwire
The default configuration should be adjusted.
Run a check and place the files listed into a file called test_results in our tripwire config directory:
cd /etc/tripwire tripwire --check | grep Filename > test_results
If we view this file, we should see entries that look like this:
less /etc/tripwire/test_results
result:
Filename: /etc/rc.boot Filename: /root/mail Filename: /root/Mail Filename: /root/.xsession-errors . . .
Configure the Policy File to Match Your System
Now that we have a list of files that are setting off tripwire, we can go through our policy file and edit it to get rid of these false positives.
Open the plain text policy in your editor with root privileges:
sudo vi /etc/tripwire/twpol.txt
Do a search for each of the files that were returned in the test_results file. Comment out all of the lines that you find that match.
In the “Boot Scripts” section, you should comment out the /etc/rc.boot line, since this isn't present in an Ubuntu system:
- /etc/tripwire/twpol.txt
( rulename = "Boot Scripts", severity = $(SIG_HI) ) { /etc/init.d -> $(SEC_BIN) ; #/etc/rc.boot -> $(SEC_BIN) ; /etc/rcS.d -> $(SEC_BIN) ;
There were a lot of files in the /root home directory that needed to be commented out on my system. Anything that is not present on your system should be commented out:
- /etc/tripwire/twpol.txt
( rulename = "Root config files", severity = 100 ) { /root -> $(SEC_CRIT) ; # Catch all additions to /root #/root/mail -> $(SEC_CONFIG) ; #/root/Mail -> $(SEC_CONFIG) ; #/root/.xsession-errors -> $(SEC_CONFIG) ; #/root/.xauth -> $(SEC_CONFIG) ; #/root/.tcshrc -> $(SEC_CONFIG) ; #/root/.sawfish -> $(SEC_CONFIG) ; #/root/.pinerc -> $(SEC_CONFIG) ; #/root/.mc -> $(SEC_CONFIG) ; #/root/.gnome_private -> $(SEC_CONFIG) ; #/root/.gnome-desktop -> $(SEC_CONFIG) ; #/root/.gnome -> $(SEC_CONFIG) ; #/root/.esd_auth -> $(SEC_CONFIG) ; #/root/.elm -> $(SEC_CONFIG) ; #/root/.cshrc -> $(SEC_CONFIG) ; /root/.bashrc -> $(SEC_CONFIG) ; #/root/.bash_profile -> $(SEC_CONFIG) ; #/root/.bash_logout -> $(SEC_CONFIG) ; /root/.bash_history -> $(SEC_CONFIG) ; #/root/.amandahosts -> $(SEC_CONFIG) ; #/root/.addressbook.lu -> $(SEC_CONFIG) ; #/root/.addressbook -> $(SEC_CONFIG) ; #/root/.Xresources -> $(SEC_CONFIG) ; #/root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login #/root/.ICEauthority -> $(SEC_CONFIG) ; }
The last part of my check was complaining about file descriptors in the /proc filesystem. These files change all of the time, so will trigger false positives regularly if we leave the configuration as is.
In the “Devices & Kernel information” section, you can see that the /proc filesystem is listed to be checked.
- /etc/tripwire/twpol.txt
( rulename = "Devices & Kernel information", severity = $(SIG_HI), ) { /dev -> $(Device) ; /proc -> $(Device) ; }
However, this will check every file under it. We don't particularly want that. Instead, we will remove this specification, and add configuration options for all of the directories under /proc that we do want to check:
- /etc/tripwire/twpol.txt
{ /dev -> $(Device) ; #/proc -> $(Device) ; /proc/devices -> $(Device) ; /proc/net -> $(Device) ; /proc/tty -> $(Device) ; /proc/sys -> $(Device) ; /proc/cpuinfo -> $(Device) ; /proc/modules -> $(Device) ; /proc/mounts -> $(Device) ; /proc/dma -> $(Device) ; /proc/filesystems -> $(Device) ; /proc/interrupts -> $(Device) ; /proc/ioports -> $(Device) ; /proc/scsi -> $(Device) ; /proc/kcore -> $(Device) ; /proc/self -> $(Device) ; /proc/kmsg -> $(Device) ; /proc/stat -> $(Device) ; /proc/loadavg -> $(Device) ; /proc/uptime -> $(Device) ; /proc/locks -> $(Device) ; /proc/meminfo -> $(Device) ; /proc/misc -> $(Device) ; }
While we are in this portion of the file, we also want to do something with the /dev/pts filesystem. Tripwire will not check that location by default because it is told to check /dev, and /dev/pts is on a separate filesystem, which it will not enter unless specified. To get tripwire to check this as well, we can explicitly name it here:
- /etc/tripwire/twpol.txt
{ /dev -> $(Device) ; /dev/pts -> $(Device) ; #/proc -> $(Device) ; /proc/devices -> $(Device) ; /proc/net -> $(Device) ; /proc/tty -> $(Device) ; . . .
The last thing we will comment out are the /var/run and /var/lock lines so that our system does not flag normal filesystem changes by services:
- /etc/tripwire/twpol.txt
( rulename = "System boot changes", severity = $(SIG_HI) ) { #/var/lock -> $(SEC_CONFIG) ; #/var/run -> $(SEC_CONFIG) ; # daemon PIDs /var/log -> $(SEC_CONFIG) ; }
Save and close the file when you are finished editing.
Now that our file is configured, we need to implement it by recreating the encrypted policy file that tripwire actually reads:
sudo twadmin -m P /etc/tripwire/twpol.txt
After this is created, we must reinitialize the database to implement our policy:
sudo tripwire --init
shows
Please enter your local passphrase: Parsing policy file: /etc/tripwire/tw.pol Generating the database... *** Processing Unix File System *** Wrote database file: /var/lib/tripwire/tripit.twd The database was successfully generated.
All of the warnings that you received earlier should be gone now. If there are still warnings, you should continue editing your /etc/tripwire/twpol.txt file until they are gone.
Verify the Tripwire Configuration.
Tidy Up
Clean up our files a bit to remove sensitive information from our system.
We can delete the test_results file that we created:
sudo rm /etc/tripwire/test_results
Remove the actual plain text configuration files. We can do this safely because they can be generated at-will from the encrypted files with our password.
All we have to do to regenerate the plain text file is pass the encripted file to twadmin, in much the same way that we did to generate the encrypted version. We just pipe it into a plain text file again:
sudo sh -c 'twadmin --print-polfile > /etc/tripwire/twpol.txt'
Test this now by moving the text version to a backup location and then recreate it:
sudo mv /etc/tripwire/twpol.txt /etc/tripwire/twpol.txt.bak sudo sh -c 'twadmin --print-polfile > /etc/tripwire/twpol.txt'
If it worked correctly, you can safely remove the plain text files now:
sudo rm /etc/tripwire/twpol.txt sudo rm /etc/tripwire/twpol.txt.bak