Table of Contents
Ubuntu - Tripwire - Verify the Tripwire Configuration
Check to see what the tripwire report looks like and if there are truly no warnings:
The basic syntax for a check is:
sudo tripwire --check
You should see a report output to your screen specifying that there were no errors or changes found on your system.
shows
Parsing policy file: /etc/tripwire/tw.pol *** Processing Unix File System *** Performing integrity check... The object: "/dev/hugepages" is on a different file system...ignoring. The object: "/dev/mqueue" is on a different file system...ignoring. The object: "/dev/shm" is on a different file system...ignoring. The object: "/proc/sys/fs/binfmt_misc" is on a different file system...ignoring. Wrote report file: /var/lib/tripwire/report/server1.sharewiz.net-20161126-110710.twr Open Source Tripwire(R) 2.4.2.2 Integrity Check Report Report generated by: root Report created on: Sat 26 Nov 2016 11:07:10 GMT Database last updated on: Never =============================================================================== Report Summary: =============================================================================== Host name: server1.sharewiz.net Host IP address: 192.168.1.2 Host ID: None Policy file used: /etc/tripwire/tw.pol Configuration file used: /etc/tripwire/tw.cfg Database file used: /var/lib/tripwire/server1.sharewiz.net.twd Command line used: tripwire --check =============================================================================== Rule Summary: =============================================================================== ------------------------------------------------------------------------------- Section: Unix File System ------------------------------------------------------------------------------- Rule Name Severity Level Added Removed Modified --------- -------------- ----- ------- -------- Other binaries 66 0 0 0 Tripwire Binaries 100 0 0 0 Other libraries 66 0 0 0 Root file-system executables 100 0 0 0 Tripwire Data Files 100 0 0 0 * System boot changes 100 16 0 3 (/var/log) Root file-system libraries 100 0 0 0 (/lib) Critical system boot files 100 0 0 0 Other configuration files 66 0 0 0 (/etc) Boot Scripts 100 0 0 0 Security Control 66 0 0 0 Root config files 100 0 0 0 Devices & Kernel information 100 0 0 0 Invariant Directories 66 0 0 0 Total objects scanned: 121417 Total violations found: 19 =============================================================================== Object Summary: =============================================================================== ------------------------------------------------------------------------------- # Section: Unix File System ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- Rule Name: System boot changes (/var/log) Severity Level: 100 ------------------------------------------------------------------------------- Added: "/var/log/psad/59.27.80.177" "/var/log/psad/59.27.80.177/danger_level" "/var/log/psad/59.27.80.177/192.168.1.2_email_alert" "/var/log/psad/59.27.80.177/192.168.1.2_signatures" "/var/log/psad/59.27.80.177/192.168.1.2_start_time" "/var/log/psad/59.27.80.177/192.168.1.2_packet_ctr" "/var/log/psad/59.27.80.177/email_ctr" "/var/log/psad/59.27.80.177/59.27.80.177_whois" "/var/log/psad/220.164.163.75" "/var/log/psad/220.164.163.75/danger_level" "/var/log/psad/220.164.163.75/192.168.1.2_email_alert" "/var/log/psad/220.164.163.75/192.168.1.2_signatures" "/var/log/psad/220.164.163.75/192.168.1.2_start_time" "/var/log/psad/220.164.163.75/192.168.1.2_packet_ctr" "/var/log/psad/220.164.163.75/email_ctr" "/var/log/psad/220.164.163.75/220.164.163.75_whois" Modified: "/var/log/psad" "/var/log/psad/top_ports" "/var/log/psad/top_sigs" =============================================================================== Error Report: =============================================================================== No Errors ------------------------------------------------------------------------------- *** End of report *** Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved. Integrity check complete.
Notice the following lines near the top of the report. These indicate that tripwire is not monitoring these, so it would be best to update the Tripwire configuration by including these missing objects. See Configure Tripwire.
The object: "/dev/hugepages" is on a different file system...ignoring. The object: "/dev/mqueue" is on a different file system...ignoring. The object: "/dev/shm" is on a different file system...ignoring. The object: "/proc/sys/fs/binfmt_misc" is on a different file system...ignoring.
Do an interactive check
sudo tripwire --check --interactive
This will run the same tests as normal, but at the end, instead of outputting the report to the screen, it is copied into a text file and opened with the default editor.
This report goes into quite a lot of detail about each file that changed. In fact, on my machine, the report generated was 2,275 lines long. This amount of information is extremely helpful in the event of a real security problem, but in our case, it's generally probably not too interesting for the most part.
The important part is near the top. After some introductory information, you should see some lines with check boxes for each of the added or modified files:
Rule Name: Other binaries (/usr/sbin) Severity Level: 66 ------------------------------------------------------------------------------- Remove the "x" from the adjacent box to prevent updating the database with the new values for this object. Added: [x] "/usr/sbin/maidag" Modified: [x] "/usr/sbin" . . .
These check boxes indicate that you want to update the database to allow these changes. You should search for every box that has an “x” in it and verify that those are changes that you made or are okay with.
If you are not okay with a change, you can remove the “x” from the box and that file will not be updated in the database. This will cause this file to still flag tripwire on the next run.
After you have decided on which file changes are okay, you can save and close the file.
At this point, it will ask for your local passphrase so that tripwire can update its database files.
Do an interactive check
sudo tripwire --check --interactive
This will run the same tests as normal, but at the end, instead of outputting the report to the screen, it is copied into a text file and opened with the default editor.
This report goes into quite a lot of detail about each file that changed. In fact, on my machine, the report generated was 2,275 lines long. This amount of information is extremely helpful in the event of a real security problem, but in our case, it's generally probably not too interesting for the most part.
The important part is near the top. After some introductory information, you should see some lines with check boxes for each of the added or modified files:
Rule Name: Other binaries (/usr/sbin) Severity Level: 66 ------------------------------------------------------------------------------- Remove the "x" from the adjacent box to prevent updating the database with the new values for this object. Added: [x] "/usr/sbin/maidag" Modified: [x] "/usr/sbin" . . .
These check boxes indicate that you want to update the database to allow these changes. You should search for every box that has an “x” in it and verify that those are changes that you made or are okay with.
If you are not okay with a change, you can remove the “x” from the box and that file will not be updated in the database. This will cause this file to still flag tripwire on the next run.
After you have decided on which file changes are okay, you can save and close the file.
At this point, it will ask for your local passphrase so that tripwire can update its database files.
If we accepted all of the changes, and if we re-run this command, the report should be much shorter now and list no changes.