TripWire

Tripwire is a tool that keeps a database of information about files on the server. It performs regular checks and reports about files that have been changed, deleted, created, or renamed.

1. Automatic Check

Cron runs /etc/cron.daily/tripwire once a day. This invokes tripwire as /usr/sbin/tripwire --check --quiet. The meaning of the parameters:

2. Configuration Files `/etc/tripwire`

3. Data Files `/var/lib/tripwire`

4. Updating the Database

The check operation creates a signed binary report file every time it runs. This report is like a "diff" of the database and the current file system. The database is updated by "patching" it with the report. Here is the procedure:

  1. The command is tripwire --update

  2. If it complains that the file could not be opened then you must specify the report file with the -r option. Choose the file with the most recent timestamp. The timestamp is included in the filename so use tab-completion. Example: tripwire --update -r /var/lib/tripwire/report/fyodor.hcoop.net-20051023-065438.twr

  3. This will open a selection file in the pico editor. Look through the file and clear the [x] for any line that should not be saved to the database. The process is essentially certifying that each filesystem change is valid and proper.

  4. Save the file with ^O (Control-Oh)
  5. Quit with ^X (Control-x)
  6. Now you will be prompted for the local passphrase.

5. Changing the Policy

  1. First follow the instructions to Update the Database
  2. change to /etc/tripwire

  3. edit the policy in twpol.txt

  4. create the signed binary tw.pol file with tripwire --update-policy --secure-mode low twpol.txt

  5. you will be prompted for the site and local passphrases

6. Updating the Configuration

  1. change to /etc/tripwire

  2. edit the configuration in twcfg.txt

  3. run twadmin --create-cfgfile -S site.key -c tw.cfg twcfg.txt to create the signed binary tw.cfg file

  4. you will be prompted for the site passphrase

7. Passphrases

MichaelLeonhard generated the passphrases. To obtain them, save your public key to /root/$(USER).pubkey. Then send Michael an email about it. He will encrypt the passphrases and email them to you. The security of Tripwire depends on these passphrases. DO NOT store your private key or decrypt the passphrases on Fyodor. Here is the procedure:

  1. Download the latest version of GnuPG to your personal computer

  2. Check the signature of the downloaded file
  3. Install GnuPG onto your personal computer
  4. On your personal computer, create a public/private key pair with gpg --gen-key, use a good passphrase

  5. Export an ASCII version of your public key with gpg --export -a >> public.key

  6. Copy your public key to your home directory on Fyodor with scp public.key username@fyodor.hcoop.net:

  7. SSH into Fyodor and demonstrate your administrative priveleges by copying the public key to a secure location, cp ~/public.key /root/username.pubkey (where username is your username)

  8. Email MichaelLeonhard (username leonhard) to request a copy of the passphrases

  9. Decrypt the passphrase:
    • Read Michael's email on your personal computer, copy the PGP MESSAGE section to the clipboard
    • Open a terminal (or cmd prompt) on your personal computer and run gpg on your personal computer

    • Paste the GPG message block into the terminal
    • Type your secret passphrase, hit enter, then type ^Z (CTRL-Z)
    • Write down the passphrases that are printed out
    • Close the terminal

Please note how "your personal computer" appears throughout these instructions. Your private key and the decrypted passphrases should only exist on your personal computer. Thanks for caring about security.

--MichaelLeonhard


CategorySystemAdministration

TripWire (last edited 2008-07-07 04:28:17 by localhost)