
Diff for "TripWire"

Differences between revisions 1 and 2
Revision 1 as of 2005-10-24 03:20:07
Size: 896
Editor: dhcp-227-155
Comment: created page with initial information --MichaelLeonhard
Revision 2 as of 2005-10-24 05:42:17
Size: 4303
Editor: dhcp-227-155
Comment: added more information --MichaelLeonhard
Deletions are marked like this. Additions are marked like this.
Line 6: Line 6:
== Configuration `/etc/tripwire` == Tripwire is run from `/etc/cron.daily/tripwire` with the following command line:

`/usr/sbin/tripwire --check --quiet`

 * `--check` causes the program to compare the current files in the system with the recorded attributes in the database and print a report to stdout
 * `--quiet` tells it not to print the path of every file and directory that is examined

== Configuration Files `/etc/tripwire` ==
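Review bot: the `--check` bullet in this hunk describes the report as being printed to stdout, but the "Updating the Database" section added in the same revision relies on that check also writing a signed binary report file under `/var/lib/tripwire` (the `.twr` file the `-r` option names); state that here, since a reader of this section otherwise has no way to know where `/var/lib/tripwire/report/fyodor.hcoop.net-20051023-065438.twr` comes from.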
Line 10: Line 17:
 * `tw.pol` is a signed binary file that holds policy information
Line 12: Line 18:
 * `tw.pol` is a signed binary file that holds the logging and reporting policy information
Line 14: Line 21:
== Data `/var/lib/tripwire` == == Data Files `/var/lib/tripwire` ==
Line 18: Line 25:
== Updating the Database ==
The check operation creates a signed binary report file every time it runs. This report is like a "diff" of the database and the current file system. The database is updated by "patching" it with the report. Here is the procedure:

 1. The command is `tripwire --update`
 1. If it complains that the file could not be opened then you must specify the report file with the `-r` option. Example: `tripwire --update -r /var/lib/tripwire/report/fyodor.hcoop.net-20051023-065438.twr`
 1. This will open a selection file in the `pico` editor. Look through the file and clear the `[x]` for any line that should not be saved to the database. The process is essentially certifying that each filesystem change is valid and proper.
 1. Save the file with ^O (Control-Oh)
 1. Quit with ^X (Control-x)
 1. Now you will be prompted for the local passphrase.

== Changing the Policy ==
 1. First follow the instructions to Update the Database
 1. change to `/etc/tripwire`
 1. edit the policy in `twpol.txt`
 1. create the signed binary tw.pol file with `tripwire --update-policy --secure-mode low twpol.txt`
 1. you will be prompted for the site and local passphrases

== Updating the Configuration ==
 1. change to `/etc/tripwire`
 1. edit the configuration in `twcfg.txt`
 1. run `twadmin --create-cfgfile -S site.key -c tw.cfg twcfg.txt` to create the signed binary tw.cfg file
 1. you will be prompted for the site passphrase

== Passphrases ==
MichaelLeonhard generated the passphrases. To obtain them, save your GPG public key to /root/$(USER).pubkey. Then send Michael an email about it. He will encrypt the passphrases with GPG and email them to you. The security of Tripwire depends on these passphrases. DO NOT store your private key or decrypt the passphrases on Fyodor. Here is the procedure:
 1. Download the latest version of GPG to your personal computer
 1. Check the signature of the downloaded file
 1. Install GPG onto your personal computer
 1. On your personal computer, create a public/private key pair with `gpg --gen-key`, use a good passphrase
 1. Export an ASCII version of your public key with `gpg --export -a >> public.key`
 1. Copy your public key to your home directory on Fyodor with `scp public.key username@fyodor.hcoop.net:`
 1. SSH into Fyodor and demonstrate your administrative priveleges by copying the public key to a secure location, `cp ~/public.key /root/username.pubkey` (where username is your username)
 1. Email MichaelLeonhard (username leonhard) to request a copy of the passphrases
 1. Decrypt the passphrase:
   * Read Michael's email on your personal computer, copy the GPG message block to the clipboard
   * Open a terminal (or cmd prompt) on your personal computer and run `gpg` on your personal computer
   * Paste the GPG message block into the terminal
   * Type your secret passphrase, hit enter, then type CTRL-Z or ^Z
   * Write down the passphrases
   * Close the terminal
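Review bot: in the Passphrases paragraph `/root/$(USER).pubkey` is command substitution, which would try to run a command named `USER`; the shell variable is `${USER}`, and step 7 below names the same file as `/root/username.pubkey`, so the two should agree. In the decrypt steps, `CTRL-Z` ends input only at a Windows cmd prompt; in a Unix terminal it suspends `gpg` instead, and end of input is `^D`. The `-r` example path uses `/var/lib/tripwire/report/` while the Data Files section of the page lists the directory as `reports/`; one of the two spellings is wrong. Finally, `gpg --export -a >> public.key` exports every public key in the keyring and appends to an existing file; naming the key to export and writing with `>` gives a file that contains only the key being sent.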

Tripwire is a tool that keeps a database of information about files on the server. It performs regular checks and reports about files that have been changed, deleted, created, or renamed.

Tripwire is run from `/etc/cron.daily/tripwire` with the following command line:

`/usr/sbin/tripwire --check --quiet`

  • `--check` causes the program to compare the current files in the system with the recorded attributes in the database and print a report to stdout
  • `--quiet` tells it not to print the path of every file and directory that is examined

1. Configuration Files `/etc/tripwire`

  • `fyodor.hcoop.net-local.key` is a cryptographic key used to sign the database and reports
  • `site.key` is a cryptographic key used to sign the configuration and policy files
  • `tw.cfg` is a signed binary file that holds configuration information
  • `twcfg.txt` is the text source of `tw.cfg`
  • `tw.pol` is a signed binary file that holds the logging and reporting policy information
  • `twpol.txt` is the text source of `tw.pol`

2. Data Files `/var/lib/tripwire`

  • `fyodor.hcoop.net.twd` is the signed Tripwire database, storing information about every monitored file
  • `reports/` holds the signed binary reports

3. Updating the Database

The check operation creates a signed binary report file every time it runs. This report is like a "diff" of the database and the current file system. The database is updated by "patching" it with the report. Here is the procedure:

  1. The command is `tripwire --update`
  2. If it complains that the file could not be opened then you must specify the report file with the `-r` option. Example: `tripwire --update -r /var/lib/tripwire/report/fyodor.hcoop.net-20051023-065438.twr`
  3. This will open a selection file in the `pico` editor. Look through the file and clear the `[x]` for any line that should not be saved to the database. The process is essentially certifying that each filesystem change is valid and proper.
  4. Save the file with ^O (Control-O)
  5. Quit with ^X (Control-X)
  6. Now you will be prompted for the local passphrase.
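The two steps above that deal with locating the report (the bare `tripwire --update` and the `-r` fallback) can be scripted. The following is an added example, not part of the original hcoop page or of Tripwire itself; it assumes the Debian layout the page describes, with reports under `/var/lib/tripwire/report` named after the host plus a `YYYYMMDD-HHMMSS` stamp, and it always passes `-r` so the "file could not be opened" complaint does not arise. The function names (`latest_report`, `report_count`, `update_database`) and the `TRIPWIRE_REPORT_DIR` variable are this example's own.

```shell
#!/bin/sh
# Added example, not from the hcoop wiki page: find the newest Tripwire
# report and hand it to "tripwire --update -r", the manual step the page
# describes for when --update cannot open the report on its own.
# Assumes the Debian layout from the page: reports live in
# /var/lib/tripwire/report and are named HOST-YYYYMMDD-HHMMSS.twr.

REPORT_DIR="${TRIPWIRE_REPORT_DIR:-/var/lib/tripwire/report}"

# latest_report DIR
# Print the path of the most recent *.twr file in DIR. The zero-padded
# YYYYMMDD-HHMMSS stamp in the name makes a plain string sort chronological,
# so no mtime parsing is needed. Prints nothing and returns 1 if DIR holds
# no reports.
latest_report() {
    latest=$(for f in "$1"/*.twr; do
                 [ -f "$f" ] && printf '%s\n' "$f"
             done | LC_ALL=C sort | tail -n 1)
    [ -n "$latest" ] && printf '%s\n' "$latest"
}

# report_count DIR
# Number of reports waiting in DIR. Each --update folds in exactly one
# report, so a count above 1 means the changes recorded by earlier checks
# would be left out if only the newest report is applied.
report_count() {
    n=0
    for f in "$1"/*.twr; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# update_database DIR
# Run the interactive update against the newest report in DIR. Tripwire
# opens the selection file in the editor (pico on the page); clearing an
# [x] keeps that change out of the new database. You are then asked for
# the local passphrase, which signs the updated database.
update_database() {
    rpt=$(latest_report "$1") || { echo "no .twr reports in $1" >&2; return 1; }
    if [ "$(report_count "$1")" -gt 1 ]; then
        echo "warning: $(report_count "$1") reports present, applying only $rpt" >&2
    fi
    tripwire --update -r "$rpt"
}

# Stand-alone use (as root): sh tw-update.sh --run
if [ "${1:-}" = "--run" ]; then
    update_database "$REPORT_DIR"
fi
```

The warning about several pending reports matters because the page's procedure folds one report into the database per run; if the daily check has run more than once since the last update, repeat the update (or review the older reports) rather than accepting only the newest one.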

4. Changing the Policy

  1. First follow the instructions in Updating the Database above
  2. Change to `/etc/tripwire`
  3. Edit the policy in `twpol.txt`
  4. Create the signed binary `tw.pol` file with `tripwire --update-policy --secure-mode low twpol.txt`
  5. You will be prompted for the site and local passphrases

5. Updating the Configuration

  1. Change to `/etc/tripwire`
  2. Edit the configuration in `twcfg.txt`
  3. Run `twadmin --create-cfgfile -S site.key -c tw.cfg twcfg.txt` to create the signed binary `tw.cfg` file
  4. You will be prompted for the site passphrase
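Both procedures above follow the same pattern: edit a text source, then regenerate the signed binary next to it. The script below is an added example, not from the hcoop page or the Tripwire project; it checks whether `twpol.txt` or `twcfg.txt` is newer than its signed counterpart, which is exactly the situation in which Tripwire is still enforcing an old policy or configuration, and runs the page's own `tripwire --update-policy` and `twadmin --create-cfgfile` commands for whichever file is stale. The function names and the `TRIPWIRE_DIR` variable are this example's own; the paths are the Debian layout from the page.

```shell
#!/bin/sh
# Added example, not from the hcoop wiki page: rebuild the signed binary
# policy (tw.pol) and configuration (tw.cfg) from their text sources, but
# only when a text source is newer than its binary. Uses the two commands
# the page gives and assumes the Debian layout under /etc/tripwire.

TW_DIR="${TRIPWIRE_DIR:-/etc/tripwire}"

# needs_resign SRC BIN
# Returns 0 when BIN is missing or older than SRC: the text was edited after
# the binary was last signed, so Tripwire is still enforcing the old version.
# Returns 2 (and says so) when SRC itself is missing.
needs_resign() {
    src="$1"; bin="$2"
    [ -f "$src" ] || { echo "missing text source $src" >&2; return 2; }
    [ -f "$bin" ] || return 0
    [ "$src" -nt "$bin" ]
}

# pending_rebuilds DIR
# Print "policy" and/or "config", one per line, for whichever signed file
# in DIR is out of date with respect to its text source.
pending_rebuilds() {
    d="$1"
    needs_resign "$d/twpol.txt" "$d/tw.pol" && echo policy
    needs_resign "$d/twcfg.txt" "$d/tw.cfg" && echo config
    return 0
}

# rebuild DIR
# Regenerate the stale binaries using the commands from the page. Both
# prompt for passphrases: the policy update asks for the site and local
# passphrases, the config rebuild for the site passphrase only.
rebuild() {
    d="$1"
    cd "$d" || return 1
    for what in $(pending_rebuilds "$d"); do
        case "$what" in
            policy)
                # Run only after the database itself is current (page:
                # "First follow the instructions to Update the Database").
                tripwire --update-policy --secure-mode low twpol.txt ;;
            config)
                twadmin --create-cfgfile -S site.key -c tw.cfg twcfg.txt ;;
        esac
    done
}

# Stand-alone use (as root): sh tw-rebuild.sh --run
if [ "${1:-}" = "--run" ]; then
    if [ -z "$(pending_rebuilds "$TW_DIR")" ]; then
        echo "tw.pol and tw.cfg are up to date with their text sources"
    else
        rebuild "$TW_DIR"
    fi
fi
```

The staleness check is the useful part on its own: run `pending_rebuilds /etc/tripwire` from a cron job or before a change window and a non-empty answer tells you that someone edited a text source without re-signing it, so the binary Tripwire actually reads no longer matches the text. The script does not perform the database update that the policy procedure requires first; do that step before running it with `--run`.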

6. Passphrases

MichaelLeonhard generated the passphrases. To obtain them, save your GPG public key to `/root/${USER}.pubkey` (where `USER` is your username). Then send Michael an email about it. He will encrypt the passphrases with GPG and email them to you. The security of Tripwire depends on these passphrases. DO NOT store your private key or decrypt the passphrases on Fyodor. Here is the procedure:

  1. Download the latest version of GPG to your personal computer
  2. Check the signature of the downloaded file
  3. Install GPG onto your personal computer
  4. On your personal computer, create a public/private key pair with `gpg --gen-key`; use a good passphrase
  5. Export an ASCII version of your public key with `gpg --export -a >> public.key`
  6. Copy your public key to your home directory on Fyodor with `scp public.key username@fyodor.hcoop.net:`
  7. SSH into Fyodor and demonstrate your administrative privileges by copying the public key to a secure location, `cp ~/public.key /root/username.pubkey` (where username is your username)
  8. Email MichaelLeonhard (username leonhard) to request a copy of the passphrases
  9. Decrypt the passphrases:
    • Read Michael's email on your personal computer and copy the GPG message block to the clipboard
    • Open a terminal (or cmd prompt) on your personal computer and run `gpg`
    • Paste the GPG message block into the terminal
    • Type your secret passphrase, hit enter, then end the input with CTRL-Z or ^Z at a Windows cmd prompt (in a Unix terminal use ^D instead, since ^Z would suspend gpg)
    • Write down the passphrases
    • Close the terminal


CategorySystemAdministration

TripWire (last edited 2008-07-07 04:28:17 by localhost)