Item 10.  STATEMENT OF PROBLEM
Setup and configure tripwire.

INVESTIGATIVE PROCESS-
Discussed the tripwire pilot with the configuration designer and testers at work.  Read the man pages and documentation.  Finally, basically followed the procedure in the Red Hat Linux 7.3 Bible.  Verified the text files, etc.  Ran an integrity check to validate the configuration.

RECIPE-
Tripwire is already "loaded" (the package is on disk, but tripwire has not been installed/initialized) on Red Hat beginning with 7.1.

Installation:
You need to be root to set up tripwire.

In the tripwire directory:
cd /etc/tripwire
there is a policy file:  twpol.txt (tripwire policies).  It is a good idea to look at this file before starting, but do not make any changes to it until after you have run the install script for the first time (otherwise the install will not work).

Run the install script.
./twinstall.sh
You will need to create 2 passwords ('keyfile passphrases'):
a site keyfile passphrase
and a local keyfile passphrase

These need to be well-formed passwords.  They will be used to 'digitally sign' files that tripwire creates and to verify the origin and integrity of files.

During the install, you must re-enter the site passphrase to create the default configuration file and then the policy file (which lists which files you want "protected").  The text copy of the policy file, twpol.txt, may now be edited and the updates made.  I recommend keeping a copy of the old twpol.txt file, renamed.

Configuration:
This next step produces the initial checksum database for your file system.
tripwire --init
Enter your local key passphrase.  The checksum database will be written to
/var/lib/tripwire/host.twd

Edit Configuration
Use the resulting error messages to edit the policy file:
vi /etc/tripwire/twpol.txt
Re-configure the policy file and re-run the checksum to verify the new policies:
tripwire --update-policy /etc/tripwire/twpol.txt
tripwire --init
If the result still contains error messages, re-edit the policy file and rerun
tripwire --update-policy /etc/tripwire/twpol.txt
tripwire --init
until there are no remaining error messages.
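Most of the error messages in that loop are "File system error" warnings for paths that the stock twpol.txt lists but that do not exist on the machine. The following is an added example (not part of the original recipe) that automates the re-edit step: it pulls the missing paths out of saved tripwire --init output and comments out the matching rule lines in the policy file. The "### Filename:" message format, the temp-file names and the sample policy fragment are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: comment out twpol.txt entries for files that
# `tripwire --init` reported as missing. Run the real thing as
#   tripwire --init 2>&1 | tee init.log
# then: comment_missing /etc/tripwire/twpol.txt init.log > twpol.new

# missing_files LOGFILE: print each path flagged as a file system error
missing_files() {
    awk '/^### Filename:/ { print $3 }' "$1" | sort -u
}

# comment_missing POLICY LOGFILE: copy POLICY to stdout with the rule
# lines for missing paths prefixed by "#" (already-commented lines untouched)
comment_missing() {
    list=$(missing_files "$2")
    awk -v list="$list" '
        BEGIN { n = split(list, a, "\n")
                for (i = 1; i <= n; i++) if (a[i] != "") missing[a[i]] = 1 }
        ($1 in missing) && $0 !~ /^[[:space:]]*#/ { print "#" $0; next }
        { print }
    ' "$1"
}

# count_commented POLICY LOGFILE: how many rule lines would be commented out
count_commented() {
    comment_missing "$1" "$2" | grep -c '^#'
}

# Constructed sample of tripwire --init warnings (not from a real run)
INIT_LOG=$(mktemp)
cat > "$INIT_LOG" <<'EOF'
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /bin/ash
### No such file or directory
### Continuing...
EOF

# Constructed fragment of a twpol.txt rule block
POLICY=$(mktemp)
cat > "$POLICY" <<'EOF'
{
  /usr/sbin/fixrmtab               -> $(SEC_CRIT) ;
  /bin/ash                         -> $(SEC_CRIT) ;
  /bin/bash                        -> $(SEC_CRIT) ;
}
EOF

count_commented "$POLICY" "$INIT_LOG"   # → 2
```

Review the generated file before copying it over twpol.txt: a path that is missing because it was deleted by an intruder, rather than never installed, should not be silently dropped from the policy.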

Verify files-
Periodically run:
tripwire --check
If a file fails the check, research to determine whether the site was hacked or the change is simply the result of normal file modification.
If files have been updated, run:
tripwire --update

Protection of tripwire files-
It is recommended that the executable and database files be stored on a separate machine or on removable media.  Also, cron jobs should be configured to periodically run the integrity check and send "alarms."