Detecting attacks with the Tripwire IDS

Check and Report

Before you bundle Tripwire off into a cron job, you should check whether the software really sends email without any glitches. The following command does the trick:

# tripwire --test --email <address>@<domain>.com

If everything works, you can type tripwire --check to run your first real integration check (Figure 1). Tripwire outputs the reports in short form at the console and stores them at the same time in more detail in /var/lib/tripwire/report/$HOSTNAME-timestamp.twr (Figure  2).

Figure 1: During the integrity check, Tripwire outputs a short summary on the standard output. The associated reports usually show much more detail.
Figure 2: One report for each cronjob and manual integrity check: If you do not delete the reports, they tell a long tale of intentional or unintentional file manipulation.

If you want to mail the reports, you also need to set the --email-report switch. The reports are then dispatched to the recipients defined in the policy file for the matching rules.

Occasionally, admins change things on running systems. Because Tripwire does not know that these modifications are allowed, the reports may be full of violations. To avoid this, you need to adjust the Tripwire database on the basis of the report. Use the command

# tripwire --update -twrfile \
  /var/lib/tripwire/report/$HOSTNAME-timestamp.twr

to open an editor that lists all rule violations (Figure 3). Alternatively, Tripwire can use tripwire --check --interactive to adopt the changes immediately.

Figure 3: Changes that are understandable and allowed can be added to the Tripwire database.

If you then consent by doing nothing, Tripwire modifies the database accordingly; these integrity violation messages do not occur in future tests. If a rule violation is not approved and if you want Tripwire to continue reporting it in future tests, simply uncheck the checkbox associated with the violation.

If you want to look at the Tripwire database, you can use the

twprint --print-dbfile

command and use a similar approach for binary report files (Figure 4):

# twprint --print-report --twrfile /var/lib/tripwire/report/$HOSTNAME-timestamp.twr

If all manual checks run satisfactorily, you can set up a cron job to delegate the integrity check by opening the cron table as root, typing crontab -e, and adding

 

to tell the system to run a daily check at 5:00am and report by email, for example.

Figure 4: The Tripwire report shows in some detail where discrepancies have occurred.

Security Tips

Ideally, you will want to set Tripwire up on a freshly installed system: Only then can you really be sure that all the files are still in their original state. The keys, policy file, and configuration file should be readable and writable only for root; the following command takes care of this:

# chmod 600 site.key $HOSTNAME-local.key tw.*

The /etc/tripwire and /var/lib/tripwire/ directories are also intended for root access only (chmod 700 …).

If possible, you should also specially protect the Tripwire database so that the attacker has no chance to change it. For a desktop computer, an external storage medium is a good way of doing this. A server can download the database from another computer before each test using SSH and the public key method or load the database from a read-only medium.

Conclusions

Tripwire lives up to its name. The simple but effective Tripwire HIDS can be set up quickly and provides its service quietly and discreetly. Although the HIDS does not defend against attacks, it does help identify anomalies in good time. Admins often have little chance of detecting modified files left behind by attackers, but Tripwire serves up the evidence by email, reducing search and removal overhead.

The rules can also be adapted easily retroactively. The report files are usually fairly small, and the risk of slowly but surely using up all your disk space is virtually non-existent. By allowing intended changes that update or change configuration files, you can adapt the database in an uncomplicated way.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Tripwire

    The simple but effective Tripwire HIDS provides its service quietly and discreetly, preventing attackers from infecting computers with trojans, backdoors, or modified files by identifying anomalies unnoticed by the user.

  • Security Lessons: System Rescue

    Kurt provides some tips and recommends some tools to help you detect signs of network intrusion and data corruption.

  • Host-Based IDS

    A host-based intrusion detection system is a simple but powerful tool for finding traces of an attacker's footprint.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News