Detecting attacks with the Tripwire IDS
Check and Report
Before you bundle Tripwire off into a cron job, you should check whether the software really sends email without any glitches. The following command does the trick:
# tripwire --test --email <address>@<domain>.com
If everything works, you can type tripwire --check
to run your first real integration check (Figure 1). Tripwire outputs the reports in short form at the console and stores them at the same time in more detail in /var/lib/tripwire/report/$HOSTNAME-timestamp.twr
(Figure 2).
If you want to mail the reports, you also need to set the --email-report
switch. The reports are then dispatched to the recipients defined in the policy file for the matching rules.
Occasionally, admins change things on running systems. Because Tripwire does not know that these modifications are allowed, the reports may be full of violations. To avoid this, you need to adjust the Tripwire database on the basis of the report. Use the command
# tripwire --update -twrfile \ /var/lib/tripwire/report/$HOSTNAME-timestamp.twr
to open an editor that lists all rule violations (Figure 3). Alternatively, Tripwire can use tripwire --check --interactive
to adopt the changes immediately.
If you then consent by doing nothing, Tripwire modifies the database accordingly; these integrity violation messages do not occur in future tests. If a rule violation is not approved and if you want Tripwire to continue reporting it in future tests, simply uncheck the checkbox associated with the violation.
If you want to look at the Tripwire database, you can use the
twprint --print-dbfile
command and use a similar approach for binary report files (Figure 4):
# twprint --print-report --twrfile /var/lib/tripwire/report/$HOSTNAME-timestamp.twr
If all manual checks run satisfactorily, you can set up a cron job to delegate the integrity check by opening the cron table as root, typing crontab -e
, and adding
to tell the system to run a daily check at 5:00am and report by email, for example.
Security Tips
Ideally, you will want to set Tripwire up on a freshly installed system: Only then can you really be sure that all the files are still in their original state. The keys, policy file, and configuration file should be readable and writable only for root; the following command takes care of this:
# chmod 600 site.key $HOSTNAME-local.key tw.*
The /etc/tripwire
and /var/lib/tripwire/
directories are also intended for root access only (chmod 700
…).
If possible, you should also specially protect the Tripwire database so that the attacker has no chance to change it. For a desktop computer, an external storage medium is a good way of doing this. A server can download the database from another computer before each test using SSH and the public key method or load the database from a read-only medium.
Conclusions
Tripwire lives up to its name. The simple but effective Tripwire HIDS can be set up quickly and provides its service quietly and discreetly. Although the HIDS does not defend against attacks, it does help identify anomalies in good time. Admins often have little chance of detecting modified files left behind by attackers, but Tripwire serves up the evidence by email, reducing search and removal overhead.
The rules can also be adapted easily retroactively. The report files are usually fairly small, and the risk of slowly but surely using up all your disk space is virtually non-existent. By allowing intended changes that update or change configuration files, you can adapt the database in an uncomplicated way.
Infos
- Tripwire: http://www.tripwire.org
- Purdue University: http://www.purdue.edu
- Tripwire, Inc.: http://www.tripwire.com
- OpenSUSE security repos: http://download.opensuse.org/repositories/security/
- Tripwire download: http://sourceforge.net/projects/tripwire/files/latest/download
- Code for this article: ftp://ftp.linux-magazin.com/pub/listings/magazine/163
« Previous 1 2
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Fedora 41 Released with New Features
If you're a Fedora fan or just looking for a Linux distribution to help you migrate from Windows, Fedora 41 might be just the ticket.
-
AlmaLinux OS Kitten 10 Gives Power Users a Sneak Preview
If you're looking to kick the tires of AlmaLinux's upstream version, the developers have a purrfect solution.
-
Gnome 47.1 Released with a Few Fixes
The latest release of the Gnome desktop is all about fixing a few nagging issues and not about bringing new features into the mix.
-
System76 Unveils an Ampere-Powered Thelio Desktop
If you're looking for a new desktop system for developing autonomous driving and software-defined vehicle solutions. System76 has you covered.
-
VirtualBox 7.1.4 Includes Initial Support for Linux kernel 6.12
The latest version of VirtualBox has arrived and it not only adds initial support for kernel 6.12 but another feature that will make using the virtual machine tool much easier.
-
New Slimbook EVO with Raw AMD Ryzen Power
If you're looking for serious power in a 14" ultrabook that is powered by Linux, Slimbook has just the thing for you.
-
The Gnome Foundation Struggling to Stay Afloat
The foundation behind the Gnome desktop environment is having to go through some serious belt-tightening due to continued financial problems.
-
Thousands of Linux Servers Infected with Stealth Malware Since 2021
Perfctl is capable of remaining undetected, which makes it dangerous and hard to mitigate.
-
Halcyon Creates Anti-Ransomware Protection for Linux
As more Linux systems are targeted by ransomware, Halcyon is stepping up its protection.
-
Valve and Arch Linux Announce Collaboration
Valve and Arch have come together for two projects that will have a serious impact on the Linux distribution.