Back in 'Nam, the NVA had this thing where they'd tie a couple of tin cans to two trees, either side of a route where the enemy was expected to cross. The open ends of the two cans were facing each other and they'd put a hand grenade with the pin out into each can. The grenades were attached to each other by a thin wire, stretching almost invisibly across the thoroughfare. Along comes the enemy and catches the wire with his foot, pulling both grenades out of the two cans either side of him and kaboom, goodbye cruel world!
The Unix version of tripwire isn't quite so vicious, although you might find yourself dying from boredom.
Instead of maiming military personnel it's designed to let you know if any files have changed on a system.
This might indicate an intrusion and so might be a useful thing to add to a server and should appeal to anally-retentive personalities in particular.
Google and download a copy of tripwire-portable-0.9.tar.gz [869K] (or its updated equivalent) and put it in /usr/local/src.
Preconfiguration
cd /usr/local/src
tar -zxvf tripwire-portable-0.9.tar.gz
cd tripwire-portable-0.9
vi config1.sh
#!/bin/sh
#Tripwire Config Script 1 - config1.sh
# Point the database directory at /var instead of ${prefix}, then configure and build
sed -i -e 's@TWDB="${prefix}@TWDB="/var@' install/install.cfg && \
./configure --prefix=/usr --sysconfdir=/etc/tripwire && \
make
chmod 755 config1.sh
./config1.sh
Installation
vi install.sh
#!/bin/sh
#Tripwire Install Script - install.sh
# Install the binaries, then keep a copy of the sample policy files with the docs
make install && \
cp -v policy/*.txt /usr/share/doc/tripwire
chmod 755 install.sh
./install.sh
Accept the licence agreement
Continue with installation - y
Two passphrases will next be chosen - "site" and "local".
Enter the site keyfile passphrase (choose a password) - Password
Enter the local keyfile passphrase - Hello
Please enter your site passphrase - Password
Please enter your site passphrase - Password (second time to confirm)
The default policy file is /etc/tripwire/twpol.txt. In fact most of the config stuff lives in this directory.
Configuration
vi config2.sh
#!/bin/sh
#Tripwire Config Script 2 - config2.sh
# Sign the plain-text policy with the site key, then take the initial snapshot (database)
twadmin --create-polfile --site-keyfile /etc/tripwire/site.key \
/etc/tripwire/twpol.txt && \
tripwire --init
chmod 755 config2.sh
./config2.sh
Please enter your site passphrase - Password
Please enter your local passphrase - Hello
Tripwire then takes a snapshot of the system - takes a bit o' time..
Once the policy file and database exist, run an integrity check and save the report with the following command:
tripwire --check > /etc/tripwire/report.txt
Then to see the results of the scan..
more /etc/tripwire/report.txt
Note that after an integrity check is run, the report (or email) must be examined and then the Tripwire database must be modified to reflect the changed files on the system. This is so that Tripwire will not continually notify you that files you intentionally changed are a security violation.
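The init / check / update cycle described above, as an added Python illustration of the mechanism (a constructed sample tree, a JSON database in place of tripwire's signed one; this is not tripwire's own code):

```python
# Added example (not tripwire's own code): a minimal file-integrity checker that
# mirrors tripwire's init / check / update cycle with a JSON database.
# Unlike tripwire it does not sign the database with a local key, so the
# database file itself would need separate protection on a real host.
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root):
    """Fingerprint every regular file under root: sha256, size, mode (cf. tripwire --init)."""
    root = Path(root)
    db = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file() and not p.is_symlink()):
        st = path.stat()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        db[path.relative_to(root).as_posix()] = {"sha256": digest, "size": st.st_size, "mode": oct(st.st_mode)}
    return db


def check(root, baseline):
    """Diff the live tree against the stored baseline (cf. tripwire --check)."""
    current = snapshot(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def write_db(db_file, db):
    Path(db_file).write_text(json.dumps(db, indent=1))


def read_db(db_file):
    return json.loads(Path(db_file).read_text())


def demo():
    """Run the whole cycle on a constructed temp tree; returns the two check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        tree, db_file = Path(tmp, "tree"), Path(tmp, "tripwire.json")
        (tree / "etc").mkdir(parents=True)
        (tree / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (tree / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        write_db(db_file, snapshot(tree))                 # --init: baseline snapshot
        (tree / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\nguest:x:1001:1001::/home/guest:/bin/sh\n")
        (tree / "etc" / "hosts").unlink()
        (tree / "etc" / "motd").write_text("Welcome\n")
        first = check(tree, read_db(db_file))             # --check: one changed, one removed, one added
        write_db(db_file, snapshot(tree))                 # --update after reviewing the report
        second = check(tree, read_db(db_file))            # clean again, no repeated alerts
        return first, second
```

Running `demo()` reproduces the point of the note above: until the database is refreshed, every intentional change keeps showing up as a violation.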
Here's a flow chart indicating the sequence of events for Tripwire..