This tutorial explains how to detect changes to, and additions of, system files using Tripwire.
At initialization, Tripwire builds a database of cryptographic hashes (plus attributes such as permissions, owner and inode) of the files named in its policy, and signs it with the local key so that the database itself cannot be altered unnoticed.
Then, at each check, Tripwire recomputes the hashes and compares them with the stored ones.
The user sees which files have been changed, added or removed and must decide whether each change is legitimate (Synaptic's history of package operations helps here) or not.
If the change is legitimate, the user updates the database.
If not, the user reinstalls the package owning the changed files and deletes the added ones; if a compromise is suspected, rather treat the machine as untrusted, since the same malware may have altered files the policy does not cover.
This method is useful to detect alterations by malware, provided the baseline was taken while the system was still clean.
This tutorial is based on two online ones:
https://www.howtoforge.com/tutorial/how ... untu-1604/
https://computingforgeeks.com/install-a ... on-ubuntu/
1) Install tripwire:
Tripwire is available in Mint repositories.
sudo apt update
sudo apt install -y tripwire
- Create new 'site-key' for Tripwire: choose 'Yes' and press Next. The site key signs the configuration and policy files.
- For new 'local-key', choose 'Yes' and press Next. The local key signs the database and the reports of this host.
- For the Rebuild Tripwire Configuration option, choose 'Yes' and press Next.
- Same for the Rebuild Tripwire Policy option: choose 'Yes' and press Next.
- You are then prompted for the 'site-key' passphrase: type it, repeat it and press Next.
- Then for the 'local-key' passphrase: type it, repeat it and press Next.
Choose two different, strong passphrases and keep them somewhere safe: without the site passphrase the policy cannot be regenerated, and without the local passphrase the database cannot be updated.
Tripwire is now installed.
2) Configure Tripwire policy for Ubuntu / Linux Mint system:
After installation, initialize the database (you will be asked for the local passphrase):
sudo tripwire --init
You will likely get several "File system error" lines in the output, each naming a path with "No such file or directory": the default policy shipped with the package lists files and directories that do not exist on a Mint desktop.
To get rid of these errors, edit the Tripwire policy text file and regenerate the signed policy from it.
Before editing, find out which paths are missing. An integrity check prints the same errors, so the following command saves just the offending paths to a file:
sudo sh -c "tripwire --check | grep Filename > no-directory.txt"
cat no-directory.txt
Filename: /etc/rc.boot
Filename: /root/mail
Filename: /root/Mail
Filename: /root/.xsession-errors
Filename: /root/.xauth
Filename: /root/.tcshrc
Filename: /root/.sawfish
Filename: /root/.pinerc
Filename: /root/.mc
Filename: /root/.gnome_private
Filename: /root/.gnome-desktop
Filename: /root/.gnome
Filename: /root/.esd_auth
Filename: /root/.elm
Filename: /root/.cshrc
Filename: /root/.bash_profile
Filename: /root/.bash_logout
Filename: /root/.amandahosts
Filename: /root/.addressbook.lu
Filename: /root/.addressbook
Filename: /root/.Xresources
Filename: /root/.Xauthority
Filename: /root/.ICEauthority
Filename: /proc/9187/fd/3
Filename: /proc/9187/fdinfo/3
Filename: /proc/9187/task/9187/fd/3
Filename: /proc/9187/task/9187/fdinfo/3
The /proc/<pid> entries are file descriptors of the tripwire process itself; they change on every run and go away once /proc is excluded from the policy below (a pseudo file system has nothing stable to baseline anyway).
Next, go to the Tripwire configuration directory and edit the policy file twpol.txt:
cd /etc/tripwire
sudo nano twpol.txt
In the "Boot Scripts" rule, comment out /etc/rc.boot, which does not exist on Mint:
(
rulename = "Boot Scripts",
severity = $(SIG_HI)
)
{
/etc/init.d -> $(SEC_BIN) ;
#/etc/rc.boot -> $(SEC_BIN) ;
/etc/rcS.d -> $(SEC_BIN) ;
In the "System boot changes" rule, comment out the three directories below, since their contents change at every boot (keep /var/log if you would rather be told each time a log is rotated or truncated; with it commented out, Tripwire will not flag tampering with the logs):
(
rulename = "System boot changes",
severity = $(SIG_HI)
)
{
#/var/lock -> $(SEC_CONFIG) ;
#/var/run -> $(SEC_CONFIG) ; # daemon PIDs
#/var/log -> $(SEC_CONFIG) ;
In the "Root config files" rule, comment out the entries reported as missing; the /root catch-all, .bashrc and .bash_history stay:
(
rulename = "Root config files",
severity = 100
)
{
/root -> $(SEC_CRIT) ; # Catch all additions to /root
#/root/mail -> $(SEC_CONFIG) ;
#/root/Mail -> $(SEC_CONFIG) ;
#/root/.xsession-errors -> $(SEC_CONFIG) ;
#/root/.xauth -> $(SEC_CONFIG) ;
#/root/.tcshrc -> $(SEC_CONFIG) ;
#/root/.sawfish -> $(SEC_CONFIG) ;
#/root/.pinerc -> $(SEC_CONFIG) ;
#/root/.mc -> $(SEC_CONFIG) ;
#/root/.gnome_private -> $(SEC_CONFIG) ;
#/root/.gnome-desktop -> $(SEC_CONFIG) ;
#/root/.gnome -> $(SEC_CONFIG) ;
#/root/.esd_auth -> $(SEC_CONFIG) ;
#/root/.elm -> $(SEC_CONFIG) ;
#/root/.cshrc -> $(SEC_CONFIG) ;
/root/.bashrc -> $(SEC_CONFIG) ;
#/root/.bash_profile -> $(SEC_CONFIG) ;
#/root/.bash_logout -> $(SEC_CONFIG) ;
/root/.bash_history -> $(SEC_CONFIG) ;
#/root/.amandahosts -> $(SEC_CONFIG) ;
#/root/.addressbook.lu -> $(SEC_CONFIG) ;
#/root/.addressbook -> $(SEC_CONFIG) ;
#/root/.Xresources -> $(SEC_CONFIG) ;
#/root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login
#/root/.ICEauthority -> $(SEC_CONFIG) ;
Finally, in the "Devices & Kernel information" rule, comment out /proc:
(
rulename = "Devices & Kernel information",
severity = $(SIG_HI),
)
{
/dev -> $(Device) ;
#/proc -> $(Device) ;
Normally, that's it. Compare one last time with the content of no-directory.txt to make sure every reported path has been dealt with, then save the changes and exit the editor.
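The edit above is done by hand in nano. As an added example (not code from the original post or from Tripwire), the following script does the same edit mechanically: it reads the "Filename: /path" list grep'd out of tripwire --check and prefixes every matching "/path -> $(...)" rule line of a twpol.txt-style policy with "#". Rules for other paths (the /root catch-all when only /root/mail is missing) and lines that are already commented are left alone, and missing paths that have no rule line of their own (the /proc/<pid> entries) are reported on stderr so you know to exclude the parent directory by hand. The policy fragment and the missing-file list embedded in it are constructed sample input in the layout of the Debian twpol.txt, not taken from a real system; the file names twpol.txt, no-directory.txt and twpol.new are assumptions.

```shell
#!/bin/sh
# Added example: comment out policy rules for paths Tripwire reported missing.
# Usage: comment_missing_rules <twpol.txt> <no-directory.txt> > twpol.new
comment_missing_rules() {
    policy="$1"
    missing="$2"
    awk -v list="$missing" '
        # first file: collect the missing paths ("Filename: /path" lines)
        FILENAME == list { if ($1 == "Filename:") gone[$2] = 1; next }
        # second file: a rule line is "<path> -> <mask> ;", path as first token
        {
            line = $0
            p = line
            sub(/^[[:space:]]*/, "", p)                 # drop indentation
            commented = (p ~ /^#/)
            if (commented) sub(/^#[[:space:]]*/, "", p)
            if (p ~ /^\/[^[:space:]]*[[:space:]]*->/) {
                sub(/[[:space:]]*->.*$/, "", p)         # keep only the path
                if (p in gone) {
                    seen[p] = 1
                    # keep the indentation, insert "#" in front of the path
                    if (!commented) sub(/^[[:space:]]*/, "&#", line)
                }
            }
            print line
        }
        END {
            for (p in gone) if (!(p in seen))
                print "no rule line for " p ": exclude its parent directory by hand" > "/dev/stderr"
        }' "$missing" "$policy"
}

# Constructed sample input (a fragment in the layout of the Debian twpol.txt
# and a fake no-directory.txt); not taken from a real host.
WORK=$(mktemp -d)
cat > "$WORK/twpol.txt" <<'EOF'
(
  rulename = "Root config files",
  severity = 100
)
{
  /root                 -> $(SEC_CRIT) ; # Catch all additions to /root
  /root/mail            -> $(SEC_CONFIG) ;
  /root/.bashrc         -> $(SEC_CONFIG) ;
  #/root/.Xauthority    -> $(SEC_CONFIG) -i ; # Changes Inode number on login
  /etc/rc.boot          -> $(SEC_BIN) ;
}
EOF
cat > "$WORK/no-directory.txt" <<'EOF'
Filename: /etc/rc.boot
Filename: /root/mail
Filename: /root/.Xauthority
Filename: /proc/9187/fd/3
EOF

comment_missing_rules "$WORK/twpol.txt" "$WORK/no-directory.txt" > "$WORK/twpol.new"
cat "$WORK/twpol.new"
```

On a real host, run it as root against /etc/tripwire/twpol.txt and the no-directory.txt produced above, then diff the result against the original before replacing twpol.txt and regenerating the signed policy; the stderr line for /proc/9187/fd/3 is the reminder that /proc must be excluded as a whole.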
After editing the policy text, regenerate the signed policy file tw.pol from it with twadmin (you will be asked for the site passphrase):
sudo twadmin -m P /etc/tripwire/twpol.txt
Now reinitialize the Tripwire database against the new policy (local passphrase):
sudo tripwire --init
Check that the initialization completes without errors this time. A first sudo tripwire --check should then give a clean report like this one (the "different file system...ignoring" lines are normal: Tripwire does not cross mount points, so tmpfs mounts such as /dev/shm are skipped):
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
The object: "/root/.cache/doc" is on a different file system...ignoring.
The object: "/root/.cache/gvfs" is on a different file system...ignoring.
The object: "/dev/hugepages" is on a different file system...ignoring.
The object: "/dev/mqueue" is on a different file system...ignoring.
The object: "/dev/pts" is on a different file system...ignoring.
The object: "/dev/shm" is on a different file system...ignoring.
Wrote report file: /var/lib/tripwire/report/michel-G74Sx-20220518-130122.twr
Open Source Tripwire(R) 2.4.3.7 Integrity Check Report
Report generated by: root
Report created on: Wed 18 May 2022 13:01:22
Database last updated on: Never
===============================================================================
Report Summary:
===============================================================================
Host name: michel-G74Sx
Host IP address: 127.0.1.1
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/michel-G74Sx.twd
Command line used: tripwire --check
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
Other binaries 66 0 0 0
Tripwire Binaries 100 0 0 0
Other libraries 66 0 0 0
Root file-system executables 100 0 0 0
Tripwire Data Files 100 0 0 0
System boot changes 100 0 0 0
(/var/log)
Root file-system libraries 100 0 0 0
(/lib)
Critical system boot files 100 0 0 0
Other configuration files 66 0 0 0
(/etc)
Boot Scripts 100 0 0 0
Security Control 66 0 0 0
Root config files 100 0 0 0
(/root)
Devices & Kernel information 100 0 0 0
(/dev)
Invariant Directories 66 0 0 0
Total objects scanned: 68470
Total violations found: 0
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
No violations.
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
The database can be printed with the following command, where "computername" is the host name that appears in your terminal prompt (username@computername:~$), michel-G74Sx in the report above:
sudo twprint -m d -d /var/lib/tripwire/computername.twd
Be careful, this database is huge: it contains the paths and hashes of 68470 files (on my computer). You can display the result on the terminal, or redirect it to a text file.
3) Check integrity of system files:
Tripwire is installed, the policy has been adapted and the database initialized against it. In this step, we check the system by hand.
Verify all system files with the following command (no passphrase is needed for a check; the report is saved in /var/lib/tripwire/report/ as well as printed):
sudo tripwire --check
If no system file has been changed, added or removed, you get once again a report with no violation and no error:
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
No violations.
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
If a file has been changed, added or removed, the report lists its full path under the rule that covers it. You then need to analyze each entry and decide whether the change is legitimate or not.
Examples of legitimate changes: an update installed with the Update Manager, or a package you installed yourself. Synaptic's history of changes (or /var/log/apt/history.log) helps to decide. In that case, accept the changes by updating the database from the report rather than rebuilding it: Tripwire opens the report in an editor with an [x] in front of each entry, and only the entries left ticked are re-baselined (local passphrase needed):
sudo tripwire --update -r /var/lib/tripwire/report/computername-YYYYMMDD-HHMMSS.twr
Re-running sudo tripwire --init also "accepts" everything, but it does so silently, unreviewed changes included, so keep it for the first baseline and for after a policy change.
A periodic check can be scheduled with cron. On Debian-based distributions such as Mint the tripwire package already installs /etc/cron.daily/tripwire, which runs a daily check and mails the report to root, so either make sure local mail delivery works or run the check by hand as above.
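Deciding whether a reported change is legitimate is the manual part of the procedure. As an added example (not code from the original post or from Tripwire), the script below automates the first pass of that triage: report_objects turns the Added:/Removed:/Modified: object lists of a text report (what twprint -m r -r <file>.twr prints) into "STATUS<TAB>PATH" lines, and triage_path asks dpkg which package owns each path and whether dpkg's own checksum of the file still matches that package. After a package upgrade, dpkg and the file agree and the Tripwire violation is explained; a file nobody owns, or one whose checksum no longer matches its package, needs a closer look. The dpkg part assumes a Debian/Ubuntu/Mint host and a file name without spaces; the parser runs anywhere. The embedded report is a constructed sample in the layout of a twprint text report, not a real one, and accept_latest_report is a helper name chosen here.

```shell
#!/bin/sh
# Added example: triage the object lists of a Tripwire report with dpkg.

# Print "STATUS<TAB>PATH" for every object listed under Added:/Removed:/Modified:.
report_objects() {
    awk '
        /^[[:space:]]*(Added|Removed|Modified):/ { status = $1; sub(/:$/, "", status); next }
        /^[[:space:]]*"\//  { if (status != "") { p = $0; gsub(/^[[:space:]]*"|"[[:space:]]*$/, "", p); print status "\t" p }; next }
        /^[[:space:]]*$/    { next }     # blank lines do not end a list
        { status = "" }                  # any other text (rule header, ruler) does
    ' "$1"
}

# Ask dpkg about one path: owning package, and whether dpkg -V still agrees with it.
triage_path() {
    status="$1"; path="$2"
    if ! command -v dpkg >/dev/null 2>&1; then
        printf '%s\t%s\t(no dpkg on this host, review by hand)\n' "$status" "$path"
        return
    fi
    # dpkg -S prints "pkg: /path" (or "pkg1, pkg2: /path"), nothing if unowned
    pkg=$(dpkg -S "$path" 2>/dev/null | grep ': ' | head -n 1 | cut -d: -f1 | cut -d, -f1)
    if [ -z "$pkg" ]; then
        printf '%s\t%s\tNOT OWNED by any package: review by hand\n' "$status" "$path"
    elif dpkg -V "$pkg" 2>/dev/null | awk -v p="$path" '$NF == p { f = 1 } END { exit f ? 0 : 1 }'; then
        # dpkg -V lists files whose md5sum differs from the package, or that are missing
        printf '%s\t%s\tDIFFERS from package %s: suspicious unless you edited it\n' "$status" "$path" "$pkg"
    else
        printf '%s\t%s\tmatches package %s (explained by a package operation)\n' "$status" "$path" "$pkg"
    fi
}

# Accepting a reviewed report re-baselines only the entries left ticked ([x])
# in the editor Tripwire opens; this is the step to run instead of --init.
# Not called here; run it by hand once the triage above is done.
accept_latest_report() {
    latest=$(ls -t /var/lib/tripwire/report/*.twr | head -n 1)
    sudo tripwire --update -r "$latest"
}

# Constructed sample report in the layout of a twprint text report (not real).
WORK=$(mktemp -d)
cat > "$WORK/sample-report.txt" <<'EOF'
Rule Name: Other configuration files (/etc)
Severity Level: 66
-------------------------------------------------------------------------------
Added:
"/etc/cron.d/example"

Modified:
"/etc/hosts"
"/etc/passwd"

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
Removed:
"/root/.bash_history"
EOF

report_objects "$WORK/sample-report.txt" | while IFS="$(printf '\t')" read -r status path; do
    triage_path "$status" "$path"
done
```

Two caveats when reading the verdicts: a conffile you edited yourself (/etc/hosts, for instance) legitimately "DIFFERS" from its package, so the dpkg check explains package upgrades but does not replace reading the report; and dpkg reads the files on the same host Tripwire does, so a kernel-level rootkit that hides a modified file from one hides it from the other.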
Regards,
MN
PS:
There are other tools doing the same kind of job:
- Rkhunter checks fewer system files than Tripwire; it mainly looks for known rootkit signatures and a handful of critical binaries.
- At the other extreme, OSSEC or OSSEC+ https://www.ossec.net/ perform much more complete intrusion detection (file integrity plus log analysis and rootkit checks), but are more complex to set up and use.
- More generally, a search for "intrusion detection prevention system Linux" returns: Tripwire, fail2ban, OSSEC, Snort, Suricata, Zeek, Security Onion, Samhain... Note that Snort, Suricata and Zeek watch network traffic and fail2ban bans addresses based on log entries; only Tripwire, Samhain and OSSEC check files on the host.
Tripwire is simple to use and should be considered a first step towards intrusion detection, since it only checks for changed, added or removed files. It cannot tell you about anything that happened before the baseline was taken, and a rootkit running in the kernel can hide files from it as from any other on-host tool, so keep a copy of the signed database, policy and keys on read-only or offline media and compare them before trusting a check.