Tripwire
- Shone Pious
- Sep 1, 2023
- 5 min read
Updated: Sep 29, 2023

What is Tripwire?
Tripwire is a popular open-source Linux IDS used for file integrity monitoring: it checks for unauthorised changes to your files.
I will be using Kali Linux, which is a Debian based distro.
Tripwire is part of the default repository in Ubuntu and Debian, meaning we can install it using commands in the terminal.
Mirrors

Before installing the tool, we must update the package lists for the repositories; apt uses these lists to determine the URL of the package to install.
Run ➡️
sudo apt-get update
Without updating, the download manager might not be able to find the package URL, as the list could be out of date.
This is not required if you know that the specific package you want has not changed (no new version of the package or its dependencies has been published on the mirrors).
A mirror is simply a server that holds copies of a master server and its repositories. Mirrors exist in various locations around the world for faster connections and greater reliability.

To find your nearest mirror, go to kali.download/kali/ and click README at the bottom.

Go to the highlighted link in the download file and you will be able to see more mirror information including your nearest mirrors.

Installation
Type the command ➡️
sudo apt-get install tripwire
Type 'y' to approve the install.

You will be shown this screen ➡️

Select yes to create your site key passphrase during installation.
Then select yes to create a local key passphrase.

Select yes to rebuild Tripwire config file.

When asked to rebuild policy files, select yes.
Create a site key passphrase and confirm it. Remember this passphrase; you'll need it later.

Then create a local key passphrase when prompted.
You’ll be shown this page for a few minutes.

Select OK.

Type ➡️
tripwire --check --help
to find tripwire options.

Initialise Tripwire
To initialise Tripwire, use the command ➡️
tripwire --init
Remember to be in sudo mode, as this may not work without adequate permissions.
To get into sudo mode, type sudo su and type in your root password.
This may take some time.

You should get this output.
Copy and paste this output into a text editor to reference for the next part.

Edit twpol.txt
You now want to open the twpol.txt file in nano so that you can edit it.
Type ➡️
nano twpol.txt
This is Tripwire's policy (configuration) file. It lists the directories that Tripwire has in its database and that it is going to monitor.

Some of these files we don't have. You must comment out (#) the default entries that Tripwire ships with for files we don't use.
Otherwise, running Tripwire can raise errors saying certain files have been removed, deleted or tampered with (false positives).
When you open it in nano it may say the file has no write permissions. By running ls -l we can see the file permissions.
As you can see, the root user owns the folders and files. So go back to the terminal and type
sudo nano twpol.txt
and type in your root password.

I've opened the twpol.txt file in nano and the Tripwire database in LibreOffice.

Now go through the database file to see which files and directories Tripwire has saved, and comment out the ones you don't have or use over in the nano editor.
For example, rc.boot and /root/mail don't exist, so we need to go into the nano editor and comment out (#) those entries to prevent a false positive.
Comment out /var/lock, /var/run, /proc and the /etc rc files too. /var/lock changes all the time (the policy marks it at the end as #daemon PIDs); daemon PIDs commonly change and can produce a lot of false positives.
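As an added example (not part of the original post or of Tripwire itself), this POSIX shell script automates the step above: it reads a twpol.txt, checks each rule's path on the host, and comments out the entries whose path is missing so they no longer show up as false positives. The sample policy inside demo_policy is constructed for the demo, not the real Debian twpol.txt.

```shell
#!/bin/sh
# Added example: comment out (#) twpol.txt rules whose path does not exist on
# this host, mirroring the manual nano edits above. Not Tripwire's own code.
# Usage: comment_missing_rules /etc/tripwire/twpol.txt > twpol.new

comment_missing_rules() {
    # Read the policy line by line; "|| [ -n ... ]" keeps a final unterminated line.
    while IFS= read -r line || [ -n "$line" ]; do
        # First whitespace-separated token; rule lines look like "/path -> $(SEC_BIN) ;"
        first=$(printf '%s\n' "$line" | awk '{print $1}')
        case "$first" in
            /*)
                # A literal path: if it is missing, every report would flag it as a
                # removed object (a false positive), so comment the rule out.
                if [ ! -e "$first" ]; then
                    printf 'missing on this host, commented out: %s\n' "$first" >&2
                    printf '#%s\n' "$line"
                    continue
                fi
                ;;
        esac
        # Comments, directives, "!/path" exclusions, $(VAR) paths and braces pass through.
        printf '%s\n' "$line"
    done < "$1"
}

# Constructed sample policy (not the real Debian twpol.txt) to demonstrate the filter.
demo_policy() {
    dir=$(mktemp -d)
    cat > "$dir/twpol.txt" <<'EOF'
(
  rulename = "Boot Scripts",
  severity = $(SIG_HI)
)
{
  /etc                      -> $(SEC_BIN) ;
  /constructed/rc.boot      -> $(SEC_BIN) ;
  !/var/lock ;
}
EOF
    comment_missing_rules "$dir/twpol.txt" 2>/dev/null
    rm -rf "$dir"
}
```

Review the rewritten file before committing it with twadmin -m P: the script only handles paths that do not exist, so volatile entries such as /var/lock still need to be commented out by hand.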

Once you’re done, save the file and exit.
To commit the changes made to the twpol.txt file, type ➡️
twadmin -m P /etc/tripwire/twpol.txt

Before you can run a --check command, you need to run ➡️
tripwire --init
again, to generate a new database from the policy we just created. This can take a while.

The database has now been successfully created.
File integrity check
Running ➡️
tripwire --check
now will produce our integrity check.

Securing our systems
The files created in this process are quite sensitive and can be removed from our system for added security.
First, we can remove the copy of the original configuration we made as a reference when commenting out files that we did not need Tripwire to check.

Moving the file
We can also remove the plain text configuration file. Don't worry about losing anything: the file can be regenerated from the encrypted files using our passphrase whenever we need it.
To do so, pass the encrypted file to twadmin and redirect its output into a plain text file.
We can test this by moving the plain text file to a different location, regenerating it in the original location, and checking that it reappears.
Moving the file:
Type ➡️
sudo mv /etc/tripwire/twpol.txt /etc/tripwire/twpol.txt.bak

Regenerating the plaintext file
Type the command ➡️
sudo sh -c 'twadmin --print-polfile > /etc/tripwire/twpol.txt'
sh -c runs the quoted string as a script, so the redirection into /etc/tripwire happens with root permissions.

We pass the signed policy file to twadmin and store the output in the twpol.txt file as before.
Now that it's worked, we can confidently remove the plain text files.
We can run ls twpol.txt* to see all the files that start with 'twpol.txt'. There are only two (the two we want to remove).
So we can then run this command ➡️
sudo rm /etc/tripwire/twpol.txt*
to remove all files with the said prefix quickly and easily.

Email notifications
We can set up email notifications for every time a tripwire check command is run.
We will use the mail utility.
To install it type ➡️
sudo apt-get install mailutils
and type ‘y’ when prompted.

Run the command ➡️
sudo tripwire --check | mail -s "tripwire report for <your name>" <youremail@domain.com>

Tripwire runs the check and its report is piped into the mail command, which sends the results to our email.
Keep in mind, the mail service cannot send emails to remote domains, which means it will only send emails to your user account in Linux or another user account that you can specify, as I found out when checking the mail that came through (or didn't come through).

To view the Tripwire report email, go to /var/mail/<name of account>.
Here you can see the subject that I typed in the mail command. The Tripwire report begins below this screen.

What's next?
This blog only goes through the basics of Tripwire and barely touches on its vast capabilities.
There are many more options available in Tripwire, which can be explored online.