CIS 458 Lab 6: Tripwire

For this lab assignment you should work alone, or in groups of 2.

Objective: The purpose of this lab is to gain experience with tripwire, a host-based intrusion detection system.

What to turn in: Answers to the questions below.

This lab is to be done in the SEED VM.

Tripwire is a tool that helps monitor changes to your system. It creates a database of file characteristics and fingerprints. When you run a check on your system, tripwire compares the current file characteristics and fingerprints against that database and reports any changes made to your system. It should be installed right after the OS installation, and before the machine is connected to the network.

Install tripwire

Install tripwire in your SEED VM using the commands apt-get update, then apt-get install tripwire. When the install process asks you to generate keys, say no. If it asks you to set up mail settings choose the no configuration option.

Configuring tripwire

Tripwire uses two keys. One is the site key, which is used to maintain administration of the config files; the other is the local key, which is used to maintain the database of hashes. The config files and database are normally encrypted; however, the starting configuration that gets installed is not encrypted.

Tripwire provides a starting configuration for you: /etc/tripwire/twcfg.txt. It is not considered a good idea to use the directories tripwire gives you in the starting configuration for the keys, and perhaps not even for the configuration itself.

Copy the cfg file to a new directory. Edit the new config file to reflect the new obscure locations for the local and site keys, as well as the POLFILE. Update the report file location to where you want tripwire reports to be saved.

Now, generate the keys. The paths must match the settings in the config file:
twadmin -m G -S path_to_site_key
twadmin -m G -L path_to_local_key

Next, encrypt the config file. In a production system, you should then delete the twcfg.txt file (however, for this lab you may want to keep it to refer to).
twadmin -m F -S path_to_site_key path_to_twcfg.txt

Now comes the policy file. This is the file that determines what files to include/exclude and what properties to monitor. Again, the same idea applies. Tripwire gives you a sample. Copy it from /etc/tripwire/twpol.txt to somewhere (must be the same place you indicated in the config file). Alter the Global section of the file to reflect your directory choices.

Now encrypt the policy file.
twadmin -m P -c path_to_configfile path_to_twpol.txt

Again, you should delete the text version in a production system. However, for this lab, before deleting make sure to make a copy of the unmodified original, which we will need later.

Next you must initialize the database.
tripwire -m i -c path_to_configfile

This will take a bit of time, as it is hashing each file according to the policy.

If you have errors or warnings, you should adjust the policy file until you do not. Be conscious of what you want tripwire to keep track of. To get the text version back:
twadmin -m p -c path_to_configfile > twpol.txt

Adjust the policy, re-encrypt and reinitialize the database. Repeat until correct.

Using tripwire

To do a check of the system:
tripwire -m c -c path_to_configfile

This creates a report, which, of course, is encrypted. To get the report:
twprint -m r -r path_to_report -c path_to_configfile

If the report shows changes that are correct (such as program upgrades), then you must update the database:
tripwire -m u -c path_to_configfile -r path_to_report

If you get repeated false alarms (example: your policy makes sure the log file doesn't change), then you need to update the policy. Generate a text version of the policy, make the changes, and then:
tripwire -m p -c path_to_configfile path_to_twpol.txt

The database must be up to date prior to this command, because tripwire runs a check before it commits the policy changes. If the check discovers ANY changes, the policy update will not be applied.
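As an added illustration (not part of the lab, and not tripwire's own code), the following Python models the initialize / check / update / policy-update cycle described above: a policy maps each file to the properties it monitors, a check reports only changes to monitored properties, and a policy update is refused while the database is stale. The file names, contents and the "quiet" log rule are constructed for the demo.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

ALL = ("mode", "uid", "gid", "size", "mtime", "sha256")  # subset of tripwire's property mask

def fingerprint(path):  # characteristics + hash, like one tripwire database entry
    st, data = os.lstat(path), Path(path).read_bytes()
    return {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
            "size": st.st_size, "mtime": int(st.st_mtime),
            "sha256": hashlib.sha256(data).hexdigest()}

def init_db(policy):  # baseline every file a rule covers (tripwire -m i)
    return {p: fingerprint(p) for p in policy if os.path.exists(p)}

def check(policy, db):  # compare the live files with the baseline (tripwire -m c)
    report = {"added": [], "removed": [], "changed": {}}
    for path, props in policy.items():
        if path in db and not os.path.exists(path):
            report["removed"].append(path)
        elif path not in db and os.path.exists(path):
            report["added"].append(path)
        elif path in db:
            now = fingerprint(path)
            diff = [k for k in props if now[k] != db[path][k]]  # only monitored props
            if diff: report["changed"][path] = diff
    return report

def update_db(db, report):  # accept reported changes as the new baseline (tripwire -m u)
    for path in report["removed"]:
        db.pop(path, None)
    db.update({p: fingerprint(p) for p in report["added"] + list(report["changed"])})
    return db

def update_policy(old_policy, new_policy, db):  # tripwire -m p: refuses a stale database
    r = check(old_policy, db)
    if r["added"] or r["removed"] or r["changed"]:
        return None  # real tripwire aborts the policy update at this point
    return init_db(new_policy)

def demo():  # constructed scenario: a 'binary' and a growing log file in a temp dir
    d = tempfile.mkdtemp(); binary, log = f"{d}/prog", f"{d}/app.log"
    Path(binary).write_text("v1"); Path(log).write_text("line1\n")
    policy = {binary: ALL, log: ALL}                    # naive rule: log growth alarms
    db = init_db(policy)
    Path(log).write_text("line1\nline2\n"); Path(binary).write_text("v2-upgraded")
    first = check(policy, db)                           # both files are reported
    quiet = {binary: ALL, log: ("mode", "uid", "gid")}  # stop hashing the log file
    refused = update_policy(policy, quiet, db) is None  # database not up to date yet
    db = update_policy(policy, quiet, update_db(db, first))
    return binary, log, first, refused, check(quiet, db)
```

Running demo() shows the order the lab enforces: update the database first, then the policy change goes through and the next check is clean.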

Upgrade firefox on your virtual machine. Run a check of the system.

Update the database so your firefox changes won't be in the next report. Add a new user, run a check of the system.

Reboot the virtual machine. Run the system check again.