Objective: The purpose of this lab is to gain experience with tripwire, a host-based intrusion detection system.
What to turn in: Answers to the questions below.
This lab is to be done in the SEED VM.
Tripwire is a tool that helps monitor changes to your system. It creates a database of file characteristics (permissions, ownership, size, timestamps and so on) and fingerprints (cryptographic hashes of file contents). When you run a check, tripwire compares the files on disk against that database and reports any changes. It should be installed, and its database initialized, right after the OS installation and before the machine is connected to the network, so that the baseline it records is known to be clean.
Install tripwire in your SEED VM using the commands
apt-get update
apt-get install tripwire
When the install process asks whether to generate keys, say no (the keys are generated by hand, in locations of your choosing, below). If it asks you to set up mail settings, choose the no configuration option.
Tripwire uses two keys. The site key protects the configuration and policy files, and the local key protects the database and the reports. The protection is a signature (this lab calls it encryption): the binary files tripwire actually reads are signed with the key and cannot be altered or regenerated without the matching passphrase, which is what stops an intruder who has gained root from simply re-initializing the database to match their changes. The starting configuration and policy are installed as unsigned text files.
Tripwire provides a starting configuration for you in /etc/tripwire/twcfg.txt. It is considered bad practice to keep the keys, and arguably the configuration itself, in the directories that starting configuration names: an intruder who knows the package defaults knows exactly where to find, and tamper with, them.
Copy the cfg file to a new directory. Edit the new config file so that SITEKEYFILE, LOCALKEYFILE and POLFILE point at the new, less obvious locations for the site key, the local key and the policy file, and set REPORTFILE to where you want tripwire reports to be saved.
Now generate the keys. The paths must match the SITEKEYFILE and LOCALKEYFILE settings in the config file. Each command asks for a passphrase; you will need these passphrases for every later signing and update step, so do not lose them:
twadmin -m G -S path_to_site_key
twadmin -m G -L path_to_local_key
Next, encrypt (sign) the config file with the site key. Give -c the path that the later commands will use for the encrypted config; without it twadmin writes to its compiled-in default location. In a production system you should then delete the twcfg.txt file (for this lab you may want to keep it to refer to).
twadmin -m F -c path_to_configfile -S path_to_site_key path_to_twcfg.txt
Now comes the policy file. This is the file that determines which files to include/exclude and what properties to monitor. Again, the same idea applies. Tripwire gives you a sample: copy it from /etc/tripwire/twpol.txt to somewhere (it must be the directory you indicated for POLFILE in the config file). Alter the GLOBAL section of the file, where the policy's own path variables are defined, to reflect your directory choices.
Now encrypt the policy file. twadmin takes the destination from POLFILE in the config file, which is why -c is required:
twadmin -m P -c path_to_configfile path_to_twpol.txt
Again, you should delete the text version in a production system. For this lab, before deleting anything, make a copy of the unmodified original twpol.txt; it will be needed later.
Next you must initialize the database.
tripwire -m i -c path_to_configfile
This will take a while, since tripwire hashes every file the policy selects.
If you get errors or warnings (typically for files the sample policy lists but your system does not have), adjust the policy file until you do not. Be conscious of what you want tripwire to keep track of. To get the text version of the current policy back:
twadmin -m p -c path_to_configfile > twpol.txt
Adjust the policy, re-encrypt and reinitialize the database. Repeat until correct.
To do a check of the system:
tripwire -m c -c path_to_configfile
This creates a report, which, of course, is encrypted. To get the
twprint -m r -r path_to_report
If the report shows changes that are legitimate (such as program upgrades), then you must update the database so that they become part of the baseline:
tripwire -m u -c path_to_configfile -r path_to_report
This opens the report in your editor with a ballot box [x] beside every change: leave the x for changes you accept into the database and delete it for any you do not. You are then asked for the local passphrase.
If you get repeated false alarms (example: your policy requires that a log file never change, so every appended line is reported), then you need to update the policy.
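The kind of rule change that stops such a log-file false alarm, as an added illustration that is not from the lab handout or from tripwire's sample policy. The rule name and severity are arbitrary choices; $(ReadOnly) and $(Growing) are tripwire's own predefined property masks (the stock twpol.txt usually wraps them as SEC_BIN and SEC_LOG), and the "!" stop point is tripwire policy syntax:

```text
# Before: the log is held to a read-only mask, so every appended line
# (size, mtime and checksums all change) is reported as a violation.
(
  rulename = "Logs",
  severity = 66
)
{
  /var/log/syslog  -> $(ReadOnly) ;
}

# After: $(Growing) ignores size, mtime and checksums but keeps the "l"
# (growing) property, so tripwire still reports the file shrinking or
# being truncated, and still reports a new inode, owner, group or mode.
# The stop point (!) excludes the rotated copy altogether.
(
  rulename = "Logs",
  severity = 66
)
{
  /var/log/syslog    -> $(Growing) ;
  !/var/log/syslog.1 ;
}
```

Keep the "before" and "after" as alternatives, not both in one policy. Loosening the mask is the right fix only for files that are supposed to change; a binary or config file that keeps showing up in reports is a finding, not a false alarm.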
Generate a text version of the policy as above and make the changes, then commit the edited text as the new policy:
tripwire -m p -c path_to_configfile path_to_twpol.txt
The database must be up to date before this command, because tripwire runs a check against the current database before it commits the policy change. In the default secure mode (high) any violation found by that check aborts the policy update; -Z low lowers this to a warning, but the safer habit is to run a check and a database update first, then change the policy.
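The whole set-up sequence above collected into one script, as an added example that is not part of the lab handout. The location /var/lib/.twstate and the layout under it are hypothetical choices; the variable names POLFILE, DBFILE, REPORTFILE, SITEKEYFILE and LOCALKEYFILE are those of the Debian twcfg.txt, and the sample config at the bottom is constructed so the rewrite step can be tried on a machine without tripwire. Run it with no argument to see the rewritten config, with setup (as root, after apt-get install tripwire) to do the real thing, and with check to run and print a check:

```shell
#!/bin/sh
# Added example (not from the lab handout): the set-up steps as one script, so
# the paths in the config, the twadmin command lines and the tripwire command
# lines cannot disagree. The layout under TW_ROOT is a hypothetical choice.
set -eu

TW_ROOT=${TW_ROOT:-/var/lib/.twstate}    # hypothetical non-default location
SITE_KEY=$TW_ROOT/keys/site.key
LOCAL_KEY=$TW_ROOT/keys/local.key
CFG_TXT=$TW_ROOT/twcfg.txt               # plain text; delete once signed
CFG_BIN=$TW_ROOT/tw.cfg                  # signed config, what -c points at
POL_TXT=$TW_ROOT/twpol.txt
POL_BIN=$TW_ROOT/tw.pol
DB_FILE=$TW_ROOT'/db/$(HOSTNAME).twd'    # $(HOSTNAME) is expanded by tripwire itself
REPORT_DIR=$TW_ROOT/report

# rewrite_twcfg: read a twcfg.txt on stdin and print it with the five path
# variables pointed at our locations; every other line passes through.
rewrite_twcfg() {
    awk -v pol="$POL_BIN" -v db="$DB_FILE" -v skey="$SITE_KEY" -v lkey="$LOCAL_KEY" \
        -v rep="$REPORT_DIR"'/$(HOSTNAME)-$(DATE).twr' '
        /^POLFILE[ \t]*=/      { print "POLFILE      =" pol;  next }
        /^DBFILE[ \t]*=/       { print "DBFILE       =" db;   next }
        /^REPORTFILE[ \t]*=/   { print "REPORTFILE   =" rep;  next }
        /^SITEKEYFILE[ \t]*=/  { print "SITEKEYFILE  =" skey; next }
        /^LOCALKEYFILE[ \t]*=/ { print "LOCALKEYFILE =" lkey; next }
        { print }'
}

# tripwire_setup: the lab's commands in order. Run as root on the SEED VM after
# apt-get install tripwire; twadmin prompts for the site and local passphrases.
tripwire_setup() {
    umask 077
    mkdir -p "$TW_ROOT/keys" "$TW_ROOT/db" "$REPORT_DIR"
    rewrite_twcfg < /etc/tripwire/twcfg.txt > "$CFG_TXT"
    cp /etc/tripwire/twpol.txt "$TW_ROOT/twpol.txt.orig"   # pristine copy, needed later
    cp /etc/tripwire/twpol.txt "$POL_TXT"
    ${EDITOR:-vi} "$POL_TXT"                             # fix the GLOBAL section by hand
    twadmin -m G -S "$SITE_KEY" -L "$LOCAL_KEY"          # both keys in one go
    twadmin -m F -c "$CFG_BIN" -S "$SITE_KEY" "$CFG_TXT" # sign config; -c sets its destination
    twadmin -m P -c "$CFG_BIN" "$POL_TXT"                # sign policy; destination is POLFILE
    tripwire -m i -c "$CFG_BIN"                          # build the baseline database (slow)
}

# tripwire_check: run a check and print the newest report as text. A check
# exits non-zero when it finds violations, which is a result, not a failure.
tripwire_check() {
    tripwire -m c -c "$CFG_BIN" || true
    latest=$(ls -t "$REPORT_DIR"/*.twr | head -n 1)
    twprint -m r -c "$CFG_BIN" -r "$latest"
}

# Constructed sample of the path lines in the Debian /etc/tripwire/twcfg.txt so
# the rewrite can be exercised on a machine without tripwire installed.
SAMPLE_CFG='ROOT          =/usr/sbin
POLFILE       =/etc/tripwire/tw.pol
DBFILE        =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE    =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE   =/etc/tripwire/site.key
LOCALKEYFILE  =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR        =/usr/bin/editor
REPORTLEVEL   =3'

# rewritten_sample: the sample after the rewrite (the dry-run output).
rewritten_sample() { printf '%s\n' "$SAMPLE_CFG" | rewrite_twcfg; }

case "${1:-show}" in
    setup) tripwire_setup ;;
    check) tripwire_check ;;
    *)     rewritten_sample ;;     # dry run: show what the config will look like
esac
```

Two details are easy to get wrong by hand: twadmin -m F needs -c so the signed config lands where every later -c option expects it, and tripwire -m c returns a non-zero exit status whenever it finds violations, so a script that stops on errors must not treat that as a failure.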
Upgrade firefox on your virtual machine. Run a check of the system.
Update the database so your firefox changes won't be in the next report. Add a new user and run a check of the system.
Reboot the virtual machine. Run the system check again.