In part one of this series, we looked at the procedures for installing and configuring Tripwire on a Linux system. We have now installed Tripwire, the local and site passphrases have been established, and the Tripwire database has been created and secured in an offline location. In this Daily Drill Down, we will cover the actual running of Tripwire on a production Linux server. Topics covered in this Daily Drill Down include:

  • Running Tripwire in initialization mode.
  • Running Tripwire in compare mode.
  • Running Tripwire in update mode.
  • Using the twadmin command.

The tripwire command
The tripwire command is used by administrators to perform four functions:

  • Creating the initial Tripwire database
  • Maintaining the Tripwire database
  • Performing integrity checks on the filesystem
  • Maintaining the Tripwire policy file

The tripwire command may be used in either long or short format. The short format uses the syntax:
tripwire -m <option>

An example of the short option would be:
tripwire -m i

to run Tripwire in initialization mode. The long format uses the syntax:
tripwire --<mode>

An example of the long format would be:
tripwire --init

to run Tripwire in initialization mode.

Creating the Tripwire database
Tripwire uses initialization mode to build the Tripwire database. Initialization mode is not used as often as the other modes available with Tripwire, but it is crucial to system security that Tripwire initialization is performed correctly. This is because the Tripwire database generated in this mode will be used to confirm the security of the filesystem on your system.

The most important factor in Tripwire initialization is the current state of the system. If conditions are perfect, you will be able to install and initialize Tripwire immediately after the operating system and applications, especially security applications, have been installed and verified as having been obtained from a trusted source. Once the integrity of the current filesystem has been established, the Tripwire database is initialized with the following command:
./tripwire --init

Once this command is run, the Tripwire database is ready to be used to check filesystem integrity, using the Tripwire compare mode.

Checking the filesystem in compare mode
Now that Tripwire has been initialized, filesystem integrity may be checked using the Tripwire database. When an integrity check is run, Tripwire compares the current state of the filesystem to the database created when Tripwire was initialized and looks for violations of the rules established in the Tripwire policy file. The following command is used to run Tripwire in compare mode:
./tripwire -m c

Once the integrity check has been completed, Tripwire prints any discovered violations to the Tripwire report file. Tripwire creates two copies of this report file:

  • The first version of the report file is printed in plain text to the standard output (stdout) for the system. This is normally the terminal, but stdout may be redirected to a log file. The text version of the report file may be printed to another location, such as a log file, by editing the stdout option in the Tripwire configuration file.
  • The second version of the report file is a binary copy. The default location for this file is established with the REPORTFILE option in the Tripwire configuration file. The REPORTFILE option may be edited to save this copy in any location. The location in which to store this copy may also be specified by using the following when Tripwire is run in compare mode:

./tripwire -m c --twrfile ~/newreport.twr

The above command would store the report file in the Tripwire administrator’s home directory.

Detecting specific violations
Tripwire may be used to monitor the filesystem for the following specific violations:

  • Violations of a specific rule
  • Violations based on severity
  • Violations based on a specific file property or properties

To check for integrity based on a specific rule, use the command:
./tripwire -m c -R rulename

An example of this command would be:
./tripwire -m c -R READ

This would run a Tripwire integrity check based on the READ rule only. To run an integrity check on specific files or directories only, use the command:
./tripwire -m c file#1 file#2 directory#1 directory#2

Severity is an attribute that may be assigned to any rule by the administrator. The following three values allow the administrator to assign severity levels conveniently:

  • 33: low severity
  • 66: medium severity
  • 100: high severity

The severity level for a rule is assigned in the policy file. For example, to assign a severity level of 70 to violations occurring in configuration files, the READ template would use the syntax in Table 1. This template is then used to check the integrity of configuration files:

Severity level rules
File name          Syntax
/etc/inetd.conf    -> (READ) (severity=70);
/etc/rc.d          -> (READ) (severity=70);
/etc/pam.d         -> (READ) (severity=70);
Table 1

Rules that do not have a severity level assigned to them are assigned the default severity level of 0.
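
Because rules without a severity attribute default to 0, a check restricted to a minimum severity level leaves those objects out. The following is an added example, not part of the original article, that lists the objects in a text policy whose severity falls below a given level; the function names and the sample policy are constructed, and it assumes severity is written per rule as in Table 1.

```shell
#!/bin/sh
# Constructed sample policy; rule syntax follows Table 1.
sample_policy() {
cat <<'EOF'
# critical configuration files
/etc/inetd.conf -> (READ) (severity=70);
/etc/rc.d -> (READ) (severity=70);
/etc/pam.d -> (READ) (severity=70);
/etc/motd -> (READ) (severity=33);
/var/log -> (READ);
EOF
}

# Print "severity<TAB>object" for each rule line of a text policy
# (file arguments, or stdin when none are given).
# Assumption: severity is set per rule as in Table 1; attributes applied
# to a whole block of rules are not handled.
tw_rule_severities() {
    awk '
        /^[ \t]*#/ { next }                 # comment line
        /->/ {
            sev = 0                         # default when none is assigned
            if (match($0, /severity[ \t]*=[ \t]*[0-9]+/)) {
                sev = substr($0, RSTART, RLENGTH)
                gsub(/[^0-9]/, "", sev)     # keep only the number
            }
            printf "%d\t%s\n", sev, $1      # $1 is the object name
        }
    ' "$@"
}

# List the objects whose rule severity is below LEVEL.
tw_rules_below() {
    level=$1; shift
    tw_rule_severities "$@" |
        awk -F '\t' -v lvl="$level" '$1 + 0 < lvl + 0 { print $2 }'
}

# Objects that a check limited to severity 66 and above would skip.
sample_policy | tw_rules_below 66
```
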

It is often useful to ignore some file properties when running an integrity check. For example, to run an integrity check while ignoring the file permissions, file type, and number of links, the following would be used:
./tripwire -m c -i "p,t,n"

The file properties to be ignored must be enclosed in quotation marks.

Tripwire update mode
Tripwire is run in update mode so that administrators may make necessary changes to the Tripwire database to reflect any authorized changes made to the filesystem. Tripwire is run in update mode with the command:
./tripwire -m u

Some options the administrator may want to use in update mode include:

  • Update using a specified policy file
  • Update using a specified database file
  • Update using a specified configuration file
  • Update using a specified report file

To run Tripwire in update mode using a specified policy file, use the command:
./tripwire -m u -p path-to-policy-file

To update the database using a specified database file, use the command:
./tripwire -m u -d path-to-database-file

To update the database using a specified configuration file, use the command:
./tripwire -m u -c path-to-configuration-file

To update the database using a specified report, use the command:
./tripwire -m u -r path-to-report-file

Tripwire secure modes
Tripwire secure modes are used to prevent inconsistencies between the Tripwire database and the report file. The secure mode selected determines what action Tripwire will take when the current database does not match the database that was used to create the report file. There are two secure modes available when running Tripwire in update mode:

  • In secure-mode-high, any inconsistencies will prevent the database from being updated.
  • In secure-mode-low, inconsistencies are reported, but the database may still be updated.

The following situations cause errors when updating the Tripwire database:

  • The database has already been updated using the specified report file.
  • The report file was created using a different database than the one being updated.
  • The database was updated with a different report file since the report file was created.

When any of these three error conditions exist, the Tripwire database may be overwritten with incorrect information if secure-mode-low is used. Because of this, administrators should stick with the default of secure-mode-high.

When the Tripwire database is stored on a read-only filesystem, this filesystem must be remounted as read-write for the database to be updated. To enhance security, administrators will often copy the files to be updated to their default locations, update them there, and then copy them back to the database filesystem. Although the filesystem holding the database still needs to be mounted read-write for this process, this procedure will normally reduce the amount of time the database is mounted as read-write, reducing the chances of a hacker compromising the database.

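The staged update described above, as an added example that is not part of the original article: the database is copied off the read-only volume, updated in secure-mode-high, and the volume is remounted read-write only for the copy back. The function name, all paths and the `mount -o remount` handling are assumptions; `-Z`, `-d` and `-r` are tripwire's secure-mode, database and report options.

```shell
#!/bin/sh
# TRIPWIRE and MOUNT may be overridden from the environment.
TRIPWIRE=${TRIPWIRE:-tripwire}
MOUNT=${MOUNT:-mount}

# usage: tw_staged_update MOUNTPOINT DBFILE REPORT
#   MOUNTPOINT  read-only filesystem that holds the database
#   DBFILE      database path on that filesystem
#   REPORT      report (.twr) from the integrity check being accepted
# e.g. tw_staged_update /mnt/twdb /mnt/twdb/host.twd /var/tmp/check.twr
tw_staged_update() {
    mnt=$1; db=$2; report=$3
    [ -r "$db" ] && [ -r "$report" ] || {
        echo "missing database or report" >&2; return 2; }

    work=$(mktemp -d) || return 2
    stage="$work/$(basename "$db")"
    cp -p "$db" "$stage" || { rm -rf "$work"; return 2; }

    # Update the staged copy. In secure-mode-high any inconsistency
    # between report and database prevents the update.
    rc=0
    "$TRIPWIRE" -m u -Z high -d "$stage" -r "$report" || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "update failed (exit $rc); stored database untouched" >&2
        rm -rf "$work"; return "$rc"
    fi

    # Writable window: remount, copy back, remount read-only again.
    "$MOUNT" -o remount,rw "$mnt" || { rm -rf "$work"; return 3; }
    cp -p "$stage" "$db.new" && mv "$db.new" "$db" || rc=4
    "$MOUNT" -o remount,ro "$mnt" || rc=5
    rm -rf "$work"
    return "$rc"
}
```
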
Using the twadmin command
The twadmin command performs the following functions:

  • Replacing and printing configuration and policy files
  • Encoding Tripwire files
  • Decoding Tripwire files
  • Verifying Tripwire files
  • Generating local and site keys

Replacing the Tripwire configuration file
When the Tripwire configuration file needs to be edited after installation, a text copy of the current configuration may be created with the command:
./twadmin --print-cfgfile > config.txt

This command saves a text copy of the configuration as config.txt, which is then edited to become the new configuration file for Tripwire. Once the necessary changes have been made to the configuration file, a new binary-encoded version may be created with the command:
./twadmin --create-cfgfile --site-keyfile ../key/site.key config.txt

To print the current binary-encoded file in text format, the following command is used:
./twadmin -m f -c <cfgfile-name>

Replacing the policy file
To create or replace the policy file, use the command:
./twadmin --create-polfile

Table 2 lists some of the options available with this command.

twadmin command options
Option                                        Function
-m P | --create-polfile                       Create a binary-encoded policy file from the specified text file.
-c cfgfile                                    Use the specified configuration file.
-S sitekey | --site-keyfile sitekey           Specifies the site key file used to sign the new policy file.
-p polfile | --polfile polfile                Used to specify the destination policy file.
-e                                            No encryption (the new policy file will be binary-encoded, but will not be readable in text format).
-Q passphrase | --site-passphrase passphrase  The specified passphrase is used to sign the policy file. It may not be used with the -e or --no-encryption options.
policyfile.txt                                Used to specify the text policy file from which the binary-encoded policy file is created.
Table 2

Printing the policy file
After the binary-encoded file has been created, twadmin may be used to print the contents of this file in text format. The following command is used to print the policy file:
./twadmin -m p -p polfile

or, in long format:
./twadmin --print-polfile -p polfile

Signing files with Tripwire
The twadmin command may also be used to sign database, policy, report, or configuration files. twadmin will use either the site key or the local key to sign these files. The process of signing files may be automated by including the passphrase for the key files on the command line. Note that a passphrase given on the command line is visible to other users in the process list.

Files are examined by Tripwire prior to being signed, and the appropriate key is selected to sign each file. Database and report files are signed using the local key, and the site key is used to sign the policy and configuration files. Table 3 lists the arguments available to the twadmin command.

To run twadmin in encryption mode, use the command:
./twadmin -m E

or, in long format:
./twadmin --encrypt

Any of the options listed in Table 3 may then be used to specify the actions taken by the twadmin command.

twadmin command encryption options
Option                                         Function
-c cfgfile | --cfgfile cfgfile                 Specifies the configuration file to be used.
-L localkey | --local-keyfile localkey         Specifies the local key file used for signing files.
-S sitekey | --site-keyfile sitekey            Specifies the site key file to be used for signing files.
-P passphrase | --local-passphrase passphrase  Specifies the local passphrase used to sign database and report files.
-Q passphrase                                  Specifies the site passphrase used to sign policy and configuration files.
file1 file2 ...                                List of files to be signed using the site or local key. (Multiple file names are separated by spaces. Wildcards (*) may be used to select multiple files, but their use is discouraged for security reasons.)
Table 3

Determining the encryption status of a file
Running twadmin in examine mode will provide the following information:

  • The filename
  • The file type and whether the file is binary-encoded
  • Whether or not the file is signed
  • If the file is signed, the key used to sign it

To determine the encryption status of a file, use the command:
./twadmin -m e

or, in long format:
./twadmin --examine

Any of the options listed in Table 3, which are used to select the local or site key file, the configuration file, or multiple files, may then be used.

Generating local and site keys
twadmin allows the administrator to generate local or site keys for Tripwire files. This allows the replacement of the key files generated during the Tripwire installation process. The site and local keys are normally changed whenever one of the following changes occurs on the network:

  • Whenever the administrator suspects the keys have been compromised
  • Whenever personnel changes require a change to the Tripwire administration policy
  • Whenever the administrator suspects the filesystem has been compromised

Whenever the site key or local key is replaced, files signed with the original key are no longer usable. There is no way to use these files again until they have been signed with the new key.

To use the twadmin command to replace keys, use the command:
./twadmin -m G

or, in long format:
./twadmin --generate-keys

Any of the command options listed in Table 3 may then be used to specify the site or local key file and the passphrase to be used.

Tripwire is arguably the most important application running on your system. It is essential for system administrators to know the correct procedures for running this flexible and powerful tool. This Daily Drill Down concludes a two-part series on how to use Tripwire to ensure filesystem integrity. In part one, we discussed the procedures for installing and configuring Tripwire on your system, and in this Daily Drill Down we discussed the administration of Tripwire on an operational system. We covered running Tripwire in initialization, compare and update modes, the procedures for updating local and site keys, and the procedures for updating the policy and configuration files.