Datadisk


Tripwire
Tripwire software allows you to quickly identify changes occurring in a file system. It is used as a fundamental layer of the security strategy:
it provides an instrument to detect changes made to file systems, regardless of whether they were made by an unauthorised party or by someone within
the organization.

Set up a tripwire server which reports file system changes across the Unix production environment and mails the Unix administrators about any
changes made.

The suite consists of a number of scripts and the tripwire binaries. This document outlines the files used, then explains the process that takes place
in order to scan each server.

/tripwire/tw.master               This script sets up the ssh-agent used to connect to the hosts being scanned
/tripwire/tw.really               This script uses the trip.hosts.check file to ssh to each server and run the twcheck script
/tripwire/twinit                  This script uses the trip.hosts.init file to create a new tripwire database
/tripwire/twscan <host>           This script uses the trip.hosts.check file to verify the host, then runs a tripwire scan on that host
/tripwire/trip.hosts.check        This config file lists all hosts that will be scanned. The format is <Host name>:<Host access dns entry>
/tripwire/trip.hosts.init         This config file lists all hosts that require a new tripwire database. The format is <Host name>:<Host access dns entry>
/logs/tripwire/databases          This directory contains the tripwire databases
/logs/tripwire/reports            This directory contains the mailed tripwire report
/logs/tripwire/reports/hosts      This directory contains the per-host tripwire reports
/logs/tripwire/tw.log             This log file contains any output messages from the cron job
/.ssh/authorized_keys             This file contains the SSH public key used to connect to the hosts being scanned
/usr/local/admin/bin/twcheck      This script scp's the tripwire files from hosta, runs a scan, then scp's the report to hostb
/.ssh/authorized_keys             This file contains the public key of ???? and the tripwire identity.

Tripwire Events

Tripwire is run every 4 hours via a cron job:

	0 0,4,8,12,16,20 * * * /tripwire/tw.master >> /logs/tripwire/tw.log 2>&1 
Any stdout/error messages are recorded in the tripwire log file.

The first script called is tw.master, which sets up the ssh-agent and then calls tw.really. tw.really uses the trip.hosts.check
file to ssh to each host and run twcheck on that host.

twcheck secure-copies the tripwire binary, the configuration files and the tripwire database for that server from hosta; tripwire is then
run and a report is generated of the changes made to the filesystems. This report is then copied back to hosta.

Once all the reports have been copied, tw.really filters all the host reports to generate a main tripwire report, which is mailed to
the Unix administrators.
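The host-list parsing, per-host scan loop and report merge described above, written as portable sh functions. This is an added example, not the site's own tw.really or twcheck; the file paths are the ones listed on this page, while the report-line format (lines beginning added:/changed:/deleted:), the per-host report file names and the sample data are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the page's own scripts): the tw.really workflow as functions.
# Assumed: per-host reports are plain files named after the host, and a change
# shows up as a line starting with added:, changed: or deleted:.

# Emit "<host> <dns>" for each well-formed "<host>:<dns>" line in
# trip.hosts.check, ignoring blank lines, comments and malformed entries.
tw_hosts() {
    while IFS=: read -r host dns _rest; do
        case "$host" in ''|\#*) continue ;; esac
        if [ -n "$dns" ]; then
            printf '%s %s\n' "$host" "$dns"
        fi
    done < "$1"
}

# Scan every listed host. tw.master is assumed to have loaded the tripwire
# identity into ssh-agent, so BatchMode never falls back to a password prompt
# and a host that cannot be reached is reported instead of hanging the cron job.
tw_scan_all() {
    tw_hosts "${1:-/tripwire/trip.hosts.check}" | while read -r host dns; do
        ssh -o BatchMode=yes "root@$dns" /usr/local/admin/bin/twcheck \
            || echo "tripwire: scan of $host failed" >&2
    done
}

# Merge the per-host reports into the single report that gets mailed. Only
# hosts whose report lists a change appear, so a clean run produces no output.
tw_merge_reports() {
    dir=$1
    for f in "$dir"/hosts/*; do
        [ -f "$f" ] || continue
        if grep -qiE '^(added|changed|deleted):' "$f"; then
            printf '==== %s ====\n' "$(basename "$f")"
            grep -iE '^(added|changed|deleted):' "$f"
        fi
    done
}

# Constructed sample data (a temporary stand-in for /tripwire and
# /logs/tripwire/reports) so the functions can be exercised offline.
TW_DEMO=$(mktemp -d)
mkdir -p "$TW_DEMO/hosts"
printf '# name:dns\nhosta:hosta-mgmt.example.internal\n\nbroken-line\nhostb:hostb-mgmt.example.internal\n' \
    > "$TW_DEMO/trip.hosts.check"
printf 'changed: -rw-r--r-- root 1182 /etc/passwd\nadded:   -rwsr-xr-x root 9120 /usr/local/bin/unknown\n' \
    > "$TW_DEMO/hosts/hosta"
printf 'No changes detected.\n' > "$TW_DEMO/hosts/hostb"
```

Running `tw_merge_reports "$TW_DEMO"` against the sample data prints only the hosta section with its two changed/added lines; hostb, which reported nothing, is omitted.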

Creating tripwire database

To create a new tripwire database, either for a new host or an existing one, place an entry in the trip.hosts.init file. The format should
be '<host name>:<host access dns entry>'. Then run twinit; you will be prompted for the host's root password a number of times as it
copies the tripwire binaries and configuration files across. Tripwire will then run and create a database file from the new host; this file will
be copied back to hosta and all tripwire files on the new host will be removed.

Then copy the /.ssh/authorized_keys and twcheck from an existing host to the new host (see the above table for paths). Make sure you
update the trip.hosts.check file so that the new host will be scanned every 4 hours via the cron entry.

Testing the Tripwire database on the fly

To test the tripwire database/host file integrity, run the command twscan <host>; make sure there is an entry for the host in the
trip.hosts.check file. The tripwire files and database will be copied onto the server after asking for the root password a few times.
The report will be displayed on the screen. Please note that no emails are sent. All tripwire files are then removed from the host.