Detecting attacks with the Tripwire IDS
Check and Report
Before you bundle Tripwire off into a cron job, you should check whether the software really sends email without any glitches. The following command does the trick:
# tripwire --test --email <address>@<domain>.com
If everything works, you can type tripwire --check
to run your first real integration check (Figure 1). Tripwire outputs the reports in short form at the console and stores them at the same time in more detail in /var/lib/tripwire/report/$HOSTNAME-timestamp.twr
(Figure 2).
If you want to mail the reports, you also need to set the --email-report
switch. The reports are then dispatched to the recipients defined in the policy file for the matching rules.
Occasionally, admins change things on running systems. Because Tripwire does not know that these modifications are allowed, the reports may be full of violations. To avoid this, you need to adjust the Tripwire database on the basis of the report. Use the command
# tripwire --update -twrfile \ /var/lib/tripwire/report/$HOSTNAME-timestamp.twr
to open an editor that lists all rule violations (Figure 3). Alternatively, Tripwire can use tripwire --check --interactive
to adopt the changes immediately.
If you then consent by doing nothing, Tripwire modifies the database accordingly; these integrity violation messages do not occur in future tests. If a rule violation is not approved and if you want Tripwire to continue reporting it in future tests, simply uncheck the checkbox associated with the violation.
If you want to look at the Tripwire database, you can use the
twprint --print-dbfile
command and use a similar approach for binary report files (Figure 4):
# twprint --print-report --twrfile /var/lib/tripwire/report/$HOSTNAME-timestamp.twr
If all manual checks run satisfactorily, you can set up a cron job to delegate the integrity check by opening the cron table as root, typing crontab -e
, and adding
to tell the system to run a daily check at 5:00am and report by email, for example.
Security Tips
Ideally, you will want to set Tripwire up on a freshly installed system: Only then can you really be sure that all the files are still in their original state. The keys, policy file, and configuration file should be readable and writable only for root; the following command takes care of this:
# chmod 600 site.key $HOSTNAME-local.key tw.*
The /etc/tripwire
and /var/lib/tripwire/
directories are also intended for root access only (chmod 700
…).
If possible, you should also specially protect the Tripwire database so that the attacker has no chance to change it. For a desktop computer, an external storage medium is a good way of doing this. A server can download the database from another computer before each test using SSH and the public key method or load the database from a read-only medium.
Conclusions
Tripwire lives up to its name. The simple but effective Tripwire HIDS can be set up quickly and provides its service quietly and discreetly. Although the HIDS does not defend against attacks, it does help identify anomalies in good time. Admins often have little chance of detecting modified files left behind by attackers, but Tripwire serves up the evidence by email, reducing search and removal overhead.
The rules can also be adapted easily retroactively. The report files are usually fairly small, and the risk of slowly but surely using up all your disk space is virtually non-existent. By allowing intended changes that update or change configuration files, you can adapt the database in an uncomplicated way.
Infos
- Tripwire: http://www.tripwire.org
- Purdue University: http://www.purdue.edu
- Tripwire, Inc.: http://www.tripwire.com
- OpenSUSE security repos: http://download.opensuse.org/repositories/security/
- Tripwire download: http://sourceforge.net/projects/tripwire/files/latest/download
- Code for this article: ftp://ftp.linux-magazin.com/pub/listings/magazine/163
« Previous 1 2
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Endless OS 6 has Arrived
After more than a year since the last update, the latest release of Endless OS is now available for general usage.
-
Fedora Asahi 40 Remix Available for Macs with Apple Silicon
If you've been anticipating KDE's Plasma 6 for your Apple Silicon-powered Mac, then you're in luck.
-
Red Hat Adds New Deployment Option for Enterprise Linux Platforms
Red Hat has re-imagined enterprise Linux for an AI future with Image Mode.
-
OSJH and LPI Release 2024 Open Source Pros Job Survey Results
See what open source professionals look for in a new role.
-
Proton 9.0-1 Released to Improve Gaming with Steam
The latest release of Proton 9 adds several improvements and fixes an issue that has been problematic for Linux users.
-
So Long Neofetch and Thanks for the Info
Today is a day that every Linux user who enjoys bragging about their system(s) will mourn, as Neofetch has come to an end.
-
Ubuntu 24.04 Comes with a “Flaw"
If you're thinking you might want to upgrade from your current Ubuntu release to the latest, there's something you might want to consider before doing so.
-
Canonical Releases Ubuntu 24.04
After a brief pause because of the XZ vulnerability, Ubuntu 24.04 is now available for install.
-
Linux Servers Targeted by Akira Ransomware
A group of bad actors who have already extorted $42 million have their sights set on the Linux platform.
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.