Tripwire

 

Image showing file with fingerprint.


In this blog:
  • What is Tripwire?
  • Mirrors.
  • Installation.
  • Initialise Tripwire.
  • Edit twpol.txt.
  • File integrity check.
  • Securing our system.
  • Email notifications. 
See my blog on Intrusion Detection systems here.



What is Tripwire?

Tripwire is a popular open-source Linux IDS used for file integrity monitoring, which means checking for unauthorised changes to your files.

I will be using Kali Linux, which is a Debian based distro.

Tripwire is part of the default repository in Ubuntu and Debian, meaning we can install it using commands in the terminal.




Mirrors


Image showing broken hand mirror.



Before installing the tool, we must update the list of packages in the repos, which is used by the apt tool to determine the URL of the package to install. 

Run ➡️ sudo apt-get update

Without updating, the download manager might not be able to find the URL as the list could be out of date. 

This is not a requirement if you know that the specific package you want has not been altered (no new version of the package or its dependencies have been made available on the mirrors). 

A mirror is just a server that holds a copy of a master server's repositories; mirrors are placed in various locations around the world for faster connections and greater reliability.



Image showing Linux command.
Updating our system.


To find your nearest mirror, go to kali.download/kali/ and click README at the bottom. 



Image showing Kali Linux mirrors.
Kali linux mirrors.


Go to the highlighted link in the download file and you will be able to see more mirror information including your nearest mirrors. 


Image showing nearest mirrors.
Nearest mirrors link.




Installation


Type the command ➡️ sudo apt install tripwire
Type 'y' to approve the installation.


Image showing Tripwire installation.
Installing Tripwire.


You will be shown this screen ➡️ 


Image showing Tripwire installation.
Tripwire configuration page.

 

Select yes to create your site key passphrase during installation.

Then select yes to create a local key passphrase. 


Image showing Tripwire configuration.
Passphrase configuration.


Select yes to rebuild Tripwire config file. 


Image showing Tripwire configuration.
Rebuilding configuration files.

When asked to rebuild policy files, select yes. 


Image showing Tripwire configuration.
Selecting a passphrase.


Create a site key passphrase and confirm it. Remember this passphrase; you'll need it later.

Then create a local key passphrase when prompted.

You’ll be shown this page for a few minutes. 



Image showing Tripwire configuration.
Generating local key.



Select OK.


Image showing Tripwire installation confirmation.
Tripwire has been installed.


Type tripwire --check --help to list Tripwire's options.


Image showing Tripwire options.
Tripwire options.




Initialise Tripwire


To initialise Tripwire, use the command tripwire --init

Remember to run this as root, as it may fail without adequate permissions.

To get a root shell, type sudo su and type in your root password.

This may take some time.


Image showing Tripwire initialisation.
Initialising Tripwire.


You should get this output. 

Copy and paste this output into a text editor to reference for the next part. 



Image showing database file being generated.
Generating database file.

Edit twpol.txt


You now want to open the twpol.txt file in nano so that you can edit it.

Type nano twpol.txt. This is Tripwire's policy configuration file; it lists the directories that Tripwire records in its database and is going to monitor.


Image showing database file.
twpol.txt file.


Some of these files we don't have. You must comment out (#) the default entries in the policy that refer to files we don't have or use.

Otherwise, running Tripwire can produce errors saying certain files have been removed, deleted or tampered with (false positives).

When you open it in nano it might say the file has no write permissions.

By running ls -l we can see the file permissions.

As you can see, the root user owns the folders and files. So go back to the terminal, type sudo nano twpol.txt and type in your root password.


Image showing file permissions.
Checking permissions.



I've opened the twpol.txt file in nano and the Tripwire database in LibreOffice.


Image showing policy file comparison.
Comparing policy files.


Now go through the database file to see which files and directories Tripwire has saved, and comment out the ones you don't have or use over in the nano editor.

As you can see, for example, rc.boot and /root/mail don't exist, so we need to go into the nano editor and comment out (#) those entries to prevent a false positive.

Comment out /var/lock, /var/run, /proc and the /etc/rc files too. /var/lock changes all the time (its entry is annotated # daemon PIDs at the end), and daemon PIDs change frequently, which can produce a lot of false positives.


Image showing policy file being edited.
Commenting out files.


Image showing policy file being edited.
Commenting out more files.


Image showing policy file being edited.
Commenting out rc.boot files.




Once you’re done, save the file and exit.

To commit the changes made to the twpol.txt file, type ➡️ twadmin -m P /etc/tripwire/twpol.txt as shown below.


Image showing changes to a file being saved.
Committing changes to new file.
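Commenting out the missing entries by hand is tedious and easy to get wrong, so here is an added example (not from the original post or from the Tripwire project) that does the step for you: a POSIX shell script that reads a twpol.txt-style policy, comments out every rule whose path does not exist on this host, and copies exclusions, comments and directives through unchanged. The function names, the sample policy fragment and the temp-file demo are all constructed for this illustration; review the output before signing it with twadmin -m P.

```shell
#!/bin/sh
# Added example, not part of the original post: comment out twpol.txt rules
# whose paths do not exist on this host, so tripwire --init / --check do not
# report them as missing (false positives). Assumes the Debian twpol.txt rule
# syntax "  /path -> $(SEC_...) ;". Lines starting with "!" (exclusions),
# comment lines, directives and double-quoted paths are copied unchanged.

comment_missing_rules() {
    in="$1"; out="$2"                       # input policy, output policy
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *'->'*) set -f; set -- $line; set +f; tok="${1:-}" ;;  # first token
            *)      tok="" ;;
        esac
        case "$tok" in
            /*) if [ -e "$tok" ]; then printf '%s\n' "$line"
                else printf '#%s\n' "$line"; fi ;;   # path absent: comment out
            *)  printf '%s\n' "$line" ;;
        esac
    done < "$in" > "$out"
}

# Number of rule lines that were commented out, so the result can be reviewed.
count_commented() {
    grep -c '^#[[:space:]]*/' "$1" || true
}

# Constructed sample policy fragment (not the real /etc/tripwire/twpol.txt).
demo() {
    pol=$(mktemp); new=$(mktemp)
    cat > "$pol" <<'EOF'
(
  rulename = "Boot files and root mail (constructed sample)",
  severity = $(SIG_HI)
)
{
  /etc/rc.boot  -> $(SEC_CRIT) ;
  /root/mail    -> $(SEC_CONFIG) ;
  /etc          -> $(SEC_BIN) ;
  !/proc/loadavg ;
}
EOF
    comment_missing_rules "$pol" "$new"
    cat "$new"
    echo "commented out: $(count_commented "$new") rule(s)"
    rm -f "$pol" "$new"
}
demo
```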




File integrity check


Before you can run a --check command, you need to run tripwire --init again to generate the new database using the policy we just created. This can take a while.


Image showing Tripwire initiation.
Generating a new database with the new policy file.


The database has now been successfully created.

Running the tripwire --check command now will produce our integrity check.


Image showing Tripwire integrity check.
Tripwire integrity check done.



Securing our systems


The files created in this process are quite sensitive and can be removed from our system for added security. 

First, we can remove the copy of the original configuration we made as a reference when commenting out files that we did not need Tripwire to check. 

Image showing files being removed.
Removing policy files.



Moving the file


We can also remove the plain text configuration file. Don't worry about losing anything, as the file can be regenerated from the encrypted files using our passphrase whenever we need it.

To do so, pass the encrypted file to twadmin and redirect its output into a plain text file.

We can test this by moving the plain text file to a different location, regenerating it in the original location and seeing whether it reappears.

Moving the file ➡️

Type sudo mv /etc/tripwire/twpol.txt /etc/tripwire/twpol.txt.bak

Image showing configuration file being deleted.
Removing configuration file.



Regenerating the plaintext file


Type the command sudo sh -c 'twadmin --print-polfile > /etc/tripwire/twpol.txt'

sh -c runs the quoted string as a shell command, so the redirect into /etc/tripwire also happens as root; with a plain sudo twadmin ... > file, your own shell would try to open the output file without root privileges.

Image showing file being regenerated.
Regenerating the file.


We pass the policy file to twadmin and store the output in the twpol.txt file like before.

Now that it's worked, we can confidently remove the plain text files.

We can run ls twpol.txt* to see all the files that start with 'twpol.txt'. There are only two (the two we want to remove).

So we can then run the command sudo rm /etc/tripwire/twpol.txt* to remove all files with that prefix quickly and easily.


Image showing files being removed.
Removing files.



Email notifications


We can set up email notifications for every time a tripwire check command is run. 

We will use the mail utility. 

To install it type sudo apt-get install mailutils and type ‘y’ when prompted. 


Image showing program installation in Linux.
Installing mailutils.

Run the command ➡️

sudo tripwire --check | mail -s "tripwire report for <your name>" <youremail@domain.com>


Image showing mail report.
Example mail report.

tripwire --check runs the integrity check and its report is piped into the mail command, which sends the results of the check to our email.

Keep in mind that the mail service cannot send emails to remote domains, which means it will only send emails to your user account in Linux or another user account that you specify.

As I found out when checking the mail that came through (or didn’t come through). 


Image showing email error in Linux.
Email not sent to remote domain.


To view the Tripwire report email, go to /var/mail/<name of account>.

Here you can see the subject that I typed in the mail command. The Tripwire report will begin below this screen. 


Image showing email.
Opening report email.



What's next


This blog only goes through the basics of Tripwire and barely touches on its vast capabilities. 

There are many more options available in Tripwire, which can be explored online.

