Chapter 19. Tripwire

Tripwire data integrity assurance software monitors the reliability of critical system files and directories by identifying changes made to them. It does this through an automated verification regimen run at regular intervals. If Tripwire detects that a monitored file has been changed, it notifies the system administrator via email. Because Tripwire can positively identify files that have been added, modified, or deleted, it can speed recovery from a break-in by keeping the number of files which must be restored to a minimum. These abilities make Tripwire an excellent tool for system administrators seeking both intrusion detection and damage assessment for their servers.

Tripwire works by comparing files and directories against a database of file locations, dates they were modified, and other data. This database contains baselines — which are snapshots of specified files and directories at a specific point in time. The contents of the baseline database should be generated before the system is at risk of intrusion, meaning before it is connected to the network. After creating the baseline database, Tripwire compares the current system to the baseline and reports any modifications, additions, or deletions.

While Tripwire is a valuable tool for auditing the security state of Red Hat Enterprise Linux systems, Tripwire is not supported by Red Hat, Inc. If you need more information about Tripwire, a good place to start is the project's website located at http://www.tripwire.org.

19.1. How to Use Tripwire

The following flowchart illustrates how Tripwire works:

Figure 19-1. Using Tripwire

The following describes in more detail the numbered blocks shown in Figure 19-1.

1. Install Tripwire and customize the policy file.

Install the Tripwire RPM (see Section 19.2 Installing the Tripwire RPM). Then, customize the sample configuration and policy files (/etc/tripwire/twcfg.txt and /etc/tripwire/twpol.txt respectively), and run the configuration script, /etc/tripwire/twinstall.sh. For more information, see Section 19.3 Customizing Tripwire.

2. Initialize the Tripwire database.

Build a database of critical system files to monitor based on the contents of the new, signed Tripwire policy file, /etc/tripwire/tw.pol. For more information, see Section 19.4 Initialize the Tripwire Database.

3. Run a Tripwire integrity check.

Compare the newly-created Tripwire database with the actual system files, looking for missing or altered files. For more information, see Section 19.5 Running an Integrity Check.

4. Examine the Tripwire report file.

View the Tripwire report file using /usr/sbin/twprint to note integrity violations. For more information, see Section 19.6.1 Viewing Tripwire Reports.

5. If unauthorized integrity violations occur, take appropriate security measures.

If monitored files have been altered inappropriately, you can either replace the original files from backup copies, reinstall the program, or completely reinstall the operating system.

6. If the file alterations are valid, verify and update the Tripwire database file.

If the changes made to monitored files are intentional, edit Tripwire's database file to ignore those changes in subsequent reports. For more information, see Section 19.7 Updating the Tripwire Database.

7. If the policy file fails verification, update the Tripwire policy file.

To change the list of files Tripwire monitors or how it treats integrity violations, update the supplied policy file (/etc/tripwire/twpol.txt), regenerate a signed copy (/etc/tripwire/tw.pol), and update the Tripwire database. For more information, see Section 19.8 Updating the Tripwire Policy File.

Refer to the appropriate sections within this chapter for detailed instructions on each step.