Configuring basic Tripwire server
Configuring basic Tripwire server
Tripwire keys
Tripwire uses two types of keys, site key and local key. Site key can be used to protect files which are common across site like configuration file and policy file. Local key is used to protect files which are specific to a machine, like tripwire database.
Generating tripwire keys
To generate keys we can use:
twadmin --generate-keys --site-keyfile /etc/tripwire/site.key --local-keyfile /etc/tripwire/<hostname>-local.key
For example:
twadmin --generate-keys --site-keyfile /etc/tripwire/site.key --local-keyfile /etc/tripwire/labpc-local.key
Note that it is not necessary that we generate both type of keys. We can generate just one type of key if we want. Tripwire would ask us to enter passphrase for keys that we are trying to generate. These passphrase would be required whenever we want to sign something with these keys.
Tripwire configuration file
Tripwire configuration file contains locations of key files, tripwire database, whether reports should be mailed etc. configuration parameters. To create tripwire configuration file we specify all parameters in a text file, typically 'twcfg.txt' and then sign this with site key to create signed configuration file, typically 'tw.cfg'.
Tripwire configuration file uses 'variable=value' format and we can use value of a variable to define values of other variables using $(variable) syntax. All variables defined in this file are case-sensitive.
Required variables are:
Variable Name | Description and default value |
POLFILE | Tripwire encrypted policy file location. Default: /etc/tripwire/tw.pol |
DBFILE | Tripwire database file location. Default: /var/lib/tripwire/$(HOSTNAME).twd |
REPORTFILE | Tripwire report file location. Default: /var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr |
SITEKEYFILE | Site key to be used to sign policy and configuration files. Default: /etc/tripwire/site.key |
LOCALKEYFILE | Local key to be used to sign database and reports. Default: /etc/tripwire/$(HOSTNAME)-local.key |
Note: If we use above values in our configuration file then we should ensure directory '/var/lib/tripwire/report' exists. Also we should do 'chmod -R 700 /var/lib/tripwire'
In CentOS 5.5 it makes sense to define these additional variables
Variable name | Description and example value |
TEMPDIRECTORY | Directory where tripwire should create temporary files while it is working. The default value is '/tmp' which is not very secure. We should create a directory with 700 permissions and set value of this variable to that directory. Example value: '/etc/tripwire/temp'. We have to ensure that we create this directory and also exclude it being checked in tripwire policy file. |
GLOBALEMAIL | Email address where tripwire reports are sent when we run check with '--email-report' option. Example value: 'saurabh.barjatiya@iiit.ac.in' |
MAILMETHOD | Mail method to be used to send email. It can be either SMTP or SENDMAIL. In case of SENDMAIL the local sendmail should have been configured properly so that it can send emails to emails address specified in policy file or in GLOBALEMAIL. If MAILMETHOD has value SMTP then we need to define two additional variables SMTPHOST and SMTPPORT. In case it is SENDMAIL, then we need to define MAILPROGRAM variable. Unless we define this variable in configuration file, the email feature will not work. Example value: 'SENDMAIL' |
MAILPROGRAM | Location of program which can take email data along with headers and send email. The program should not stop reading if a line containing only dot(.) is encountered. Example : '/usr/sbin/sendmail -oi -t' |
SMTPHOST | Specifies the domain name or IP address of the SMTP server used for email notification. Example value : 'students.iiit.ac.in' |
SMTPPORT | Specifies the port number used with SMTP. Example value: '25' |
Creating signed tripwire configuration file
We can create signed tripwire configuration file using:
twadmin --create-cfgfile --cfgfile /etc/tripwire/tw.cfg --site-keyfile /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Printing configuration file
We can print tripwire configuration file using:
twadmin --print-cfgfile --cfgfile /etc/tripwire/tw.cfg
Tripwire policy
Same as in case of tripwire configuration file, we have two tripwire policy files. We first create plain-text policy file, typically 'twpol.txt' and then encode/sign it with site key file to get signed and encoded policy file, typically 'tw.pol'. We can learn about tripwire policy file format from 'man twpolicy' page. We can also learn from default policy file 'twpol.txt' to learn about tripwire policy file format. This default file also serves as good starting point for creating our own custom tailored policy files.
Note that in case we have specified our own temporary files location in tripwire configuration other than the default '/tmp' then we should exclude that directory from being monitored by tripwire for changes. To do that we can add following line under section with name rulename="Tripwire Data Files"
$(TWPOL)/temp -> (Temporary) (recurse=0) ;
Creating policy file
To create signed tripwire policy file from plain-text policy file, we can use:
twadmin --create-polfile --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --site-keyfile /etc/tripwire/site.key /etc/tripwire/twpol.txt
Printing policy file
To print tripwire policy file we can use:
twadmin --print-polfile --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --site-keyfile /etc/tripwire/site.key
- Refer to 'man twadmin' to learn how to encrypt files, decrypt files or check their encryption status. It can also be used to change passphrase of local and site key files.