Differences

This shows you the differences between two versions of the page.

--- tripwire:configure_tripwire [2016/11/20 12:50] – peter
+++ tripwire:configure_tripwire [2019/12/04 21:52] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== Tripwire - Configure Tripwire ======
-The default configuration should be adjusted.
-Run a check and place the files listed into a file called test_results in our tripwire config directory:
-<code bash>
-cd /etc/tripwire
-tripwire --check | grep Filename > test_results
-</code>
-If we view this file, we should see entries that look like this:
-<code bash>
-less /etc/tripwire/test_results
-</code>
-result
-<code>
-Filename: /etc/rc.boot
-Filename: /root/mail
-Filename: /root/Mail
-Filename: /root/.xsession-errors
-. . .
-</code>
-===== Configure the Policy File to Match Your System =====
-Now that we have a list of files that are setting off tripwire, we can go through our policy file and edit it to get rid of these false positives.
-Open the plain text policy in your editor with root privileges:
-<code bash>
-sudo vi /etc/tripwire/twpol.txt
-Do a search for each of the files that were returned in the test_results file.  Comment out all of the lines that you find that match.
-In the **"Boot Scripts"** section, you should comment out the **/etc/rc.boot** line, since this isn't present in an Ubuntu system:
-<file bash /etc/tripwire/twpol.txt>
-(
-  rulename = "Boot Scripts",
-  severity = $(SIG_HI)
-)
-{
-        /etc/init.d             -> $(SEC_BIN) ;
-        <color red>#/etc/rc.boot            -> $(SEC_BIN) ;</color>
-        /etc/rcS.d              -> $(SEC_BIN) ;
-</file>
-There were a lot of files in the /root home directory that needed to be commented out on my system. Anything that is not present on your system should be commented out:
-<file bash /etc/tripwire/twpol.txt>
-(
-  rulename = "Root config files",
-  severity = 100
-)
-{
-        /root                           -> $(SEC_CRIT) ; # Catch all additions to /root
-        #/root/mail                     -> $(SEC_CONFIG) ;
-        #/root/Mail                     -> $(SEC_CONFIG) ;
-        #/root/.xsession-errors         -> $(SEC_CONFIG) ;
-        #/root/.xauth                   -> $(SEC_CONFIG) ;
-        #/root/.tcshrc                  -> $(SEC_CONFIG) ;
-        #/root/.sawfish                 -> $(SEC_CONFIG) ;
-        #/root/.pinerc                  -> $(SEC_CONFIG) ;
-        #/root/.mc                      -> $(SEC_CONFIG) ;
-        #/root/.gnome_private           -> $(SEC_CONFIG) ;
-        #/root/.gnome-desktop           -> $(SEC_CONFIG) ;
-        #/root/.gnome                   -> $(SEC_CONFIG) ;
-        #/root/.esd_auth                        -> $(SEC_CONFIG) ;
-        #/root/.elm                     -> $(SEC_CONFIG) ;
-        #/root/.cshrc                   -> $(SEC_CONFIG) ;
-        /root/.bashrc                   -> $(SEC_CONFIG) ;
-        #/root/.bash_profile            -> $(SEC_CONFIG) ;
-        #/root/.bash_logout             -> $(SEC_CONFIG) ;
-        /root/.bash_history             -> $(SEC_CONFIG) ;
-        #/root/.amandahosts             -> $(SEC_CONFIG) ;
-        #/root/.addressbook.lu          -> $(SEC_CONFIG) ;
-        #/root/.addressbook             -> $(SEC_CONFIG) ;
-        #/root/.Xresources              -> $(SEC_CONFIG) ;
-        #/root/.Xauthority              -> $(SEC_CONFIG) -i ; # Changes Inode number on login
-        #/root/.ICEauthority                -> $(SEC_CONFIG) ;
-}
-</file>
-The last part of my check was complaining about file descriptors in the /proc filesystem. These files change all of the time, so will trigger false positives regularly if we leave the configuration as is.
-In the "Devices & Kernel information" section, you can see that the /proc filesystem is listed to be checked.
-<file bash /etc/tripwire/twpol.txt>
-(
-  rulename = "Devices & Kernel information",
-  severity = $(SIG_HI),
-)
-{
-        /dev            -> $(Device) ;
-        /proc           -> $(Device) ;
-}
-</file>
-However, this will check every file under it. We don't particularly want that. Instead, we will remove this specification, and add configuration options for all of the directories under /proc that we do want to check:
-<file bash /etc/tripwire/twpol.txt>
-{
-        /dev                    -> $(Device) ;
-        #/proc                  -> $(Device) ;
-        /proc/devices           -> $(Device) ;
-        /proc/net               -> $(Device) ;
-        /proc/tty               -> $(Device) ;
-        /proc/sys               -> $(Device) ;
-        /proc/cpuinfo           -> $(Device) ;
-        /proc/modules           -> $(Device) ;
-        /proc/mounts            -> $(Device) ;
-        /proc/dma               -> $(Device) ;
-        /proc/filesystems       -> $(Device) ;
-        /proc/interrupts        -> $(Device) ;
-        /proc/ioports           -> $(Device) ;
-        /proc/scsi              -> $(Device) ;
-        /proc/kcore             -> $(Device) ;
-        /proc/self              -> $(Device) ;
-        /proc/kmsg              -> $(Device) ;
-        /proc/stat              -> $(Device) ;
-        /proc/loadavg           -> $(Device) ;
-        /proc/uptime            -> $(Device) ;
-        /proc/locks             -> $(Device) ;
-        /proc/meminfo           -> $(Device) ;
-        /proc/misc              -> $(Device) ;
-}
-</file>
-While we are in this portion of the file, we also want to do something with the /dev/pts filesystem. Tripwire will not check that location by default because it is told to check /dev, and /dev/pts is on a separate filesystem, which it will not enter unless specified. To get tripwire to check this as well, we can explicitly name it here:
-<file bash /etc/tripwire/twpol.txt>
-{
-        /dev                    -> $(Device) ;
-        /dev/pts                -> $(Device) ;
-        #/proc                  -> $(Device) ;
-        /proc/devices           -> $(Device) ;
-        /proc/net               -> $(Device) ;
-        /proc/tty               -> $(Device) ;
-        . . .
-</file>
-The last thing we will comment out are the /var/run and /var/lock lines so that our system does not flag normal filesystem changes by services:
-<file bash /etc/tripwire/twpol.txt>
-(
-  rulename = "System boot changes",
-  severity = $(SIG_HI)
-)
-{
-        #/var/lock              -> $(SEC_CONFIG) ;
-        #/var/run               -> $(SEC_CONFIG) ; # daemon PIDs
-        /var/log                -> $(SEC_CONFIG) ;
-}
-</file>
-Save and close the file when you are finished editing.
-Now that our file is configured, we need to implement it by recreating the encrypted policy file that tripwire actually reads:
-<code bash>
-sudo twadmin -m P /etc/tripwire/twpol.txt
-</code>
-After this is created, we must reinitialize the database to implement our policy:
-<code bash>
-sudo tripwire --init
-</file>
-shows
-<code>
-Please enter your local passphrase:
-Parsing policy file: /etc/tripwire/tw.pol
-Generating the database...
-*** Processing Unix File System ***
-Wrote database file: /var/lib/tripwire/tripit.twd
-The database was successfully generated.
-</code>
-All of the warnings that you received earlier should be gone now.  If there are still warnings, you should continue editing your /etc/tripwire/twpol.txt file until they are gone.