Ubuntu - Tripwire - Verify the Tripwire Configuration

Check to see what the tripwire report looks like and if there are truly no warnings:

The basic syntax for a check is:

sudo tripwire --check

You should see a report output to your screen specifying that there were no errors or changes found on your system.

For example, on this host the output was:

Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
The object: "/dev/hugepages" is on a different file system...ignoring.
The object: "/dev/mqueue" is on a different file system...ignoring.
The object: "/dev/shm" is on a different file system...ignoring.
The object: "/proc/sys/fs/binfmt_misc" is on a different file system...ignoring.
Wrote report file: /var/lib/tripwire/report/server1.sharewiz.net-20161126-110710.twr


Open Source Tripwire(R) 2.4.2.2 Integrity Check Report

Report generated by:          root
Report created on:            Sat 26 Nov 2016 11:07:10 GMT
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    server1.sharewiz.net
Host IP address:              192.168.1.2
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/server1.sharewiz.net.twd
Command line used:            tripwire --check 

===============================================================================
Rule Summary: 
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified 
  ---------                       --------------    -----    -------  -------- 
  Other binaries                  66                0        0        0        
  Tripwire Binaries               100               0        0        0        
  Other libraries                 66                0        0        0        
  Root file-system executables    100               0        0        0        
  Tripwire Data Files             100               0        0        0        
* System boot changes             100               16       0        3        
  (/var/log)
  Root file-system libraries      100               0        0        0        
  (/lib)
  Critical system boot files      100               0        0        0        
  Other configuration files       66                0        0        0        
  (/etc)
  Boot Scripts                    100               0        0        0        
  Security Control                66                0        0        0        
  Root config files               100               0        0        0        
  Devices & Kernel information    100               0        0        0        
  Invariant Directories           66                0        0        0        

Total objects scanned:  121417
Total violations found:  19

===============================================================================
Object Summary: 
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/log)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/log/psad/59.27.80.177"
"/var/log/psad/59.27.80.177/danger_level"
"/var/log/psad/59.27.80.177/192.168.1.2_email_alert"
"/var/log/psad/59.27.80.177/192.168.1.2_signatures"
"/var/log/psad/59.27.80.177/192.168.1.2_start_time"
"/var/log/psad/59.27.80.177/192.168.1.2_packet_ctr"
"/var/log/psad/59.27.80.177/email_ctr"
"/var/log/psad/59.27.80.177/59.27.80.177_whois"
"/var/log/psad/220.164.163.75"
"/var/log/psad/220.164.163.75/danger_level"
"/var/log/psad/220.164.163.75/192.168.1.2_email_alert"
"/var/log/psad/220.164.163.75/192.168.1.2_signatures"
"/var/log/psad/220.164.163.75/192.168.1.2_start_time"
"/var/log/psad/220.164.163.75/192.168.1.2_packet_ctr"
"/var/log/psad/220.164.163.75/email_ctr"
"/var/log/psad/220.164.163.75/220.164.163.75_whois"

Modified:
"/var/log/psad"
"/var/log/psad/top_ports"
"/var/log/psad/top_sigs"

===============================================================================
Error Report: 
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.

Notice the following lines near the top of the report. They indicate that Tripwire is not monitoring these objects because they are on a different file system, so it is best to update the Tripwire configuration to include these missing objects. See Configure Tripwire.

The object: "/dev/hugepages" is on a different file system...ignoring.
The object: "/dev/mqueue" is on a different file system...ignoring.
The object: "/dev/shm" is on a different file system...ignoring.
The object: "/proc/sys/fs/binfmt_misc" is on a different file system...ignoring.
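A check like this is easy to automate. The following script is an added example, not part of the original page or of Tripwire itself: it parses the text of a check report in the format shown above, extracts the violation count and the objects Tripwire skipped, and fails when changes were found so a cron job can alert on it. SAMPLE_REPORT is a constructed excerpt of such a report, and check_host assumes Tripwire is installed and its database initialised.

```shell
#!/bin/sh
# Added example, not from the original page: turn the text of a
# `tripwire --check` report into a pass/fail result for a cron job and
# list the objects the check skipped. SAMPLE_REPORT is a constructed
# excerpt in the same format as the report shown above.

SAMPLE_REPORT='Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
The object: "/dev/shm" is on a different file system...ignoring.
The object: "/proc/sys/fs/binfmt_misc" is on a different file system...ignoring.
Wrote report file: /var/lib/tripwire/report/host-20161126-110710.twr

Total objects scanned:  121417
Total violations found:  19

Error Report:
No Errors'

# Print the number after "Total violations found:" in report text $1,
# or 0 if the line is absent (e.g. the check aborted before the summary).
violations_in_report() (
    n=$(printf '%s\n' "$1" \
        | sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    printf '%s\n' "${n:-0}"
)

# List the objects Tripwire skipped because they are on another file
# system, one path per line; these are the candidates for a policy update.
ignored_objects() {
    printf '%s\n' "$1" \
        | sed -n 's/^The object: "\([^"]*\)" is on a different file system\.\.\.ignoring\.$/\1/p'
}

# Succeeds only when the report counts zero violations.
report_is_clean() {
    [ "$(violations_in_report "$1")" -eq 0 ]
}

# Run the real check (needs root and an initialised database), print the
# skipped objects and return non-zero if anything changed. Tripwire may
# exit non-zero when it reports violations, so do not let that abort a
# script running under set -e; the decision is taken from the report text.
check_host() {
    report=$(sudo tripwire --check 2>&1) || true
    ignored_objects "$report"
    report_is_clean "$report"
}
```

Calling check_host from a cron entry and mailing on a non-zero exit status gives a simple daily alert; the skipped objects it prints are the ones to revisit in the policy file.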

Do an interactive check

sudo tripwire --check --interactive

This will run the same tests as normal, but at the end, instead of printing the report to the screen, it is written to a text file and opened in the default editor.

This report goes into quite a lot of detail about each file that changed. In fact, on my machine, the report generated was 2,275 lines long. This amount of information is extremely helpful in the event of a real security problem, but in our case most of it is not of interest.

The important part is near the top. After some introductory information, you should see some lines with check boxes for each of the added or modified files:

Rule Name: Other binaries (/usr/sbin)
Severity Level: 66
-------------------------------------------------------------------------------

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Added:
[x] "/usr/sbin/maidag"

Modified:
[x] "/usr/sbin"
. . .

These check boxes indicate that you want to update the database to allow these changes. You should search for every box that has an “x” in it and verify that those are changes that you made or are okay with.

If you are not okay with a change, you can remove the “x” from the box and that file will not be updated in the database. Tripwire will then flag the same file again on the next run.

After you have decided on which file changes are okay, you can save and close the file.

At this point, it will ask for your local passphrase so that tripwire can update its database files.

If we accepted all of the changes and re-run this command, the report should be much shorter and list no changes.