Linux Intrusion Detection with Tripwire – How To

Whilst malware has certainly focused more on the Windows platform (over 250,000 new malicious code samples a day in SophosLabs), there are every day more instances of malicious code on Linux, Mac OS X and mobile platforms. What's more, Linux systems have certainly become more of a target for cyber criminals and hacktivists via hacking. One of the controls you can implement to help mitigate this threat is integrity checking on the file system, to notify you in the event that files are modified. This is only one of the ways you can do Linux intrusion detection, but it is very useful for detecting a wide range of attacks. Userland rootkits, for example, may modify /bin/login or /bin/ps to hide the presence of malicious code on the system. Alternatively, you may pick up an unexpected change to the DNS zone files you are serving on your system. I hate to drop the buzzword, but this is also a very useful strategy for identifying the artefacts dropped by potential APT attackers, which may have been tested against security solutions.
Selective file system monitoring can be incredibly useful from a security perspective to identify suspicious items which can then be investigated further. On a low-change system, even complete file system monitoring with regular checks could be useful. There are tonnes of tools which can do Linux intrusion detection, but Tripwire is a classic tool I still use on lots of my systems (particularly on my honeypots). I'll do a series of update articles on this and how to configure it for more advanced use cases, but for now here is a brief primer to get Tripwire basically up and running. These instructions work on lots of Linux distributions, though depending on package/version your file paths may vary. Let's do some setup. The below is provided as a code block with comments.

# First we need to install Tripwire. We could do this with a package or from source. In this instance we are going to do it via a package with apt. Note that by default this will offer to install Postfix locally so you can e-mail reports.
sudo apt-get install tripwire
# Next we want to check our configuration files and paths. Read both of these files and edit them if you want to make any changes. Pay particular attention to the local and site key variables, which we will generate in a second. Mine is local.key but some systems use $HOSTNAME-local.key or similar. The format is nice and simple to edit and fairly self-explanatory.
cd /etc/tripwire; ls
twcfg.txt twpol.txt
# Now we need to generate a site key and a local key, which will be used to protect the configuration files and as part of the integrity checking. This will require a passphrase (which should be different) for each key.
sudo twadmin -m G -S site.key
sudo twadmin -m G -L local.key
# We may want to set the permissions so that only the owner (typically root) can access these sensitive files.
sudo chmod 0600 twcfg.txt twpol.txt site.key local.key
# Now we need to generate a new signed (encrypted) version of the configuration file. You can re-run this at any time to generate a new copy if you need to. The second command prints the contents of the signed file so you can validate that the configuration is as you expect.
sudo twadmin --create-cfgfile --cfgfile tw.cfg -S site.key twcfg.txt
sudo twadmin --print-cfgfile -c tw.cfg
# Do the same for the policy file so that tw.pol exists and is signed with the site key we just created. Re-run this every time you edit twpol.txt.
sudo twadmin --create-polfile --cfgfile tw.cfg -S site.key twpol.txt
# Getting close now. We are going to initialise the Tripwire database using the files we just generated. You will get a series of errors and warnings - don't panic, that is pretty normal. You will note that some of them are errors accessing files or paths that don't exist, or where permissions are wrong. You should check through for any that don't exist or aren't relevant, then edit your policy file and regenerate the signed copy with the command above.
sudo tripwire --init --cfgfile tw.cfg --polfile tw.pol
# OK, it is time to check the whole system!
sudo tripwire -m c -v -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol
# Now we can go and read our basic report and see what we found. The file name here is based off my demo system. The report is fairly self-explanatory, though processing the results and knowing what is good, bad or normal requires training and expertise. More on that in follow-on articles - this is just the basics!
cd /var/lib/tripwire/report; ls -alh
sudo twprint -m r -r ubuntu-20131022-083848.twr | less
# A few extra cool commands. You may want to see a copy of the database (perhaps for forensics purposes) of information on files on the system based on your policy. You can do that like this, though be warned the database is typically pretty large. Name an object to print just that entry.
sudo twprint -m d | less
sudo twprint -m d /etc/pam.conf
Property:       Value:
-------------   -----------
Object Type     Regular File
Device Number   2049
Inode Number    655555
Mode            -rw-r--r--
Num Links       1
UID             root (0)
GID             root (0)
Size            552
Modify Time     Fri May 17 22:28:12 2013
Blocks          8
CRC32           Bv8shR
MD5             CH/HbxjpjufThI9rgbM5Hl

Hopefully this helps you get a basic installation up and working so you can play with the policy files and the reports. You can of course now schedule tripwire to run on a regular basis with a crontab or your preferred scheduler. To make this a really useful Linux intrusion detection system you will need to do some more configuration and so I will be producing a series of more detailed articles ranging from reporting, to notifications, rootkit detection and sample templates shortly. Enjoy :)
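As an added example (not part of the original article), here is a small POSIX sh wrapper that a cron job can call to run the check command shown above and act on the result. Tripwire's exit status from an integrity check is bit-encoded (1 = files added, 2 = files removed, 4 = files changed, 8 = error), so the wrapper decodes it into words, logs the outcome with logger, and prints the report via twprint only when something was actually added, removed or changed, so that cron's mail carries the report instead of a blank message. The helper db_prop pulls one property out of a twprint -m d property block like the one printed above. The config, policy and report paths are the ones used in the article; the function names, the "run" argument guard and the decision about which outcomes are worth mailing are choices made for this example, not Tripwire's own.

```shell
#!/bin/sh
# Added example: cron wrapper for the Tripwire check shown in the article.
# Paths are the article's; tripwire/twprint must be installed for nightly_check.
TW_CFG=/etc/tripwire/tw.cfg
TW_POL=/etc/tripwire/tw.pol
TW_REPORTS=/var/lib/tripwire/report

# Turn Tripwire's bit-encoded exit status into a word list:
# bit 1 = added, 2 = removed, 4 = changed, 8 = error; 0 means nothing to report.
decode_tw_status() {
    rc=$1
    words=""
    if [ "$rc" -eq 0 ]; then echo "clean"; return 0; fi
    if [ $((rc & 1)) -ne 0 ]; then words="$words added"; fi
    if [ $((rc & 2)) -ne 0 ]; then words="$words removed"; fi
    if [ $((rc & 4)) -ne 0 ]; then words="$words changed"; fi
    if [ $((rc & 8)) -ne 0 ]; then words="$words error"; fi
    if [ -z "$words" ]; then echo "unknown"; else echo "${words# }"; fi
}

# Read a "Property  Value" block (as printed by twprint -m d) on stdin and
# print the value of one property, e.g. db_prop MD5 or db_prop "Modify Time".
db_prop() {
    sed -n "s/^$1[[:space:]]\{1,\}//p" | head -n 1
}

# Run the article's check command, log the outcome and, if anything was
# added, removed or changed, print the newest report so cron mails it out.
# Returns 0 when clean, 1 when there are violations, 2 on a Tripwire error.
nightly_check() {
    rc=0
    tripwire -m c -c "$TW_CFG" -p "$TW_POL" >/dev/null 2>&1 || rc=$?
    status=$(decode_tw_status "$rc")
    latest=$(ls -t "$TW_REPORTS"/*.twr 2>/dev/null | head -n 1)
    logger -t tripwire "integrity check: $status (exit $rc) report=${latest:-none}"
    case "$status" in
        clean) return 0 ;;
        *error*) echo "tripwire reported an error (exit $rc); see $latest"; return 2 ;;
        *)
            echo "tripwire: $status files; report $latest follows"
            if [ -n "$latest" ]; then twprint -m r -r "$latest"; fi
            return 1 ;;
    esac
}

# Only run the check when invoked explicitly, e.g. from cron:
#   0 3 * * * /usr/local/sbin/tripwire-nightly.sh run
if [ "${1:-}" = "run" ]; then
    nightly_check
fi
```

Because cron mails whatever the job writes to stdout, keeping the report output inside the violation branch means you only get mail when there is something to look at; a clean run leaves just the syslog line, which is easy to alert on if it ever stops appearing.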
