-Hello all, well here is the second part of my Tripwire tutorial. I am really sorry, it had to come earlier than this but due to time constraints I was not able to. Hope you find it helpful and as usual all comments/suggestions are welcome.

-There will be a third (final) part of this tutorial.

-You can find the first part of the tutorial here: Part 1

-So let's go to the tutorial.

***BOF ***

----- cut here -------------------------------------------------------------------------------------------

COPYRIGHT

Copyright (C) 2003 Gigabite All rights reserved.

You may distribute this tutorial freely, as long as no changes are made to the document. The copyright, disclaimer and the signature MUST be included with the document.

DISCLAIMER

Although I have taken every precaution in the preparation of this tutorial, I will assume no responsibility for errors or omissions. Neither is any liability assumed for the information contained herein.

------------------------------------------------------------------------------------------------------------

THE TRIPWIRE TUTORIAL 1.0 PART 2 BY: Gigabite
=============================================

NOTE: I assume that you have gone through part 1 of this tutorial.

- Tripwire defines several built-in variables that hold standard property sets for different types of objects. For example, ReadOnly lists the standard properties for a file or directory that should only ever be read. Dynamic is used for monitoring files that tend to change: it checks the properties that tend to stay the same, such as permissions and ownership, and ignores the ones that tend to change, such as size and the MD5 hash. IgnoreAll simply checks whether a file exists or not, ignoring every other property. IgnoreNone applies all properties to a file (this gives the highest security level). Example:

/usr/bin -> $(ReadOnly);

-You can further qualify rules with attributes. Attributes are entered within parentheses following the rule, separated by commas.
You can also group rules together and apply the same attributes to all of them. In this case the rules are enclosed in braces and the attributes are listed in parentheses before the opening brace. This saves repeating the attributes for several files, and it lets you add an attribute to several files at once.

-There are four attributes: rulename, emailto, severity and recurse.
rulename groups rules under a title that Tripwire reports then use to list any violations in that group. emailto specifies an email address to which a message is sent when a violation occurs. severity indicates the severity of a violation, and recurse specifies whether the property checks for a directory are also applied to its subdirectories (the default is true; a false value checks only the directory itself and none of the files under it). Example:

(
rulename = "Gigabite's files",
severity = 70,
emailto = "gigabitepower@hotmail.com"
)
{
/Gigabite/myfile -> +ps;
/gigabite/mytutorial -> +sM (recurse = false);
}

-Tripwire also supports directives, with which you can define variables or rules for particular hosts or file systems, as well as global variables. This allows an administrator to create a single policy file to be used on several different hosts.
A section directive begins with @@section.
In a standard policy file you will have one section directive for the global variables, GLOBALS, and one for the Linux file system, FS.
The GLOBALS section defines the locations of Tripwire files and directories. The FS section sets the variables used for the different property sets, such as SEC_INVARIANT, which is assigned the properties +tpug to check type, permissions, user and group. It is used for files and directories that should never change. You will find the following entry in the twpol.txt file:

SEC_INVARIANT = +tpug;

-A variable is referenced by enclosing its name in parentheses preceded by the $ operator.
$(SEC_INVARIANT) is used as the property mask in several rules. The following example says that the /home directory itself should never change (note recurse = 0, which means directories under /home may still change):

/home -> $(SEC_INVARIANT) (recurse = 0);

The built-in variables are themselves assigned to other variables, some with certain qualifications.
In the following example, the ReadOnly properties are assigned to SEC_BIN:

SEC_BIN = $(ReadOnly); # binaries that should not change

Dynamic is used for configuration files, and Growing for log files.

SEC_CONFIG = $(Dynamic); # configuration files
SEC_LOG = $(Growing); # Files that grow (log files)

In addition, variables are defined for severity values: SIG_LOW, SIG_MED and SIG_HIGH for non-critical, moderately critical and severely critical violations.
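To see how these pieces fit together, here is an added example that is not part of the tutorial: a small Python parser for exactly the policy constructs described above (built-in variables, $(VAR) references, +/- property masks, attribute groups written as (attrs) { rules }, per-rule attributes, and @@section directives). It works out the effective set of properties Tripwire will compare for each rule and which attributes apply to it. The BUILTIN masks are my transcription of what the twpolicy(4) man page lists for the built-in variables and should be treated as an assumption to check against your own installation; the sample policy is constructed for this example from the tutorial's own fragments.

```python
# Added example, not part of Gigabite's tutorial: a parser for the policy constructs
# above ($(VAR) references, +/- property masks, (attrs) { rules } groups, @@section).
# ASSUMPTION: BUILTIN masks are transcribed from my reading of twpolicy(4);
# SAMPLE_POLICY is constructed for this example.
import re
from dataclasses import dataclass

BUILTIN = {  # property masks behind the built-in variables (assumed, see above)
    "ReadOnly": "+pinugtsdbmCM-rlacSH", "Dynamic": "+pinugtd-srlbamcCMSH",
    "Growing": "+pinugtdl-srbamcCMSH", "Device": "+pugsdr-intlbamcCMSH",
    "IgnoreAll": "-pinugtsdrlbamcCMSH", "IgnoreNone": "+pinugtsdrbamcCMSH-l",
}
PROPERTIES = set("abcdgilmnprstuCHMS")  # letters a property mask may contain
ATTRS = r"(?:[^()]|\([^()]*\))*"      # attribute list; may contain nested $(...)
# One alternative per kind of statement; the scanner matches at the current position.
STATEMENT = re.compile(rf"""
    (?P<section>@@section\s+(?P<sname>\w+))
  | (?P<group>\(\s*(?P<gattrs>{ATTRS})\)\s*\{{)
  | (?P<close>\}})
  | (?P<var>(?P<vname>\w+)\s*=\s*(?P<vval>[^;]+);)
  | (?P<rule>(?P<path>[^\s(){{}}=;]+)\s*->\s*(?P<mask>(?:\$\(\w+\)|[-+a-zA-Z\s])+?)
       \s*(?:\(\s*(?P<rattrs>{ATTRS})\))?\s*;)
""", re.X)

@dataclass
class Rule:
    section: str        # @@section in force when the rule was read
    path: str
    mask: str           # mask as written, e.g. "$(SEC_BIN) -M"
    attrs: dict         # group attributes, overridden by the rule's own
    checked: frozenset  # property letters Tripwire will actually compare

def expand(text, variables):
    """Replace every $(NAME) with its definition, recursively (KeyError if undefined)."""
    return re.sub(r"\$\((\w+)\)", lambda m: expand(variables[m.group(1)], variables), text)

def effective_properties(mask):
    """Walk a +/- string left to right; a later flag overrides an earlier one."""
    checked, adding = set(), True
    for ch in mask:
        if ch in "+-":
            adding = ch == "+"
        elif ch in PROPERTIES:
            (checked.add if adding else checked.discard)(ch)
        elif not ch.isspace():
            raise ValueError(f"unknown property flag {ch!r} in {mask!r}")
    return frozenset(checked)

def parse_attrs(text, variables):
    """'severity = $(SIG_HIGH), rulename = "x"' -> {'severity': '100', 'rulename': 'x'}"""
    return {k: expand(v.strip('"'), variables)
            for k, v in re.findall(r'(\w+)\s*=\s*("[^"]*"|[^,\s]+)', text)}

def parse_policy(text):
    """Return (variables, rules): rules is {path: Rule} in policy order."""
    text = re.sub(r"#[^\n]*", "", text)  # strip comments
    variables, rules, groups, section, pos = dict(BUILTIN), {}, [], None, 0
    while True:
        pos = re.compile(r"\s*").match(text, pos).end()  # skip whitespace
        if pos == len(text):
            break
        m = STATEMENT.match(text, pos)
        if not m:
            raise SyntaxError(f"cannot parse near {text[pos:pos + 40]!r}")
        pos = m.end()
        if m.group("section"):
            section = m.group("sname")
        elif m.group("group"):          # push the attributes shared by the block
            groups.append(parse_attrs(m.group("gattrs"), variables))
        elif m.group("close"):
            groups.pop()                # IndexError here means a stray '}'
        elif m.group("var"):
            variables[m.group("vname")] = m.group("vval").strip()
        else:
            attrs = {}
            for g in groups:            # outer group first; the rule's own attributes win
                attrs.update(g)
            attrs.update(parse_attrs(m.group("rattrs") or "", variables))
            mask = m.group("mask").strip()
            rules[m.group("path")] = Rule(section, m.group("path"), mask, attrs,
                                          effective_properties(expand(mask, variables)))
    if groups:
        raise SyntaxError("'{' without a matching '}'")
    return variables, rules

# Constructed sample policy, assembled from the fragments shown in the tutorial.
SAMPLE_POLICY = """
@@section GLOBALS
SIG_MED = 66;  SIG_HIGH = 100;
@@section FS
SEC_INVARIANT = +tpug;      # type, permissions, user, group: never change
SEC_BIN = $(ReadOnly);      # binaries that should not change
SEC_CONFIG = $(Dynamic);    # configuration files
SEC_LOG = $(Growing);       # files that grow (log files)
/home -> $(SEC_INVARIANT) (recurse = 0);
( rulename = "System binaries", severity = $(SIG_HIGH), emailto = "admin@example.com" )
{
  /usr/bin  -> $(SEC_BIN);
  /usr/sbin -> $(SEC_BIN) -M;   # same as above but skip the MD5 check
}
/etc/hosts -> $(SEC_CONFIG) (rulename = "Config files", severity = $(SIG_MED));
/var/log/messages -> $(SEC_LOG) (recurse = false);
"""
```

Running parse_policy(SAMPLE_POLICY) shows, for instance, that /usr/bin inherits rulename, severity (expanded to 100) and emailto from the enclosing group, that /usr/sbin checks the same properties as /usr/bin except the MD5 hash because the later -M overrides the M inside $(ReadOnly), and that /home is compared only on type, permissions, user and group with recurse = 0 attached. Reading a policy this way before signing it with twadmin is a cheap check that a mask or group really covers what you think it does.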

-The Tripwire configuration file, twcfg.txt, is usually already set up by your Linux distribution. It contains a number of Tripwire variables that you can modify if you wish. The DBFILE variable holds the location of the database file, REPORTFILE the location where reports are stored, and POLFILE the location of the policy file. SITEKEYFILE and LOCALKEYFILE specify the locations of your site and local key files.
The twinstall.sh script creates digitally signed configuration and policy files. To do this it prompts you for site and local passphrases. These passphrases are the passwords you will need to create the Tripwire database and to access Tripwire reports. You are then prompted for the site and local passphrases again to generate the configuration and policy files:

/etc/tripwire/twinstall.sh

twinstall.sh actually runs the siggen command to create your passphrases and then the twadmin command to create your policy and configuration files. If you later want to change the configuration or policy files, you can run twadmin directly without changing your passphrases. If you only want to change your passphrases, run the siggen command. To replace both files and both passphrases, just run twinstall.sh again.

-If you want to make changes to the Tripwire configuration file, edit /etc/tripwire/twcfg.txt and use it with the twadmin command to create a new signed tw.cfg file, as shown below:

twadmin --create-cfgfile /etc/tripwire/twcfg.txt

Gigabite

----- cut here -------------------------------------------------------------------------------------------

****EOF*****

-OK, this is the end of part 2 of this tutorial.
-Part 3 to follow soon (it will include changing the policy file).