The Tripwire Tutorial 1.0 part 1 by: Gigabite

  1. #1
    Member
    Join Date
    Oct 2003
    Posts
    85

    The Tripwire Tutorial 1.0 part 1 by: Gigabite

    Hello everyone.
    I was learning about Tripwire and thought to share what I have learnt with you.
    All suggestions and comments are welcome.
    Hope that it will be useful for you.
    So let's start the tutorial.

    *** BOF ***

    ----- cut here -------------------------------------------------------------------------------------------

    COPYRIGHT

    Copyright (C) 2003 Gigabite All rights reserved.

    You may distribute this tutorial freely, as long as no changes are made to the document. The copyright, disclaimer and the signature MUST be included with the document.

    DISCLAIMER

    Although I have taken every precaution in the preparation of this tutorial, I will assume no responsibility for errors or omissions. Neither is any liability assumed for the information contained herein.

    PLEASE IF YOU FIND THE TUTORIAL USEFUL, GIVE ME CREDIT BY GIVING ME GREENIES

    ------------------------------------------------------------------------------------------------------------

    THE TRIPWIRE TUTORIAL BY: Gigabite
    ==========================

    Introduction

    -When someone breaks into a system, they will usually try to gain control by making their own changes to system administration files, such as password files. They could simply change the root user password or replace entire programs, such as the login program, with their own version. One method of detecting such actions is to use an integrity checking tool like Tripwire to detect any changes to system administration files.

    -An integrity checking tool works by first creating a database of unique identifiers for each file or program to be checked. These can include features such as permissions and file size, but also, more importantly, checksum numbers generated by encryption algorithms from the file's contents. For example, in Tripwire, the default identifiers are checksum numbers created by algorithms like the MD5 modification digest algorithm and Snefru (Xerox secure hash algorithm).
    An encrypted value that provides such a unique identification of a file is known as a signature. In effect, a signature provides an accurate snapshot of the contents of a file. Files and programs are then periodically checked by generating their identifiers again and matching them with those in the database. Tripwire will generate signatures of the current files and programs and match them against the values previously generated for its database. Any differences are noted as changes to the file, and Tripwire then notifies you of the changes.

    Tripwire Configuration

    -For Tripwire configuration, you have to generate a configuration file and a policy file. These files are generated by the twinstall.sh script. If you just want to use the standard configuration, you can generate the files immediately by running the twinstall.sh script.

    -If you want to customize your configuration and policy files, you will have to first modify their editable versions in the /etc/tripwire directory. There are two versions of these files. One is a .txt file that you can edit, and the other is generated by the twinstall.sh script using the .txt file. The configuration file specifies the Tripwire application directories and files, such as the directory where the Tripwire database is placed and reports are stored.
    twcfg.txt is the editable version of the configuration file. This file will already include the standard administrative files. You can edit this file to add any files of your own. The policy file holds the files, programs and directories that you want Tripwire to check. The twpol.txt file is its editable version. Once you have made the changes you want, you can then use the twinstall.sh script to generate the tw.cfg and tw.pol files.

    - The Tripwire policy file holds rules used to determine what files and programs to monitor and how they are checked. Rules consist of an object and a property mask. An object is either a directory or file and its entry in the rule consists of the full pathname for that file or directory. The property mask is a list of the object's properties to be checked, such as size, permissions, or a checksum value like MD5. The object and property mask are separated by a -> symbol, and the entire rule is terminated by a semicolon. You can only have one rule per object. The property mask is a series of single-character codes denoting different file and directory features, such as p for permissions, s for size, t for type and M for MD5 value. You can specify whether a property is to be checked or not with the + and - signs. +p says to check an object's permissions, -p says not to. For example, the file /Gigabite/myfile will have its permissions and size checked by the following:

    /Gigabite/myfile -> +ps;

    Tripwire Commands and Files

    tripwire                      Initializes and performs integrity checking.
    twadmin                       Administrates Tripwire configuration and policy files, as well as Tripwire encryption keys.
    twprint                       Prints and displays Tripwire database and reports.
    siggen                        Generates new passphrases.
    twinstall.sh                  Generates keys and encrypted configuration and policy files.
    /etc/tripwire/tw.cfg          Encrypted Tripwire configuration file.
    /etc/tripwire/tw.pol          Encrypted Tripwire policy file.
    /etc/tripwire/twcfg.txt       Plain text Tripwire configuration file (editable).
    /etc/tripwire/twpol.txt       Plain text Tripwire policy file (editable).
    /var/lib/tripwire/report      Holds Tripwire reports.
    /var/lib/tripwire             Holds Tripwire databases.

    Gigabite

    ----- cut here -------------------------------------------------------------------------------------------

    *** EOF ***

    Hope you enjoyed the tutorial and learnt something.
    Part two to follow soon.

    The FACT that people ignore FACTS
    doesn't mean that FACTS are not FACTS
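The policy rule syntax (object -> property mask, one rule per object, + and - codes) and the baseline-then-compare integrity check described in the tutorial above, as an added example that is not part of the original post or of Tripwire itself: a small Python model that parses rules in that syntax, records only the requested properties as a signature, and reports which properties changed. Only the p, s, t and M codes are modelled, and the file and policy used in demo() are constructed for the illustration.

```python
import hashlib, os, pathlib, re, stat, tempfile

# Rule syntax from the tutorial: "<object> -> <mask>;" (mask = +/- signs and codes).
RULE_RE = re.compile(r"^\s*(\S+)\s*->\s*([+\-a-zA-Z]+)\s*;\s*$")
CODES = {"p": "permissions", "s": "size", "t": "type", "M": "md5"}  # codes modelled

def parse_policy(text):
    """Parse rules into {object: set of property names}; one rule per object."""
    policy = {}
    for line in filter(str.strip, text.splitlines()):   # skip blank lines
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("malformed rule: %r" % line)
        obj, mask = m.groups()
        if obj in policy:
            raise ValueError("only one rule per object: %s" % obj)
        sign, props = "+", set()
        for ch in mask:
            if ch in "+-":
                sign = ch                    # applies to the codes that follow it
            elif ch in CODES:
                (props.add if sign == "+" else props.discard)(CODES[ch])
            else:
                raise ValueError("unknown property code %r" % ch)
        policy[obj] = props
    return policy

def signature(path, props):
    """Record only the properties the rule asks for (the object's signature)."""
    st, sig = os.lstat(path), {}
    if "permissions" in props: sig["permissions"] = stat.S_IMODE(st.st_mode)
    if "size" in props: sig["size"] = st.st_size
    if "type" in props: sig["type"] = stat.S_IFMT(st.st_mode)
    if "md5" in props:
        with open(path, "rb") as f:
            sig["md5"] = hashlib.md5(f.read()).hexdigest()
    return sig

def check(policy, db):
    # Re-sign every object against the baseline db -> {object: changed properties}
    diffs = {obj: sorted(k for k, v in signature(obj, props).items() if v != db[obj].get(k))
             for obj, props in policy.items()}
    return {obj: d for obj, d in diffs.items() if d}

def demo():
    # Constructed scenario: baseline a temp file, then tamper with its contents
    path = pathlib.Path(tempfile.mkdtemp()) / "myfile"
    path.write_text("root:x:0:0\n")
    policy = parse_policy("%s -> +psM-t;\n" % path)   # the tutorial's +ps plus MD5
    db = {obj: signature(obj, props) for obj, props in policy.items()}  # baseline
    path.write_text("root:x:0:0\nevil:x:0:0\n")       # contents and size change
    return check(policy, db)[str(path)]               # -> ['md5', 'size']
```

A real Tripwire report would also show the unchanged permissions as passing; here only the properties that differ from the baseline are returned.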

  2. #2
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    [edit]
    -For Tripwire configuration, you have to generate a configuration file and a policy file. These files are generated by the twinstall.sh script. If you just want to use the standard configuration, you can generate the files immediately by running the twinstall.sh script.
    or how to check it
    I didn't know that it was generated by default. I was always going back and doing the tripwire --init.
    Cool! One less step.

    [/edit]

    check your system

    tripwire --check

    how to update the database

    tripwire --update

    how to update the tripwire policy

    tripwire --update-policy

    to test it

    tripwire --test --emailaddress

    ------------------------------------------

    Good tutorial on the basics though. I use it too. Its very useful.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  3. #3
    Member
    Join Date
    Oct 2003
    Posts
    85
    That was to come in part two of the tutorial, anyway thanks for the comment.

    The FACT that people ignore FACTS
    doesn't mean that FACTS are not FACTS

  4. #4
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    Ah, I read it so quickly that I didn't see you had a part two coming....

    Sorry bout that.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,019
    Nice tut...I wanted to add I found some older versions still available:

    http://www.alltheweb.com/search?avkw...&q=tripwire+nt
  6. #6
    Senior Member n01100110
    Join Date
    Jan 2002
    Posts
    352
    Can't wait to read part II......
    "Serenity is not the absence of conflict, but the ability to cope with it."
