Tripwire has several modes of operation, which include:
- Database initialization mode
- Test mode
- Check mode (report mode or interactive update mode)
- Database update mode
- Policy update mode
Before we can start using tripwire for intrusion detection, we have to create a baseline database against which it will compare filesystem parameters when run in check mode and report violations. Hence, once we have configured tripwire, we need to initialize its database.
To initialize tripwire and create a new database based on the current filesystem state, we can use:
tripwire --init --cfgfile /etc/tripwire/tw.cfg
Test mode is used to check whether the MAILMETHOD defined in the configuration file is working properly and whether tripwire is able to send email. To check whether tripwire can send email, we can use:
tripwire --test --email email@example.com
Once the tripwire database has been initialized, we can run tripwire in check mode to compare the current state of the filesystem with the parameters stored in the database. Any mismatches found are reported as violations.
When we run tripwire in check mode we have the option of updating the database interactively when the check finishes, so that we can specify which changes are legitimate rather than an intrusion and have them saved in the database, so that they are not reported again in future checks. When we use this mode we have to specify the editor we would like to use to mark which changes are ok, if no editor has been specified in the configuration file. This option is really useful because, if out of 10 violations we are sure that only 8 are legitimate, we can commit only those 8 changes to the database and leave the other 2 to be reported again until a proper analysis has been done.
To run tripwire so that it just reports problems and does not prompt us to update the database, we can use:
tripwire --check --cfgfile /etc/tripwire/tw.cfg --signed-report --email-report
This also ensures that the report is emailed to the address specified in the GLOBALEMAIL parameter in the configuration file.
- Do not use --verbose when running a check, otherwise tripwire tries to print each file being checked, which can reduce speed considerably, as terminal I/O is very expensive in terms of CPU usage (especially in a GUI login).
When tripwire runs in check mode it generates a tripwire report file with the extension '.twr' in the location specified in the configuration file. This report is very important: it is required if we want to update the database using database update mode so that the same changes are not reported again.
Note that since we have asked tripwire to generate a signed report, it will prompt us for the local key passphrase so that it can sign the report with the local key.
Interactive database update mode
We can run tripwire so that, after reporting problems, it prompts the user to specify which of the reported problems are not an intrusion, so that those changes can be committed to the database. In this mode tripwire opens the report in a text editor and puts '[x]' against each reported violation. If we are ok with the violation and do not want tripwire to report it again, we leave it as it is. If we are not sure about it and do not want the new filesystem state committed to the database, we remove the 'x' so that the line reads '[ ]'.
The command to run tripwire in this mode is:
tripwire --check --cfgfile /etc/tripwire/tw.cfg --signed-report --email-report --interactive --visual /bin/vi
- Since we have asked tripwire to generate a signed report and also to update the database, it will prompt us for the local key passphrase so that it can sign the report with the local key and also sign the updated database.
- Tripwire also has options for checking only files that belong to a particular section or rulename, have a specific severity level, lie under a given path, etc. Please refer to 'man tripwire' to learn about these other options.
Database update mode
If, after running tripwire in check mode, we feel that the reported changes are fine, or that some of them are fine and not a security threat, and we want to commit those changes to the database so that they do not get reported again, we can use this mode. It requires the output report ('.twr' file) from the last check, so that we can specify which of the reported violations may be committed to the database. Working from the report ensures that if an intrusion happens between the check and the update we do not end up accidentally updating the database without being notified of the event.
Even here we have two secure-mode options. Suppose we are monitoring the permissions of a file and the current database stores them as 700. Someone changes the permissions to 770, so this is reported as a violation and the information is recorded in the report file. Now, after we have run the check and before we update the database, if someone changes the permissions again, say to 777, and we update the database with this new value, then we will never be informed of that second change.
To avoid this type of intrusion or risk, tripwire accepts a parameter called 'secure-mode' which takes one of two values, 'low' and 'high'. If secure mode is high and, while updating the database, tripwire finds that the file has changed again after the last check, so that the new change is not present in the report file being used to update the database, then it quits without updating the database and shows an error message. If instead we use tripwire with the '--secure-mode low' option, it ignores the fact that the change to some other parameter of the file has not been reported in the last report and adds the current filesystem information for the file to the database.
To run tripwire so that all changes reported in a report file are committed without prompting, we can use:
tripwire --update --cfgfile /etc/tripwire/tw.cfg --accept-all --secure-mode high --twrfile <path_of_last_report>
However, if we want to commit only some of the reported changes and not all of them, we can use:
tripwire --update --cfgfile /etc/tripwire/tw.cfg --visual /bin/vi --secure-mode high --twrfile <path_of_last_report>
Policy update mode
When we update the tripwire policy, we not only need to create a new signed policy file 'tw.pol', we also need to update the tripwire database so that it contains values for the parameters that the new policy monitors, and at the same time the values of parameters/files which are no longer monitored under the new policy have to be pruned from the database.
Here too we have two secure modes, low and high. In high mode, if changes are detected in the filesystem compared to the values stored in the current database, the database is not updated to the new policy; the changes are first reported as violations, so that we can commit those changes to the database and then go about updating the policy. In low mode such changes are ignored and only a warning is generated.
To update the tripwire policy and, correspondingly, its database, we can use:
tripwire --update-policy --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --secure-mode high /etc/tripwire/twpol.txt
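The following Python model, added here as an illustration and not taken from tripwire's own source, replays the 700 -> 770 -> 777 scenario described under database update mode and the drift check described under policy update mode. It is deliberately reduced: it tracks a single attribute per file (the permission bits), stores the "database" and "report" as plain dictionaries, and does no signing; the function names, the files 'secret.conf' and 'added.conf', and the temporary directory are all constructed for the example. What it shows is the difference between '--secure-mode high' and '--secure-mode low' when a file changes again between the check and the update, and how a policy update behaves when a still-monitored file has drifted from the database.

```python
"""Illustrative model of tripwire's --secure-mode behaviour (added example;
not tripwire's own code).  One attribute per file, the permission bits,
stands in for the many properties tripwire actually compares."""
import os
import stat
import tempfile


def current_mode(path):
    """Permission bits of a file as an int (0o700, 0o770, ...)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def snapshot(paths):
    """Stand-in for the tripwire database: path -> recorded permission bits."""
    return {p: current_mode(p) for p in paths}


def check(db):
    """Stand-in for check mode: compare the filesystem with the database and
    return the violations.  Each entry keeps the database value and the value
    observed during the check; the observed value is what a '.twr' report
    carries forward to the update step."""
    report = {}
    for path, expected in db.items():
        observed = current_mode(path)
        if observed != expected:
            report[path] = {"expected": expected, "observed": observed}
    return report


def update_database(db, report, accepted, secure_mode):
    """Stand-in for database update mode.  'accepted' lists the report entries
    the operator left marked with [x].
    'high': if what is on disk is no longer what the report recorded (the file
    changed again after the check), refuse the update and keep the old database.
    'low': ignore that drift and store whatever is on disk now.
    Returns (status, database)."""
    if secure_mode not in ("high", "low"):
        raise ValueError("secure_mode must be 'high' or 'low'")
    new_db = dict(db)
    for path in accepted:
        on_disk = current_mode(path)
        if on_disk != report[path]["observed"] and secure_mode == "high":
            return "refused", db
        new_db[path] = on_disk
    return "updated", new_db


def update_policy(db, new_policy_paths, secure_mode):
    """Stand-in for policy update mode: re-baseline for a new set of monitored
    paths, pruning paths the new policy drops and adding paths it introduces.
    'high': drift between the filesystem and the database for a path that stays
    monitored is reported and the update is refused, so the operator commits
    those changes first.  'low': the drift is only warned about.
    Returns (status, database, drift)."""
    still_monitored = {p: v for p, v in db.items() if p in new_policy_paths}
    drift = check(still_monitored)
    if drift and secure_mode == "high":
        return "refused", db, drift
    return "updated", snapshot(new_policy_paths), drift


def demo():
    """Replay the 700 -> 770 -> 777 scenario from the text on constructed files
    in a temporary directory and return the outcomes of each mode."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.conf")   # constructed sample file
        newfile = os.path.join(tmp, "added.conf")   # constructed sample file
        for p in (secret, newfile):
            with open(p, "w") as fh:
                fh.write("constructed sample content\n")
        os.chmod(secret, 0o700)
        db = snapshot([secret])                     # baseline records 700
        os.chmod(secret, 0o770)
        report = check(db)                          # check reports 700 -> 770
        os.chmod(secret, 0o777)                     # changed again before update
        high = update_database(db, report, [secret], "high")
        low = update_database(db, report, [secret], "low")
        # Policy update while secret.conf still drifts from the database (700 vs 777).
        pol_high = update_policy(db, [secret, newfile], "high")
        pol_low = update_policy(db, [secret, newfile], "low")
        pol_pruned = update_policy(db, [newfile], "high")   # secret.conf dropped
        names = lambda d: sorted(os.path.basename(p) for p in d)
        return {
            "reported": report[secret],
            "high": (high[0], high[1][secret]),
            "low": (low[0], low[1][secret]),
            "policy_high": (pol_high[0], names(pol_high[1])),
            "policy_low": (pol_low[0], names(pol_low[1])),
            "policy_pruned": (pol_pruned[0], names(pol_pruned[1])),
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Running the block prints one line per outcome: the check reports 700 -> 770; the high-mode update refuses and the database still says 700, while the low-mode update silently stores 777; the high-mode policy update refuses while 'secret.conf' drifts, the low-mode one proceeds with a warning, and dropping 'secret.conf' from the policy prunes it and lets the update through.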
Complete information about tripwire is present in the man pages named 'twintro', 'tripwire', 'twconfig', 'twpolicy', 'twadmin', etc. Go through these pages to make sure that the information presented here matches the version of tripwire installed on the system.
We can print tripwire reports generated during previous checks using:
twprint --print-report --twrfile <path_to_report_file> --local-keyfile /etc/tripwire/<host>-local.key