Working solution tested on Ubuntu 14.04.3, but probably applies to other Debian-based Linux flavors and most certainly to Red Hat.
If you apply it satisfactorily on a yet untested platform, add a short comment to that effect.
'Probably' above means reports on the net show equivalent steps on RH Linux and I think on Lubuntu too.
Steps start after completion of a regular tripwire package install from yr favorite repo.
References:
Man pages at TRIPWIRE(8) and TWADMIN(8), the Official Red Hat Linux Reference Guide, the Linux Security Cookbook.
$ uname -sivr
Linux 3.16.0-50-generic #67~14.04.1-Ubuntu SMP [...] x86_64
$ tripwire --version | head -1
Open Source Tripwire(R) 2.4.2.2.2 built for x86_64-unknown-linux-gnu
After installation of the package, the /etc/tripwire/ directory is created on the system. It contains at least 2 default files: twcfg.txt and twpol.txt. Additionally it may contain a local key, ${HOSTNAME}-local.key or just local.key, and a site key, site.key, if you elected to create them by choosing appropriate pass-phrases at installation time.
First, pick your new location for local and site keys, configuration and policy files, as well as reports and database files.
Say you decide to change the default /etc/tripwire/ install location to a mountable device at mount point /mnt/TW-mount/:
$ sudo mkdir -p /mnt/TW-mount
$ sudo mount /dev/sdZZ /mnt/TW-mount && sudo mkdir -p /mnt/TW-mount/report
$ sudo mv /etc/tripwire/*.{txt,key} /mnt/TW-mount/
Replace sdZZ in the mounting instruction above with the correct device info.
In choosing a new location, bear in mind that the TW database for a typical Debian-based Linux desktop will occupy anywhere from 1.5 to 4MB. Also TW reports are produced at every run and accumulate. Do not expect them to nicely start rotating on their own for your sake. Albeit small at less than 10kB apiece (after the policy file has been suitably modified to conform to your system's configuration), those accumulating reports will eventually require intervention in the form of rotation or cleanup after a few months of daily TW checks.
Second, modify /etc/tripwire/twcfg.txt as follows:
(Default settings are commented out. New settings are placed directly beneath them. Relevant lines extend from POLFILE to LOCALKEYFILE. Other flag and global variable values may differ for you.)
# /etc/tripwire/twcfg.txt --> moved to: /mnt/TW-mount/twcfg.txt
ROOT =/usr/sbin
# POLFILE =/etc/tripwire/tw.pol
POLFILE =/mnt/TW-mount/tw.pol
# DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
DBFILE =/mnt/TW-mount/$(HOSTNAME).twd
# REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
REPORTFILE =/mnt/TW-mount/report/$(HOSTNAME)-$(DATE).twr
# SITEKEYFILE =/etc/tripwire/site.key
SITEKEYFILE =/mnt/TW-mount/site.key
# LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
LOCALKEYFILE =/mnt/TW-mount/$(HOSTNAME)-local.key
# /usr/bin/editor points to vim.gnome -- check yr own symlink
EDITOR =/usr/bin/editor
# LATEPROMPTING =false
LATEPROMPTING =true
# LOOSEDIRECTORYCHECKING =false
LOOSEDIRECTORYCHECKING =true
# MAILNOVIOLATIONS =true
MAILNOVIOLATIONS =false
EMAILREPORTLEVEL =3
REPORTLEVEL =3
SYSLOGREPORTING =false
MAILMETHOD =SMTP
# SMTPHOST =localhost
SMTPHOST =smtp.gmail.com
# SMTPPORT =25
SMTPPORT =587
TEMPDIRECTORY =/tmp
Third, /mnt/TW-mount/twpol.txt actually overrides certain paths set above; you also need to modify it (only relevant lines are shown):
# Standard Debian Tripwire configuration - twpol.txt
# ....
# Global Variable Definitions
#
@@section GLOBAL
TWBIN = /usr/sbin;
# TWETC = /etc/tripwire;
TWETC = /mnt/TW-mount;
# TWVAR = /var/lib/tripwire;
TWVAR = /mnt/TW-mount;
Fourth, if you have already created your key files, skip to the fifth section; if not, do so now:
$ sudo twadmin -m G -S /mnt/TW-mount/site.key # to create yr site key
$ sudo twadmin -m G -L /mnt/TW-mount/${HOSTNAME}-local.key # to create yr local key
Fifth, create and sign your configuration and policy file: tw.cfg, tw.pol at /mnt/TW-mount/:
$ cd /mnt/TW-mount
$ sudo twadmin -m F -c /mnt/TW-mount/tw.cfg -S site.key twcfg.txt
$ sudo twadmin -m P -c /mnt/TW-mount/tw.cfg -p tw.pol -S site.key twpol.txt
Note: The configuration file tw.cfg is referenced with its absolute path in the above. If not, twadmin will actually create it in its default location, /etc/tripwire/, and also refer to it as being at that same default location. This is probably a hard-coded bug that affects no other relevant files such as tw.pol, *.key and *.tw{d,r} files. Fixing the source code probably involves sed in-place string manipulations before compiling. I chose to work from an already packaged resource and did not get to that.
Sixth, create or "initialize" yr database:
$ sudo tripwire -m i -c /mnt/TW-mount/tw.cfg -p tw.pol -S site.key -L ${HOSTNAME}-local.key
and run yr first (interactive) check:
$ sudo tripwire -m c -c /mnt/TW-mount/tw.cfg -I
Note that, normally, the (interactive) check is run so: sudo tripwire -m c -I where the -I flag ensures interactivity. If you change the default location for your tripwire resources, and because of the purported bug referenced above, you will always need to declare where the signed config file to be used is located. For that you use the short option -c /mnt/TW-mount/tw.cfg. If omitted, you get the default location behavior:
$ sudo tripwire -m c -I
### Error: File could not be opened.
### Filename: /etc/tripwire/tw.cfg
### No such file or directory
### Configuration file could not be read.
### Exiting...
$
Last, before opening for business:
$ sudo rm -i /mnt/TW-mount/*txt
$ sudo chmod 600 /mnt/TW-mount/*.key
$ sudo umount /mnt/TW-mount && sudo mount /dev/sdZZ /mnt/TW-mount -o ro,nouser,...
HTH.
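
A pre-signing check for the second step, added here as an example (it is not part of the original answer or of Tripwire): it reports any of the five path settings in twcfg.txt that is missing or still points outside the new location. The function name check_tw_paths and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Usage: check_tw_paths CFG NEWROOT   (CFG may be "-" to read stdin)
# Returns 0 only if all five path settings exist and live under NEWROOT.
check_tw_paths() {
    awk -v root="${2%/}/" '
        BEGIN { n = split("POLFILE DBFILE REPORTFILE SITEKEYFILE LOCALKEYFILE", keys, " ") }
        /^[ \t]*#/ { next }                      # commented-out defaults are ignored
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            for (i = 1; i <= n; i++) {
                if (k != keys[i]) continue
                seen[k] = 1
                if (index(v, root) == 1) print "OK      " k "=" v
                else { print "STALE   " k "=" v; bad = 1 }
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(keys[i] in seen)) { print "MISSING " keys[i]; bad = 1 }
            exit bad + 0
        }' "$1"
}

# Constructed sample: REPORTFILE was left at its default and
# LOCALKEYFILE survives only as a commented-out line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ROOT          =/usr/sbin
# POLFILE     =/etc/tripwire/tw.pol
POLFILE       =/mnt/TW-mount/tw.pol
DBFILE        =/mnt/TW-mount/$(HOSTNAME).twd
REPORTFILE    =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE   =/mnt/TW-mount/site.key
# LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
EOF
check_tw_paths "$sample" /mnt/TW-mount || echo "fix twcfg.txt before signing"
```

Once the clear-text files have been removed in the last step, the same check can read the signed file through twadmin's print mode: sudo twadmin -m f -c /mnt/TW-mount/tw.cfg | check_tw_paths - /mnt/TW-mount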