35 System Hardening – Tripwire HIDS

Tripwire is a Host-based Intrusion Detection System (HIDS) that can monitor for unauthorized file and directory modification on local systems. By recording specific aspects of a file (such as its hash, timestamp of last modification, and permissions), Tripwire will create an encrypted database to use as a baseline reference when cross-checking files for changes. If any discrepancies are found, this program will generate a report of its findings and alert the administrator.

In this chapter, you will learn how to integrate Tripwire on a stand-alone Ubuntu server environment, set up custom rulesets, monitor for intrusion attempts, and finally automate the process with scheduled scans. In the context of cybersecurity, Tripwire should be considered a last line of defense in a well-layered security environment. It is intended to work in unison with other security measures such as firewalls and backup servers. Remember, HID systems can only alert to suspicious activity, they cannot prevent damage from taking place.

Estimated time for completion: 50 minutes

Learning Objectives

• Successfully  install Tripwire and Postfix
• Modify and integrate Tripwire configuration on a Linux Host
• Write policy files to protect critical systems
• Detect modifications to critical systems
• Automate timed scans using Crond

PREREQUISITES

• Chapter 7-Create a Linux Server

DELIVERABLES

• Screenshot of Tripwire database
• Screenshot of Tripwire scan showing no errors
• Screenshot of Tripwire scan working showing a policy violation
• Screenshot of crontab with scheduled Tripwire job

RESOURCES

• Tripwire is a very well documented program. If you are interested in learning more about it beyond what this lab offers, consider looking through its man pages. This is also a good resource to use for troubleshooting!
  • twintro Linux man page – https://linux.die.net/man/8/twintro
  • twfiles Linux man page – https://linux.die.net/man/5/twfiles
  • tripwire Linux man page – https://linux.die.net/man/8/tripwire
  • twpolicy Linux man page – https://linux.die.net/man/4/twpolicy
  • twadmin Linux man page – https://linux.die.net/man/8/twadmin
  • twconfig Linux man page – https://linux.die.net/man/4/twconfig
  • twprint Linux man page – https://linux.die.net/man/8/twprint

CONTRIBUTORS AND TESTERS

• Kyle Wheaton, Cybersecurity Student, ERAU-Prescott
• Mahalia Phillips, Cybersecurity Student, ERAU-Prescott

1. Start a Ubuntu Server VM and log as root

   NOTE: Ensure your VM has internet connection by modifying the the network settings in VirtualBox. Ensure that it is attached to NAT and that Cable Connected is selected.

   

2. From the terminal, update your package list and install the Tripwire

   > apt update && apt install tripwire -y

   1. In the Postfix Configuration page, use the arrow keys to highlight No configuration and press Tab to select Ok (Figure 2)

      NOTE: Since Tripwire has a built-in email notification system used to send updates when reports are generated, the Postfix mail server will also be installed. However, email configuration is beyond the scope of this lab (for now).

   2. When prompted if you wish to create your site key passphrase, press Tab to select No (Figure 3)

      NOTE: We do not want to create the keys at this stage, for they will temporarily be stored, unencrypted, in memory.

   3. When prompted if you wish to create you local key passphrase, press Tab to select No (Figure 4)
   4. Enter Ok after Tripwire has been installed (Figure 5)

      NOTE: At any time you may use the following command to return to the Tripwire configurator:

      > dpkg-reconfigure tripwire

3. To confirm Tripwire was successfully installed, you should now see the following files in the newly created /etc/tripwire directory
   

   

4. By default, processes in Linux typically use /tmp to store short-lived data. For enhanced security, it is recommended to create a new directory with more restrictive permissions for Tripwire to use
   1. Create directory called tmp in /var/lib/tripwire

      > mkdir /var/lib/tripwire/tmp

   2. Modify its default permissions such that only the owner (root) has read, write, and execute (rwx) privileges

      > chmod 700 /var/lib/tripwire/tmp

      

5.  Navigate back to the primary Tripwire configuration directory

   > cd /etc/tripwire

6. Since we didn’t do this during installation, create new encryption keys
   1. Generate a new local key

      > twadmin -\-generate-keys -L $HOSTNAME-local.key -K 2048

      Switch	Description
      –generate-keys	Sets twadmin to “generate keys” mode.
      -L	Specifies the file name and location of the local key.
      -K	Specifies the key size to 2048 bits.

   2. Generate a new site key

      > twadmin -\-generate-keys -S site.key -K 2048

   3. Secure both files such that only root has read and write (rw-) permissions

      > chmod 600 /etc/tripwire/*.key

      

1. Ensure that you are still in the /etc/tripwire directory
2. Create a new Tripwire configuration file
   1. Modify the information in the file twcfg.txt with the following changes
      

      

   2. Using our site key and twcfg.txt, create, encode, and save a new configuration file

      > twadmin -\-create-cfgfile -S site.key twcfg.txt

3. Create a new policy file to monitor /etc/passwd and /etc/shadow

   NOTE: Although Tripwire provides us with a pre-made policy file (twpol.txt) that works pretty well out of the box, it’s too complicated for the scope of this lab. Therefore, we will create a new, smaller policy file with rules that will specifically monitor /etc/password and /etc/shadow. These files are critical to Linux security and should never be changed unless an administrator adds or removes users from the system, which makes them perfect for testing.

   1. Open a new text file called new_policy.txt
   2. Populate the file with the following information
      

      

   3. Using our site key and new_policy.txt, create, encode, and save a new policy file

      > twadmin -\-create-polfile -S site.key new_policy.txt

4. Now that everything is setup, you should now have the following files listed in /etc/tripwire
   

   

   NOTE: When wanting to update or edit the config the same command can be used. When editing the policy file a different command must be used

   > tripwire -\-update-policy policy.txt

1. Initialize a new Tripwire database

   NOTE: The database is stored as a .twd file in the /var/lib/tripwire directory.

   > tripwire -\-init

2. Verify that the database was created and monitoring the correct files
   1. Print the database in plaintext format

      > twprint -\-print-dbfile | less

   2. Database Summary

      Under Database Summary, you should see information such as the configuration files used to generate it, the command used to initialize it, and some basic data about the host machine.

      

   3. Object Summary

      The Object Summary section gives a general overview of the objects to monitor. You should have two entries here.

      

   4. Object Detail

      Finally, Object Detail lists every attribute (property) that is recorded for each monitored object. When an integrity check is performed, these same attributes are compared against the expected values, as shown in the right column.

      

1. Perform an integrity check on the machine

   > tripwire -\-check

   1. View the report that was generated in /var/lib/tripwire/report
      

      NOTE: As specified in our configuration file, reports are labeled based on the machine’s hostname and time the scan was conducted.

      > twprint -\-print-report -r ubuntuserver-20240530-210804.twr | less

   2. You should notice in the Rule Summary section that both files were scanned with no (hopefully) violations
      

      

2. Test Tripwire’s intrusion detection capabilities
   1. To simulate a malicious breach on our system, modify the permissions of /etc/password so that everyone has read and write access to the file

      > chmod 777 /etc/passwd

      

   2. Use Tripwire to re-scan the system

      NOTE: The interactive switch allows us to go through potential violations and choose whether or not to update the database with the new values. In this example, since we set the EDITOR value to /usr/bin/vi in the configuration file in Phase II, the editor program will be vi.

      > tripwire -\-check -\-interactive

   3. Under Rule Summary, we should see that 1 violation was found
      

      

   4. Under Object Detail, we can see exactly what properties have changed. Notice how the Inode number, mode (privileges), and modify timestamps are all marked with an asterisk (*), denoting that the observed values are different from the expected
      

      

   5. Under Object Summary, remove the X next to /etc/passwd to prevent the database from updating its “excepted values” with the new “observed values”

      NOTE: Leave the X there if you want to update the database with acceptable changes.

      

   6. Save and exit the editor
3. Fix the violation and update the database
   1. Change the permissions of /etc/passwd back its default value

      > chmod 644 /etc/passwd

   2. Re-scan the system

      > tripwire -\-check -\-interactive

   3. Now that the permissions are fixed, there will (hopefully) be no further violations
      

      

   4. Save and exit the editor

Phase V – Automating Tripwire Scans with Cron

Now that we know how to configure Tripwire, set policies, and scan for violations of those policies, let’s automate the process with cron! This is a simple program that is pre-installed on most Linux distributions and can run scheduled tasks (e.g. commands and scripts) at user-defined times. To quickly summarize the jargon here, tasks in cron are called jobs which is stored in a cron table (or crontab). Each user can have their own crontabs, including root.

Jobs in cron are fairly easy to setup. The basic format is:

* * * * * username command

As illustrated in the figure below, each asterisk represents a specific time or date.

For example, this task can be translated to “At 5:01 on Monday in April, print ‘Hello World’ to the screen.” A good resource to use for properly scheduling jobs is https://crontab.guru.

1 5 * 4 1 root echo “Hello world”

1. Still logged in as root, list your current crontab

   > crontab -l

   

2. Edit your crontab to add a new job

   > crontab -e

   NOTE: You may be prompted to select an editor. Choose whichever you feel the most comfortable using.

   1.  Schedule Tripwire to execute an integrity scan 2 minutes from now

      NOTE: At the time of writing this, the current time is 23:32, so the command below is for 23:34. You can use the date command to determine your system’s current time.

      34 23 * * * tripwire -\-check

   2. Save and exit the editor
3. Reprint your crontab to verify it was saved (Figure 23)

   > crontab -l

4. Check your tripwire report folder to verify that cron is working

   > ls -l /var/lib/tripwire/report

   NOTE: Notice how the report shown below has the time marked as 23:34.01.

   

Congratulations! You were successfully able to implement and automate a host-based intrusion detection system!

End of Lab

Figures for printed version