Tripwire on FreeBSD

As a way to increase the overall level of security , I  added the tripwire port  to my FreeBSD system.  Tripwire detects changes to system files and directories by maintaining a database of the systems baseline, then by making comparisons to that baseline.  It employs one-way hash functions to fingerprint the objects in the baseline.  A hash will change if even a single bit is changed – for example, even if the file size remains the same, a change could be detected.  Tripwire calls this auditing capability integrity checking.  This has applications in intrusion detection, and also for configuration management of the system. For example, an intruder might want to change a file in /bin.  If a file in that location changes, I might want to know about it.  More to the point however, I’m likely to be the one changing files, and it’s good to watch a system to see what I changed, especially should the system go south…

Here’s an example… I have just updated the apache22 port, and with it changes to pcre, perl, and apache.  tripwire integrity check recorded 333 file modifications in /usr/local, 260 changes in X11R6  and 5 changes to /etc.   Most of the time, you don’t care, but it does provide an immediate overview how much change can go on.  There are environments where real-life auditors lurk about who demand to know that you know if a file change on the system, the name of the file, and when it changed.  They don’t care about the file.  What they want to know is whether you can answer the question.  This is where an anal retentive program like Tripwire comes in.  The ultimate question is whether it is good enough send the auditors off to go pound some sand elsewhere.

Installation is one thing.  Then how do you work it?  Testing.  Practical day to day implementation.  We’ll get to it.


Operations Loop
while ($forever) {
1) update / init the database to baseline –>  changes occur
2) change change change — wait for some period of time
3) integrity check –> validate that the new baseline and take appropriate action

portmaster security/tripwire

After installation I tried an edit of the policy file, then updated the policy.  I got errors for reasons I don’t totally understand.  However I could get the policy reset consitently by setting the -secure-mode to low during a policy update.  So edit the policy file and update the policy .  This tunes the dirs and files  tripwire monitors for changes.  The policy file has a rather complex format which bears a read of available documentation, which seems to be somewhat meager.

tripwire -m p –secure-mode low policy.txt

To run an integrity check – produces a report:

tripwire -m c

jasraFreeBSD# tripwire -m c
Parsing policy file: /usr/local/etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check…
Wrote report file: /var/db/tripwire/report/jasraFreeBSD.peteraiea.hi-20120216-231845.twr

Open Source Tripwire(R) Integrity Check Report

Report generated by:          root
Report created on:            Thu Feb 16 23:18:45 2012
Database last updated on:     Never

Report Summary:

Host name:                    jasraFreeBSD.peteraiea.hi
Host IP address:    
Host ID:                      None
Policy file used:             /usr/local/etc/tripwire/tw.pol
Configuration file used:      /usr/local/etc/tripwire/tw.cfg
Database file used:           /var/db/tripwire/jasraFreeBSD.peteraiea.hi.twd
Command line used:            tripwire -m c

Rule Summary:

  Section: Unix File System

  Rule Name                       Severity Level    Added    Removed  Modified
  ———                       ————–    —–    ——-  ——–
  Invariant Directories           66                0        0        0        
  Tripwire Data Files             100               0        0        0        
  Temporary directories           33                0        0        0        
  Local files                     66                0        0        0        
  Tripwire Binaries               100               0        0        0        
  System Administration Programs  100               0        0        0        
  User Utilities                  100               0        0        0        
  Libraries, include files, and other system files
                                  100               0        0        0        
  X11R6                           100               0        0        0        
  NIS                             100               0        0        0        
  /etc                            100               0        0        0        
  Security Control                100               0        0        0        
* Root’s home                     100               0        0        1        
  FreeBSD Kernel                  100               0        0        0        
  Linux Compatibility             100               0        0        0        

Total objects scanned:  26966
Total violations found:  1

Object Summary:

# Section: Unix File System

Rule Name: Root’s home (/root)
Severity Level: 100


Error Report:

No Errors

*** End of report ***

To initialize the database — which I think resets the baseline.   So after a bunch of changes are detected (e.g. you updated the ports or patched),  re-init so that this becomes the new baseline.

tripwire -m i  

I’m not sure what the updating mode does.  I get an error in updating

tripwire -m u

jasraFreeBSD# tripwire -m u
### Error: File could not be opened.
### Filename:
### /var/db/tripwire/report/jasraFreeBSD.peteraiea.hi-20120216-231207.twr
### No such file or directory
### Exiting…



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: