Tag: Debian

  • Update Tripwire policy

    It’s pretty simple really.

    Just run this:

    sudo twadmin -m p > twpol.txt

  • Update Tripwire

    OK, only waited a few months before adding this!

    I’d recommend not doing this as root, as if you do, the root directory modification time will change as you modify twpol.txt. Also twpol.txt will change as you modify it.

    All of this means you’ll have to run 1-3 before you can run 4. And tripwire takes ages to run. Besides, you should be using sudo anyway (you are, right?!).

    1. Validate current policy

    sudo tripwire -m c

    2. Find the latest tripwire log

    sudo ls -lt /var/lib/tripwire/report/*.twr | head -1

    3. Use that to update the database

    sudo tripwire -m u -r <above file>

    4. Then update policy

    sudo tripwire -m p twpol.txt

    You should see this:

    Parsing policy file: twpol.txt
    Please enter your local passphrase:
    Please enter your site passphrase:
    ========
    Policy Update: Processing section Unix File System.
    ========
    Step 1: Gathering information for the new policy.
    The object: "/lib/init/rw" is on a different file system...ignoring.
    The object: "/dev/.static/dev" is on a different file system...ignoring.
    The object: "/dev/pts" is on a different file system...ignoring.
    The object: "/dev/shm" is on a different file system...ignoring.
    The object: "/proc/bus/usb" is on a different file system...ignoring.
    ========
    Step 2: Updating the database with new objects.
    ========
    Step 3: Pruning unneeded objects from the database.
    Wrote policy file: /etc/tripwire/tw.pol
    Wrote database file: /var/lib/tripwire/web-proxy.twd

    5. After the policy is accepted you need to run steps 1-3 again.
    This is because if you don’t and want to make further changes you’ll see stuff like this:

    ========
    Policy Update: Processing section Unix File System.
    ========
    Step 1: Gathering information for the new policy.
    The object: "/lib/init/rw" is on a different file system...ignoring.
    The object: "/dev/.static/dev" is on a different file system...ignoring.
    The object: "/dev/pts" is on a different file system...ignoring.
    The object: "/dev/shm" is on a different file system...ignoring.
    The object: "/proc/bus/usb" is on a different file system...ignoring.
    ### Error: Policy Update Added Object.
    ### An object has been added since the database was last updated.
    ### Object name: /etc/tripwire/tw.pol.bak
    ### Error: Policy Update Changed Object.
    ### An object has been changed since the database was last updated.
    ### Object name: Conflicting properties for object /etc/tripwire
    ### > Size
    ### > Modify Time
    ### Error: Policy Update Changed Object.
    ### An object has been changed since the database was last updated.
    ### Object name: Conflicting properties for object /etc/tripwire/tw.pol
    ### > Modify Time
    ### > CRC32
    ### > MD5
    ========
    Step 2: Updating the database with new objects.
    ========
    Step 3: Pruning unneeded objects from the database.
    Policy update failed; policy and database files were not altered.

    This is because tripwire hasn’t captured the changes caused by the policy change.

    This might also be useful (I login as a normal user to do administration, so I want to do all of these sudo’d). This script allows me to run a report, and then use that generated report to update the database.

    I call the script update_tripwire.bash

    #!/bin/bash
    # Run an integrity check (writes a new report under /var/lib/tripwire/report),
    # then accept the newest report into the database.
    # No "set -e" here: tripwire -m c exits non-zero whenever it finds violations,
    # which is exactly the case in which the update is wanted.
    sudo tripwire -m c
    # /bin/ls rather than ls, so a user alias (e.g. ls --color) cannot pollute the output.
    sudo tripwire -m u -r "$(/bin/ls -t /var/lib/tripwire/report/*.twr | head -n 1)"
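    The whole cycle above (steps 1 to 3, the policy update, then steps 1 to 3 again) collected into one script, as an added example that is not the post’s own update_tripwire.bash. It assumes Debian’s /var/lib/tripwire/report path (TRIPWIRE_REPORT_DIR is an assumed override, used so the report-selection logic can be exercised on a scratch directory), that tripwire and twprint are installed, and that you run it as a normal user with sudo. It adds two things the one-liner lacks: a check that a report actually exists before `tripwire -m u -r` is given its argument, and a look at the report’s contents before every listed change is folded into the database.

```shell
#!/bin/sh
# Added example, not the post's script: check -> review -> accept -> update
# policy -> check/review/accept again, with report selection made safe when
# no report exists. Assumes Debian paths; TRIPWIRE_REPORT_DIR is an assumed
# override used for testing on a scratch directory.
set -eu

REPORT_DIR="${TRIPWIRE_REPORT_DIR:-/var/lib/tripwire/report}"

# Print the newest *.twr report in DIR, or fail with a message if there is none.
# The bare `$(ls -t ... | head -1)` idiom would otherwise hand `tripwire -m u -r`
# an empty argument.
latest_report() {
    dir="$1"
    # ls -t lists newest first; stderr is dropped because an unmatched glob
    # makes ls complain about the literal pattern instead of a file.
    newest=$(ls -t "$dir"/*.twr 2>/dev/null | head -n 1)
    if [ -z "$newest" ] || [ ! -f "$newest" ]; then
        echo "no Tripwire report in $dir; run 'tripwire -m c' first" >&2
        return 1
    fi
    printf '%s\n' "$newest"
}

# Steps 1 to 3 from the post. tripwire -m c exits non-zero when it finds
# violations, which is the expected outcome here, so its status is not fatal.
accept_current_state() {
    sudo tripwire -m c || echo "integrity check reported changes" >&2
    report=$(latest_report "$REPORT_DIR")
    # Read the report before accepting it: -m u folds every listed change into
    # the database, including any you did not make yourself.
    sudo twprint -m r -r "$report"
    printf 'Accept all changes in %s into the database? [y/N] ' "$report"
    read -r answer
    [ "$answer" = y ] || { echo "not updating database" >&2; return 1; }
    sudo tripwire -m u -r "$report"
}

# Step 4 followed by step 5: the policy update rewrites /etc/tripwire/tw.pol
# and leaves tw.pol.bak behind, so the database has to be refreshed again or
# the next policy update fails with "Policy Update Added Object".
update_policy() {
    polfile="$1"
    accept_current_state
    sudo tripwire -m p "$polfile"
    accept_current_state
}

case "${1:-}" in
    --update-policy) update_policy "${2:-twpol.txt}" ;;
    --accept)        accept_current_state ;;
    --latest)        latest_report "$REPORT_DIR" ;;
    *)               : ;;   # no argument: only define the functions
esac
```

Usage: `./tripwire_cycle.sh --update-policy twpol.txt` runs the full cycle, `--accept` does steps 1 to 3 on their own, and `--latest` just prints the report that would be accepted. The prompt in accept_current_state is the point of the script: a report that lists changes you cannot account for should be investigated, not written into the baseline.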

  • Configure Tripwire on Debian

    I have finally gotten around to configuring the Tripwire setup on my Debian installation, after having it bleat at me for the last 3 years! I found details on http://articles.techrepublic.com.com/5100-10877_11-6034353.html which pointed me in the correct direction. My installation is Debian based, so it fitted the “no twinstall.sh” case shown most closely.

    I have had to tweak what the linked article says slightly to make it work. I have also included the output that I saw, so you should know that you are in the correct place when you run the command (my principle is that sample output gives you the warm feeling that things are going well).

    First we should generate the site key:
    twadmin --generate-keys -S site.key
    (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.)
    Enter the site keyfile passphrase:
    Verify the site keyfile passphrase:
    Generating key (this may take several minutes)...
    Key generation complete.

    Then generated the local key:
    twadmin --generate-keys -L ${HOSTNAME}-local.key
    (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.)
    Enter the local keyfile passphrase:
    Verify the local keyfile passphrase:
    Generating key (this may take several minutes)...
    Key generation complete.

    Then had to edit the config template, before generating the configuration file:
    twadmin --create-cfgfile --cfgfile tw.cfg --site-keyfile site.key twcfg.txt
    Please enter your site passphrase:
    Wrote configuration file: /etc/tripwire/tw.cfg

    Then generated the policy file:
    twadmin --create-polfile --cfgfile tw.cfg --site-keyfile site.key twpol.txt
    Please enter your site passphrase:
    Wrote policy file: /etc/tripwire/tw.pol

    Set file permissions:
    chown root:root site.key $HOSTNAME-local.key tw.cfg tw.pol
    chmod 600 site.key $HOSTNAME-local.key tw.cfg tw.pol

    Finally, initialized the database:
    tripwire --init
    Please enter your local passphrase:
    Parsing policy file: /etc/tripwire/tw.pol
    Generating the database...
    *** Processing Unix File System ***
    ### Warning: File system error.
    ### Filename: /var/lib/tripwire/.twd
    ### No such file or directory
    ### Continuing...
    Wrote database file: /var/lib/tripwire/.twd
    The database was successfully generated.

    Then deleted the source files: rm twcfg.txt twpol.txt

    Haven’t run it for very long, so might update this if I have problems.
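    The install sequence above as one script, added here as an example rather than the post’s own commands. It assumes Debian’s /etc/tripwire layout, GNU coreutils (for `stat -c`), and that twcfg.txt and twpol.txt have already been edited in place; it adds a verification that the keys, config and policy really are root-owned and mode 600 before the database is initialised, since the signed config and policy are only as trustworthy as the key files protecting them. The checking functions run without Tripwire installed; install_tripwire needs Tripwire and root.

```shell
#!/bin/sh
# Added example, not the post's commands: the key/config/policy/permissions/
# init sequence as functions, plus a permission check on the sensitive files.
# Assumes Debian's /etc/tripwire layout and GNU coreutils (stat -c).
set -eu

# Print "<octal mode> <owner>" for a file, e.g. "600 root".
mode_and_owner() {
    stat -c '%a %U' "$1"
}

# Succeed only if FILE is owned by OWNER and mode 600 (no group/other access).
check_private() {
    file="$1"; owner="$2"
    set -- $(mode_and_owner "$file")   # $1 = mode, $2 = owner
    [ "$1" = "600" ] && [ "$2" = "$owner" ]
}

# Check every listed file; report each offender and fail if there is any.
verify_all_private() {
    owner="$1"; shift
    bad=0
    for f in "$@"; do
        if ! check_private "$f" "$owner"; then
            echo "insecure: $f ($(mode_and_owner "$f"))" >&2
            bad=1
        fi
    done
    return "$bad"
}

# The post's sequence: site key, local key, config, policy, permissions, database.
install_tripwire() {
    cd /etc/tripwire
    local_key="$(hostname)-local.key"
    twadmin --generate-keys -S site.key
    twadmin --generate-keys -L "$local_key"
    # twcfg.txt / twpol.txt are the hand-edited plaintext templates.
    twadmin --create-cfgfile --cfgfile tw.cfg --site-keyfile site.key twcfg.txt
    twadmin --create-polfile --cfgfile tw.cfg --site-keyfile site.key twpol.txt
    chown root:root site.key "$local_key" tw.cfg tw.pol
    chmod 600 site.key "$local_key" tw.cfg tw.pol
    # Refuse to build the baseline on top of keys anyone else could read.
    verify_all_private root site.key "$local_key" tw.cfg tw.pol
    tripwire --init
    # The plaintext templates are no longer needed once the signed versions exist.
    rm twcfg.txt twpol.txt
}

if [ "${1:-}" = "--install" ]; then
    install_tripwire
fi
```

Usage: `sudo ./tripwire_install.sh --install`. Run without arguments the script only defines the functions, so `verify_all_private root /etc/tripwire/site.key /etc/tripwire/tw.pol` can be used on its own afterwards to re-check an existing installation.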