What is File Integrity Checking (FIC) and why do we need it?
File integrity checking is the process of detecting illegal or unauthorized modifications to files, whether they are OS or application files.
There are a number of scenarios where file integrity checking plays an important part. Two scenarios are listed below:
1. Detecting rootkits - A rootkit is software that hides the presence of itself and of other software. Depending on the type of rootkit, it may hide the presence of other malicious files on the system. As part of its installation, a rootkit may modify system files.
2. Detecting viruses - Viruses typically have a replication stage. As viruses replicate, they attach themselves to host applications and execute when the host application executes. Once again, important system files would be modified if viruses
How does File Integrity Check work?
In simple terms, file integrity checking computes a unique value called a hash of each file and its attributes (last modified date, file name, permissions, etc.) and stores them.
At a later date, the hash is recalculated for each file and compared with the stored value.
If the hash matches, then no modification took place.
If the hash doesn't match, then the file or its associated attributes were modified. These discrepancies may be intentional, unintentional (accidental) or malicious. A system admin familiar with the tool may be able to validate the discrepancies.
Common hash algorithms currently used are SHA-256 and MD5 (the latter is now known to have collisions, but is still commonly used).
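To make the baseline-then-compare idea concrete, here is a small shell implementation in the same spirit as Tripwire (an added example, not Tripwire's code or the author's): it records size, permission bits, mtime and a SHA-256 hash per file, then reports files that were added, removed or modified, distinguishing content changes from attribute-only changes. It assumes GNU coreutils (find, stat -c, sha256sum, awk, mktemp).

```shell
#!/bin/sh
# Minimal Tripwire-style integrity baseline/check (added example, not Tripwire code).
# Assumes GNU coreutils: find, sort, stat -c, sha256sum, awk, mktemp.

# Snapshot: one tab-separated line per regular file under directory $1:
#   path <TAB> "size mode mtime" <TAB> sha256
fic_snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        attrs=$(stat -c '%s %a %Y' "$f")        # size, permission bits, mtime (seconds)
        hash=$(sha256sum "$f" | cut -d' ' -f1)  # content hash
        printf '%s\t%s\t%s\n' "$f" "$attrs" "$hash"
    done
}

# Baseline (the equivalent of tripwire --init): snapshot dir $1 into database file $2.
fic_init() { fic_snapshot "$1" > "$2"; }

# Check (the equivalent of tripwire --check): compare dir $1 against database $2.
# Prints one line per discrepancy; returns 0 when clean and 1 otherwise.
fic_check() {
    cur=$(mktemp)
    fic_snapshot "$1" > "$cur"
    report=$(awk -F'\t' '
        FILENAME == ARGV[1] { base[$1] = $2 FS $3; next }   # first file: the baseline
        {
            seen[$1] = 1
            if (!($1 in base)) print "Added:    " $1
            else if (base[$1] != $2 FS $3) {
                split(base[$1], b, FS)
                # same hash but different size/mode/mtime => attribute-only change
                what = (b[2] != $3) ? "content" : "attributes"
                print "Modified(" what "): " $1
            }
        }
        END { for (p in base) if (!(p in seen)) print "Removed:  " p }
    ' "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Unlike Tripwire's database, this baseline file is not signed, so it has to be stored where an attacker who can modify the monitored files cannot also rewrite it; mtime is compared in whole seconds, so a touch within the same second as the baseline goes unnoticed.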
So, what is Tripwire?
Tripwire is a popular file integrity checking tool. It is open source and is supported on Linux/UNIX systems.
How does Tripwire work?
At a high level, Tripwire works as follows:
1. Installation at introduction: Generally, Tripwire is installed on the system when it is commissioned.
2. Building a baseline: The Tripwire database is "initialised" by calculating the hash of important files; this now serves as the system baseline.
3. Comparing current with baseline: After some time, the system admin will "check" Tripwire, i.e. execute Tripwire commands to re-calculate the database and compare it with the baseline.
4. Re-baselining and validating discrepancies: The discrepancies are reconciled by a system admin and after reconciliation the current baseline
What are the components of Tripwire?
Apart from the Tripwire database, Tripwire consists of the following components:
1. Configuration: defines the settings used by Tripwire to function. These include the location of the Tripwire executables, the policy file, the key files, etc. These are discussed in greater detail below.
2. Policies: define the scope of Tripwire - what to check and what not to check. If the policies are too liberal, susceptible files may not be checked. If the policies are too stringent, the FIC may take too long to run.
3. Encryption keys: for encrypting the Tripwire configuration, policies and database. Tripwire data must be kept at least as securely as the data it protects. Hence, all configuration, policy and encryption data is typically encrypted, and access controls are applied such that only the root user (or a root-like user via sudo) can modify the files. There are two types of keys:
a. Site key - This is generated from a site passphrase which the sys admin needs to provide when installing Tripwire. It is used to protect the configuration and policy files.
b. Local key - This is generated from a local passphrase which the sys admin needs to provide when installing Tripwire. It is used to encrypt the Tripwire db when it is calculated. Generally, for deployment on multiple systems or for multiple users on the same system, a single site key is used although a different local key may be used.
How do I install Tripwire?
On Debian-based Linux, the simplest way to install Tripwire is through apt-get:
$ sudo apt-get install tripwire
As part of the installation, you will be asked to provide:
1. Email alert mailbox: For demonstration, you can choose not to configure email.
2. Site key passphrase: this will encrypt the config and policy files.
3. Local key passphrase: this will encrypt the Tripwire db when an initialisation or check is performed.
These are explained further below.
Once installed, what is the next step?
The next step is to modify the configuration and policy files to suit the monitoring needs.
How do I modify the configuration file?
By default, the configuration file is located in /etc/tripwire/tw.cfg.
As this configuration file is encrypted with the site key, it must be decrypted with the site key and its output written to a text file. The following command prints the configuration file in plain text to the terminal and also pipes the output through the tee command into twcfg.txt.
$ sudo twadmin --print-cfgfile -c tw.cfg | sudo tee twcfg.txt
The configuration file contains parameters that are used by the tripwire executable for initialisation, database updating, etc. The standard config file settings are explained below (comments after # are annotations, not part of the file):
$ less twcfg.txt
# Tripwire Configuration file
ROOT =/usr/sbin # Directory containing the Tripwire executables
POLFILE =/etc/tripwire/tw.pol # Location of the policy file
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd # Location of the database file. HOSTNAME is the env variable.
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr # Location of the report files; DATE is filled in at run time
SITEKEYFILE =/etc/tripwire/site.key # Location of the site key file - to decrypt configuration/policy files
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key # Location of the local key file - to decrypt the db/report
EDITOR =/usr/bin/editor # Editor used in interactive mode for reconciling the files after an integrity check is performed
LATEPROMPTING =false # Delay prompting for the passphrase as long as possible to reduce the time it is held in memory
LOOSEDIRECTORYCHECKING =false # If true, a change to a directory caused only by adding/removing files in it is not reported
MAILNOVIOLATIONS =true # Send an email report even when no violations/discrepancies are found?
EMAILREPORTLEVEL =3 # Detail level (0-4) of emailed reports
REPORTLEVEL =3 # Detail level (0-4) of printed reports
SYSLOGREPORTING =true # Should actions taken with tripwire be written to syslog?
MAILMETHOD =SMTP # the method to send notifications - SMTP or SENDMAIL are the allowed options
SMTPHOST =localhost # hostname/IP of the SMTP server
SMTPPORT =25 # network port on which SMTP runs
TEMPDIRECTORY =/tmp # Tripwire's location for temp files written while the program is running
Information on the other twconfig parameters can be obtained from: man twconfig
Generally, the default configuration as obtained with sudo apt-get install tripwire is sufficient. Once the twcfg.txt config file has been suitably modified, we need to encode it and overwrite tw.cfg with the modified twcfg.txt file.
The following command encodes the twcfg.txt file with the site key file and writes the output to the tw.cfg file.
$ sudo twadmin --create-cfgfile -S /etc/tripwire/site.key -c /etc/tripwire/tw.cfg twcfg.txt
Please enter your site passphrase:
Wrote configuration file: /etc/tripwire/tw.cfg
Then, delete the twcfg.txt file to prevent anyone else from reading it:
$ sudo rm /etc/tripwire/twcfg.txt
How do I modify the policy file?
By default, the policy file is located in /etc/tripwire/tw.pol.
Once again, the policy file is encoded with the site key. To decode the policy file, we need to check that the SITEKEYFILE parameter is defined in the Tripwire config file.
Then, the Tripwire policy file can be written in plain text to twpol.txt as follows (the print mode lives in twadmin, not in the tripwire binary):
$ sudo twadmin --print-polfile -p tw.pol | sudo tee twpol.txt
Note that the tee command is used because sudo privileges are required to create files in the /etc/tripwire directory. The first sudo in the command does not apply to output redirected via > or >>, so tee must itself be run with sudo for the write to happen with root privileges.
A long policy file will then appear:
$ less twpol.txt
# Global Variable Definitions
#
# These definitions override those in the configuration file. Do not
# change them unless you understand what you're doing.
@@section GLOBAL
TWBIN = /usr/sbin;
TWETC = /etc/tripwire;
TWVAR = /var/lib/tripwire;
The Tripwire policy file syntax is explained in the following page: man twpolicy
The most common stanza used in the policy file is:
var = value
([attribute list: rulename, recurse, emailto, severity])
{
dir -> +/-properties [attribute list];
! dir
}
Note: '[]' implies optional parameters.
The attribute list describes the rule (rulename), how the rule will be run (recurse), what to do if a rule violation is detected (emailto) and how serious a rule violation is considered (severity).
An example of a rule stanza is:
(rulename = "check tripwire settings", severity = 40, emailto = admin@t0pazg3m.com)
{
/etc/tripwire -> +aspS (recurse=1);
! /etc/tripwire/donotscan;
}
The stanza above does the following:
In the attribute list:
1. Sets the rulename to 'check tripwire settings'.
2. Sets the severity with which to report a violation/change to any of these files.
3. Emails any policy violations to admin@t0pazg3m.com.
In the directory list:
4. Checks the files in /etc/tripwire and recurses one level into that directory.
In the property mask:
5. Checks 'a' - whether the last access time has changed, 's' - whether the file size has changed, 'p' - whether the file permissions have changed, and 'S' - whether the SHA hash value, i.e. the content, has changed.
In the stop-point rule:
6. With '!', the donotscan folder in /etc/tripwire is not scanned.
There are also other pre-defined variables that Tripwire can use, e.g. ReadOnly (for files which should be read-only) and Growing (for files which grow, such as logs).
Once the plain-text policy file has been updated, we now need to encode this file with the site key and rewrite the tw.pol policy file.
$ sudo twadmin --create-polfile -c tw.cfg -p tw.pol twpol.txt
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
How to initialize the Tripwire baseline?
Once the policy and config files have been modified, initialise the database using the command:
$ sudo tripwire --init
This will generate a .twd database file in the location specified in the tw.cfg file (typically /var/lib/tripwire), which can be viewed as follows:
$ sudo twprint --print-dbfile -c /etc/tripwire/tw.cfg -d <location of .twd file> -L /etc/tripwire/local.key
How to check the system against the Tripwire baseline database?
When the baseline database has been created, a Tripwire database check can be performed as follows:
$ sudo tripwire --check
When complete, a report file will be generated and stored in the folder specified by the tw.cfg file (typically /var/lib/tripwire/report).
This report can be viewed by running the following command:
$ sudo twprint --print-report -L t0pazg3m-local.key -r /var/lib/tripwire/report/t0pazg3m-20150329-125635.twr | less
This will print a report file which contains a summary displaying the differences from the baseline and further info about individual files. Note: the report is not encrypted.
Open Source Tripwire(R) 2.4.2.2 Integrity Check Report

Report generated by: root
Report created on: Sun Mar 29 12:56:35 2015
Database last updated on: Never

====================================================
Report Summary:
====================================================

Host name: t0pazg3m
Host IP address: 127.0.1.1
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/t0pazg3m.twd
Command line used: tripwire --check

=============================================
Rule Summary:
=============================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------