How to catch Linux system intruders

Configuration

After installing the Tripwire packages, you'll be presented with the Tripwire configuration wizard. The first question asks whether you want to create or use your site key passphrase during installation. Tripwire uses two keys, and neither is used to generate the checksums of your files: their job is to sign the files Tripwire itself depends on, so that those can't be altered without the change being noticed. The site key signs the configuration and policy files, which you may share with other Tripwire installations across a network; the local key signs the database of file signatures and the reports, which belong only to the machine they were created on. The next page of the wizard will ask you for the passphrases that protect these two keys.

However, there is a caveat. Anyone who obtains a copy of the keys and their passphrases can sign a policy or database of their own, so that tampered files appear authentic. There is a slight security risk in having the keys generated by the Debian installer, so if you're in any doubt about the security of your system, you should generate the keys manually (see the next paragraph for how to do this). Otherwise, continue with the next page of the wizard, enter long passphrases that you can still remember for both keys, and let the set-up wizard generate the configuration file.

To generate both the site and local keys manually, open a terminal and switch to the root account. Type the following (Ubuntu users should precede both lines with 'sudo'):

twadmin -m G -S /etc/tripwire/site.key
twadmin -m G -L /etc/tripwire/hostname-local.key

Replace 'hostname' in the second command with your machine's hostname, which is what the 'hostname' command prints (in Ubuntu's default prompt it's also the word after the '@'). The name matters: Debian's configuration file refers to the local key as /etc/tripwire/$(HOSTNAME)-local.key, so a key file with any other name won't be found later. For each key you'll be asked to choose a passphrase. You now need to use these keys to sign the two files that Tripwire takes its settings from. Both reside in the '/etc/tripwire' directory in plain text, which is why they have the '.txt' extension; Tripwire only trusts the signed copies it generates from them. Sign the first one, the configuration file, by typing the following:

cd /etc/tripwire
twadmin -m F -S site.key twcfg.txt
Enter pass phrase:
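The key-generation and config-signing steps above, put together as a script. This is an added example, not code from the original article or from the Tripwire project: it derives the local key's name from the hostname, checks that the key paths twcfg.txt refers to are the ones about to be generated (a mismatch is the most common reason a later 'tripwire --init' can't find its key), and only then calls twadmin. The directory and file names are Debian/Ubuntu's defaults; the sample twcfg.txt lines embedded for testing are constructed from that default.

```shell
#!/bin/sh
# Added example, not code from the original article: generate the Tripwire
# site and local keys, confirm their file names match what twcfg.txt refers
# to, then sign twcfg.txt with the site key.  Paths are Debian/Ubuntu's
# defaults; TW_DIR can be overridden.  Run as root:  sh tw-keys.sh run

TW_DIR="${TW_DIR:-/etc/tripwire}"

# Print the value of one setting from a twcfg.txt, with Tripwire's
# $(HOSTNAME) variable expanded to the given name.  Handles spaces around
# '=' and trailing '#' comments; prints nothing if the setting is absent.
cfg_value() {
    cfg="$1"; name="$2"; host="$3"
    awk -F'=' -v name="$name" -v host="$host" '
        $1 ~ ("^[ \t]*" name "[ \t]*$") {
            v = $2
            sub(/[ \t]*#.*$/, "", v); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            gsub(/\$\(HOSTNAME\)/, host, v)
            print v; exit
        }' "$cfg"
}

# Succeed only if the key paths named in twcfg.txt are exactly the ones we
# are about to generate.  Otherwise twadmin would happily sign a config that
# points at key files that do not exist, and tripwire --init would later fail.
check_key_paths() {
    cfg="$1"; host="$2"; site_key="$3"; local_key="$4"
    [ "$(cfg_value "$cfg" SITEKEYFILE "$host")" = "$site_key" ] &&
    [ "$(cfg_value "$cfg" LOCALKEYFILE "$host")" = "$local_key" ]
}

# Constructed sample: the relevant lines of the Debian default twcfg.txt,
# used only for offline testing of the two functions above.
write_sample_cfg() {
    cat > "$1" <<'EOF'
ROOT          =/usr/sbin
POLFILE       =/etc/tripwire/tw.pol
SITEKEYFILE   =/etc/tripwire/site.key        # shared across hosts
LOCALKEYFILE  =/etc/tripwire/$(HOSTNAME)-local.key
EOF
}

generate_and_sign() {
    host=$(hostname)
    site_key="$TW_DIR/site.key"
    local_key="$TW_DIR/$host-local.key"
    check_key_paths "$TW_DIR/twcfg.txt" "$host" "$site_key" "$local_key" || {
        echo "twcfg.txt names other key files; fix it (or the paths here) first" >&2
        return 1
    }
    # Each twadmin call prompts twice for a passphrase; choose long ones.
    twadmin -m G -S "$site_key"
    twadmin -m G -L "$local_key"
    # Sign the plaintext config with the site key; -c names the signed output.
    twadmin -m F -c "$TW_DIR/tw.cfg" -S "$site_key" "$TW_DIR/twcfg.txt"
    # Keys and the plaintext config are root's business only.
    chmod 600 "$site_key" "$local_key" "$TW_DIR/twcfg.txt"
}

if [ "${1:-}" = run ]; then
    generate_and_sign
fi
```

Run it without the 'run' argument and it only defines the functions, which is what makes the checks testable on a machine without Tripwire installed; with 'run', it refuses to touch anything until the key names and twcfg.txt agree.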

The command asks for a passphrase: enter the one you chose for the site key a moment ago. The second file we need to sign is called 'twpol.txt'. This is Tripwire's policy file, and it contains all of the rules that govern which files Tripwire protects and which of their properties it watches. Debian/Ubuntu ships a default policy that should be more than adequate for most installations. If you take a look at the rules themselves, you will see small sections that look like the example given below:

(
  rulename = "Critical system boot files",
  severity = $(SIG_HI)
)
{
  /boot         -> $(SEC_CRIT) ;
  /lib/modules  -> $(SEC_CRIT) ;
}

The syntax is relatively straightforward, if a little verbose. The attributes in parentheses name the rule (as explained in the rule name, this one protects critical system boot files) and give it a severity. The block in braces lists the directories it covers, and the arrow after each one selects a property mask: $(SEC_CRIT) is a variable defined earlier in the file that tells Tripwire which attributes of those files (permissions, ownership, size, hashes and so on) to record and compare. Every line in the braces ends with a semicolon.

The boot directory holds the kernel images and the GRUB boot loader. A rootkit or trojan that changes any files here could cause serious damage, since whatever it plants runs before anything else on the system. The '/lib/modules' directory contains the kernel's loadable modules, including all the drivers for your system. A subtle change to a module runs with full kernel privileges and could cause all kinds of subtle and not so subtle havoc. For this reason, both directories have been given a severity of SIG_HI, the highest severity level the policy defines, so a change here is reported as the most serious kind of violation.

Earlier on in the policy file, SIG_HI is given a point score of 100. If you have directories and files that aren't part of a standard Ubuntu installation and need protecting, a web root or a database directory for example, you'll need to write your own rules for those locations, following the same pattern. After you've finished looking at the policy file, it's time to sign it with the site key, as we did the first one. Just type the following:
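The policy-signing step, together with a rule for a directory the stock policy doesn't cover, as an added example that is not code from the original article or the Tripwire project. SIG_HI and SEC_CRIT are the variables the stock twpol.txt defines; the directory to protect is whatever you pass in, and the helper does not quote paths, so stick to plain ones without spaces. The rule text is built by a small function so that its exact output can be checked offline.

```shell
#!/bin/sh
# Added example, not code from the original article: append a rule for a
# directory the stock Debian/Ubuntu policy does not cover, sign the policy
# with the site key, and rebuild the baseline database.  SIG_HI and SEC_CRIT
# are variables the stock twpol.txt defines; the directory is whatever you
# pass in.  Run as root:  sh tw-policy.sh run /srv/www

TW_DIR="${TW_DIR:-/etc/tripwire}"

# Print one policy rule in Tripwire's syntax: the attribute block in
# parentheses, the object list in braces, each object followed by an arrow,
# its property mask and a terminating semicolon.
# Arguments: rule name, severity variable, property-mask variable, paths...
policy_rule() {
    name="$1"; severity="$2"; mask="$3"; shift 3
    printf '(\n  rulename = "%s",\n  severity = $(%s)\n)\n{\n' "$name" "$severity"
    for path in "$@"; do
        printf '  %s -> $(%s) ;\n' "$path" "$mask"
    done
    printf '}\n'
}

# True if the policy file already has a rule of this exact name, so running
# the script twice does not append the same block again.
rule_exists() {
    grep -qF "rulename = \"$2\"" "$1"
}

add_rule_and_sign() {
    dir="$1"
    pol="$TW_DIR/twpol.txt"
    [ -d "$dir" ] || { echo "$dir is not a directory" >&2; return 1; }
    name="Local data in $dir"
    if rule_exists "$pol" "$name"; then
        echo "rule \"$name\" is already in $pol" >&2
    else
        { printf '\n'; policy_rule "$name" SIG_HI SEC_CRIT "$dir"; } >> "$pol"
    fi
    # Sign the plaintext policy with the site key (prompts for its passphrase);
    # tw.pol is what tripwire actually reads.
    twadmin -m P -p "$TW_DIR/tw.pol" -S "$TW_DIR/site.key" "$pol"
    # A changed policy needs a fresh baseline, which is signed with the local key.
    tripwire -m i
}

if [ "${1:-}" = run ]; then
    add_rule_and_sign "${2:?directory to protect}"
fi
```

Whenever twpol.txt changes, the signed tw.pol must be regenerated and the database initialised again, otherwise Tripwire keeps checking against the old rules; the script does both in one go.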