oreilly.comSafari Books Online.Conferences.


Tools of the Trade: Part 2
Pages: 1, 2, 3


Tripwire is a unique tool in that it doesn't really stop an attacker from compromising your system. However, Tripwire can tell you which files have been changed or replaced since the last run.

Tools such as Tripwire are often used on a honey pot system. You can see and log what the intruder changes this way very easily. Tripwire uses a database that includes all the information about your system that you want to log. This database is created the first time you run Tripwire. Then, it's used in successive audits to compare what has changed and what has not.

In many configurations, there are files that change all the time, such as those found in user's home directories so you don't want to include those in the audit. However, files that rarely change such as the programs in /usr, /sbin, /bin, and so forth, are prime targets for inclusion in the database. It depends on your needs and the programs you run.

Installing Tripwire

You can install Tripwire in one of two ways. You can either download the source code and compile it yourself (recommended for any security tool) or you can download the RPM or Debian packages and install that way. As I write this, the latest version of Tripwire is 2.3.1-2.

Place the source in an accessible location such as /usr/local/src. Then uncompress it in the normal way:

$ cd /usr/local/src
$ tar -xzvf tripwire-2.3.1-2.tar.gz
$ cd tripwire/src

Compiling Tripwire from source is different from most Linux applications, there's no config script for example. Before compiling Tripwire, look over the makefile and make any changes you need. The makefile is well documented, so take your time reading. You'll learn a lot in the process. Be sure you also have gtcc 2.95.2 or greater as well or Tripwire will not compile properly. The makefile makes many references to gmake, which on Linux systems at least is the same as make. In fact you may find both commands with one sym-linked to the other.

Tripwire can be compiled in one of two configurations, debug or release. Debug is useful if you are a developer and want to know more about the internals of Tripwire and such or if you're testing out a new version before putting on a production system. Release is the mode you'll use on a production system and the one we'll concentrate on here. Once you've made the modifications you want to the makefile, you compile tripwire with the following command:

$ make release

Once finished, you actually install Tripwire using the supplied install script. You must be root to run it:

$ su

# cd /usr/local/src/tripwire-2.3.1-2/install
# ./

The install script copies all the Tripwire programs, libraries, and man pages to their proper places on the system. It also places the default policy and configuration files in /etc/tripwire/. The install script will also prompt you for site key passwords and local key passwords, compile the default policy and configuration files, and finally sign these files with the site key. Remember these passphrases as they cannot be recovered. You have been warned!

Tripwire's files

Tripwire uses four files in the working of its magic: the policy file, the configuration file, the database file, and the report files. Some of these files exist in two formats: binary and text.

The text version is what you edit to configure how you want Tripwire to work. Then, you run twadmin to compile the text files into the binary files it uses. You should then move the text files to a floppy or CD media and delete them from the system. This way, an intruder cannot change what Tripwire reports to cover his tracks.


The policy file /etc/tripwire/tw.pol is used by you as the administrator to specify how Tripwire checks the system. The policy file consists of various rules, each of which specify a system object that Tripwire monitors, and describe what changes to that object should be reported or ignored.

The configuration file /etc/tripwire/tw.cfg stores system-specific information such as the location of the Tripwire data files and the settings used for notification via email when violations occur.

A good sample policy and configuration file comes with the Tripwire source code. In the beginning, you can use them as a starting point instead of trying to create your own until you become more familiar with how Tripwire works.

The database file /var/lib/tripwire/$(HOSTNAME).twd is central to the integrity assessment strategy. Tripwire uses the rules specified in the policy file to create a "snapshot" of the system. Ideally, this snapshot should be of a clean install so you are guaranteed of being in a known secure state. The database file is then used as a "baseline" during integrity checks. The current state of the system is compared against this database to determine if any changes have been made since the database was created.

The report files /var/lib/tripwire/$(HOSTNAME)-$(DATE).twr are produced every time the integrity check is run. Usually, you run an integrity check at a set interval using the cron facility. The results of that check, including any changes (additions, deletions, or modifications) that violate the policy file rules, are stored in a report file. Summary results of the integrity check are stored in the report file which can be viewed in a variety of formats at varying levels of detail.


Web sites:

HoneyNet Project

The SANS Institute

Security Portal

Linux Administrator's Security Guide

Root Prompt

Linux System Administrator's Guide


Network Intrusion Detection, 2nd Ed. (New Riders) ISBN: 0-7357-1008-2

Intrusion Signatures & Analysis (New Riders) ISBN: 0-7357-1063-5

Maximum Linux Security (SAMS) ISBN: 0-672-31670-6

Linux Network Administrator's Guide, 2nd Edition (O'Reilly) ISBN: 1-56592-400-2

Practical Unix and Internet Security (O'Reilly) ISBN: 1-56592-148-8

Running Linux, 3rd Edition (O'Reilly) ISBN: 1-56592-469-X

Linux System Security (Prentice Hall) ISBN: 0-13-015897-0

Using Tripwire

Once everything is set up, you're ready to begin using Tripwire. Tripwire consists of a few different applications: twadmin compiles the text files into binary files used by Tripwire while twprint allows you to take a binary config file and get the ASCII text out of it. Because these programs are administrative, you'll want to remove them from your system once everything is set up. Removing them will prevent an intruder from using the admin programs to change what Tripwire looks for and so forth.

The main application is called tripwire. Use tripwire to create your initial database like this:

# tripwire -m i

The -m tells Tripwire what mode to use, in this case, initialization mode. Now that the database is created, you run comparisons on your system with the following command:

# tripwire -m c

You should put this into a crontab or shell script file. How often you run Tripwire depends on your level of paranoia. If you are really paranoid, you might run it every couple hours. If you're not that paranoid, once a day may be sufficient. Remember, you have to look over the reports generated by Tripwire, so if you do it too often, the task may become too daunting. But again, that's entirely up to you. What do the reports look like you ask? Like this.

There is more to it than this, but the files can be large depending on your system. If you find that you are changing some files that Tripwire compares (new versions of applications for example) you can always update Tripwire's database with the command:

# tripwire -m u


There are many things you can do to avoid use of some tools like tcpdump and Ethereal. You can use a switched network for a start to avoid "broadcasting" your packets to every workstation on your network. Note: This doesn't stop somone from sniffing traffic going from your network to the Internet, or from capturing data from the Internet (such as a remote user) destined for your network. But it does narrow down the ability to use such tools internally, unless they are being run on the source or destination machine (such as one of your servers).

Another thing to do, is get rid of any network protocol that transmits text in the clear. This means telnet and FTP to start. You should also look at getting rid of the Berkley "R commands" such as rdist, rlogin, et al. You should be using SSh for all remote access and server to server synchronization. If you really need the Berkley "R commands," consider running them over an encrypted SSh session instead.

Tripwire is a great tool for tracking changes to your system. Depending on how "paranoid" you are and how often you run it, you can find a change very quickly, hopefully before the intruder has a chance to stop Tripwire from running and trash any logs. But hey, that's where tools like syslog come in. We'll take at look at this tool next week along with the venerable snort.

Carl Constantine works for Open Source Solutions, Inc. ( as a Linux Trainer and Programmer.

Return to the Linux DevCenter.

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: