
Install and configure Tripwire from source
Tripwire is a set of open-source Unix command line utilities, released by the company of the same name, which sells a more capable commercial product. You can use it to verify the integrity of your system files, detect intrusions, and monitor which files get added or changed by your computer's software. For the slightly paranoid, it can have a calming effect.

Fortunately, it is relatively easy to run under OS X. Installing it, however, can be another story. Back in 2003, a member named frodo published a hint here on how to install Tripwire with a precompiled package that he had developed. Sadly, his website is no longer operational, so Mac OS X users who wish to use Tripwire have to muddle through the generic installation process for Unix boxes. This can be quite confusing, so I thought that it would be useful to document it in a step-by-step fashion. The following is based on the sources currently available.

The first step is to install the Xcode tools so that you can compile the source; you don't need the latest and greatest, so you can simply install Xcode from the CD or DVD your operating system came on. Alternatively, you can join the Apple Developer Connection (free) and download Xcode.

Next you need the source for Tripwire. Paul Herman's web site still has the portable Tripwire tarball available, so download tripwire-portable-0.9.tar.gz from there. Move the downloaded file to a convenient place (like Documents) in your user's folder hierarchy, and then double-click the downloaded file; it should expand into a folder of sources.

Open Terminal and cd into the source directory: cd ~/Documents/tripwire-portable-0.9. Acting as root using sudo, create the directories Tripwire will use (mkdir -p is harmless if /usr/local already exists):
sudo mkdir -p /private/etc/tripwire
sudo mkdir -p /usr/local
Tripwire compiles its paths into the binaries, so tell configure where it should look for and store files. Two details: configure does not need sudo (only the install step does), and --mandir must point at the man directory itself; with --mandir=/usr/local/share the manual pages end up in /usr/local/share/man4 and the like, where man will not find them:

./configure --prefix=/usr/local --sysconfdir=/private/etc/tripwire --mandir=/usr/local/share/man

configure will grind away checking for the development environment items it needs, and then return you to a Terminal prompt. Now compile the source with a plain make; building does not need root, and building as your own user keeps a mistake in the build tree from touching the system. This will generate lots of warnings, but ultimately it should succeed in creating the binaries. You're not done yet; there is an install step, and that one does need root: sudo make install

This last command puts the binaries in the correct directories, makes you read and accept the GNU license, and prompts you for two passphrases: one for the site key, which signs the policy and configuration files, and one for the local key, which signs the database and reports. It's a good idea to open Keychain Access at this point and record both passphrases in a new keychain entry; without them you cannot re-sign the policy or update the database. The key files themselves live in /private/etc/tripwire and are only as safe as these passphrases, so keep the passphrases out of your scripts. At this point you technically have a working Tripwire system and can drive it from the Terminal. However, I find it easier to make simple-to-understand shell scripts to accomplish the common tasks (see end of hint).

Before we go further, you will need a little background on how Tripwire works. Tripwire keeps its state in a few signed files. The policy file (tw.pol) specifies which directories are to be checked, to what depth, and which properties of each file are compared. The configuration file (tw.cfg) records paths and settings. The database (named after your machine, <hostname>.twd, and stored under /usr/local/lib/tripwire with the paths chosen above) holds the properties recorded at the last accepted check, including cryptographic hashes of file contents. Each check writes a report (<hostname>-<date>-<time>.twr) into /usr/local/lib/tripwire/report. These files are binary and signed with the site or local key; they are not encrypted. Anyone can print the policy with twadmin -m p or the database with twprint -m d, but nothing can alter them without the matching passphrase, which is what stops an intruder from quietly editing the baseline. You can't edit them directly with vi, for instance. (An intruder with root can still replace the tripwire binaries themselves, so a check run on a compromised machine is only as trustworthy as those binaries; keeping a read-only copy of the binaries, policy and database elsewhere is the traditional answer.)

For security reasons, then, the way it works is that you edit a text file called twpol.txt that describes what you want the policy to be, and submit the text file to Tripwire for signing. The signing process produces a new signed policy file that you can't read or touch directly. Similarly, when you run a check, Tripwire will often find differences between the file system as it currently exists and the properties and checksums stored in its database. Tripwire then lists the differences in a report and lets you review them and optionally accept them into the database.

For a general overview of how to use tripwire, type man twintro in Terminal, or consult this useful article on Tripwire, from the Linux Productivity Magazine.

The first useful thing you have to do with tripwire is initialize the database; this asks for the local passphrase. The command to perform this step is: sudo /usr/local/sbin/tripwire -m i

You will find that this generates a lot of warnings about files or directories that are missing. Take note of these, go back and edit the text version of the policy file (twpol.txt) to get rid of them, and then update the policy file. You need to do this as root, so use this command: sudo vi /private/etc/tripwire/twpol.txt.

Some of the changes I made on a stock Leopard install were:
  • Comment out /usr/local/etc by adding # in front of line (not present)
  • Uncomment /usr/local/sbin by removing # at front of line (Tripwire binaries live there)
  • Comment out /private/var/db/netinfo/local.nidb/Store.384 (not present)
  • Comment out /private/var/db/prebindOnDemandBadFiles (not present)
  • Comment out /private/var/root/Library/Caches (not present)
  • Comment out /private/var/spool/lock (not present)
  • Comment out /mach.sym (not present)
  • Comment out /Applications (Mac OS 9) (not present in Leopard)
  • Comment out everything having to do with the Classic environment (not present in Leopard)
  • Comment out /private/etc/cups/certs
You should probably keep Tripwire from descending into the user directories until you have more experience with the policy file; to accomplish this, put a ! in front of the /Users entry so that it reads !/Users; (a ! marks a stop point that the scan will not enter). When you have made all the changes that you think will clean up the missing file warnings, save and quit vi. Now run tripwire to update the policy file, specifying the local key and the text policy you just edited; it will ask for both the site and the local passphrase:

sudo /usr/local/sbin/tripwire -m p -L /private/etc/tripwire/local.key -Z low /private/etc/tripwire/twpol.txt

Note that the installer names the local key after your machine (something like mymac.local-local.key), so check with ls /private/etc/tripwire/*.key and either use that name here or copy the file to local.key. The -L override is only needed when the name does not match what tw.cfg records; -Z low lets the update go through even if files have changed since the database was built, instead of aborting.

To run tripwire in check mode, type:

/usr/bin/sudo /usr/local/sbin/tripwire -m c

Add -I if you want tripwire to open the report in an editor right after the check, so that you can accept changes into the database in the same step.

You may find that tripwire reports changes that are OK. If that's the case, you will want to update the database. The following Terminal command finds the newest report file (report names embed the date and time, so the last name in sorted order is the newest) and submits it to an update. Tripwire opens the report in an editor: leave the [x] in front of each entry you want to accept, remove it for those you do not, save, and supply the local passphrase:

/usr/bin/sudo /usr/local/sbin/tripwire -m u -r "$(ls /usr/local/lib/tripwire/report/*.twr | sort | tail -n 1)"

You may also find that tripwire keeps reporting certain files that change in the normal course of events. You can go back and change the policy file to take this into account; you might, for instance, want to check the permissions but not the size of log files, since they grow over time. The predefined $(Growing) property mask in twpol.txt exists for exactly this case.

By the way, I find it useful to put all the common Tripwire tasks (like update database) into little shell scripts with descriptive names. That way I can simply type something like ./update_database.sh instead of the much longer command above. Here are all the scripts that I've developed for tripwire:
init_database.sh
#!/bin/sh
# Build the baseline database; asks for the local passphrase.
/usr/bin/sudo /usr/local/sbin/tripwire -m i

run_tripwire.sh
#!/bin/sh
# Integrity check; writes a new .twr report into the report directory.
/usr/bin/sudo /usr/local/sbin/tripwire -m c

update_database.sh
#!/bin/sh
# Accept the newest report into the database. Report names embed the date
# and time, so sorting the names puts the newest last; find(1) returns
# directory order, which is not the same thing.
REPORT_DIR=/usr/local/lib/tripwire/report
LATEST=$(/usr/bin/sudo ls -1 "$REPORT_DIR" | grep '\.twr$' | sort | tail -n 1)
/usr/bin/sudo /usr/local/sbin/tripwire -m u -r "$REPORT_DIR/$LATEST"

update_policy.sh
#!/bin/sh
# Edit the text policy, then sign it; asks for the site and local passphrases.
# The installer names the local key after the machine; use that name here
# unless you copied the file to local.key.
sudo vi /private/etc/tripwire/twpol.txt
sudo /usr/local/sbin/tripwire -m p -L /private/etc/tripwire/local.key -Z low /private/etc/tripwire/twpol.txt

display_last.sh - displays the last report in the report directory
#!/bin/sh
REPORT_DIR=/usr/local/lib/tripwire/report
LATEST=$(sudo ls -1 "$REPORT_DIR" | grep '\.twr$' | sort | tail -n 1)
sudo /usr/local/sbin/twprint -m r -r "$REPORT_DIR/$LATEST" | more
To make these work, copy and paste them into an editor that understands Unix line feeds (I recommend TextWrangler, which is free from BareBones Software). Then make each one executable using chmod:

chmod u+x init_database.sh run_tripwire.sh update_database.sh update_policy.sh display_last.sh
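The scripts above each do one task. The following is an added example, not part of the original hint or of the Tripwire project: a single wrapper that runs the check, update and policy steps described in this hint against the paths chosen above (/usr/local/sbin, /private/etc/tripwire, /usr/local/lib/tripwire/report). It picks the newest report by its timestamped file name rather than by directory order, looks up the hostname-prefixed local key instead of hard-coding local.key, and appends a policy rule for growing log files (the permissions-but-not-size case mentioned earlier) using Tripwire's predefined $(Growing) mask. The decoding of check mode's exit status into added/removed/changed/error bits is my reading of tripwire(8) and is labelled as an assumption; the script only uses it to tell you what to look for in the report. Run it as sudo ./tw.sh check, sudo ./tw.sh update, or sudo ./tw.sh addlogs.

```shell
#!/bin/sh
# tw.sh: added example wrapper around the Tripwire commands used in this hint.
# Assumes the install locations chosen in the hint; adjust if yours differ.
TWBIN=/usr/local/sbin
TWCONF=/private/etc/tripwire
TWREPORTS=/usr/local/lib/tripwire/report

# Reports are named <host>-<YYYYMMDD>-<HHMMSS>.twr, so sorting the names
# sorts them by time.  `find ... | tail -1` gives directory order instead,
# which is not the newest report.  Prints nothing if there are no reports.
latest_report() {
    ls -1 "$1"/*.twr 2>/dev/null | sort | tail -n 1
}

# The installer names the local key after the machine (<host>-local.key).
# Fall back to plain local.key if you renamed it as the hint suggests.
local_key_file() {
    tw_key=$(ls "$1"/*-local.key 2>/dev/null | head -n 1)
    if [ -n "$tw_key" ]; then
        echo "$tw_key"
    else
        echo "$1/local.key"
    fi
}

# Append a rule that tracks log files with the predefined $(Growing) mask:
# owner, permissions, inode and "may only grow" are checked, while size,
# mtime and content hashes (which change on every write) are not.  The
# /private/... path is used because Tripwire does not follow the
# /var -> /private/var symlink when recursing.  Severity 33 is the value
# the stock policy file uses for SIG_LOW.
append_log_rule() {
    cat >> "$1" <<'EOF'

(
  rulename = "System logs (added rule)",
  severity = 33
)
{
  /private/var/log -> $(Growing) (recurse = true) ;
}
EOF
}

# ASSUMPTION (my reading of tripwire(8)): check mode returns a bitmask,
# 1 = files added, 2 = files removed, 4 = files changed, 8 = error.
describe_check_status() {
    tw_rc=$1
    tw_out=""
    if [ "$tw_rc" -eq 0 ]; then echo "no violations"; return 0; fi
    if [ $((tw_rc & 1)) -ne 0 ]; then tw_out="$tw_out added"; fi
    if [ $((tw_rc & 2)) -ne 0 ]; then tw_out="$tw_out removed"; fi
    if [ $((tw_rc & 4)) -ne 0 ]; then tw_out="$tw_out changed"; fi
    if [ $((tw_rc & 8)) -ne 0 ]; then tw_out="$tw_out error"; fi
    echo "${tw_out# }"
}

need_root() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run this as root: sudo $0 $1" >&2
        return 1
    fi
}

case "${1:-}" in
  check)      # run a check, summarise the exit status, show the newest report
    need_root check || exit 1
    if "$TWBIN/tripwire" -m c; then tw_status=0; else tw_status=$?; fi
    echo "check result: $(describe_check_status "$tw_status")"
    "$TWBIN/twprint" -m r -r "$(latest_report "$TWREPORTS")" | more
    ;;
  update)     # accept the newest report into the database (asks local passphrase)
    need_root update || exit 1
    "$TWBIN/tripwire" -m u -r "$(latest_report "$TWREPORTS")"
    ;;
  addlogs)    # append the log rule and re-sign the policy (asks both passphrases)
    need_root addlogs || exit 1
    append_log_rule "$TWCONF/twpol.txt"
    "$TWBIN/tripwire" -m p -L "$(local_key_file "$TWCONF")" -Z low "$TWCONF/twpol.txt"
    ;;
  *)
    echo "usage: $0 check|update|addlogs" >&2
    ;;
esac
```

The helper functions take their directories as arguments so you can point them at a scratch directory to see what they select before trusting them on the real report and key directories.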

[robg adds: I haven't tested this one, and any mistakes above are probably mine, due to editing mistakes. Please let me know if you see any. I believe this was used by the author in Leopard; I don't know if it works in Snow Leopard or not.]
9 comments
Install and configure Tripwire from source
Authored by: winfred on Jan 12, '10 09:32:15AM
Wow, extensive howto, thanks.
If you don't like installing from scratch, there is a MacPorts compiled version available as well:
  • install MacPorts: http://www.macports.org
  • install Tripwire: port install tripwire
$ port info tripwire
tripwire @2.4.1.2, Revision 1 (security)
Variants:             universal

Description:          Tripwire software is a tool that checks to see what has changed on your system. The program monitors key attributes of
                      files that should not change, including binary signature, size, expected change of size, etc. Tripwire is originally
                      known as an intrusion detection tool, but can be used for many other purposes such as integrity assurance, change
                      management, policy compliance and more.
Homepage:             http://sourceforge.net/projects/tripwire/

Build Dependencies:   autoconf, automake, libtool
Library Dependencies: openssl
Platforms:            darwin
License:              unknown
Maintainers:          nomaintainer@macports.org


Install and configure Tripwire from source
Authored by: Blomma on Jan 12, '10 12:21:46PM

Wonderful hint with one exception, the version of tripwire that you link to seems to be based off tripwire-2.3.1 while the latest tripwire from the tripwire website is 2.4.1.2. I would advise to either go the macport route or just download the newer source from the tripwire site http://sourceforge.net/projects/tripwire/files/

What you have there is essentially a fork that seems to have been halted in development, the latest update being in 2004 to the site.

*Edit Dooh, not sure how I managed to make it a reply to the parent instead of making a new one.

Edited on Jan 12, '10 12:26:35PM by Blomma



Install and configure Tripwire from source
Authored by: JPry on Jan 12, '10 10:11:09AM
I'm running 10.6.2, and everything seemed to be working fine until I tried the "sudo make install" command. It will probably work on 10.6, but with some modification. I haven't checked to see what I need to do to fix it yet, but here's the output that followed that command, if anyone else would like to take a look at it:

$ sudo make install
Making install in man
Making install in man4
make[3]: Nothing to be done for `install-exec-am'.
test -z "/usr/local/share/man4" || /bin/sh ../../mkinstalldirs "/usr/local/share/man4"
mkdir /usr/local/share/man4
 /usr/bin/install -c -m 644 './twconfig.4' '/usr/local/share/man4/twconfig.4'
 /usr/bin/install -c -m 644 './twpolicy.4' '/usr/local/share/man4/twpolicy.4'
Making install in man5
make[3]: Nothing to be done for `install-exec-am'.
test -z "/usr/local/share/man5" || /bin/sh ../../mkinstalldirs "/usr/local/share/man5"
mkdir /usr/local/share/man5
 /usr/bin/install -c -m 644 './twfiles.5' '/usr/local/share/man5/twfiles.5'
Making install in man8
make[3]: Nothing to be done for `install-exec-am'.
test -z "/usr/local/share/man8" || /bin/sh ../../mkinstalldirs "/usr/local/share/man8"
mkdir /usr/local/share/man8
 /usr/bin/install -c -m 644 './siggen.8' '/usr/local/share/man8/siggen.8'
 /usr/bin/install -c -m 644 './tripwire.8' '/usr/local/share/man8/tripwire.8'
 /usr/bin/install -c -m 644 './twadmin.8' '/usr/local/share/man8/twadmin.8'
 /usr/bin/install -c -m 644 './twintro.8' '/usr/local/share/man8/twintro.8'
 /usr/bin/install -c -m 644 './twprint.8' '/usr/local/share/man8/twprint.8'
make[3]: Nothing to be done for `install-exec-am'.
make[3]: Nothing to be done for `install-data-am'.
Making install in src
Making install in cryptlib
make[3]: Nothing to be done for `install-exec-am'.
make[3]: Nothing to be done for `install-data-am'.
Making install in core
make[3]: Nothing to be done for `install-exec-am'.
make[3]: Nothing to be done for `install-data-am'.
Making install in db
make[3]: Nothing to be done for `install-exec-am'.
make[3]: Nothing to be done for `install-data-am'.
Making install in fco
g++ -DHAVE_CONFIG_H		 -I. -I. -I../.. -I..  -I/usr/local/include   -O -pipe -Wall -c -o fcodatasourceiter.o fcodatasourceiter.cpp
In file included from fcodatasourceiter.h:50,
                 from fcodatasourceiter.cpp:41:
fconame.h:147: error: ISO C++ forbids declaration of ‘cFCOName_i’ with no type
fconame.h:147: error: expected ‘;’ before ‘*’ token
make[2]: *** [fcodatasourceiter.o] Error 1
make[1]: *** [install-recursive] Error 1
make: *** [install-recursive] Error 1


Install and configure Tripwire from source
Authored by: sittered on Jan 12, '10 11:01:29AM

I received the same output after `sudo make install`. Also running 10.6.2.



Install and configure Tripwire from source
Authored by: parraccourci on Jan 12, '10 02:11:58PM

Me too.



use AIDE instead of Tripwire
Authored by: killee on Jan 26, '10 09:41:48PM

It's better to use AIDE (Advanced Intrusion Detection Engine) as a more modern variant of the freeware Tripwire. Find it at http://sourceforge.net/projects/aide/. It is not difficult to compile, if you have any problems visit the AIDE mailing list.

Cheers,
kelly

---
http://www.redbeet.com



A small correction
Authored by: klieb2002 on Jan 29, '10 11:40:00AM

Thanks for all who have tried the hint... I did find one error in my listings. In the section on updating the policy (tripwire -m p) the local key file may be different (there is a prefix that corresponds to your machine's network name). You can either use the actual filename that ends in local.key, or copy this longer filename to local.key. The latter is what I do. Other than that the hint seems to work on a clean install of 10.5 (verified this morning).

I'm sorry about the problems that Snow Leopard users seem to run into... my guess is that the compiler in 10.6 is not as forgiving. There is probably a command line switch that you can set to revert back to more tolerant behavior, but unfortunately I'm not running Snow Leopard; you'll have to look in the XCode docs for some sort of 'allow loose interpretation' sort of compiler switch. Once you find the switch details you'll have to edit the makefile to invoke it.



For those having trouble compiling tripwire under 10.6
Authored by: klieb2002 on Feb 02, '10 01:36:00PM

For those of you having trouble under Snow Leopard, and for the gentleperson who pointed out that my link to download the source was pretty old (2004)... you may want to go to the standard Sourceforge web page for tripwire and get the latest copy of source there. It appears that Paul Herman's portable tripwire was merged into the tree starting at the 2.4.xx level, and from there it has been tweaked to work with gcc 4.0. Perhaps these tweaks will get you past the problem that you've reported here. (It doesn't appear that there have been any changes to the working code itself, just the install procedure, so if you got it to install you're essentially running the latest code).

http://sourceforge.net/projects/tripwire/files/



For those having trouble compiling tripwire under 10.6
Authored by: klieb2002 on Dec 12, '12 10:22:12PM

It appears that if you download the latest source, which is tripwire-2.4.2.2-src as of this writing, it compiles just fine under Snow Leopard once you have done the sudo ./configure step. No fixup is necessary.

In a previous comment I noted the glitch regarding the local.key filename; that is still present in Snow Leopard. One other improvement I would suggest is to change the mandir parameter so that manual files are put directly into the directories where FreeBSD expects them:

sudo ./configure --prefix=/usr/local --sysconfdir=/private/etc/tripwire --mandir=/usr/share/man

Good luck!


