Install and configure Tripwire from source

Jan 12, '10 07:30:00AM

Contributed by: klieb2002

Tripwire is a set of open-source Unix command line utilities, spun off by the company of the same name that sells a more-capable commercial product; you can use it to verify the integrity of your system files, detect intrusions, and monitor what files get added or changed by your computer's software processes. For the slightly paranoid, it can have a calming effect.

Fortunately, it is relatively easy to run under OS X. Installing it, however, can be another story. Back in 2003, a member named frodo published a hint here on how to install Tripwire with a precompiled package that he had developed. Sadly, his website is no longer operational, so Mac OS X users who wish to use Tripwire have to muddle through the generic installation process for Unix boxes. This can be quite confusing, so I thought that it would be useful to document it in a step-by-step fashion. The following is based on the sources currently available.

The first step is to install the XCode tools so that you can perform compilation of the source; you don't need the latest and greatest, so you can simply install XCode from the CD or DVD that has your operating system install on it. Alternatively, you can join the Apple Developer Connection (free) and download XCode.

Next you need the source for Tripwire. Paul Herman's web site still has the portable Tripwire tarball available, so download tripwire-portable-0.9.tar.gz from there. Move the downloaded file to a convenient place (like Documents) in your user's folder hierarchy, and then double-click the downloaded file; it should expand into a folder of sources.

Open Terminal, and cd to the Documents/tripwire-portable-0.9 directory: cd ~/Documents/tripwire-portable-0.9. Acting as root using sudo, make some directories for tripwire:

sudo mkdir /private/etc/tripwire
sudo mkdir /usr/local

Tripwire uses hardcoded paths that are compiled into the program, so configure the installation and specify where you want tripwire to look for and store files:

sudo ./configure --prefix=/usr/local --sysconfdir=/private/etc/tripwire --mandir=/usr/local/share

configure will grind away checking for the development environment items it needs, and then return you to a Terminal prompt. Now you compile the actual source using the simple sudo make command. This will generate lots of warnings, but ultimately, it should succeed in creating executable binaries. However, you're not done yet; there is an install step: sudo make install

This last command will put the binaries in the correct directories, force you to read and accept the GNU license, and prompt you to create site and local passwords. It's a good idea to open Keychain Access at this point, and record the passwords that you just created in a new keychain entry. At this point, you technically have a working Tripwire system, and you can start issuing Terminal prompt commands to work with Tripwire. However, I find it easier to make simple-to-understand shell scripts to accomplish the common tasks (see end of hint).

Before we go further, you will need a little background on how Tripwire works. Tripwire has two important files, a policy file (tw.pol) and a database file (tw.db). The policy file is an encrypted (non-human-readable) file that specifies which directories are to be checked, to what level, and using which check methods. The database file (also encrypted) contains the results of the last saved check. Neither of these two files is directly accessible, except through the Tripwire binaries -- you can't edit the policy file directly with vi, for instance.

For security reasons, the way it works is that you must edit a text file called twpol.txt that corresponds to what you want the policy file to be, and then submit the text file to Tripwire for signing. The signing process results in a new encrypted policy file that you can't read or touch directly. Similarly, when you run Tripwire, it will often find changes have been made between the file system as it currently exists and the checksum data it has stored in its database. Tripwire then provides a way for you to review the differences, and optionally update the database.

For a general overview of how to use tripwire, type man twintro in Terminal, or consult this useful article on Tripwire, from the Linux Productivity Magazine.

The first useful thing you have to do with tripwire is initialize the database. The command to perform this step is: sudo /usr/local/sbin/tripwire -m i

You will find that this will generate a lot of warnings about files or directories missing -- you should take note of these and go back to edit the text version of the policy file (twpol.txt) to get rid of them, and then update the policy file. You need to do this as root, so use this command: sudo vi /private/etc/tripwire/twpol.txt.

One of the changes I made on a stock Leopard install: you should probably keep Tripwire from descending into the User directories until you have more experience with the policy file. To accomplish this, put a ! in front of the /Users entry so that it reads !/Users;. When you have made all the changes that you think will clean up the missing file warnings, save and quit vi. Now you must run tripwire to update the policy file, specifying the key to be used and the template policy file you just edited:

sudo /usr/local/sbin/tripwire -m p -L /private/etc/tripwire/local.key -Z low /private/etc/tripwire/twpol.txt

To run tripwire in check mode, type:

/usr/bin/sudo /usr/local/sbin/tripwire -m c

You may find that tripwire will report changes that are OK. If that's the case, you will want to update the database. You can do that with the following Terminal command, which will find the latest report file and submit it as the file to use in a database update command:

/usr/bin/sudo /usr/local/sbin/tripwire -m u -r `(ls /usr/local/lib/tripwire/report/*.twr | tail -n 1)`

You may also find that tripwire is reporting certain files that change as part of the normal course of events, and these show up all the time. You can go back and make changes to the policy file that take this into account; you might, for instance, want to check the permissions but not the size on log files, since they grow over time.
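An added excerpt of a twpol.txt edited along the lines described above (this is example policy text, not the hint's own file). The !/Users stop point is the one the hint describes; the log and binary rules, and the /private/var/log path, are assumptions for a Leopard box, and $(SIG_LOW)/$(SIG_HI) are the severity variables the stock twpol.txt template defines, while $(Growing) and $(ReadOnly) are Tripwire's built-in property masks.

```text
# Stop Tripwire descending into the home directories for now.
!/Users ;

# Log files grow: check owner, group, permissions and type, but not size,
# modification time or content hash, so routine growth is not reported.
(
  rulename = "Log files",
  severity = $(SIG_LOW)
)
{
  /private/var/log    -> $(Growing) ;
}

# The binaries Tripwire itself installed should never change at all.
(
  rulename = "Tripwire binaries",
  severity = $(SIG_HI)
)
{
  /usr/local/sbin/tripwire    -> $(ReadOnly) ;
  /usr/local/sbin/twadmin     -> $(ReadOnly) ;
  /usr/local/sbin/twprint     -> $(ReadOnly) ;
  /usr/local/sbin/siggen      -> $(ReadOnly) ;
}
```

After saving, re-sign the policy with the tripwire -m p command shown above; a plain-text edit has no effect until it is signed into tw.pol.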

By the way, I find it useful to put all the common Tripwire tasks (like update database) into little shell scripts with descriptive names. That way I can simply type something like ./update_database.sh instead of the much longer command above. Here are all the scripts that I've developed for tripwire:
init_database.sh
#!/bin/sh
/usr/bin/sudo /usr/local/sbin/tripwire -m i

run_tripwire.sh
#!/bin/sh
/usr/bin/sudo /usr/local/sbin/tripwire -m c

update_database.sh
#!/bin/sh
# find gives no ordering guarantee, so sort the report names (which end in a date-time stamp) before taking the last one
/usr/bin/sudo /usr/local/sbin/tripwire -m u -r `(/usr/bin/sudo find /usr/local/lib/tripwire/report -name "*.twr" -print | sort | tail -n 1)`

update_policy.sh
#!/bin/sh
sudo vi /private/etc/tripwire/twpol.txt
sudo /usr/local/sbin/tripwire -m p -L /private/etc/tripwire/local.key -Z low /private/etc/tripwire/twpol.txt

display_last.sh - displays the last report in the report directory
#!/bin/sh
sudo /usr/local/sbin/twprint -m r -r /usr/local/lib/tripwire/report/`(sudo ls /usr/local/lib/tripwire/report | fgrep twr | tail -n 1)` | more

To make these work, copy and paste them into an editor that understands Unix line feeds (I recommend TextWrangler, which is free from BareBones Software). Then make each one executable using chmod:

chmod u+x init_database.sh run_tripwire.sh update_database.sh update_policy.sh display_last.sh
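As an added example (not one of the hint's scripts), here is a sturdier update_database.sh: report names have the form host-YYYYMMDD-HHMMSS.twr, so sorting them puts the newest last, and the script refuses to run an update when no report exists instead of passing tripwire an empty path. REPORT_DIR and TRIPWIRE default to the paths used above and are assumptions.

```shell
#!/bin/sh
# Safer replacement for update_database.sh (added example, not from the hint).
REPORT_DIR="${REPORT_DIR:-/usr/local/lib/tripwire/report}"
TRIPWIRE="${TRIPWIRE:-/usr/local/sbin/tripwire}"

# Print the newest .twr report in directory $1; return 1 if there is none.
# Report names end in a date-time stamp, so a plain sort orders them by age.
latest_report() {
    dir="$1"
    newest=$(ls "$dir"/*.twr 2>/dev/null | sort | tail -n 1)
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# Run the database update against the newest report, or say why it cannot.
update_database() {
    report=$(latest_report "$REPORT_DIR") || {
        echo "no report found in $REPORT_DIR; run 'tripwire -m c' first" >&2
        return 1
    }
    echo "updating database from $report"
    sudo "$TRIPWIRE" -m u -r "$report"
}

# Only run the update when invoked as update_database.sh, so the functions
# above can also be sourced and reused from other scripts.
[ "${0##*/}" = "update_database.sh" ] && update_database
```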

[robg adds: I haven't tested this one, and any mistakes above are probably mine, due to editing mistakes. Please let me know if you see any. I believe this was used by the author in Leopard; I don't know if it works in Snow Leopard or not.]


Mac OS X Hints
http://hints.macworld.com/article.php?story=20100107214531811