1) Unzip and unpack the tripwire source distribution.

    # cd /usr/local/pkg
    # gunzip Tripwire-1.3.1-1.tar.gz
    # tar xvf Tripwire-1.3.1-1.tar
    x tw_ASR_1.3.1_src, 0 bytes, 0 tape blocks
    x tw_ASR_1.3.1_src/Changelog, 23945 bytes, 47 tape blocks
    x tw_ASR_1.3.1_src/COAST.info, 2201 bytes, 5 tape blocks
    x tw_ASR_1.3.1_src/FAQ, 5441 bytes, 11 tape blocks
    x tw_ASR_1.3.1_src/Makefile, 4075 bytes, 8 tape blocks
    x tw_ASR_1.3.1_src/NEWS, 4441 bytes, 9 tape blocks
    x tw_ASR_1.3.1_src/Ported, 12167 bytes, 24 tape blocks
    x tw_ASR_1.3.1_src/README, 40285 bytes, 79 tape blocks
    x tw_ASR_1.3.1_src/Whatsnew, 20370 bytes, 40 tape blocks
    ...

2) Edit the Makefile to define where the tripwire binary and man pages are installed. You will also need to define which install utility to use.

    # vi Makefile

    CHANGE:  DESTDIR = /usr/local/bin/tw
    TO:      DESTDIR = /usr/local/bin

    CHANGE:  MANDIR = /usr/man
    TO:      MANDIR = /usr/local/man

    CHANGE:  INSTALL= /usr/bin/install      # common
             #INSTALL= /usr/ucb/install     # Pyramid DC/OSx (SVR4)
    TO:      #INSTALL= /usr/bin/install     # common
             INSTALL= /usr/ucb/install      # Pyramid DC/OSx (SVR4)

3) Edit the include/config.h file to define the tripwire configuration file and database path. This consolidates all of the tripwire configuration components in the central directory /var/tripwire for easy administration. There are two "#define CONFIG_PATH" statements in this file; be sure to edit the bottom one, since the top one is enclosed in C-style comments.

    # vi include/config.h

    CHANGE:  #define CONFIG_PATH "/usr/local/bin/tw"
    TO:      #define CONFIG_PATH "/var/tripwire"

4) Create the corresponding man page directories if they do not already exist.

    # mkdir -p /usr/local/man/man5
    # mkdir -p /usr/local/man/man8

5) Compile, test, and install tripwire.
    # make install
    (cd util; make CC=gcc LDFLAGS="-ldl " CPP="gcc ...
    make[1]: Entering directory `/usr/local/pkg/tw_ASR_1.3.1_src/util'
    ...

    # make test
    ...
    === test.update.sh: testing GROWING (safe) files ===
    === test.update.sh: testing GROWING (unsafe) files ===
    === test.update.sh: testing ADDED files ===
    === test.update.sh: testing DELETED files ===
    === test.update.sh: testing CHANGED files ===
    ...

6) Now that tripwire is installed, create a tripwire configuration file that tells tripwire which files to generate signatures for.

    # vi /var/tripwire/tw.config
    /etc/passwd        R
    /var/adm/wtmpx     L
    /usr/bin           R

7) Use tripwire to generate a database of signatures. Be sure to be in the /var/tripwire directory.

    # cd /var/tripwire
    # tripwire -initialize
    Tripwire(tm) ASR (Academic Source Release) 1.3.1
    File Integrity Assessment Software
    (c) 1992, Purdue Research Foundation, (c) 1997, 1999 Tripwire Security
    Systems, Inc. All Rights Reserved. Use Restricted to Authorized Licensees.
    ### Warning: creating ./databases directory!
    ###
    ### Phase 1:   Reading configuration file
    ### Phase 2:   Generating file list
    ### Phase 3:   Creating file information database
    ...

8) Run a standard integrity check. You will have to copy the tripwire database up one level from /var/tripwire/databases to /var/tripwire, because the compile-time CONFIG_PATH setting from step 3 tells tripwire to look for the database in /var/tripwire.

    # cp databases/tw.db_simms .
    # tripwire
    Tripwire(tm) ASR (Academic Source Release) 1.3.1
    File Integrity Assessment Software
    (c) 1992, Purdue Research Foundation, (c) 1997, 1999 Tripwire Security
    Systems, Inc. All Rights Reserved. Use Restricted to Authorized Licensees.
    ### Phase 1:   Reading configuration file
    ### Phase 2:   Generating file list
    ### Phase 3:   Creating file information database
    ### Phase 4:   Searching for inconsistencies
    ###
    ### All files match Tripwire database.  Looks okay!
    ###

9) Switch personal identities and become a "blackhat." Assume that you have compromised the server and you are now going to install some backdoors.
    o Create a duplicate super-user account in /etc/passwd.

        # vi /etc/passwd
        root:x:0:1::/:
        daemon:x:1:1::/:
        deamon:x:0:1::/:     <---------- add deamon account with UID of 0

    o Make wtmpx world accessible.

        # chmod 777 /var/adm/wtmpx

    o Create an SUID shell in /bin.

        # cp /bin/ksh /bin/pageout
        # chmod 6555 /bin/pageout

10) As a system administrator, run a tripwire integrity check to see if tripwire detected the changes.

    # tripwire
    Tripwire(tm) ASR (Academic Source Release) 1.3.1
    File Integrity Assessment Software
    (c) 1992, Purdue Research Foundation, (c) 1997, 1999 Tripwire Security
    Systems, Inc. All Rights Reserved. Use Restricted to Authorized Licensees.
    ### Phase 1:   Reading configuration file
    ### Phase 2:   Generating file list
    ### Phase 3:   Creating file information database
    ### Phase 4:   Searching for inconsistencies
    ###
    ###                     Total files scanned:        624
    ###                           Files added:          1
    ###                           Files deleted:        0
    ###                           Files changed:        2
    ###
    ###                     Total file violations:      3
    ###
    added:   -r-xr-xr-x root     209136 Jul 31 15:56:29 2002 /usr/bin/pageout
    changed: -r--r--r-- root        878 Jul 31 15:57:09 2002 /etc/passwd
    changed: -rwxrwxrwx adm       50964 Jul 31 12:18:18 2002 /var/adm/wtmpx
    ### Phase 5:   Generating observed/expected pairs for changed files
    ###
    ### Attr        Observed (what it is)         Expected (what it should be)
    ### =========== ============================= =============================
    /etc/passwd
          st_size:        878                       861
          st_mtime:       Wed Jul 31 15:57:09 2002  Wed Jul 31 15:55:47 2002
          st_ctime:       Wed Jul 31 15:57:09 2002  Wed Jul 31 15:55:47 2002
          md5 (sig1):     2.64hXGGwl:doDvnCwt6o5    0CNVfQHMeAR6qMeqoljEah
          snefru (sig2):  3oNDAoWJLLVMWDPJ6rEIbX    2ftXZqVVGfl3r2itqCbuNR
    /var/adm/wtmpx
          st_mode:        100777                    100644

11) The tripwire utility was able to locate all 3 "blackhat" changes on the system.
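To make concrete what tripwire is doing in phases 2 through 5 of steps 7, 8 and 10, here is an added example written for this page; it is not Tripwire code and not part of the original lab. It parses a tw.config-style list, builds a baseline database (mode, owner, size, mtime and an MD5 signature per file), replays the three step-9 changes on a constructed directory tree under a temporary directory, and reports added, deleted and changed files with observed/expected pairs the way step 10 does. Its treatment of the R and L select flags is an assumed simplification of tripwire's select masks (R compares every recorded attribute; L compares only mode and ownership, so a growing log file is not flagged but a chmod on it is), and directories are compared by mode and ownership only, a choice made here so that adding a file reports the file rather than its parent directory as well. The file contents, account lines and paths are constructed sample data.

```python
import hashlib
import os
import shutil
import stat
import tempfile

# Attributes compared per select flag (assumed simplification of tripwire's masks):
# R = read-only, all must match; L = log file that may grow, so only mode and owner.
FLAG_ATTRS = {"R": ("st_mode", "st_uid", "st_gid", "st_size", "st_mtime", "md5"),
              "L": ("st_mode", "st_uid", "st_gid")}

def parse_config(text):
    """Parse 'path flag' lines like the tw.config from step 6 ('#' starts a comment)."""
    fields = [line.split("#", 1)[0].split() for line in text.splitlines()]
    return [(f[0], f[1]) for f in fields if f]

def file_record(full):
    """Phase 3: the attributes stored for one file (st_mode printed as tripwire does)."""
    st = os.lstat(full)
    rec = {"is_dir": stat.S_ISDIR(st.st_mode), "st_mode": "%o" % st.st_mode,
           "st_uid": st.st_uid, "st_gid": st.st_gid, "st_size": st.st_size,
           "st_mtime": int(st.st_mtime), "md5": None}
    if stat.S_ISREG(st.st_mode):
        with open(full, "rb") as f:
            rec["md5"] = hashlib.md5(f.read()).hexdigest()
    return rec

def generate_file_list(config, root):
    """Phase 2: expand the config; entries below a directory inherit its flag.
    Keys are the logical tw.config paths; `root` is only prepended to stat."""
    files = {}
    for path, flag in config:
        full = root + path
        if os.path.isdir(full) and not os.path.islink(full):
            for dirpath, _dirs, names in os.walk(full):
                files[dirpath[len(root):]] = flag
                for name in names:
                    files[dirpath[len(root):] + "/" + name] = flag
        elif os.path.lexists(full):
            files[path] = flag
    return files

def initialize(config, root):
    """Like `tripwire -initialize`: build the baseline database."""
    return {p: (f, file_record(root + p)) for p, f in generate_file_list(config, root).items()}

def integrity_check(config, database, root):
    """Phases 4 and 5 of `tripwire`: compare the live tree with the baseline."""
    current = initialize(config, root)
    report = {"added": [], "deleted": [], "changed": {}}
    for p in sorted(set(current) | set(database)):
        if p not in database:
            report["added"].append(p)
        elif p not in current:
            report["deleted"].append(p)
        else:
            (flag, expected), observed = database[p], current[p][1]
            # Directories get the L treatment: adding a child changes their size/mtime,
            # and the added child is reported on its own.
            attrs = FLAG_ATTRS["L"] if expected["is_dir"] else FLAG_ATTRS[flag]
            diffs = {a: (observed[a], expected[a]) for a in attrs if observed[a] != expected[a]}
            if diffs:
                report["changed"][p] = diffs
    return report

def format_report(report):
    """Summarise a report in the spirit of tripwire's phase 4/5 output."""
    out = ["### added: %d  deleted: %d  changed: %d" % tuple(len(v) for v in report.values())]
    out += ["added:   " + p for p in report["added"]] + ["deleted: " + p for p in report["deleted"]]
    for p, diffs in report["changed"].items():
        out += ["changed: %s  %s observed=%s expected=%s" % (p, a, o, e) for a, (o, e) in diffs.items()]
    return "\n".join(out)

def put(root, path, data, mode=None):
    """Demo helper: create or append a constructed file, optionally chmod it."""
    with open(root + path, "ab") as f:
        f.write(data)
    if mode is not None:
        os.chmod(root + path, mode)

def demo():
    """Replay steps 6-10 under a temp dir; returns the clean and the tampered report."""
    root = tempfile.mkdtemp()
    try:
        for d in ("/etc", "/var/adm", "/usr/bin"):
            os.makedirs(root + d)
        put(root, "/etc/passwd", b"root:x:0:1::/:\ndaemon:x:1:1::/:\n", 0o644)
        put(root, "/var/adm/wtmpx", b"\x00" * 64, 0o644)
        put(root, "/usr/bin/ksh", b"#!/bin/sh\n", 0o555)       # stand-in for the shell binary
        config = parse_config("/etc/passwd R\n/var/adm/wtmpx L\n/usr/bin R\n")
        db = initialize(config, root)                           # step 7
        clean = integrity_check(config, db, root)               # step 8
        # step 9: the three "blackhat" changes, plus ordinary growth of wtmpx
        put(root, "/etc/passwd", b"deamon:x:0:1::/:\n")         # second UID-0 account
        put(root, "/var/adm/wtmpx", b"\x00" * 32, 0o777)        # grows (fine), world-writable (not)
        put(root, "/usr/bin/pageout", b"#!/bin/sh\n", 0o6555)   # SUID copy of the shell
        return clean, integrity_check(config, db, root)         # step 10
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for label, rep in zip(("step 8", "step 10"), demo()):
        print("--- %s ---\n%s" % (label, format_report(rep)))
```

Run it directly to see the two reports: the first is empty, the second lists /usr/bin/pageout as added and /etc/passwd and /var/adm/wtmpx as changed, with wtmpx showing only the st_mode difference because its growth is ignored under L. The example also shows why step 8's copy of the database matters for the whole scheme: whoever can write the baseline (the `db` dictionary here, tw.db_simms in the lab) can re-initialize over a tampered system, so the real database is only as trustworthy as the protection on where it is stored.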