Using Tripwire on a Network with LANTrip

If you're like me, you probably have a bunch of UNIX machines to take care of.  You are also probably the paranoid type.  Tripwire is a great utility for checking the integrity of files on a system.  Although more advanced file integrity tools exist, Tripwire, specifically Tripwire ASR (Academic Source Release), is already in wide use and has withstood the test of time.  This makes Tripwire an ideal tool to be used with a network file integrity tool such as LANTrip.
 
Tripwire works by checking to see what has changed on your system by monitoring key attributes of files that should not change, including size, file permissions, and ownership.  It also checks the last access, modification, and change times.  In addition, Tripwire checks whether the binary signatures of the monitored files have changed.  To scan for all of these possible inconsistencies Tripwire needs two databases: an initial database containing the file information for all of the files that need to be monitored, and a comparison database which contains the current file information.  It then compares these two databases to determine what has changed.  Ideally the initial database then needs to be transferred to read-only media, so that it becomes impossible for an intruder to alter the initial database in any way.

This is a great system for a single machine or even a handful, but it turns into a hassle, and becomes infeasible in time and money, when it comes to a few dozen machines or more.  Burning CDs for every system image is not practical, and making changes to these systems requires a new CD to be made.  Write-once hardware for every machine may also be outside your IT budget.  Is there a better way of doing this?  Yes.  This is where LANTrip steps in.

LANTrip works by storing, on a central host, a Tripwire binary installation for each OS/architecture combination on which Tripwire is to be used.  We shall call the machine that stores the Tripwire installations and copies them over to other machines for comparison the central host.  Any machine that Tripwire will run on will be called a client.  At a certain time (optionally random), a copy of the Tripwire installation and file integrity databases is copied from the central host to a random directory on each client and executed there.  The results are recorded, and the Tripwire installation is deleted from the random directory.

Installing LANTrip on the Central Host

The central host should be a machine that is secure, preferably running no services at all.  The central host can even be a primary authentication server: if that machine is compromised, you are already in big trouble anyway.  Not much in CPU power or RAM is needed.  A simple 133MHz PC or SPARCstation with 64MB will do.  However, a large hard drive may be needed depending on how many LANTrip clients there will be.  Obtain the LANTrip tar ball from:

	http://www.undersea.net/seanm/software/lantrip/lantrip-1.1.tar.gz

Next, decompress it into a directory of your choice.  In this article, we will use /opt/lantrip-1.1 as the install directory.  Make sure the directory is located on a partition with plenty of space.  Expect 70MB of room for an installation of just five machines, and at least a gigabyte of space for a small network.

# gzip -dc lantrip-1.1.tar.gz | tar -xf - 
# cd lantrip-1.1/data

Edit the hosts.conf file.  Entries for this configuration must conform to the following format: 

Hostname	RemoteUser	OS_Architecture

Here is an example hosts.conf file:

damsel		tripwire	Linux_x86
chromis		tripwire	Linux_x86
clownfish	tripwire	OpenBSD_Alpha
trunkfish	tripwire	Tru64_Alpha
electriceel	tripwire	Solaris_SPARC

After you have edited the hosts.conf file, edit the rand_dir.conf file.  This file provides the first layer of randomness in the location where the Tripwire binaries are to be copied to on the client machines.  Randomness improves the overall security of the system by making it difficult for an intruder to figure out where the Tripwire installation resides, and where it will show up next.  The directories listed in this file must exist on all machines, and must be writable by the tripwire user on each machine.  Here is an example rand_dir.conf file:

/var/tmp
/tmp

A simple /tmp entry will also suffice, as almost every flavor of UNIX has this directory available.  The more directories available and writable by the tripwire user, the better in terms of randomness.  Edit lantrip_report.pl, located in the parent of the directory you are currently in, and change the values of the e-mail addresses so that the reports are sent to the right people.  Run the following commands after editing these files:

# ./mkdirs
# groupadd tripwire
# useradd -d /opt/tripwire -g tripwire -s /bin/sh tripwire
# mkdir /opt/tripwire
# mkdir /opt/tripwire/.ssh
# chown -R tripwire:tripwire /opt/tripwire

The mkdirs script will create all the necessary directories for each OS and architecture listed in the hosts.conf file.  The parameter syntax of the useradd command may differ between platforms: adduser will most probably have to replace useradd and groupadd if your system is a BSD variant.  If later on you decide to add another machine to your LANTrip network whose OS and architecture differ from those already listed in hosts.conf, simply run the mkdirs script again.  In these directories, the Tripwire binary installations will be stored, along with the initial databases for each host.

Configuring the First Client Machine

The system requirements for a LANTrip client are no more than the recommended requirements for running Tripwire.  If you plan on running LANTrip on a client machine that is heavily loaded, make sure that the program is executed during off-peak hours, as Tripwire can bog down a system at times.  Download the Tripwire Academic Source Release, which can be found at:

http://www.tripwire.com/files/downloads/asr/Tripwire-1.3.1-1.tar.gz

Then run:

# gzip -dc Tripwire-1.3.1-1.tar.gz | tar -xf -

Create a user named tripwire on the client system:

# groupadd tripwire
# useradd -d /opt/tripwire -g tripwire -s /bin/sh tripwire
# mkdir /opt/tripwire
# mkdir /opt/tripwire/.ssh
# chown -R tripwire:tripwire /opt/tripwire
 
Do not compile the Tripwire source code at this point.  Next, download and install OpenSSH if you don't have it running already.  LANTrip requires OpenSSH (http://www.openssh.org); the latest version as of this article is 3.6.1.  For OpenBSD, sshd can be found at:

ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-3.6.1.tgz

For all other platforms, sshd can be found at:

ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.6p1.tar.gz

As usual, run the following commands to install it:

# gzip -dc openssh-3.6p1.tar.gz | tar -xf -
# cd openssh-3.6p1 ; ./configure ; make ; make install

Copy over lantrip-1.1.tar.gz to a directory on the client machine and run:

# gzip -dc lantrip-1.1.tar.gz | tar -xf -
# cd lantrip-1.1
# ./lantrip_client.pl

The last command will prompt you for the location of your Tripwire ASR source tree and the location of your sshd configuration file.  It will edit Tripwire's Makefile and config.h header file and set the location of its configuration files and database files to relative path names so that Tripwire can be executed from any directory.  It will change sshd_config and set RSAHostsAllow to Yes.  Make sure to restart sshd after the configuration changes have been made, as sshd needs to be restarted to load them.  The configuration script will also proceed to compile Tripwire.  After it has completed, you will have to copy your client's Tripwire installation over to the central host.  This only needs to be done once for each platform and architecture, and can be completed like so:

# tar -cf - . | gzip > tw_OS_ARCHITECTURE.tar.gz
# scp tw_OS_ARCHITECTURE.tar.gz \
     central_host:/LOCATION_OF_LANTRIP/data/r_databases/OS_ARCHITECTURE/tw_OS_ARCHITECTURE.tar.gz

OS_ARCHITECTURE should be replaced with its respective value.  For example, on a Solaris SPARC system, the compressed Tripwire installation should be named tw_Solaris_SPARC.tar.gz.  This name must also match the OS_ARCHITECTURE value in your hosts.conf file.  Failure to name the compressed Tripwire binary package correctly will result in the client machine being skipped over, as LANTrip uses this value to identify the correct binary installation for your client's OS and architecture.  You can skip copying over a Tripwire installation if the next client machine on your list is of the same OS and architecture.
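Because a missing or misnamed tw_OS_ARCHITECTURE.tar.gz makes LANTrip skip a client silently, it is worth checking the central host's data directory before the first run.  The following pre-flight script is an added example and not part of LANTrip; it assumes only the layout the article describes (data/hosts.conf, data/rand_dir.conf and data/r_databases/OS_ARCH/tw_OS_ARCH.tar.gz) and builds a constructed sample tree so it can be tried offline:

```shell
#!/bin/sh
# Added pre-flight check for the central host, not part of LANTrip: confirm
# that every host in hosts.conf has a Tripwire package at
# DATA/r_databases/OS_ARCH/tw_OS_ARCH.tar.gz (a missing or misnamed package
# makes LANTrip skip that client) and that every rand_dir.conf entry is an
# absolute path.  DATA is the lantrip-1.1/data directory.
#
# lantrip_preflight DATA
#   prints "MISSING host os_arch path" or "BADDIR entry" per problem found;
#   returns 0 only when nothing was reported.
lantrip_preflight() {
    data=$1; problems=0
    # hosts.conf fields: Hostname RemoteUser OS_Architecture
    while read -r host user osarch rest; do
        case $host in ''|'#'*) continue ;; esac
        pkg="$data/r_databases/$osarch/tw_$osarch.tar.gz"
        if [ ! -s "$pkg" ]; then
            echo "MISSING $host $osarch $pkg"
            problems=$((problems + 1))
        fi
    done < "$data/hosts.conf"
    while read -r dir rest; do
        case $dir in
            ''|'#'*) continue ;;
            /*) ;;
            *) echo "BADDIR $dir"; problems=$((problems + 1)) ;;
        esac
    done < "$data/rand_dir.conf"
    [ "$problems" -eq 0 ]
}

# make_sample_tree: constructed data directory mirroring the article's
# hosts.conf, with Tripwire builds uploaded for only two of the four
# platforms and one relative rand_dir.conf entry.  Prints its path.
make_sample_tree() {
    dir=$(mktemp -d)
    printf '%s\n' 'damsel      tripwire  Linux_x86' \
        'chromis     tripwire  Linux_x86' \
        'clownfish   tripwire  OpenBSD_Alpha' \
        'trunkfish   tripwire  Tru64_Alpha' \
        'electriceel tripwire  Solaris_SPARC' > "$dir/hosts.conf"
    printf '%s\n' /var/tmp /tmp tmp > "$dir/rand_dir.conf"
    for osarch in Linux_x86 Solaris_SPARC; do
        mkdir -p "$dir/r_databases/$osarch"
        echo 'constructed placeholder, not a real tarball' \
            > "$dir/r_databases/$osarch/tw_$osarch.tar.gz"
    done
    echo "$dir"
}
```

Run it against the real tree with `lantrip_preflight /opt/lantrip-1.1/data` as the tripwire user; on the sample tree it reports clownfish and trunkfish as skipped and flags the relative entry.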

Final Configuration Steps on the Central Host

Back on the central host there are still a few more steps that need to be completed before the system is operational.  First, the central host's id_dsa.pub key needs to be in the ~/.ssh/authorized_keys2 file of the user that is to run LANTrip on the client machine.  This is needed so that passwordless access to the client machine can be allowed.  The client machine's IP address and DSA key fingerprint need to be added to the central host's ~/.ssh/known_hosts.  The easiest way to do all of this is to simply run the following on the central host:

# su - tripwire
$ ssh-keygen -t dsa
$ scp ~/.ssh/id_dsa.pub \
     root@client.example.com:/opt/tripwire/.ssh/new_key
$ ssh -l root client.example.com
  The authenticity of host 'client.example.com (192.168.10.1)' can't be
  established.
  DSA key fingerprint is 9c:0a:9e:7a:74:c5:74:a4:8e:8a:e7:1b:c7:47:59:46.
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added 'client.example.com' (DSA) to the list of known
  hosts.
# cd /opt/tripwire/.ssh ; cat new_key >> authorized_keys2 ; rm new_key
# chown -R tripwire:tripwire /opt/tripwire ; exit
$ 

When you are prompted with a question asking whether you want to store the host's host key, answer yes.

Next we will have to create an initial database for every host.  This can be done by running:

$ ./lantrip.pl -i

If you are prompted for a password, then something is not correctly set up.  Go over the previous steps for setting up passwordless ssh access.  The last step that needs completion is to create a crontab entry for the LANTrip process.  For a second layer of randomness, we shall add a crontab entry that schedules a random run.  A random run time makes it even more difficult for a potential intruder to defeat the system.  To do this, we will use the at command.  Add the following crontab entry to your system:

$ crontab -e
  #
  # crontab
  #
  # Run tw_report @ 1:10am every day.
  10 1 * * *   /opt/lantrip-1.1/run_lantrip.pl

The run_lantrip.pl script will create a random at job for the LANTrip system.  Edit run_lantrip.pl if you wish for LANTrip to not run randomly, or for LANTrip to run randomly during a specified interval of time.  Notice in this example crontab entry we specified /opt/lantrip-1.1 as the install directory.  If you installed LANTrip somewhere else, make sure you enter the correct path for run_lantrip.pl in your crontab entry.

Tripwire can be expensive in terms of system resources depending on your client's system.  Care and consideration should be taken in scheduling what time LANTrip is to remotely execute Tripwire on the client machines.

The LANTrip reporter requires Mail::Sendmail to be installed.  Install the module by issuing the following command:

# perl -MCPAN -e 'install Mail::Sendmail'

Pros and Cons

This system may even be more effective than using read-only media to do the file integrity comparison.  An attacker has a very small amount of time to create a false database, analyze it, and place it in the random directory to fool the central host.  Plus, this system is not in wide enough use for an attacker to plan for it.  Any anomaly in the database comparison report, or receiving no report for a given client, should be fully investigated.

One disadvantage of the system is that not all essential files can be monitored, since the user running Tripwire (tripwire in our example) won't have access rights to some files.  Changing the access rights on these files so that the Tripwire user can monitor them is one solution to this problem.  Some people may be wary of setting RSAHostsAllow to Yes, but if you look at it carefully, it is no greater a threat than allowing keyboard input for authentication.

Analyzing the Data

LANTrip also comes with an output parser that generates an e-mail based report to be sent to a given address.  While looking through your Tripwire reports day to day, you may need to update certain hosts' databases if you have altered, removed, or added files on those systems.  To update a database (or, more precisely, re-initialize it), run the following as the tripwire user:

$ lantrip.pl -i <host_name>

To update all hosts' databases, run:

$ lantrip.pl -i

The Future of LANTrip

Future additions to LANTrip will be SQL support for the Tripwire databases, and support for database transfers via mechanisms other than ssh.  A Java based GUI is also in the works.  LANTrip will also support different file integrity tools such as AIDE and the Open Source version of Tripwire (www.tripwire.org).


Conclusion

A file integrity system is a must have if you want solid peace of mind about your systems' security.  Combined with other security tools, you can rest assured that you will know whether a system of yours has been compromised.  With the help of LANTrip, file integrity checking is a hassle no more.

