Sys Admin, Volume 12, Issue 10 (October 2003)

Using Tripwire on a Network with LANTrip

Sean Mostafavi

Tripwire is a great utility for checking the integrity of files on a system. Although more advanced file integrity tools exist, Tripwire, specifically Tripwire ASR (Academic Source Release), is already in wide use and has withstood the test of time. Tripwire works by monitoring key attributes of files that should not change, including size, permissions, and ownership, and reporting what has changed. It also checks the last access, modification, and inode change times. This makes Tripwire an ideal tool to combine with a network file integrity tool such as LANTrip.

Tripwire also checks whether the signatures (checksums such as MD5 and Snefru) of the monitored files have changed. To scan for all possible inconsistencies, Tripwire needs two sets of data: a baseline database containing the recorded attributes and signatures of every file to be monitored, and a fresh snapshot of the same files taken at check time. Tripwire compares the two to determine what has changed. The baseline database should ideally be kept on read-only media so that an intruder cannot alter it to match the files he has changed.

This is a great system for a single machine or even a handful, but it turns into a hassle in both time and money when it comes to a few dozen machines or more. Burning CDs for every system image is not practical, and making changes to these systems requires a new CD. Write-once hardware for every machine may also be outside your IT budget. This is where LANTrip comes in.

LANTrip works by storing, on a central host, a compiled Tripwire installation for every OS and architecture combination on which Tripwire is to run. The machine that stores these installations and copies them to other machines for comparison is referred to here as the central host; any machine on which Tripwire will run is called a client. At a scheduled (optionally random) time, a copy of the Tripwire installation and the host's integrity database is copied from the central host into a randomly chosen directory on each client and executed there. The results are recorded, and the Tripwire installation is deleted from the random directory.

Installing LANTrip on the Central Host

The central host should be a secure machine, preferably running no network services at all. It can even be a primary authentication server, since if that machine is compromised you are already in big trouble anyway. Not much CPU or RAM is needed; a 133-MHz PC or SPARCstation with 64 MB will do. A large disk may be needed, however, depending on how many LANTrip clients there will be. You can obtain the LANTrip tarball from the Sys Admin Web site or from:

http://www.undersea.net/seanm/software/lantrip/LANTrip-1.0.tar.gz
Decompress it into a directory you choose. I will use /opt/lantrip-1.0 as the install directory. Make sure the directory is located on a partition with plenty of space. Expect 70 MB of space for an installation of just five machines, and at least a gigabyte of space for a small network:

# gzip -dc LANTrip-1.0.tar.gz | tar -xf -
# cd lantrip-1.0/data
Edit the hosts.conf file. Entries for this configuration must conform to the following format:

Hostname       RemoteUser    OS_Architecture
Here is an example hosts.conf file:

damsel         tripwire    Linux_x86
chromis        tripwire    Linux_x86
clownfish      tripwire    OpenBSD_Alpha
trunkfish      tripwire    Tru64_Alpha
electriceel    tripwire    Solaris_SPARC
After you have edited the hosts.conf file, edit the rand_dir.conf file. This file provides the first layer of randomness in the location where the Tripwire binaries are copied onto the client machines. Randomness improves the overall security of the system by making it difficult for an intruder to determine where the Tripwire installation resides, and where it will show up next. The directories listed in this file must exist on all machines and must be writable by the tripwire user on each machine. Here is a sample rand_dir.conf file:

/var/tmp
/tmp
A single /tmp entry will also suffice, as almost every flavor of Unix has this directory. The more directories that exist and are writable by the tripwire user, the better in terms of randomness. Bear in mind that /tmp and /var/tmp are world-writable, so any local user can watch them; where you can, add a directory owned by the tripwire user with mode 700 (under /opt/tripwire, for example), which only that user and root can look into. Edit lantrip_report.pl, located in the parent directory of the one you are in (lantrip-1.0), and change the e-mail addresses so that the reports are sent to the appropriate people. Run the following commands after editing these files:

# ./mkdirs
# groupadd tripwire
# useradd -d /opt/tripwire -g tripwire -s /bin/sh tripwire
# mkdir /opt/tripwire
# mkdir /opt/tripwire/.ssh
# chmod 700 /opt/tripwire/.ssh
# chown -R tripwire:tripwire /opt/tripwire
The mkdirs script creates all the necessary directories for each OS and architecture listed in the hosts.conf file. The group is created first so that useradd can assign it, and the options are given before the login name, which is the order every useradd accepts; the exact parameter syntax may still differ according to platform, and adduser will likely have to replace useradd and groupadd if your system is a BSD variant. The .ssh directory is made mode 700 because sshd (with its default StrictModes setting) refuses keys in a directory that other users can write to. If you decide later to add another machine to your LANTrip network with a different OS and architecture than those listed in hosts.conf, simply run the mkdirs script again. In these directories, Tripwire binary installations will be stored, along with initial databases for each host.
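The cycle described above, end to end, as an added example. This script is not LANTrip's own code: it reads hosts.conf and rand_dir.conf in the formats shown, creates a random directory on the client, copies the host's Tripwire package into it, runs the check, stores the report on the central host and removes the directory. The install path, a reports directory, the package layout (tw_OS_ARCH.tar.gz unpacking to a tripwire directory whose tripwire binary performs the check) and the added/deleted/changed report prefixes are assumptions made for the example.

```shell
#!/bin/sh
# lantrip_cycle.sh: one LANTrip-style integrity run, driven from the central host.
# Added example, not LANTrip's own code.  Assumed: the install path, a reports
# directory, and that tw_OS_ARCH.tar.gz unpacks to ./tripwire/tripwire, which
# runs a check and prefixes differences with added:/deleted:/changed:.
set -u

LANTRIP_DATA=${LANTRIP_DATA:-/opt/lantrip-1.0/data}
LANTRIP_REPORTS=${LANTRIP_REPORTS:-/opt/lantrip-1.0/reports}
SSH=${SSH:-ssh}    # overridable so the cycle can be rehearsed without a network
SCP=${SCP:-scp}

# Print "host user os_arch" for every non-comment line of hosts.conf.
read_hosts() {
    awk 'NF == 3 && $1 !~ /^#/ { print $1, $2, $3 }' "$1"
}

# Choose one base directory at random from rand_dir.conf (first layer of randomness).
pick_base_dir() {
    awk '$0 !~ /^#/ && NF { dir[n++] = $1 }
         END { if (n) { srand(); print dir[int(rand() * n)] } }' "$1"
}

# Run Tripwire once on one client.  Returns 0 for a clean report, 1 when the
# report lists added/deleted/changed files, 2 when no package exists for the
# client's OS_ARCH, and 3 when no complete report came back.  Treat 3 as
# seriously as 1: a silent client is exactly what an intruder would want.
lantrip_cycle() {
    host=$1 user=$2 osarch=$3
    tarball=$LANTRIP_DATA/r_databases/$osarch/tw_$osarch.tar.gz
    if [ ! -f "$tarball" ]; then
        echo "$host: no Tripwire package for $osarch, skipping" >&2; return 2
    fi
    base=$(pick_base_dir "$LANTRIP_DATA/rand_dir.conf")
    [ -n "$base" ] || { echo "rand_dir.conf is empty" >&2; return 3; }
    # Per-run random component: mktemp picks an unpredictable name and refuses a
    # pre-planted file or symlink, unlike mkdir of a name an intruder could guess.
    rdir=$($SSH -o BatchMode=yes "$user@$host" "mktemp -d $base/.XXXXXXXX") || {
        echo "$host: cannot create work directory on client" >&2; return 3; }
    $SCP -q -o BatchMode=yes "$tarball" "$user@$host:$rdir/tw.tar.gz" || {
        echo "$host: copy failed" >&2; return 3; }
    mkdir -p "$LANTRIP_REPORTS"
    report=$LANTRIP_REPORTS/$host.$(date +%Y%m%d%H%M%S)
    # Unpack, run and remove in one session.  LANTRIP_DONE is printed only if
    # Tripwire was actually executed, so "clean" can be told apart from
    # "never ran" without depending on Tripwire's exit status.
    $SSH -o BatchMode=yes "$user@$host" \
        "cd $rdir && gzip -dc tw.tar.gz | tar -xf - && cd tripwire && { ./tripwire; echo LANTRIP_DONE; }; cd / && rm -rf $rdir" \
        >"$report" 2>&1
    if ! grep -qx LANTRIP_DONE "$report"; then
        echo "$host: no complete report, investigate $report" >&2; return 3
    fi
    # Tripwire ASR report lines for differences start with added:/deleted:/changed: (assumed).
    if grep -Eq '^(added|deleted|changed):' "$report"; then
        echo "$host: changes reported, see $report" >&2; return 1
    fi
    echo "$host: clean, see $report" >&2
}

# Run every host in hosts.conf; returns the number of hosts that were not clean.
lantrip_all() {
    failed=0
    while read -r host user osarch; do
        lantrip_cycle "$host" "$user" "$osarch" || failed=$((failed + 1))
    done <<EOF
$(read_hosts "$LANTRIP_DATA/hosts.conf")
EOF
    return $failed
}
```

Source the file as the tripwire user and call lantrip_all, or lantrip_cycle host user os_arch for a single client. The ssh and scp commands are taken from $SSH and $SCP so the whole cycle can be rehearsed locally before it is trusted with real hosts; the return codes distinguish a clean run, a report with differences, a missing package and, most importantly, a client that returned no complete report.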

Configuring the First Client Machine

The system requirements for the LANTrip client are no more than the recommended requirements for running Tripwire. If you plan to run LANTrip on a client machine that is heavily loaded, make sure that the program is executed during off-peak hours, as Tripwire can bog down a system at times. Download the Tripwire Academic Source Release, which can be found at:

http://www.tripwire.com/files/downloads/asr/Tripwire-1.3.1-1.tar.gz
Then run:

# gzip -dc Tripwire-1.3.1-1.tar.gz | tar -xf -
Create a user named "tripwire" on the client system:

# groupadd tripwire
# useradd -d /opt/tripwire -g tripwire -s /bin/sh tripwire
# mkdir /opt/tripwire
# mkdir /opt/tripwire/.ssh
# chmod 700 /opt/tripwire/.ssh
# chown -R tripwire:tripwire /opt/tripwire
Do not compile the Tripwire source code at this point. Instead, download and install OpenSSH if you don't have it running already; LANTrip requires it. The latest version (as of this article) is 3.6.1, and it can be found at:

http://www.openssh.org
For OpenBSD, sshd can be found at:

ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-3.6.1.tgz
For all other platforms, sshd can be found at:

ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.6p1.tar.gz
As usual, run the following commands to install:

# gzip -dc openssh-3.6p1.tar.gz | tar -xf -
# cd openssh-3.6p1 && ./configure && make && make install
Copy LANTrip-1.0.tar.gz to a directory on the client machine and run:

# gzip -dc LANTrip-1.0.tar.gz | tar -xf -
# cd lantrip-1.0
# ./lantrip_client.pl
The last command will prompt you for the location of your Tripwire ASR source tree and the location of your sshd configuration file. It will edit Tripwire's Makefile and config.h header file and set the location of its configuration files and database files to relative path names so that Tripwire can be executed from any directory. It will also change sshd_config and set RSAHostsAllow to "Yes". Be aware that RSAHostsAllow is not a directive that OpenSSH's sshd recognizes; what public-key login with the DSA key generated later actually requires is PubkeyAuthentication yes, which is OpenSSH's default, so inspect sshd_config after the script has run and make sure that line has not been set to no. Be sure to restart sshd after the configuration changes, because sshd only reads its configuration at startup. The configuration script will also compile Tripwire. After it has completed, copy your client's Tripwire installation over to the central host. This needs to be done only once for each platform and architecture, and can be completed as follows:

# tar -cf - .  | gzip > tw_OS_ARCHITECTURE.tar.gz
# scp tw_OS_ARCHITECTURE.tar.gz central_host:/LOCATION_OF_LANTRIP/data/r_databases/ \
  OS_ARCHITECTURE/tw_OS_ARCHITECTURE.tar.gz
OS_ARCHITECTURE should be replaced with its respective value. For example, on a Solaris SPARC system, the compressed Tripwire installation should be named tw_Solaris_SPARC.tar.gz. This name must match the OS_ARCHITECTURE value in your hosts.conf file: LANTrip uses this value to find the correct binary installation for your client's OS and architecture, and a package that is not named this way will result in the client machine being skipped. You can skip copying a Tripwire installation if the next client machine on your list has the same OS and architecture.

Final Configuration Steps on the Central Host

Back on the central host, there are still a few more steps that must be completed before the system is operational. The central host's id_dsa.pub key must be in the ~/.ssh/authorized_keys2 file of the user that will run LANTrip on the client machine (OpenSSH 3.x still reads authorized_keys2, but authorized_keys is the preferred name), so that password-less access to the client machine is allowed. The key must be generated with an empty passphrase, because nothing will be there to type one when cron runs LANTrip; this is the reason the central host itself has to be so well protected. The client machine's host key must also be added to the central host's ~/.ssh/known_hosts. The easiest way to accomplish these steps is simply to run the following on the central host:

# su - tripwire
$ ssh-keygen -t dsa -f ~/.ssh/id_dsa -N ''
$ scp ~/.ssh/id_dsa.pub \
     root@client.example.com:/opt/tripwire/.ssh/new_key
  The authenticity of host 'client.example.com (192.168.10.1)' 
  can't be established.
  DSA key fingerprint is 9c:0a:9e:7a:74:c5:74:a6:8e:8a:e7:1b:c7:47:59:46.
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added 'client.example.com' (DSA) to the 
  list of known hosts.
$ ssh -l root client.example.com
# cd /opt/tripwire/.ssh ; cat new_key >> authorized_keys2 ; rm new_key
# chmod 700 /opt/tripwire/.ssh ; chmod 600 authorized_keys2
# chown -R tripwire:tripwire /opt/tripwire ; exit
$
The host key prompt appears at the first connection, which here is the scp; answer "yes". Before you do, compare the fingerprint shown with the one printed on the client's console (ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub), since whatever you accept now is what the central host will trust on every future run.
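Before creating the databases, it pays to check every client the way cron will see it. The following preflight is an added example, not part of LANTrip: for each client in hosts.conf it attempts a non-interactive login as the remote user, and then verifies that every directory in rand_dir.conf exists on the client and is writable by that user, which is the requirement stated above for the random directories. The install path is an assumption.

```shell
#!/bin/sh
# check_lantrip_access.sh: preflight for the password-less access LANTrip needs.
# Added example, not part of LANTrip.  Paths are assumptions for the example.
set -u

SSH=${SSH:-ssh}    # overridable so the checks can be exercised without a network
LANTRIP_DATA=${LANTRIP_DATA:-/opt/lantrip-1.0/data}

# Non-interactive login probe.  BatchMode=yes turns a password or passphrase
# prompt into an immediate failure instead of a cron job hanging on a tty.
probe_login() {
    $SSH -o BatchMode=yes "$2@$1" 'echo LANTRIP_OK' 2>/dev/null | grep -qx LANTRIP_OK
}

# Print "host dir" for each rand_dir.conf entry that is missing on the client or
# not writable by the remote user; returns 1 if there were any.
probe_dirs() {
    host=$1 user=$2 conf=$3 bad=0
    for d in $(awk '$0 !~ /^#/ && NF { print $1 }' "$conf"); do
        if ! $SSH -o BatchMode=yes "$user@$host" "test -d $d && test -w $d" 2>/dev/null; then
            echo "$host $d"; bad=1
        fi
    done
    return $bad
}

# Check every client listed in hosts.conf.  Prints one status line per host and
# returns the number of clients that are not ready for LANTrip.
check_clients() {
    hosts=$1 conf=$2 failed=0
    while read -r host user osarch; do
        if ! probe_login "$host" "$user"; then
            echo "$host: password-less ssh as $user FAILED (key not in authorized_keys, unknown host key, or sshd refusing public-key auth)"
            failed=$((failed + 1)); continue
        fi
        missing=$(probe_dirs "$host" "$user" "$conf")
        if [ -n "$missing" ]; then
            echo "$host: rand_dir.conf entries unusable: $(echo "$missing" | awk '{ print $2 }' | tr '\n' ' ')"
            failed=$((failed + 1)); continue
        fi
        echo "$host: ok"
    done <<EOF
$(awk 'NF == 3 && $1 !~ /^#/' "$hosts")
EOF
    return $failed
}
```

Run it as the tripwire user on the central host with check_clients /opt/lantrip-1.0/data/hosts.conf /opt/lantrip-1.0/data/rand_dir.conf. A client that prompts for a password interactively shows up here as a plain failure, which is how it would behave under cron as well.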

Next, create an initial database for every host. This can be done by running:

$ ./lantrip.pl -i
If you are prompted for a password, then something is not set up correctly; check the previous steps for setting up password-less ssh access. The last step is to schedule the LANTrip process. For a second layer of randomness, the scheduled job does not run LANTrip directly: a fixed crontab entry runs run_lantrip.pl, which picks a random time and queues the real run with the at command. An unpredictable run time makes it even more difficult for a potential intruder to defeat the system. Add the following entry to the tripwire user's crontab on the central host:

$ crontab -e
  #
  # crontab for the tripwire user on the central host
  #
  # Queue today's random LANTrip run @ 1:10am every day.
  10 1 * * *   /opt/lantrip-1.0/run_lantrip.pl
The run_lantrip.pl script creates a random at job for the LANTrip system. Edit run_lantrip.pl if you do not want LANTrip to run at a random time, or if you want it to run at a random time within a specified interval. The tripwire user must be permitted to use at (see at.allow and at.deny on your platform), or the queued job will be refused and the refusal will only turn up in cron's mail. Note that in this sample crontab entry I specified /opt/lantrip-1.0 as the install directory. If you installed LANTrip somewhere else, make sure you enter the correct path for run_lantrip.pl in your crontab entry.
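The idea behind that second layer, as an added example rather than run_lantrip.pl's own code: pick a uniformly random minute inside a window and hand the real command to at. The window, the command and the install path are assumptions; the seed is taken from /dev/urandom where it exists, because awk's clock-based srand() would let anyone who knows when the cron entry fired reproduce the choice.

```shell
#!/bin/sh
# random_at.sh: queue one LANTrip run at a random minute of a window via at(1).
# Added example of the idea behind run_lantrip.pl, not its code.  Window,
# command and install path are assumptions.
set -u

# Print HH:MM for a uniformly random minute in the window that starts at START
# (HH:MM) and lasts LEN minutes, wrapping past midnight.  Seeded from
# /dev/urandom when available, falling back to the clock.
random_time_in_window() {
    seed=$( (od -An -N4 -tu4 /dev/urandom 2>/dev/null || date +%s) | tr -d ' ')
    awk -v start="$1" -v len="$2" -v seed="$seed" 'BEGIN {
        srand(seed)
        split(start, t, ":")
        m = (t[1] * 60 + t[2] + int(rand() * len)) % 1440
        printf "%02d:%02d\n", int(m / 60), m % 60
    }'
}

# Queue CMD to run once at a random minute of the window, for example from the
# daily crontab entry: queue_random_run 01:30 240 /opt/lantrip-1.0/lantrip.pl
# (the calling user must be allowed to use at: see at.allow / at.deny).
queue_random_run() {
    when=$(random_time_in_window "$1" "$2")
    echo "$3" | at "$when"
}
```

Because at accepts a plain HH:MM and queues it for tomorrow if that time has already passed today, a cron entry that fires at 1:10am with a window starting at 01:30 always lands later the same night.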

Tripwire can be expensive in terms of system resources, depending on the client system. Care and consideration should be taken in scheduling the time at which LANTrip remotely executes Tripwire on the client machines.

The LANTrip reporter requires the Perl module Mail::Sendmail. Install it from CPAN (as root on the central host) with the following command:

# perl -MCPAN -e 'install Mail::Sendmail'
Pros and Cons

This system may even be more effective than having read-only media to do the file integrity comparison. An attacker has a very small amount of time to create a false database, analyze it, and place it in the random directory to fool the central host. Additionally, this system is not in wide use, so an attacker may not have planned for it; treat that as a bonus, not as something to rely on. Bear in mind what the design does and does not buy: Tripwire still runs on the client, under the client's kernel and libraries, so an intruder who already has root and a kernel-level rootkit can lie to it just as he can to a check run from read-only media. What the random directory and random run time deny him is a fixed target to trojan in advance. Any anomaly in the database comparison report, or not receiving a report for a given client, should be fully investigated.

One disadvantage of the system is that not all essential files can be monitored, since the user running Tripwire (tripwire in our example) won't have read access to some of them. Changing the access rights on those files so that the tripwire user can read them is one solution, but making something like /etc/shadow readable weakens the system you are trying to protect; prefer a dedicated group that carries read access over loosening permissions for everyone, and accept that some root-only files will remain unmonitored. Some people may be wary of enabling public-key logins for the tripwire account (the RSAHostsAllow setting above), but it is no greater threat than allowing keyboard input for authentication, and the key only reaches an unprivileged account.

Analyzing the Data

LANTrip also comes with an output parser that generates an email-based report to be sent to a given address. When checking your Tripwire reports day to day, you may need to update certain hosts' databases if you have altered, removed, or added files on those systems. Updating (more precisely, re-initializing) accepts the host's current state as the new baseline, so make sure every reported change is one you made before doing so. To update a single host's database, run the following as the tripwire user from the LANTrip install directory:

$ ./lantrip.pl -i <host_name>
To update all hosts databases, run:

$ ./lantrip.pl -i
The Future of LANTrip

Future additions to LANTrip will be SQL support for the Tripwire databases, and support for database transfers via different mechanisms other than ssh. A Java-based GUI is also in the works. LANTrip will also support different file integrity tools such as AIDE and the open source version of Tripwire (http://www.tripwire.org).

Conclusion

A file integrity system is a must-have if you want peace of mind about your systems' security. Combined with other security tools, it gives you a good chance of knowing when one of your systems has been compromised. With the help of LANTrip, file integrity checking across a network becomes a hassle no more.

Sean Mostafavi has been administering and developing applications on Unix systems for the past 11 years. He has also worked for a major security-based software development company. Sean is currently in his last year finishing a B.S. in Computational Mathematics at Arizona State University. He can be reached at: seanm@undersea.net.