Tripwire For Servers 2.4 User Guide - EAS Home


Tripwire for Servers User Guide 2.4

2001 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights reserved.

Microsoft, Windows, Windows NT, and Windows 2000 are registered trademarks of Microsoft Corporation.
UNIX is a registered trademark of the Open Group.
Linux is a registered trademark of Linus Torvalds.
Java and all Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.
All other brand or product names may be trademarks or registered trademarks of their respective companies or organizations.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org).

Tripwire, Inc.
326 SW Broadway, 3rd Floor
Portland, OR 97205
tel: 1.877.TRIPWIRE
fax: re.com
TW1005-01

About This Guide

Document List

The Tripwire Installation Guide describes installation procedures for Tripwire Manager and Tripwire for Servers software.

The Tripwire for Servers User Guide describes configuration and operation of Tripwire for Servers software.

The Tripwire Manager User Guide describes configuration and operation of Tripwire Manager software, which is used to manage multiple installations of Tripwire for Servers software.

The Tripwire Reference Guide contains detailed information about the Tripwire configuration and policy files.

The Quick Reference Cards summarize important functionality of Tripwire for Servers software.

You can access PDF versions of the Guides from the docs directories on the Tripwire Manager and Tripwire for Servers CDs.

You can access online help from the Tripwire Manager interface.

Conventions

This Guide uses the following typographic conventions.

Bold               in regular text indicates FTP and HTTP URLs, and emphasizes important issues.
Italic             indicates file and directory names.
Constant           in regular text shows commands and command-line options, and policy file rule attributes, directives, and variables.
Sans Serif         in examples shows actual user input on the command line.
Sans Serif Italic  in examples shows variables which should be replaced with context-specific values.
W                  denotes sections of the text that apply only to Windows installations of Tripwire software. Unless otherwise specified, all references to Windows refer to both Windows NT and Windows 2000.
U                  denotes sections of the text that apply only to UNIX or Linux installations of Tripwire software. Unless otherwise specified, all references to UNIX also refer to Linux.
[options]          the command reference section shows optional command-line arguments in brackets.
{1 2 3}            the command reference section shows sets of possible options in braces, separated by the character. Choose only one of the options.

Unless otherwise specified, command-line examples assume that the Tripwire bin directory is the current working directory.

Support

For the latest information and support for Tripwire products, visit the Tripwire website or contact Tripwire Technical Support.

Tripwire Support Website: http://www.tripwire.com/support
Tripwire Technical Support:
  e-mail: support@tripwire.com
  toll-free: 1.866.TWSUPPORT (6am-6pm Pacific)
  503.276.7663
General information: info@tripwire.com

Tripwire Professional Services

Tripwire Professional Services provides flexible service and support to meet your specific technical and deployment needs. If you would like Tripwire software deployment and implementation assistance, or additional training in using Tripwire software products, visit http://www.tripwire.com or contact your Tripwire Sales Representative.

Tripwire Educational Services

Obtain expert hands-on technical training and experience from a Tripwire Certified Instructor. Courses are offered by Tripwire Authorized Training Centers, and prepare you to install, configure, and maintain Tripwire software. Visit http://www.tripwire.com or contact your Tripwire Sales Representative for more information.

Contents

About This Guide
  Document List
  Conventions
  Support
    Tripwire Professional Services
    Tripwire Educational Services

Introduction to Tripwire for Servers
  Overview
  How Tripwire for Servers Works
  Data and Network Integrity with Tripwire Software
    Security
    System Management
    Risk Management
  Using Tripwire Software
  Tripwire Files
  Key Files and Passphrases
  Tripwire Manager
  Changes for This Version

Configuring Tripwire for Servers
  Overview
  Editing the Configuration File
    Setting Up E-mail Reporting
    Setting Up Log File Reporting
    Setting Up SNMP Logging
  Testing E-mail Reporting
  Creating the Policy File
    Obtaining a Policy File
      Tripwire Policy Resource Center Website
      Tripwire for Servers CD
    Editing the Policy File
    Signing and Installing the Policy File
  Initializing the Database File
  Tuning the Policy File

Using Tripwire for Servers
  Overview
  Checking Integrity
    E-mailing Integrity Check Reports
    Selective Integrity Checks
    Scheduling Integrity Checks
  Viewing Report Files
  Updating the Database File
    Resolving Database Update Problems
  Updating the Policy File
    The Policy Update Process
    Resolving Policy Update Problems
  Changing Passphrases
  Tripwire Agent
    Using Tripwire Agent on Windows Systems
    Using Tripwire Agent on UNIX Systems

Command Reference
  Introduction
    Command Conventions
    Command-Line Help
    Wildcards
  tripwire
    tripwire Database Initialization Mode
    tripwire Integrity Check Mode
    tripwire Database Update Mode
    tripwire Policy Update Mode
    tripwire Test Mode
  twprint
    twprint Print Report Mode
    twprint Print Database Mode
  twadmin
    twadmin Create Configuration File Mode
    twadmin Print Configuration File Mode
    twadmin Create Policy File Mode
    twadmin Print Policy File Mode
    twadmin Remove Encryption Mode
    twadmin Encrypt a File Mode
    twadmin Examine Encryption Mode
    twadmin Generate Keys Mode
  siggen
  twagent
    twagent Create Agent Configuration File Mode
    twagent Print Agent Configuration File Mode
    twagent Start mode
    twagent Install Mode
    twagent Remove Mode

Glossary

Index

1 Introduction to Tripwire for Servers

Overview

This chapter introduces Tripwire for Servers, an integrity assessment tool that allows you to monitor data and network integrity. If you are new to Tripwire products or to the concepts of data and network integrity, this chapter gives you the necessary background.

If you have previous experience with Tripwire software, read about the new features in this release before moving on to the next chapter.

This chapter describes:

- how Tripwire for Servers works
- how you can use Tripwire for Servers to maintain Data and Network Integrity
- the components of Tripwire software
- cryptographic protection for Tripwire files
- new features for this version of Tripwire for Servers
- Tripwire Manager, an application for managing multiple installations of Tripwire for Servers

How Tripwire for Servers Works

Tripwire for Servers tells you how your system has changed from a known, good state. It does this by first scanning your file system, based upon pre-established rules, and creating a baseline. Once this baseline is created, you can run Tripwire for Servers periodically to determine how the system has changed. If changes are detected, Tripwire for Servers generates a report of the changes, and can send alerts via email, syslog, or SNMP.

Tripwire for Servers uses a user-defined policy, which specifies the objects in a system, and the attributes of those objects, to check. The policy can be tuned to eliminate the noise of day-to-day system changes due to normal operation, and only report significant, actionable events.

The policy also characterizes objects or groups of objects according to function and relative severity. When Tripwire software finds multiple integrity violations, it sorts the output based upon the criteria you define, allowing you to easily see and address the most serious issues first.

Tripwire for Servers includes a comprehensive policy for each operating system that it is supported on. These policies can be used out of the box or customized by the user.

Tripwire for Servers includes software that enables it to connect to one or more Tripwire Managers. Tripwire Manager allows you to manage and view reports from thousands of Tripwire for Servers machines across your network from a GUI-based console. See page 10 for more information on Tripwire Manager.

Data and Network Integrity with Tripwire Software

Effective security, system management, and risk management depend upon the ability to assess the state of Data and Network Integrity (DNI).

Security

Many malicious intrusions involve changes to critical infrastructure components, when intruders replace or modify system files to gain control of systems. Tripwire for Servers detects intrusions and saves administrators vast amounts of recovery time by quickly showing which components have changed.
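The baseline-then-compare cycle and severity-sorted report described above, as a minimal sketch added for illustration. It is not Tripwire's code or file format; the policy layout, attribute names, severity numbers and sample files are constructed for this example.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def snapshot(root, policy):
    """Record, per file, only the attributes its policy rule asks for."""
    db = {}
    for subdir, (attrs, severity) in policy.items():
        for path in (root / subdir).rglob("*"):
            if path.is_file():
                rec = {}
                if "mode" in attrs:
                    rec["mode"] = stat.S_IMODE(path.lstat().st_mode)
                if "sha256" in attrs:
                    rec["sha256"] = hashlib.sha256(path.read_bytes()).hexdigest()
                db[path.relative_to(root).as_posix()] = (severity, rec)
    return db

def check(baseline, current):
    """Diff a fresh snapshot against the baseline, most severe first."""
    found = []
    for path in baseline.keys() | current.keys():
        old, new = baseline.get(path), current.get(path)
        if old is None:
            found.append((new[0], path, "added", []))
        elif new is None:
            found.append((old[0], path, "removed", []))
        elif old[1] != new[1]:
            attrs = sorted(k for k in old[1] if old[1][k] != new[1].get(k))
            found.append((old[0], path, "modified", attrs))
    return sorted(found, key=lambda v: (-v[0], v[1]))

def demo():
    """Constructed tree and policy: baseline, change files, re-check."""
    policy = {"bin": (("mode", "sha256"), 100),  # hypothetical rules:
              "etc": (("sha256",), 66),          # (attributes, severity)
              "log": (("mode",), 33)}            # content growth is tuned out
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in ("bin/login", "etc/hosts", "log/app.log"):
            (root / rel).parent.mkdir()
            (root / rel).write_bytes(b"v1")
        baseline = snapshot(root, policy)
        (root / "bin/login").write_bytes(b"v2")      # content replaced
        (root / "etc/hosts").unlink()                # file removed
        (root / "etc/hosts.bak").write_bytes(b"v1")  # file added
        (root / "log/app.log").write_bytes(b"v1v2")  # routine log growth
        return check(baseline, snapshot(root, policy))
```

Calling demo() returns three violations with the replaced bin/login first; the grown log file is absent because its rule checks only the mode attribute.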

Detecting intrusions in this way has several advantages. First, Tripwire software detects misuse whether it comes through the firewall or originates inside it. Second, Tripwire software does not rely upon attack signatures, which are based on historical attacks and cannot detect constantly-evolving methods. Third, reports from Tripwire software can be used as a forensics tool to establish a chain of evidence when prosecuting miscreants.

Tripwire software is not meant to

27.01.2001 · About This Guide Tripwire for Servers User Guide vii Support For the latest information and support for Tripwire products, visit the Tripwire website or contact Tripwire Technical Support. Tripwire Support Website: http://www.tripwire.com/support Tripwire Technical Support: e-mail: support@tripwire.com toll-free: 1.866.TWSUPPORT (6am-6pm Pacific)