Defining a Tripwire Rule

Defining a rule is simple. With an appropriate rule, Tripwire can monitor any file on your system in any way you want. As an example, consider a file that attackers commonly replace: /bin/login. A trojaned version of this program can record users' passwords for the attacker to collect later, so it is a good example of a file that should be strictly monitored:

    /bin/login -> +pinugtsdrbmcCM-l;

Looking up each of these letters is tedious, which is why it is better to write the same rule using one of Tripwire's predefined property variables:

    /bin/login -> $(IgnoreNone)-SHa;

Now you can see at a glance that every property of this file is checked except the SHA hash (S), the Haval hash (H) and the last access time (a).

Why ignore those two hashes? Remember that Tripwire still computes and stores the MD5 (M) and CRC32 (C) checksums. An attacker would be hard-pressed to alter the file without changing at least one of these, so disabling the other two makes the file check noticeably quicker with very little loss of security. Bear in mind, though, that this advice predates practical collision attacks on MD5; on current hardware the extra hash costs almost nothing, so leaving S enabled is a reasonable default today.

The rule also skips the file's access time. A binary's access time changes every time it is executed (in this case, every time a user logs in), so checking it would produce a report at nearly every run. Monitoring a file's access time is useful only in very special circumstances.

If a directory is specified on the left-hand side of a rule, Tripwire processes that directory and, by default, everything under it. You can limit this recursion by adding the attribute (recurse = x) after the property mask, where x is the maximum number of levels the recursion should descend. If x is set to zero, no recursion occurs and only the directory itself is processed. Even when a directory is processed recursively, you can still write rules for specific files or subdirectories beneath it, and the more specific rule is the one applied to them.

Say that you never expect your /etc/hosts file to change, but you expect other files under /etc to change occasionally. You could write:

    /etc -> $(Dynamic);
    /etc/hosts -> $(ReadOnly);

It is important to remember that a file must not be listed directly in two rules. Tripwire treats that as an error because it would not know which rule to apply to that file. You can also exclude specific files with a stop point, written with a leading exclamation mark:

    /etc -> $(Dynamic);
    !/etc/passwd-;

This causes Tripwire to ignore the backup file /etc/passwd- completely.

Here are a few more example rules:

    # Changing configuration file
    /etc/passwd -> $(Dynamic);
    # Read-only binaries
    /usr/bin -> $(ReadOnly) (recurse = 1);
    # Watch this setuid binary more closely
    /usr/bin/gpasswd -> $(IgnoreNone)-SHa;
    # Watch the permissions on these directories
    /home -> +tpug (recurse = 0);
    /etc -> +tpug (recurse = 0);
    /tmp -> +tpug (recurse = 0);
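To take the tedium out of reading property masks, and to check a policy fragment for the duplicate-path error, the recursion limits and the stop points described above, here is a small Python helper. It is an added example written for this page, not part of Tripwire: the property letters and the predefined variables are the ones Tripwire documents, but the function names, the regular expressions and SAMPLE_POLICY are constructed here, and rule_for() is a simplified model of how Tripwire matches rules (the longest matching rule path wins, within its recursion limit, unless a stop point covers the object).

```python
"""Expand Tripwire property masks and sanity-check a policy fragment.

Added example for this page, not Tripwire's own code. The property letters
and predefined variables are the ones Tripwire documents; the function
names, regexes and SAMPLE_POLICY are constructed for this illustration.
"""
import re

# Tripwire property letters and what each one checks.
PROPERTIES = {
    "p": "permission/mode bits", "i": "inode number", "n": "link count",
    "u": "owner uid", "g": "owner gid", "t": "file type", "s": "file size",
    "d": "device holding the inode", "r": "device a device file points to",
    "b": "blocks allocated", "a": "access time", "m": "modification time",
    "c": "inode change time", "l": "growing file (size may only increase)",
    "C": "CRC-32", "M": "MD5", "S": "SHA-1", "H": "Haval",
}

# Tripwire's predefined mask variables.
VARIABLES = {
    "ReadOnly":   "+pinugtsdbmCM-rlacSH",
    "Dynamic":    "+pinugtd-srlbamcCMSH",
    "Growing":    "+pinugtdl-srbamcCMSH",
    "Device":     "+pugsdr-intlbamcCMSH",
    "IgnoreAll":  "-pinugtsdrlbamcCMSH",
    "IgnoreNone": "+pinugtsdrbamcCMSH-l",
}

def expand_mask(mask):
    """Return the set of property letters a mask enables.

    Accepts raw masks ('+pinug-SHa') and variable references
    ('$(IgnoreNone)-SHa'). Letters apply left to right, so a trailing
    '-SHa' removes properties the variable turned on.
    """
    def sub(m):
        if m.group(1) not in VARIABLES:
            raise ValueError(f"unknown variable $({m.group(1)})")
        return VARIABLES[m.group(1)]
    enabled, sign = set(), "+"
    for ch in re.sub(r"\$\((\w+)\)", sub, mask):
        if ch in "+-":
            sign = ch
        elif ch in PROPERTIES:
            if sign == "+":
                enabled.add(ch)
            else:
                enabled.discard(ch)
        else:
            raise ValueError(f"unknown property letter {ch!r}")
    return enabled

def describe(mask):
    """Spell out a mask as 'letter: meaning' strings, in Tripwire's letter order."""
    on = expand_mask(mask)
    return [f"{c}: {PROPERTIES[c]}" for c in PROPERTIES if c in on]

# path -> mask [(recurse = n)];   and   !path;
RULE_RE = re.compile(
    r"^(/\S*)\s*->\s*([\w$()+-]+)\s*(?:\(\s*recurse\s*=\s*(-?\d+)\s*\))?\s*;$")
STOP_RE = re.compile(r"^!(/\S*)\s*;$")

def parse_policy(text):
    """Parse rules and stop points. Returns (rules, stops): rules maps a path
    to (enabled-properties, recurse) with -1 meaning unlimited recursion,
    Tripwire's default; stops is the set of excluded paths. A path named by
    two rules raises ValueError, as Tripwire itself rejects it."""
    rules, stops = {}, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        if m := STOP_RE.match(line):
            stops.add(m.group(1))
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse: {line}")
        path, mask, recurse = m.groups()
        if path in rules:
            raise ValueError(f"{path} is listed in two rules")
        rules[path] = (expand_mask(mask), -1 if recurse is None else int(recurse))
    return rules, stops

def rule_for(rules, stops, path):
    """Return (rule_path, enabled) for the most specific rule that reaches
    path, or None if no rule reaches it or a stop point excludes it.
    Simplified model of Tripwire's matching, constructed for this example."""
    def under(parent, child):
        return child == parent or child.startswith(parent.rstrip("/") + "/")
    if any(under(s, path) for s in stops):
        return None
    best = None
    for rule_path, (enabled, recurse) in rules.items():
        if not under(rule_path, path):
            continue
        depth = path[len(rule_path.rstrip("/")):].count("/")
        if recurse != -1 and depth > recurse:
            continue                            # beyond this rule's recursion limit
        if best is None or len(rule_path) > len(best[0]):
            best = (rule_path, enabled)
    return best

# Constructed sample built from the rules discussed in the text.
SAMPLE_POLICY = """\
/bin/login        -> $(IgnoreNone)-SHa;
/etc              -> $(Dynamic);
/etc/hosts        -> $(ReadOnly);
!/etc/passwd-;
/usr/bin          -> $(ReadOnly) (recurse = 1);
/usr/bin/gpasswd  -> $(IgnoreNone)-SHa;
/home             -> +tpug (recurse = 0);
"""

if __name__ == "__main__":
    print("$(IgnoreNone)-SHa checks:", ", ".join(describe("$(IgnoreNone)-SHa")))
    rules, stops = parse_policy(SAMPLE_POLICY)
    for p in ["/etc/hosts", "/etc/fstab", "/etc/passwd-",
              "/usr/bin/gpasswd", "/usr/bin/X11/xterm", "/home/alice"]:
        hit = rule_for(rules, stops, p)
        print(f"{p:22} -> {hit[0] if hit else '(not checked)'}")
```

Running it prints the properties that $(IgnoreNone)-SHa actually checks (the same set as the long-hand +pinugtsdrbmcCM-l) and which rule, if any, reaches each sample path: /etc/hosts gets its own ReadOnly rule rather than the /etc Dynamic one, /etc/passwd- is dropped by the stop point, and /usr/bin/X11/xterm and /home/alice fall outside their directories' recursion limits. Feeding it a fragment that lists /etc twice raises ValueError, which is the condition Tripwire itself refuses to load.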