The University of Texas Health Science Center at Houston Information Technology Data Center Operations and Services Department.
 

Using Tripwire

 

 

Configuring Tripwire

As part of our commitment to maintaining the security of the computers in the University, IT Security requires that all servers in zones 10, 20 and 100 have some form of host-based intrusion detection; intrusion detection is also recommended for zone 40 servers. For more details, see our “Host Configuration” document on the Policies page of the ITS website. IT Security maintains the University’s site license for Tripwire, a basic host-based intrusion detection application, and is also responsible for its management and distribution.

 

What does Tripwire do?

Tripwire software assures the integrity of critical data by detecting and reporting change.
Tripwire software is configured to monitor the data that is important to you. Based on the configuration, the software creates a baseline snapshot of data in a known good state.
After a baseline is established, regular integrity checks are run to monitor the data. During an integrity check, Tripwire software compares the current state of data to the baseline and reports a violation for any change it detects.

 

You examine reports to help you evaluate changes to data. To resolve malicious or unauthorized changes, appropriate measures can be taken, such as restoring changed files. If changes are acceptable, the baseline database can be updated to include them so that Tripwire software no longer detects them as violations. Tripwire for Servers (TFS) has a complete command-line management interface and can also be managed with Tripwire Manager (TM).
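The baseline-and-check cycle described above, sketched as an added example (not code from this page and not how Tripwire itself is implemented): it records size, permission bits and SHA-256 per file, reports added, removed and modified files, then re-baselines once the changes are accepted. The sample tree and file names are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Record size, permission bits and SHA-256 for every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and device nodes
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = (st.st_size, stat.S_IMODE(st.st_mode), digest)
    return state


def integrity_check(baseline, root):
    """Compare the current state with the baseline and return the violations."""
    cur = snapshot(root)
    return {
        "added": sorted(set(cur) - set(baseline)),
        "removed": sorted(set(baseline) - set(cur)),
        "modified": sorted(p for p in baseline if p in cur and cur[p] != baseline[p]),
    }


def demo():
    """Constructed sample tree: baseline, change three things, check, accept."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("passwd", b"root:x:0:0\n"), ("hosts", b"127.0.0.1 localhost\n")):
            Path(root, name).write_bytes(data)
            Path(root, name).chmod(0o644)
        baseline = snapshot(root)                 # known good state
        Path(root, "passwd").write_bytes(b"root:x:0:0\nsvc:x:0:0\n")  # content change
        Path(root, "hosts").chmod(0o666)          # permission-only change
        Path(root, "new_script.sh").touch()       # file not in the baseline
        report = integrity_check(baseline, root)
        baseline = snapshot(root)                 # changes reviewed and accepted
        return report, integrity_check(baseline, root)


if __name__ == "__main__":
    print(demo())
```

The permission-only change to hosts is reported even though its contents are identical, which is why the snapshot stores attributes as well as the hash.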

Installation

  1. Obtain the Tripwire for Servers and Tripwire Manager (if you choose to run one) executables for your operating system(s) along with the Quick Guides for the Manager and the Server here.
  2. Install Tripwire for Servers on all servers that you want to monitor, and choose one machine (desktop or server) for your Tripwire Manager. During the install you will be asked to create a local key passphrase and a site key passphrase. Please create new ones that are not used on any of your current servers. IT Security maintains a read-only version of Tripwire Manager in order to monitor the installations throughout the University. We will be using those passphrases to import your servers into our Tripwire Manager.
  3. After installing your Tripwire for Servers and Tripwire Manager you will need to obtain a license from Tripwire. When you reach this point send an encrypted e-mail for a license request to Bill at william.e.little@uth.tmc.edu. Include in the e-mail your passphrases and server IP addresses.
  4. Once you receive the e-mail from Tripwire, copy the attached license file to your Tripwire directory; you can then use your Manager.

UTH Specific Configurations

After you read the Quick Guides for the Server and Manager, here are the settings you will need to change:

  1. Set e-mail notifications:
    • From the menu select View > Preferences;
    • Check both boxes;
    • Server: mail.uth.tmc.edu;
    • Port: 25;
    • To address: “your_email@uth.tmc.edu,its_alerts@uth.tmc.edu”;
    • From address: yourserver.uth.tmc.edu.
    • Send a test e-mail to make sure it’s working.
  2. Individual Agent settings:
    • Select machine, click on Edit Config;
    • Go to the E-mail tab and fill it out the same way you did for the e-mail notifications above, choose “Level 3 - Concise Report” for E-mail Report Level, and check the Mail “No Violations” box.
    • If you are running Unix/Linux, go to the Logging tab and check the Syslog Reporting box. For the host, enter syslog.zoneXX.uth.tmc.edu, where XX is the zone your server is in (10, 20, 40 or 100); for example, syslog.zone10.uth.tmc.edu.
  3. Set up a schedule for Integrity Checks:
    • Select a machine or Group and click on Edit Schedule. ITS recommends that you run an Integrity Check at least once every 2 weeks; the day and time you run it are up to you.

If you have any questions or problems direct them to its@uth.tmc.edu or call Bill at x2267.

 

 


© 2006, The University of Texas Health Science Center at Houston