Cover V12, I10



Using Tripwire on a Network with LANTrip

Sean Mostafavi

Tripwire is a great utility for checking the integrity of files on a system. Although more advanced file integrity tools exist, Tripwire, specifically Tripwire ASR (Academic Source Release), is already in wide use and has withstood the test of time. Tripwire works by checking to see what has changed on your system by monitoring key attributes of files that should not change, including size, file permissions, and ownership. It also checks the last access, modification, and change times. This makes Tripwire an ideal tool to be used with a network file integrity tool such as LANTrip.

Tripwire also checks to see whether binary signatures of the files being monitored have changed. To scan for all possible inconsistencies, Tripwire needs two databases: a database containing file information for all of the files that need to be monitored, and a comparison database containing all current file information. Tripwire then compares these two databases to determine what has changed. The initial database then ideally needs to be transferred to read-only media to prevent it from being altered in any way.

This is a great system for a single machine or even a handful, but it turns into a hassle in both time and money when it comes to a few dozen machines or more. Burning CDs for every system image is not practical, and making changes to these systems requires a new CD. Write-once hardware for every machine may also be outside your IT budget. This is where LANTrip comes in.

LANTrip works by storing Tripwire binary installations of each OS architecture combination where Tripwire is to be used on a central host. The machine that stores the Tripwire installations and copies them over to other machines for comparison is referred to here as the central host. Any machine on which Tripwire will run is called a client. At a certain time (optionally random), a copy of the Tripwire installation and file integrity databases are copied from the central host over to a random directory on each client to be executed. The results are recorded, and the Tripwire installation is deleted from the random directory.

Installing LANTrip on the Central Host

The central host should be a machine that is secure, preferably running no services at all. The central host can even be a primary authentication server, as if that machine is compromised; you are already in big trouble anyway. Not much in power or RAM is needed. A simple 133-MHz PC or Sparc Station with 64 MB will do. However, a large hard drive may be needed depending on how many LANTrip clients there will be. You can obtain the LANTrip tarball from the Sys Admin Web site or from:
Decompress it into a directory you choose. I will use /opt/lantrip-1.0 as the install directory. Make sure the directory is located on a partition with plenty of space. Expect 70 MB of space for an installation of just five machines, and at least a gigabyte of space for a small network:

# gzip -dc LANTrip-1.0.tar.gz | tar -xf -
# cd lantrip-1.0/data
Edit the hosts.conf file. Entries for this configuration must conform to the following format:

Hostname       RemoteUser    OS_Architecture
Here is an example hosts.conf file:

damsel         tripwire    Linux_x86
chromis        tripwire    Linux_x86
clownfish      tripwire    OpenBSD_Alpha
trunkfish      tripwire    Tru64_Alpha
electriceel    tripwire    Solaris_SPARC
After you have edited the hosts.conf file, edit the rand_dir.conf file. This file provides the first layers of randomness in the location where the Tripwire binaries are to be copied onto the client machines. Randomness improves the overall security in the system by making it difficult for an intruder to determine where the Tripwire installation resides, and where it will show up next. The directories listed in this file must exist on all machines and must be writable by the Tripwire user on each machine. Here is a sample rand_dir.conf file:

A simple /tmp entry will also suffice, as almost every flavor of Unix has this directory available. The more directories available and writable by the Tripwire user, the better in terms of randomness. Edit located in the parent directory of the current directory you are in and change the values of the email addresses so that the reports are sent to the appropriate people. Run the following commands after editing these files:

# ./mkdirs
# useradd -d /opt/tripwire tripwire -s /bin/sh
# groupadd tripwire
# mkdir /opt/tripwire
# mkdir /opt/tripwire/.ssh
# chown -R tripwire:tripwire /opt/tripwire
This will create all the necessary directories for each machine's OS and architecture listed in the hosts.conf file. The parameter syntax of the useradd command may differ according to platform. adduser will likely have to replace useradd and groupadd if your client system is a BSD variant. If you decide later to add another machine to your LANTrip network with a different OS and architecture than that listed in hosts.conf, simply run the mkdirs script again. In these directories, Tripwire binary installations will be stored, along with initial databases for each host.

Configuring the First Client Machine

The system requirements for the LANTrip client are no more than the recommended requirements for running Tripwire. If you plan to run LANTrip on a client machine that is heavily loaded, make sure that the program is executed during off-peak hours, as Tripwire can bog down a system at times. Download the Tripwire Academic Source Release, which can be found at:
Then run:

# gzip -dc Tripwire-1.3.1-1.tar.gz | tar -xf -
Create a user named "tripwire" on the client system:

# useradd -d /opt/tripwire tripwire -s /bin/sh
# groupadd tripwire
# mkdir /opt/tripwire
# mkdir /opt/tripwire/.ssh
# chown -R tripwire:tripwire /opt/tripwire
Do not compile the Tripwire source code at this point. Instead, download and install OpenSSH if you don't have it running already. The latest version (as of this article) is 3.6.1, and it requires OpenSSH, which can be found at:
For OpenBSD, sshd can be found at:
For all other platforms, sshd can be found at:
As usual, run the following commands to install:

# gzip -dc openssh-3.6p1.tar.gz | tar -xf -
# cd openssh-3.6p1 ; ./configure ; make ; make install
Copy LANTrip-1.0.tar.gz to a directory on the client machine and run:

# gzip -dc LANTrip-1.0.tar.gz | tar -xf -
# cd lantrip-1.0
# ./
The last command will prompt you for the location of your Tripwire ASR source tree and the location of your sshd configuration file. It will edit Tripwire's makefile and config.h header file and set the location of its configuration files and database files to relative path names so that Tripwire can be executed from any directory. It will change sshd_config and set RSAHostsAllow to "Yes". Be sure to restart sshd after making the configuration changes, because sshd needs to be restarted to load them. The configuration script will also compile Tripwire. After it has completed, copy over your client's Tripwire installation to the central host. This needs to only be done once for each platform and architecture, and can be completed as follows:

# tar -cf - .  | gzip > tw_OS_ARCHITECTURE.tar.gz
# scp tw_OS_ARCHITECTURE.tar.gz central_host:/LOCATION_OF_LANTRIP/data/r_databases/ \
OS_ARCHITECTURE should be replaced with its respective value. For example, on a Solaris SPARC system, the compressed Tripwire installation should be named tw_Solaris_SPARC.tar.gz. This name should also match the OS_ARCHITECTURE value in your hosts.conf file. Failure to name the compressed Tripwire binary package will result in the client machine's being skipped, as LANTrip uses this value to identify the correct binary installation for your client's OS and architecture. You can skip copying a Tripwire installation if the next client machine on your list is of the same OS and architecture.

Final Configuration Steps on the Central Host

Back on the central host, there are still a few more steps that must be completed before the system is operational. The central host's key must be in the user's ~/.ssh2/authorized_keys2 file that will run LANTrip on the client machine. This needs to be done so that password-less access to the client machine can be allowed. The client machine's IP address and DSA key fingerprint must be added to the central host's ~/.ssh/known_hosts. The easiest way to accomplish these steps is simply to run the following on the central host:

# su - tripwire
$ ssh-keygen -t dsa
$ scp ~/.ssh/ \
$ ssh -l root
  The authenticity of host ' (' 
  can't be established.
  DSA key fingerprint is 9c:0a:9e:7a:74:c5:74:a6:8e:8a:e7:1b:c7:47:59:46.
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added '' (DSA) to the 
  list of known hosts.
# cd /opt/tripwire/.ssh ; cat new_key >> authorized_keys2 ; rm new_key
# chown -R tripwire:tripwire /opt/tripwire ; exit
When you are prompted as to whether you want to store the host's hostkey, answer "Yes".

Next, create an initial database for every host. This can be done by running:

$ ./ -i
If you are prompted for a password, then something is not set up correctly. Check the previous steps for setting up password-less ssh access. The last step that needs completion is to create a crontab entry for the LANTrip process. For a second layer of randomness, we shall add a random crontab entry. A random run time will even make it more difficult for a potential intruder to defeat the system. To do this, we will use the at command. Add the following crontab entry to your system:

$ crontab -e
  # crontab
  # Run tw_report @ 1:10am every day.
  10 1 * * *   /opt/lantrip-1.0/
The script will create a random at job for the LANTrip system. Edit if you do not want LANTrip to run randomly, or for LANTrip to run randomly during a specified interval of time. Note that in this sample crontab entry I specified /opt/lantrip-1.0 as the install directory. If you installed LANTrip somewhere else, make sure you enter the correct path for in your crontab entry.

Tripwire can be expensive in terms of system resource depending on your client's system. Care and consideration should be taken in scheduling what time LANTrip is to remotely execute Tripwire on the client machines.

The LANTrip reporter requires Mail::Sendmail to be installed. Install the module by issuing the following command:

# perl -MCPAN -e 'install Mail::Sendmail'
Pros and Cons

This system may even be more effective than having read-only media to do the file integrity comparison. An attacker has a very small amount of time to create a false database, analyze it, and place it in the random directory to fool the central host. Additionally, this system is not in wide use, so an attacker may not have planned for it. Any anomaly in the database comparison report or not receiving a report for a given client should be fully investigated.

One disadvantage in the system is that not all essential files can be monitored since the user running Tripwire (tripwire in our example) won't have access rights to some files. Changing the access rights on these files so that the tripwire user can monitor these files is one solution to this problem. Some people may be wary of setting RSAHostsAllow to Yes, but it is no greater threat than allowing keyboard input for authentication.

Analyzing the Data

LANTrip also comes with an output parser that generates an email-based report to be sent to a given address. When checking your Tripwire reports day to day, you may need to update certain host's databases if you have altered, removed, or added any new files to that system. To update a database (or more precisely re-initialize), run the following as the tripwire user:

$ -i <host_name>
To update all hosts databases, run:

$ -i
The Future of LANTrip

Future additions to LANTrip will be SQL support for the Tripwire databases, and support for database transfers via different mechanisms other than ssh. A Java-based GUI is also in the works. LANTrip will also support different file integrity tools such as AIDE and the open source version of Tripwire (


A file integrity system is a must-have if you want piece of mind in your system's security. Combined with other security tools, you can rest assured that you will know whether a system of yours has been compromised. With the help of LANTrip, file integrity checking becomes a hassle no more.

Sean Mostafavi has been administering and developing applications on Unix systems for the past 11 years. He has also worked for a major security-based software development company. Sean is currently in his last year finishing a B.S. in Computational Mathematics at Arizona State University. He can be reached at: