Configure Tripwire on CentOS 7

Open Source Tripwire is a free software security and data integrity tool useful for monitoring and alerting on specific file changes on a range of systems. Open Source Tripwire functions as a host-based intrusion detection system.

Installation

Install Tripwire:

# yum install tripwire

Configuration

Generate the system-specific cryptographic key files:

# /usr/sbin/tripwire-setup-keyfiles

Initialise the Tripwire database file:

# /usr/sbin/tripwire --init

Tripwire Configuration File twcfg.txt

Open the file /etc/tripwire/twcfg.txt for editing and modify as required. The content of our file is listed below for references:

ROOT                   =/usr/sbin
POLFILE                =/etc/tripwire/tw.pol
DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/etc/tripwire/site.key
LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR                 =/bin/vim
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS       =false
EMAILREPORTLEVEL       =3
REPORTLEVEL            =3
MAILMETHOD             =SENDMAIL
SYSLOGREPORTING        =false
MAILPROGRAM            =/usr/sbin/sendmail -oi -t
TEMPDIRECTORY          =/tmp
GLOBALEMAIL            [email protected]

Tripwire Policy File twpol.txt

Open the file /etc/tripwire/twpol.txt for editing and configure to match the system Tripwire is installed on. For example, you may want to add monitoring for /etc/nginx if you have Nginx installed, or disable integrity checking for Korn shell /bin/ksh if it’s not present on the system.

When the configuration is done and we’re happy with the files and folders we intend to monitor, we need to implement the rules by recreating the encrypted policy file which Tripwire reads:

# twadmin -m P -S /etc/tripwire/site.key /etc/tripwire/twpol.txt

Reinitialise the Tripwire Database

We must reinitialise the database to implement the policy:

# tripwire --init

Finally, we can run a check for any violations:

# tripwire --check

Housekeeping

In practice, we should delete the plain text policy and the plain text configuration files as we no longer need them:

# rm /etc/tripwire/tw*txt

If we later have to regenerate the plain text policy file, we pass the encrypted file to twadmin:

# twadmin --print-polfile > /etc/tripwire/twpol.txt

The same goes for the plain text configuration file:

# twadmin --print-cfgfile > /etc/tripwire/twcfg.txt

One thing to note, Tripwire will not recognise any configuration changes until the configuration text file is correctly signed and converted to /etc/tripwire/tw.pol with the twadmin command:

# twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt

The configuration file does not not alter any Tripwire policies, therefore it’s not required to regenerate the Tripwire database.

Crontab

Tripwire should be automatically added to /etc/cron.daily/. If this isn’t suitable, we can remove the configuration and add to the crontab instead, for example:

0 3 * * * /sbin/tripwire --check --email-report --silent --no-tty-output

2 thoughts on “Configure Tripwire on CentOS 7

    • Hi Michael,

      Yes, Tripwire is basically a FIM. There are several tools that I know of which achieve similar goals, AIDE, AFICK, OSSEC, Samhain (there are likely many more).

      I find Tripwire excellent for small decentralised Linux setups, however, I also use other security software depending on a level of monitoring I want to have, or on a system it’s going to be configured on etc. To say that I prefer Tripwire over something wouldn’t be accurate unless we have some specific requirements in mind. It all depends on a use case. Hope this helps.

Leave a Reply

Your email address will not be published. Required fields are marked *