Open Source Tripwire is a free software security and data integrity tool used for monitoring and alerting on specific file changes on Linux systems.
Tripwire performs intrusion detection functions by taking a snapshot of a known system state and later comparing it with any other, changed, state. Tripwire does it by comparing files’ new signatures with the ones taken when the database was originally created (or later updated).
Installation
Install Tripwire:
$ sudo yum install tripwire
Configuration
Generate the system-specific cryptographic key files:
$ sudo /usr/sbin/tripwire-setup-keyfiles
Initialise the Tripwire database file:
$ sudo /usr/sbin/tripwire --init
Tripwire Configuration File twcfg.txt
Open the file /etc/tripwire/twcfg.txt for editing and modify as required. The content of an example file is listed below for references.
ROOT =/usr/sbin POLFILE =/etc/tripwire/tw.pol DBFILE =/var/lib/tripwire/$(HOSTNAME).twd REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr SITEKEYFILE =/etc/tripwire/site.key LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key EDITOR =/bin/vim LATEPROMPTING =false LOOSEDIRECTORYCHECKING =false MAILNOVIOLATIONS =false EMAILREPORTLEVEL =3 REPORTLEVEL =3 MAILMETHOD =SENDMAIL SYSLOGREPORTING =false MAILPROGRAM =/usr/sbin/sendmail -oi -t TEMPDIRECTORY =/tmp GLOBALEMAIL [email protected]
Tripwire Policy File twpol.txt
Open the file /etc/tripwire/twpol.txt for editing and configure to match your system. For example, you may want to add monitoring for /etc/httpd if you have Apache installed, or disable integrity checking for Korn shell /bin/ksh if it’s not installed on the system.
When the configuration is done and you’re happy with the files and folders you want to monitor, you then need to implement the rules by recreating the encrypted policy file which Tripwire reads:
$ sudo twadmin -m P -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
Reinitialise the Tripwire Database
Reinitialise the database to implement the policy:
$ sudo tripwire --init
Finally, run a check for any violations:
$ sudo tripwire --check
Housekeeping
In practice, you should delete the plain text policy and configuration files that are no longer required:
$ sudo rm /etc/tripwire/twcfg.txt /etc/tripwire/twpol.txt
If you later need to regenerate the plain text policy file, pass the encrypted file to twadmin:
$ sudo twadmin --print-polfile | sudo tee /etc/tripwire/twpol.txt
The same goes for the plain text configuration file:
$ sudo twadmin --print-cfgfile | sudo tee /etc/tripwire/twcfg.txt
One thing to note, Tripwire will not recognise any configuration changes until the configuration text file is correctly signed and converted to /etc/tripwire/tw.pol with the twadmin command:
$ sudo twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
The configuration file does not not alter any Tripwire policies, therefore it’s not required to regenerate the Tripwire database.
Crontab
Tripwire should be added to /etc/cron.daily/ automatically. If this isn’t desired, you can remove the configuration file and add it to the root user crontab instead, for example:
0 3 * * * /sbin/tripwire --check --email-report --silent --no-tty-output