# apt-get install tripwire
Well, the packaged tripwire installation automation on Debian 6.0.7 did not automagically fix everything, not for me.
Tripwire keeps its configuration in an encrypted, site-key-signed file (tw.cfg) that is generated, by default, from /etc/tripwire/twcfg.txt.
Tripwire keeps its policies on which attributes of which files should be monitored in an encrypted, site-key-signed file (tw.pol) that is generated, by default, from /etc/tripwire/twpol.txt.
The Tripwire binaries are located in /usr/sbin and the database is located in /var/lib/tripwire.
Create a site key
# cd /etc/tripwire/
# mkdir nope
# mv site.key nope
# twadmin --generate-keys --site-keyfile site.key
(When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.)
Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.
# chmod 600 site.key
Create a local key
# cd /etc/tripwire/
# twadmin --generate-keys --local-keyfile `hostname`-local.key
# chmod 600 *local.key
Create the configuration file tw.cfg from the text configuration file twcfg.txt and sign it with site.key. You may want to change a few things in twcfg.txt (eg: the SMTPHOST).
# cd /etc/tripwire/
# cp twcfg.txt nope
# vi twcfg.txt
# twadmin --create-cfgfile --cfgfile tw.cfg --site-keyfile site.key twcfg.txt
Please enter your site passphrase:
Wrote configuration file: /etc/tripwire/tw.cfg
Create the policy file tw.pol from the editable twpol.txt and sign it with site.key. You may want to adjust twpol.txt to your system and preferences.
# cd /etc/tripwire/
# mv tw.pol nope/
# vi twpol.txt
# twadmin --create-polfile --cfgfile tw.cfg --site-keyfile site.key twpol.txt
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
Make sure all the configuration files are owned by root and that root is the only one who can read them.
# cd /etc/tripwire/
# chown root.root tw*
# chmod 600 tw*
You may delete your txt files or copy them to another host.
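The ownership and mode of tw.cfg, tw.pol and the key files are worth re-checking after every edit, since a world-readable key file undoes the signing. The following script is an added example, not part of the original post or of the Tripwire package: it walks a directory (default /etc/tripwire) and reports any of those files that are not owned by the expected user (default root) with mode 0600. It assumes GNU coreutils `stat -c`, as shipped on Debian.

```shell
#!/bin/sh
# Added example: audit Tripwire config, policy and key file permissions.
# Usage: check_tripwire_perms [DIR] [EXPECTED_OWNER]
# Returns 0 when every file is OWNER-owned and mode 600, otherwise the
# number of offending files (printed to stderr).
check_tripwire_perms() {
    dir="${1:-/etc/tripwire}"
    expected_owner="${2:-root}"
    bad=0
    for f in "$dir"/tw.cfg "$dir"/tw.pol "$dir"/*.key; do
        [ -e "$f" ] || continue          # unmatched glob or missing file
        owner=$(stat -c '%U' "$f")       # GNU stat: owner name
        mode=$(stat -c '%a' "$f")        # GNU stat: octal mode, e.g. 600
        if [ "$owner" != "$expected_owner" ] || [ "$mode" != "600" ]; then
            echo "INSECURE: $f owner=$owner mode=$mode (want $expected_owner/600)" >&2
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# When run as a script with arguments, audit that directory directly.
if [ $# -gt 0 ]; then
    check_tripwire_perms "$@"
fi
```

Run it as `sh check_perms.sh /etc/tripwire` from the same cron job that runs the integrity check, or source it and call `check_tripwire_perms` before signing a new policy; a non-zero exit is the signal that someone has loosened the permissions since the last check.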
Initialize the tripwire database.
# tripwire --init
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
To change or update your policy
# cd /etc/tripwire/
# vi twpol.txt
# twadmin -m P -S site.key twpol.txt
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
To update your configuration
# cd /etc/tripwire/
# vi twcfg.txt
# twadmin -m F -S site.key twcfg.txt
Please enter your site passphrase:
Wrote configuration file: /etc/tripwire/tw.cfg
Re-initialize the Tripwire database after a policy or configuration change
# tripwire -m i
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
...
### Continuing...
Wrote database file: /var/lib/tripwire/anydns.twd
The database was successfully generated.
Email alerts and reports
Test if tripwire can send email
# /usr/sbin/tripwire --test --email firstname.lastname@example.org
To set email alerts for a rule, eg: "Root file-system executables", adjust twpol.txt accordingly, then sign it and write tw.pol.
#
# Critical executables
#
(
  rulename = "Root file-system executables",
  severity = $(SIG_HI),
  emailto = email@example.com
)
You may put more email addresses on emailto, separated by semicolons (';'), eg:
#
# Critical executables
#
(
  rulename = "Root file-system executables",
  severity = $(SIG_HI),
  emailto = firstname.lastname@example.org;email@example.com
)
Sign and write tw.pol
# twadmin -m P -S site.key twpol.txt
Email a report
# /usr/sbin/tripwire --check --email-report
...
### Continuing...
Beginning email reporting...
Emailing the report to: firstname.lastname@example.org
...
The report is mailed to the email address(es) in the emailto(s) and saved in /var/lib/tripwire/report/ as well.
To create and email the report regularly, put
/usr/sbin/tripwire --check --quiet --email-report
in a cronjob.
The Debian package cronjob
#!/bin/sh -e
tripwire=/usr/sbin/tripwire
# Exit quietly if the package binary is missing (eg: removed but not purged)
[ -x $tripwire ] || exit 0
# Reports written during the run must not be group-writable or world-readable
umask 027
$tripwire --check --quiet --email-report
You may put the tripwire database on a read-only medium or copy it to another host.
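Keeping a copy of the database elsewhere only helps if the copy is actually compared against the local one before each check; a database rewritten on the host would otherwise make a tampered system look clean. The script below is an added example, not part of the original post or of Tripwire itself: it records the SHA-256 of the .twd file to a reference file (meant to live on the read-only medium or the other host) and refuses to run the integrity check when the local database no longer matches. It assumes GNU `sha256sum`; the default paths are illustrative placeholders.

```shell
#!/bin/sh
# Added example: verify the local Tripwire database against a reference
# hash stored off-host or on read-only media before trusting a check.

# record_db_hash DB REF : store the SHA-256 of DB in REF (run when DB is known good)
record_db_hash() {
    db="$1"; ref="$2"
    sha256sum "$db" | awk '{print $1}' > "$ref"
}

# verify_db_hash DB REF : 0 if DB matches REF, 1 if it differs,
# 2 if REF is missing (a missing reference is an alert, not a pass)
verify_db_hash() {
    db="$1"; ref="$2"
    [ -r "$ref" ] || { echo "ALERT: no reference hash for $db" >&2; return 2; }
    cur=$(sha256sum "$db" | awk '{print $1}')
    exp=$(cat "$ref")
    if [ "$cur" = "$exp" ]; then
        return 0
    fi
    echo "ALERT: $db hash $cur differs from reference $exp" >&2
    return 1
}

# checked_tripwire_run [DB] [REF] : cron-job wrapper that only runs the
# integrity check when the database matches its reference.
checked_tripwire_run() {
    db="${1:-/var/lib/tripwire/$(hostname).twd}"
    ref="${2:-/media/cdrom/tripwire.sha256}"   # placeholder read-only location
    if verify_db_hash "$db" "$ref"; then
        /usr/sbin/tripwire --check --quiet --email-report
    else
        return 1
    fi
}
```

Call `record_db_hash` right after `tripwire --init` or after an accepted `tripwire --update`, move the reference file to the read-only medium, and replace the plain `tripwire --check` line in the cron job with `checked_tripwire_run`. The exit status 2 for a missing reference is deliberate: a deleted reference file should page someone rather than silently pass.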
Update the database (excluding valid violations) after an integrity check.
First of all set the system default editor to vi
Enter `exclude mode` :)
# tripwire --update --twrfile /var/lib/tripwire/report/latest.twr
where latest.twr is the latest report
Now, remove the "x" from the adjacent boxes [x] to prevent updating the database with the new values for these objects, exit the editor, and enter your local passphrase.
The authorized integrity violations will no longer show up as warnings when the next integrity check is run.
Test: create a report and then look at it
# /usr/sbin/tripwire --check
# twprint -m r --twrfile /var/lib/tripwire/report/latest.twr
where latest.twr is the latest report
View the tripwire database
# /usr/sbin/twprint -m d --print-dbfile | less
View the information stored for a file tracked by tripwire, eg: the tripwire database itself
# /usr/sbin/twprint -m d --print-dbfile /var/lib/tripwire/`hostname`.twd