Assuming you trust your repositories, your distribution, etc.:

# apt-get install tripwire

and then answer no, no, and OK to the prompts.
Ideally, the tripwire binaries and the tripwire database are stored on a read-only medium that can be mounted read-write for updates. I would use an SD card or some other medium that I can set "mechanically" to read-only. Some administrators put the binaries and the DB on NFS; I think that putting the binaries and the DB on NFS would increase the attack surface. If you are not in the mood or do not have the resources to take the extra steps to further secure the integrity of the tripwire binaries and the tripwire DB, at least save copies of the files and their cryptographically secure checksums on other hosts.

In Debian the tripwire binaries are statically linked and located in /usr/sbin, and the DB is located in /var/lib/tripwire.
# sha256sum /usr/sbin/tripwire |tee ~/twsums
0e4791bb58dfc4095dba902621b72111d61bf1838d77aff4ae00d3c7432d5739  /usr/sbin/tripwire
# sha256sum /usr/sbin/tw* |tee -a ~/twsums
bc01ac66aa421d2e5324983150bea573b2e2d3ee004293501b0dcc4ce1560898  /usr/sbin/twadmin
e1b097eaf28f3ec54114cba7cc82a1ab4122a9fb82590422d9820711c884e5e9  /usr/sbin/twprint
# sha256sum /usr/sbin/siggen |tee -a ~/twsums
e5e72b264f9b4fa86aa88e0f893b6031457e30b510f28bcb31ea1296b38566bd  /usr/sbin/siggen
Tripwire uses $HOSTNAME a lot in the configuration and policy files. Make sure that you are happy with the hostname; if not, change the hostname before continuing with the tripwire configuration.
Create a site key.

# cd /etc/tripwire/
# twadmin --generate-keys --site-keyfile site.key
# chmod 400 site.key

The site key is used to secure the integrity of the tripwire configuration files.
Create a local key.

# twadmin --generate-keys --local-keyfile `hostname`-local.key
# chmod 400 *cal.key

The local key is used to protect the integrity of the local tripwire database.
Create and sign tw.cfg, the tripwire configuration file.

# stor twcfg.txt
# vi twcfg.txt
# twadmin --create-cfgfile --cfgfile tw.cfg --site-keyfile site.key twcfg.txt
Please enter your site passphrase:
Wrote configuration file: /etc/tripwire/tw.cfg
Create and sign tw.pol, the tripwire policy file.

# stor twpol.txt
# vi twpol.txt
# twadmin --create-polfile --cfgfile tw.cfg --site-keyfile site.key twpol.txt
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
Make the policy and configuration files readable and writable only by the root user.

# chmod 600 *txt
# chmod 600 *cfg
# chmod 600 *pol
Initialize the tripwire database.

# tripwire --init
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
# ...
Wrote database file: /var/lib/tripwire/anaxagoras.twd
The database was successfully generated.
Test that tripwire can send email.
# tripwire --test --email example@example.net
Check integrity and produce report.
# tripwire --check
View report.
# twprint -m r --twrfile /var/lib/tripwire/report/hostname-latest.twr |less
It is highly unlikely that you are using all the files in the "Root config files" rulename in the Debian default twpol.txt. You may also want to adjust the "Devices & Kernel information" rulename, since /proc (meaning recursive /proc/*) may be too much to track on normal servers.
Adjust the tripwire policy and initialize a new tripwire database.

# stor twpol.txt
# vi twpol.txt
# twadmin -m P -S site.key twpol.txt
# tripwire --init
Check integrity, create a report and OK the changes, if any.
Once the editor opens, look for [x] and delete the x if you are not OK with that change.

# tripwire --check --interactive
Integrity check complete.
Please enter your local passphrase:
Wrote database file: /var/lib/tripwire/anaxagoras.twd
You may enter the interactive mode from a report as well, e.g.:

# tripwire --update --twrfile /var/lib/tripwire/report/hostname-date-time.twr

and again look for [x] and delete the x if you are not OK with that change.
Email alerts.

To email an alert we need to add an emailto definition to at least one rulename, so we need to update the tripwire policy, e.g.:

#
# Critical Libraries
#
(
  rulename = "Root file-system libraries",
  severity = $(SIG_HI),
  emailto = root,
  emailto = systembot@ares.ipduh.rox
)
{
  /lib -> $(SEC_BIN) ;
}

If /lib is changed, an alert will be sent to root and systembot@ares.ipduh.rox.
Check integrity, produce a report and email alerts.

# tripwire --check --email-report
The Debian package installs a cron job that creates reports and emails alerts daily:

#!/bin/sh -e
tripwire=/usr/sbin/tripwire
[ -x $tripwire ] || exit 0
umask 027
$tripwire --check --quiet --email-report
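The how-to recommends keeping checksums of the tripwire binaries elsewhere; the wrapper below, an added example that is neither the Debian cron job nor anything from the original post, ties the two together by refusing to run the daily check when the binaries no longer match the sums file written by the sha256sum commands above. It assumes that file was copied to read-only media and is at /root/twsums (override with TW_SUMS).

```shell
#!/bin/sh
# Added example, not part of the original how-to or the Debian package.
# Verify the tripwire binaries against previously recorded SHA-256 sums
# before running the daily integrity check and emailing the report.
# Assumption: TW_SUMS points at the sums file created with
#   sha256sum /usr/sbin/tripwire ... | tee ~/twsums
# and that copy lives on read-only media the attacker cannot rewrite.

TW_SUMS="${TW_SUMS:-/root/twsums}"
TRIPWIRE="${TRIPWIRE:-/usr/sbin/tripwire}"

# verify_sums SUMSFILE
# Returns 0 when every file listed in SUMSFILE still has the recorded
# SHA-256, 1 when any listed file is missing or differs, and 2 when the
# sums file itself cannot be read (treated as a failure by the caller).
verify_sums() {
    sums="$1"
    [ -r "$sums" ] || return 2
    # --strict: malformed lines in the sums file count as failure.
    # --quiet : print nothing for files that verify OK.
    if sha256sum --check --strict --quiet "$sums" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# daily_check SUMSFILE
# Same steps as the Debian cron job, gated on the binaries verifying.
daily_check() {
    if ! verify_sums "$1"; then
        echo "tripwire binaries do not match $1; refusing to run" >&2
        return 1
    fi
    [ -x "$TRIPWIRE" ] || return 1
    umask 027
    "$TRIPWIRE" --check --quiet --email-report
}

# Only run the check when invoked as "script --run", so the functions
# above can also be sourced from another script.
if [ "${1:-}" = "--run" ]; then
    daily_check "$TW_SUMS"
fi
```

A mismatch exits non-zero without touching tripwire, so a tampered binary is caught by the wrapper rather than being trusted to check itself.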
View the tripwire database.
# twprint -m d --print-dbfile |less
View the tripwire information for a single file, e.g. /lib/test:

# twprint -m d --print-dbfile /lib/test
The system used in this how-to.

ii  tripwire  2.4.2.2-2  amd64  file and directory integrity checker
# cat /etc/issue /etc/debian_version
Debian GNU/Linux 7 \n \l
7.6
Links:
The Design and Implementation of Tripwire: A File System Integrity Checker
Tripwire how-to