How to Install and Configure Tripwire on CentOS 7

How to Install and Configure Tripwire on CentOS 7

In this tutorial I will show you, how to install and configure Tripwire on CentOS 7 server.

Open Source Tripwire is a free software security and data integrity tool useful for monitoring and alerting on specific file changes on a range of systems. Open Source Tripwire functions as a host-based intrusion detection system.

Installation

Install Tripwire:

# yum install tripwire

Configuration

Generate the system-specific cryptographic key files:

# /usr/sbin/tripwire-setup-keyfiles

Initialise the Tripwire database file:

# /usr/sbin/tripwire --init

Tripwire Configuration File twcfg.txt

Open the file /etc/tripwire/twcfg.txt for editing and modify as required. The content of our file is listed below for references:

ROOT                   =/usr/sbin
POLFILE                =/etc/tripwire/tw.pol
DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/etc/tripwire/site.key
LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR                 =/bin/vim
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS       =false
EMAILREPORTLEVEL       =3
REPORTLEVEL            =3
MAILMETHOD             =SENDMAIL
SYSLOGREPORTING        =false
MAILPROGRAM            =/usr/sbin/sendmail -oi -t
TEMPDIRECTORY          =/tmp
GLOBALEMAIL            =admin@example.com

Tripwire Policy File twpol.txt

Open the file /etc/tripwire/twpol.txt for editing and configure to match the system Tripwire is installed on. For example, you may want to add monitoring for /etc/nginx if you have Nginx installed, or disable integrity checking for Korn shell /bin/ksh if it’s not present on the system.

When the configuration is done and we’re happy with the files and folders we intend to monitor, we need to implement the rules by recreating the encrypted policy file which Tripwire reads:

# twadmin -m P -S /etc/tripwire/site.key /etc/tripwire/twpol.txt

Reinitialise the Tripwire Database

We must reinitialise the database to implement the policy:

# tripwire --init

Finally, we can run a check for any violations:

# tripwire --check

Housekeeping

In practice, we should delete the plain text policy and the plain text configuration files as we no longer need them:

# rm /etc/tripwire/tw*txt

If we later have to regenerate the plain text policy file, we pass the encrypted file to twadmin:

# twadmin --print-polfile > /etc/tripwire/twpol.txt

The same goes for the plain text configuration file:

# twadmin --print-cfgfile > /etc/tripwire/twcfg.txt

One thing to note, Tripwire will not recognise any configuration changes until the configuration text file is correctly signed and converted to /etc/tripwire/tw.pol with the twadmin command:

# twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt

The configuration file does not not alter any Tripwire policies, therefore it’s not required to regenerate the Tripwire database.

Crontab

Tripwire should be automatically added to /etc/cron.daily/. If this isn’t suitable, we can remove the configuration and add to the crontab instead, for example:

0 3 * * * tripwire --check|mail -s "Tripwire report for $(hostname -f)" root
Was this Tutorial helpful? Help others share on Facebook, Twitter, and Google Plus!
 
Enjoyed this video?
How to Install and Configure Tripwire on CentOS 7
"No Thanks. Please Close This Box!"