How do I quickly set up TripWire on Linux?

Here is my version of a Tripwire Cheat Sheet. I originally wrote this about a year ago, but it is still pretty much the same. It will help you to get Tripwire up-and-going quickly, if only to learn how it all comes together. There are some additional caveats to run it in production, but hey – I can’t give it *all* away for free, can I? 😉

Of course, many things in this document are taken for granted; like that the Tripwire binaries are in your path, and required config files are where they normally are, etc… If not, just use your brain and substitute where necessary.

Just for reference, this was all done on a Opensuse 10 machine, which was before they called it “Opensuse” (but I can’t remember what they called it), and before they removed Tripwire from the standard distribution. Now isn’t that a kick in the pants. Now they include “AIDE”, which I will offer a Cheat Sheet for later… in the meantime, enjoy…

INITIAL SETUP

Genetate new host key (optional):

twadmin -m G -S /etc/tripwire/site.key
twadmin -m G -L /etc/tripwire/<hostname>-local.key

To build the configuration file, find a sample of the plain-text configuration file and edit to taste. Then encode and sign the plain-text file and install it as the new configuration file:

twadmin --create-cfgfile --site-keyfile /etc/tripwire/site.key twcfg.txt

To encode and install a policy file for your system, find a sample of the plain-text policy file and edit to taste, then create the policy with your changes:

twadmin --create-polfile twpol.txt

Consider using a tool like this to create a policy file:

Tripwire Policy File Generator [update: It looks like the link to the Generator tool is lost and I cannot find it on the ‘net anymore. So, I’m up-loading my versions — that I downloaded in 2006 — to this blog for your convenience. Note also, that these files appear to have been created in 2001. Just use the filename/links below. Use at your own risk!]

(download the files, run the policy generator, then update policy as below)

mktrippol.pl  rockadm.pl  rockbasepolicy.txt twinit.sh  twsite.pl

To initialize the database file:

tripwire --init

…examine results, tweak policy file to taste…

To tweak the policy file, open the plain-text policy file and edit to taste. Then update your existing policy file and database file with your changes:

tripwire --update-policy --secure-mode low twpol.txt

Run an initial integrity check:

tripwire --check --interactive

To configure email settings, add:

emailto  = "root",

…to each section after the “rulename” line…

Testing E-mail Settings:

tripwire --test --email user@example.com

Update the Tripwire policy file with the edited text file:

tripwire --update-policy --secure-mode low twpol.txt

Run another integrity check:

tripwire --check --interactive

Update the Tripwire policy file with the edited text file:

tripwire --update-policy --secure-mode low twpol.txt

Create cron job (for example):

0 */1 * * * <TFS_root>/bin/tripwire --check -M

…or…

0 */1 * * * <TFS_root>/tripwire --check --email-report --email-report-level 1

To update the database file immediately after an integrity check:

tripwire --check --interactive

…it is considered good security form to delete all leftover TXT files (leave the key, pol, and cfg files in place!) at this point. You may have to do another interactive check if you delete the TXT files and are tracking that directory. Congratulations, you should be finished!

ONGOING MAINTENANCE

To edit the configuration file, create a plain-text copy of the configuration file:

twadmin --print-cfgfile > twcfgupdate.txt

…edit and save…
Encode and sign the plain-text file and install it as the new configuration file:

twadmin --create-cfgfile --site-keyfile /etc/tripwire/site.key twcfgupdate.txt

To edit the policy file, create a plain-text copy of the policy file:

twadmin --print-polfile > policy.txt

…edit and save…
Update your existing policy file and database file with your changes:

tripwire --update-policy --secure-mode low policy.txt

Since the above changes are likely to be detected, you will need to update the database file:

tripwire --check --interactive

1 Comment

  1. Pingback: Steve

Leave a Comment

Your email address will not be published.