One of the very first posts I wrote on this blog when I started in early 2007 is a tutorial on how to quickly set up Tripwire on “Suse Linux” (before they called it “Opensuse”). But the problem with that post is that I used the Tripwire software that was bundled with the distro at the time, which they stopped including with that very version. This understandably leads to some confusion with some folks.
So now, I’ve put together a modernized version of that post. This time, I’m using the latest version of Opensuse (11.3) and the freely-available Tripwire from SourceForge (2.4.2) at the time of this writing, to make it a little more universal; since this should basically work on many distros and versions. Other than that however, I’m pretty much following the same style, method, and simplicity as my afore-mentioned earlier post; I’m going for crude, fast, quick setup, without any in-depth Tripwire administration… a “cheat-sheet”! Let’s get to it…
Install software
Get supporting software from the distro:
zypper in gcc make libstlport_gcc4-devel gcc45-c++ gcc-c++Get tripwire:
mkdir /tmp/tripwire
cd /tmp/tripwire/
wget http://downloads.sourceforge.net/project/tripwire/tripwire-src/tripwire-2.4.2-src/tripwire-2.4.2-src.tar.bz2?use_mirror=iweb&ts=1280546281
tar -jxvf tripwire-2.4.2-src.tar.bz2
cd tripwire-2.4.2-src…now, compile and install to /usr/local (this is the default, which can be changed), according to the INSTALL instructions:
./configure
make
…Edit the settings as needed in install/install.cfg and run:
make install
…It will prompt you to create and use your “site” and “local” password.
Configure Tripwire
At this point, it has built keys for you, and created sample files for you in /usr/local/etc. You need a “config” file and a “policy” file to use tripwire.
To build the configuration file, you can make a default plain-text configuration file, and just edit it to taste and move forward (you can change it later if needed).
vi /usr/local/etc/twcfg.txt
Then encode and sign the plain-text file and install it as the new configuration file:
/usr/local/sbin/twadmin --create-cfgfile --site-keyfile /usr/local/etc/site.key /usr/local/etc/twcfg.txtA default policy text file is provided for you as well, and you’ll need to edit that to tune it to your system:
vi /usr/local/etc/twpol.txt
To encode that text policy file and install it as a working policy file for your system, build it like this:
/usr/local/sbin/twadmin --create-polfile /usr/local/etc/twpol.txtRock Linux Policy Generator (optional)
However, if you wish to use the “rock linux” policy generator:
mv /usr/local/etc/twpol.txt /usr/local/etc/twpol.txt.bak
cd /tmp/tripwire/
wget http://rocklinux.net/people/pjotr/package/tools/tripwire/mktrippol.pl
wget http://rocklinux.net/people/pjotr/package/tools/tripwire/rockadm.pl
wget http://rocklinux.net/people/pjotr/package/tools/tripwire/rockbasepolicy.txt
wget http://rocklinux.net/people/pjotr/package/tools/tripwire/twinit.sh
wget http://rocklinux.net/people/pjotr/package/tools/tripwire/twsite.plI had to modify the paths in the “Standard settings” section of the mktrippol.pl file to match my /usr/local installation. It looked like this in the end:
my $security = 'normal';
my $basefn = 'rockbasepolicy.txt';
my $twetc = '/usr/local/etc';
my $twsbin = '/usr/local/sbin';
my $twvar = '/usr/local/lib/tripwire';
my $policyfn = "$twetc/twpol.txt";
my $prefix = undef;…Then, execute the mktrippol.pl perl script and it builds the policy file for you. Again, edit it to make sure it is what you want.
Complete the configuration
Now, since you customized the policy, you need to re-bundle it:
/usr/local/sbin/twadmin --create-polfile /usr/local/etc/twpol.txtTo configure email settings, add:
emailto = "root",
…to each section after the “rulename” line…
Test your e-mail capability:
/usr/local/sbin/tripwire --test --email jpavlov@yourlinuxguy.comNow, build the database file:
/usr/local/sbin/tripwire --init…and it writes the db file here:
/usr/local/lib/tripwire/*.twd
If you get any errors, you can edit your policy update the db. To tweak the policy file, open the plain-text policy file and edit to taste. Then update your existing policy file and database file with your changes:
/usr/local/sbin/tripwire --update-policy --secure-mode low /usr/local/etc/twpol.txtNow, run an initial integrity check:
/usr/local/sbin/tripwire --check --interactive…and note that when you “save” at the end of the report viewing, you are acknowledging the notifications in that report, so that they will be silenced for the future.
There will likely be some false positives and other misc things that don’t match up. If so, you’ll need to update the Tripwire policy text file (twpol.txt) again, and rebuild the policy file (you may need to repeat this a few times until you have it just right):
/usr/local/sbin/tripwire --update-policy --secure-mode low /usr/local/etc/twpol.txtThen run a (hopefully) final integrity check:
/usr/local/sbin/tripwire --check --interactive…which will catch the policy file change (if you made any in the previous step), then you’re done.
Create cron job (for example):
crontab -e
…and add something like this:
0 */5 * * * /usr/local/sbin/tripwire --check --email-report --email-report-level 1…of course, since you’re modifying the crontab, you need to do an interactive check yet again, or you’ll get flagged on it…
…and that should do it! You now have a functioning Tripwire setup on your system, that will email you every time a change is detected… You certainly will need to continually tweak the policy a bit as you go forward, as it will likely catch some logs and such. But you are on your way !
😎