{"id":620,"date":"2010-08-16T04:44:41","date_gmt":"2010-08-16T09:44:41","guid":{"rendered":"http:\/\/yourLinuxGuy.com\/?p=620"},"modified":"2010-08-15T08:49:44","modified_gmt":"2010-08-15T13:49:44","slug":"how-do-i-quickly-set-up-tripwire-on-opensuse","status":"publish","type":"post","link":"https:\/\/yourLinuxGuy.com\/?p=620","title":{"rendered":"How do I quickly set up Tripwire on Opensuse?"},"content":{"rendered":"

One of the very first posts I wrote on this blog when I started in early 2007 is a tutorial on how to quickly set up Tripwire on “Suse Linux”<\/a> (before they called it “Opensuse”).\u00a0 But the problem with that post is that I used the Tripwire software that was bundled with the distro at the time, which they stopped including with that very version.\u00a0 This understandably leads to some confusion with some folks.<\/p>\n

So now, I’ve put together a modernized version of that post.\u00a0 This time, I’m using the latest version of Opensuse (11.3) and the freely-available Tripwire from SourceForge (2.4.2) at the time of this writing, to make it a little more universal; since this should basically work on many distros and versions.\u00a0 Other than that however, I’m pretty much following the same style, method, and simplicity as my afore-mentioned earlier post;\u00a0 I’m going for crude, fast, quick setup, without any in-depth Tripwire administration…\u00a0 a “cheat-sheet”!\u00a0 Let’s get to it…<\/p>\n

Install software<\/h3>\n

Get supporting software from the distro:<\/p>\n

zypper in gcc make libstlport_gcc4-devel gcc45-c++ gcc-c++<\/code><\/pre>\n
Get tripwire:<\/p>\n
mkdir \/tmp\/tripwire\r\ncd \/tmp\/tripwire\/\r\nwget http:\/\/downloads.sourceforge.net\/project\/tripwire\/tripwire-src\/tripwire-2.4.2-src\/tripwire-2.4.2-src.tar.bz2?use_mirror=iweb&ts=1280546281\r\ntar -jxvf tripwire-2.4.2-src.tar.bz2\r\ncd tripwire-2.4.2-src<\/code><\/pre>\n
…now, compile and install to \/usr\/local <\/code>(this is the default, which can be changed), according to the INSTALL instructions:<\/p>\n
.\/configure
\nmake<\/code><\/p>\n
…Edit the settings as needed in install\/install.cfg<\/code> and run:<\/p>\n
make install<\/code><\/p>\n
…It will prompt you to create and use your “site” and “local” password.<\/p>\n
Configure Tripwire<\/h3>\n
At this point, it has built keys for you, and created sample files for you in \/usr\/local\/etc<\/code>.\u00a0 You need a “config” file and a “policy” file to use tripwire.<\/p>\n
To build the configuration file, you can make a default plain-text configuration file, and just edit it to taste and move forward (you can change it later if needed).<\/p>\n
vi \/usr\/local\/etc\/twcfg.txt<\/code><\/p>\n
Then encode and sign the plain-text file and install it as the new configuration file:<\/p>\n
\/usr\/local\/sbin\/twadmin --create-cfgfile --site-keyfile \/usr\/local\/etc\/site.key \/usr\/local\/etc\/twcfg.txt<\/code><\/pre>\n
A default policy text file is provided for you as well, and you’ll need to edit that to tune it to your system:<\/p>\n
vi \/usr\/local\/etc\/twpol.txt<\/code><\/p>\n
To encode that text policy file and install it as a working policy file for your system, build it like this:<\/p>\n
\/usr\/local\/sbin\/twadmin --create-polfile \/usr\/local\/etc\/twpol.txt<\/code><\/pre>\n
Rock Linux Policy Generator (optional)<\/h3>\n
However, if you wish to use the “rock linux” policy generator:<\/p>\n
mv \/usr\/local\/etc\/twpol.txt \/usr\/local\/etc\/twpol.txt.bak\r\ncd \/tmp\/tripwire\/\r\nwget http:\/\/rocklinux.net\/people\/pjotr\/package\/tools\/tripwire\/mktrippol.pl\r\nwget http:\/\/rocklinux.net\/people\/pjotr\/package\/tools\/tripwire\/rockadm.pl\r\nwget http:\/\/rocklinux.net\/people\/pjotr\/package\/tools\/tripwire\/rockbasepolicy.txt\r\nwget http:\/\/rocklinux.net\/people\/pjotr\/package\/tools\/tripwire\/twinit.sh\r\nwget http:\/\/rocklinux.net\/people\/pjotr\/package\/tools\/tripwire\/twsite.pl<\/code><\/pre>\n
I had to modify the paths in the “Standard settings” section of the mktrippol.pl<\/code> file to match my \/usr\/local<\/code> installation.\u00a0  It looked like this in the end:<\/p>\n
my $security = 'normal';\r\nmy $basefn   = 'rockbasepolicy.txt';\r\nmy $twetc    = '\/usr\/local\/etc';\r\nmy $twsbin   = '\/usr\/local\/sbin';\r\nmy $twvar    = '\/usr\/local\/lib\/tripwire';\r\nmy $policyfn = \"$twetc\/twpol.txt\";\r\nmy $prefix   = undef;<\/code><\/pre>\n
…Then, execute the mktrippol.pl<\/code> perl script and it builds the policy file for you.\u00a0 Again, edit it to make sure it is what you want.<\/p>\n
Complete the configuration<\/h3>\n
Now, since you customized the policy, you need to re-bundle it:<\/p>\n
\/usr\/local\/sbin\/twadmin --create-polfile \/usr\/local\/etc\/twpol.txt<\/code><\/pre>\n
To configure email settings, add:<\/p>\n
emailto  = \"root\",<\/code><\/p>\n
\u2026to each section after the \u201crulename\u201d line\u2026<\/p>\n
Test your e-mail capability:<\/p>\n
\/usr\/local\/sbin\/tripwire --test --email jpavlov@yourlinuxguy.com<\/code><\/pre>\n
Now, build the database file:<\/p>\n
\/usr\/local\/sbin\/tripwire --init<\/code><\/pre>\n
…and it writes the db file here:<\/p>\n
\/usr\/local\/lib\/tripwire\/*.twd<\/code><\/p>\n
If you get any errors, you can edit your policy update the db.\u00a0 To tweak the policy file, open the plain-text policy file and edit to taste.\u00a0 Then update your existing policy file and database file with your changes:<\/p>\n
\/usr\/local\/sbin\/tripwire --update-policy --secure-mode low \/usr\/local\/etc\/twpol.txt<\/code><\/pre>\n
Now, run an initial integrity check:<\/p>\n
\/usr\/local\/sbin\/tripwire --check --interactive<\/code><\/pre>\n
…and note that when you “save” at the end of the report viewing, you are acknowledging the notifications in that report, so that they will be silenced for the future.<\/p>\n
There will likely be some false positives and other misc things that don’t match up.\u00a0 If so, you’ll need to update the Tripwire policy text file (twpol.txt<\/code>) again, and rebuild the policy file (you may need to repeat this a few times until you have it just right):<\/p>\n
\/usr\/local\/sbin\/tripwire --update-policy --secure-mode low \/usr\/local\/etc\/twpol.txt<\/code><\/pre>\n
Then run a (hopefully) final integrity check:<\/p>\n
\/usr\/local\/sbin\/tripwire --check --interactive<\/code><\/pre>\n
…which will catch the policy file change (if you made any in the previous step), then you’re done.<\/p>\n
Create cron job (for example):<\/p>\n
crontab -e<\/code><\/p>\n
…and add something like this:<\/p>\n
0 *\/5 * * * \/usr\/local\/sbin\/tripwire --check --email-report --email-report-level 1<\/code><\/pre>\n
…of course, since you’re modifying the crontab, you need to do an interactive check yet again, or you’ll get flagged on it…<\/p>\n
…and that should do it!\u00a0 You now have a functioning Tripwire setup on your system, that will email you every time a change is detected… You certainly will need to continually tweak the policy a bit as you go forward, as it will likely catch some logs and such.\u00a0 But you are on your way !<\/p>\n
\ud83d\ude0e<\/p>\n","protected":false},"excerpt":{"rendered":"
One of the very first posts I wrote on this blog when I started in early 2007 is a tutorial on how to quickly set up Tripwire on “Suse Linux” (before they called it “Opensuse”).\u00a0 But the problem with that…
Read more<\/a><\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[12,94,29],"tags":[],"class_list":["post-620","post","type-post","status-publish","format-standard","hentry","category-advanced","category-opensuse11-3","category-tripwire"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pnjn1-a0","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=\/wp\/v2\/posts\/620","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=620"}],"version-history":[{"count":13,"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=\/wp\/v2\/posts\/620\/revisions"}],"predecessor-version":[{"id":622,"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=\/wp\/v2\/posts\/620\/revisions\/622"}],"wp:attachment":[{"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=620"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=620"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=620"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}