In this blog post, we’ll look at the how to install and configure Tripwire on Ubuntu 18.04. Tripwire is an open source host-based Intrusion Detection System. Tripwire can check for file integrity, it will monitor and alert on file/directory change.
How Tripwire works
A Tripwire check compares the current filesystem state against a known baseline state and alerts on any changes it detects. The baseline and check behavior are controlled by a policy file, which specifies which files or directories to monitor, and which attributes to monitor on them, such as hashes, file permissions, and ownership.
When an expected change occurs, such as upgrading a package, the baseline database can be updated to the new known-good state. The policy can also be updated, for example, to reduce noise or cover a newly installed package.
Install Tripwire on Ubuntu 18.04
Tripwire package for Ubuntu 18.04 is available from the apt repository. Install it by running:
$ sudo apt-get install tripwire
This installation is an interactive process, it will ask you a couple of questions. You’ll now be prompted to enter site passphrase, enter the password of your choice.Retype the passphrase entered above to confirm.You also need to set local passphrase:Re-enter passphrase to confirm and press <Ok>On a successful installation, you’ll get a successful installation message like below:
Create Tripwire keys and initialize the database.
Now that the installation has been successful, we need to generate keys and initialize database so that tripwire can start its work.
$ sudo su - # cd /etc/tripwire/ # ls -1 server-01-local.key site.key tw.cfg tw.pol twcfg.txt twpol.txt
We’ll modify twcfg.txt file REPORTLEVEL to 4 which is a maximum.
Generate a configuration file after the change:
# twadmin -m F -c tw.cfg -S site.key twcfg.txt Please enter your site passphrase: <Enter-your-passphrase> Wrote configuration file: /etc/tripwire/tw.cfg
Optimize Tripwire Policy file
Create a twpolmake.pl file with below content:
# vim twpolmake.pl
# perl twpolmake.pl twpol.txt > twpol.txt.new # twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new Please enter your site passphrase: Wrote policy file: /etc/tripwire/tw.pol
# tripwire -m i -s -c tw.cfg Please enter your local passphrase: ### Warning: File system error. ### Filename: /var/lib/tripwire/server-01.twd ### No such file or directory ### Continuing...
# twprint -m d -d /path/to/database.twd E.g # twprint -m d -d /var/lib/tripwire/server-01.twd
Updating a database
The simplest form of update updates the database with all the changes in a report file:
# tripwire --update --accept-all
# ls /var/lib/tripwire/report/ server-01-20180609-073225.twr
# twprint -m r -t [0-4] -r /path/to/reportfile.twr
# twprint -m r -t 4 -r /var/lib/tripwire/report/server-01-20180609-073225.twr
# tripwire -m u -a -s -c /etc/tripwire/tw.cfg -r /var/lib/tripwire/report/server-01-20180609-073225.twr Please enter your local passphrase:
Updating a policy
Policy update mode modifies the current Tripwire policy without losing existing baselines.
# tripwire --update-policy updated-policy.txt
This will do a check with the new policy as part of the update process. If this check detects changes, the default behavior is to display the changes and exit without updating the policy or database. To accept the changes and continue with the policy update, use the -Z low / –secure-mode low command line option.
Testing the email configuration
To test email configuration:
# tripwire --test --email email@example.com
This sends a test email to the specified address, using the email settings specified in the config file. We’ll cover more Tripwire configurations on our next article.