Configure Tripwire on CentOS 7

Open Source Tripwire is a free software security and data integrity tool useful for monitoring and alerting on specific file changes on a range of systems. Open Source Tripwire functions as a host-based intrusion detection system.

Installation

Install Tripwire:

# yum install tripwire

Configuration

Generate the system-specific cryptographic key files:

# /usr/sbin/tripwire-setup-keyfiles

Initialise the Tripwire database file:

# /usr/sbin/tripwire --init

Tripwire Configuration File twcfg.txt

Open the file /etc/tripwire/twcfg.txt for editing and modify as required. The content of our file is listed below for reference:

ROOT                   =/usr/sbin
POLFILE                =/etc/tripwire/tw.pol
DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/etc/tripwire/site.key
LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR                 =/bin/vim
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS       =false
EMAILREPORTLEVEL       =3
REPORTLEVEL            =3
MAILMETHOD             =SENDMAIL
SYSLOGREPORTING        =false
MAILPROGRAM            =/usr/sbin/sendmail -oi -t
TEMPDIRECTORY          =/tmp
GLOBALEMAIL            [email protected]

Tripwire Policy File twpol.txt

Open the file /etc/tripwire/twpol.txt for editing and configure it to match the system Tripwire is installed on. For example, you may want to add monitoring for /etc/nginx if Nginx is installed, or disable integrity checking for the Korn shell /bin/ksh if it is not present on the system.
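As an added illustration (not part of the original post), the two edits just described might look like this in twpol.txt. It assumes the stock CentOS policy already defines the SEC_CRIT, SEC_CONFIG, SEC_BIN and SIG_HI variables in its variable section, that the "Shell Binaries" stanza resembles the one shown, and that the e-mail address is a placeholder.

```conf
# Added example: two edits to /etc/tripwire/twpol.txt (not the post's own file).
# Assumes SEC_CRIT, SEC_CONFIG, SEC_BIN and SIG_HI are defined earlier in the
# policy, as they are in the stock CentOS twpol.txt. Address is a placeholder.

# 1. New rule: watch the Nginx configuration tree. Violations under this rule
#    are high severity and are mailed to the address below when the check is
#    run with --email-report (MAILMETHOD/MAILPROGRAM come from twcfg.txt).
(
  rulename = "Nginx configuration",
  severity = $(SIG_HI),
  emailto  = "security@example.com"
)
{
  /etc/nginx            -> $(SEC_CONFIG) ;   # whole tree, recursed by default
  /etc/nginx/nginx.conf -> $(SEC_CRIT) ;     # main file: stricter, more specific entry wins
}

# 2. Existing "Shell Binaries" rule: comment out the Korn shell entry when
#    /bin/ksh is not installed, otherwise every check reports a missing file.
(
  rulename = "Shell Binaries",
  severity = $(SIG_HI)
)
{
  /bin/bash -> $(SEC_BIN) ;
  /bin/csh  -> $(SEC_BIN) ;
  #/bin/ksh -> $(SEC_BIN) ;                  # disabled: not present on this host
  /bin/sh   -> $(SEC_BIN) ;
}
```

After saving, the policy must be re-signed with twadmin and the database re-initialised, as the following steps describe.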

When the configuration is done and we’re happy with the files and folders we intend to monitor, we need to implement the rules by recreating the encrypted policy file which Tripwire reads:

# twadmin -m P -S /etc/tripwire/site.key /etc/tripwire/twpol.txt

Reinitialise the Tripwire Database

We must reinitialise the database to implement the policy:

# tripwire --init

Finally, we can run a check for any violations:

# tripwire --check

Housekeeping

In practice, we should delete the plain text policy and the plain text configuration files as we no longer need them:

# rm /etc/tripwire/tw*txt

If we later have to regenerate the plain text policy file, we pass the encrypted file to twadmin:

# twadmin --print-polfile > /etc/tripwire/twpol.txt

The same goes for the plain text configuration file:

# twadmin --print-cfgfile > /etc/tripwire/twcfg.txt

One thing to note: Tripwire will not recognise any configuration changes until the configuration text file is correctly signed and converted to /etc/tripwire/tw.pol with the twadmin command:

# twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt

The configuration file does not alter any Tripwire policies, therefore it is not required to regenerate the Tripwire database.

Crontab

Tripwire should be automatically added to /etc/cron.daily/. If this isn't suitable, we can remove that entry and add it to the crontab instead, for example:

0 3 * * * /sbin/tripwire --check --email-report --silent --no-tty-output

2 thoughts on “Configure Tripwire on CentOS 7”

    • Hi Michael,

      Yes, Tripwire is basically a FIM. There are several tools that I know of which achieve similar goals, AIDE, AFICK, OSSEC, Samhain (there are likely many more).

      I find Tripwire excellent for small decentralised Linux setups; however, I also use other security software depending on the level of monitoring I want to have, or on the system it's going to be configured on, etc. To say that I prefer Tripwire over something wouldn't be accurate unless we have some specific requirements in mind. It all depends on the use case. Hope this helps.
