Configure Tripwire on Rocky 9/CentOS 9

Open Source Tripwire is a free software security and data integrity tool used for monitoring and alerting on specific file changes on Linux systems.

Tripwire performs intrusion detection by taking a snapshot of a known system state and later comparing it against the current, possibly changed, state. It does this by comparing the current signatures of files with the ones recorded when the database was originally created (or last updated).

Installation

Install Tripwire:

$ sudo yum install tripwire

Configuration

Generate the system-specific cryptographic key files:

$ sudo /usr/sbin/tripwire-setup-keyfiles

Initialise the Tripwire database file:

$ sudo /usr/sbin/tripwire --init

Tripwire Configuration File twcfg.txt

Open the file /etc/tripwire/twcfg.txt for editing and modify it as required. The content of an example file is listed below for reference.

ROOT                   =/usr/sbin
POLFILE                =/etc/tripwire/tw.pol
DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/etc/tripwire/site.key
LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR                 =/bin/vim
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS       =false
EMAILREPORTLEVEL       =3
REPORTLEVEL            =3
MAILMETHOD             =SENDMAIL
SYSLOGREPORTING        =false
MAILPROGRAM            =/usr/sbin/sendmail -oi -t
TEMPDIRECTORY          =/tmp
GLOBALEMAIL            =[email protected]

Tripwire Policy File twpol.txt

Open the file /etc/tripwire/twpol.txt for editing and configure it to match your system. For example, you may want to add monitoring for /etc/httpd if you have Apache installed, or disable integrity checking for the Korn shell (/bin/ksh) if it is not installed on the system.
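The two edits just mentioned, written in Tripwire's policy-file syntax, as an added example that is not part of the original post or of the stock policy shipped with the package. It assumes the variables $(SEC_CONFIG), $(SEC_LOG), $(SEC_BIN) and $(SIG_HI) are defined at the top of /etc/tripwire/twpol.txt, as they are in the package default, and that the existing "Shell Binaries" rule already lists /bin/ksh.

```text
# --- Added rule: watch the Apache configuration (assumed example) ---
# Attributes go in parentheses, the monitored objects in braces.
# $(SEC_CONFIG) flags content/ownership/permission changes on files that
# are read often but should rarely change; $(SEC_LOG) allows a file to grow
# but reports truncation or ownership changes.
(
  rulename = "Apache web server configuration",
  severity = $(SIG_HI)
)
{
  /etc/httpd                    -> $(SEC_CONFIG) ;
  /etc/httpd/conf.d             -> $(SEC_CONFIG) ;
  /var/log/httpd                -> $(SEC_LOG) ;
  # A leading "!" is a stop point: the access log is expected to change
  # constantly, so exclude it to avoid a violation on every check.
  !/var/log/httpd/access_log ;
}

# --- Existing rule, edited: stop checking a shell that is not installed ---
# Leaving an entry for a missing file makes every report complain about it,
# so comment the line out rather than deleting the whole rule.
(
  rulename = "Shell Binaries",
  severity = $(SIG_HI)
)
{
  /bin/bash                     -> $(SEC_BIN) ;
  /bin/sh                       -> $(SEC_BIN) ;
  #/bin/ksh                     -> $(SEC_BIN) ;   # not installed on this host
}
```

After saving, the plain text file has no effect until it is signed into the encrypted policy and the database is re-initialised, as described in the following steps.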

Once you are happy with the files and directories you want to monitor, apply the rules by recreating the encrypted policy file that Tripwire actually reads:

$ sudo twadmin -m P -S /etc/tripwire/site.key /etc/tripwire/twpol.txt

Reinitialise the Tripwire Database

Reinitialise the database to implement the policy:

$ sudo tripwire --init

Finally, run a check for any violations:

$ sudo tripwire --check

Housekeeping

In practice, you should delete the plain text policy and configuration files that are no longer required:

$ sudo rm /etc/tripwire/twcfg.txt /etc/tripwire/twpol.txt

If you later need to regenerate the plain text policy file, pass the encrypted file to twadmin:

$ sudo twadmin --print-polfile | sudo tee /etc/tripwire/twpol.txt

The same goes for the plain text configuration file:

$ sudo twadmin --print-cfgfile | sudo tee /etc/tripwire/twcfg.txt

One thing to note: Tripwire will not recognise any configuration changes until the configuration text file is correctly signed and converted to /etc/tripwire/tw.pol with the twadmin command:

$ sudo twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt

The configuration file does not alter any Tripwire policies, so there is no need to regenerate the Tripwire database after changing it.

Crontab

Tripwire should be added to /etc/cron.daily/ automatically. If this isn't desired, you can remove that cron.daily script and add the check to the root user's crontab instead, for example:

0 3 * * * /sbin/tripwire --check --email-report --silent --no-tty-output
