Tripwire is a free software security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems.

Open Source Tripwire functions as a host-based intrusion detection system. Rather than attempting to detect intrusions at the network interface level (as in network intrusion detection systems), Open Source Tripwire detects changes to file system objects.

When first initialized, Open Source Tripwire scans the file system as directed by the administrator and stores information on each file scanned in a database. At a later date the same files are scanned and the results compared against the stored values in the database. Changes are reported to the user. Cryptographic hashes are employed to detect changes in a file without storing the entire contents of the file in the database.

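As an added example (not from the original page and not Tripwire's own code), the following Python shows the baseline-and-compare model in miniature: record a SHA-256 digest, size and mode per file, store that as the database, then rescan and report additions, removals and modifications. The directory tree, file contents and database path are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def file_record(path: Path) -> dict:
    """Properties stored per file: a SHA-256 of the content, size and mode.
    The digest lets a later check detect content changes without keeping a copy."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": st.st_mode}

def scan(root: str) -> dict:
    """Walk root and build {relative path: record}, the equivalent of `tripwire -m i`."""
    base = Path(root)
    return {str(p.relative_to(base)): file_record(p)
            for p in sorted(base.rglob("*")) if p.is_file() and not p.is_symlink()}

def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified files, the equivalent of `tripwire -m c`."""
    both = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in both if baseline[p] != current[p])}

def demo() -> dict:
    """Constructed walkthrough: take a baseline, change the tree, run the check."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as dbdir:
        for rel, data in {"etc/passwd": b"root:x:0:0\n", "etc/hosts": b"127.0.0.1 localhost\n",
                          "bin/ls": b"\x7fELF original"}.items():
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).write_bytes(data)
        db_file = os.path.join(dbdir, "tw.db")       # database kept outside the scanned tree
        Path(db_file).write_text(json.dumps(scan(root), sort_keys=True))
        # Changes between baseline and check: a new file (the page's `touch sam.txt`),
        # a content change to a binary, and a deleted file.
        Path(root, "sam.txt").touch()
        Path(root, "bin", "ls").write_bytes(b"\x7fELF modified")
        Path(root, "etc", "hosts").unlink()
        return compare(json.loads(Path(db_file).read_text()), scan(root))
```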
Install Tripwire from the EPEL repository:

# yum --enablerepo=epel -y install tripwire

Generate the site and local key files (the site key signs the configuration and policy; the local key signs the database and reports):

# tripwire-setup-keyfiles

Enter the site keyfile passphrase:    # (1) set passphrase
Verify the site keyfile passphrase:   # confirm

Enter the local keyfile passphrase:   # (2) set passphrase
Verify the local keyfile passphrase:  # confirm

Please enter your site passphrase:    # (1) input passphrase (signs tw.cfg)
Please enter your site passphrase:    # (1) input passphrase (signs tw.pol)


# cd /etc/tripwire

Edit twcfg.txt and change the following options (LOOSEDIRECTORYCHECKING=true stops a directory from being reported as changed merely because a file inside it was added or removed; REPORTLEVEL=4 is the most detailed report level):

# vi twcfg.txt
LOOSEDIRECTORYCHECKING =true
REPORTLEVEL =4

The twadmin utility is used to perform certain administrative functions related to Tripwire files and configuration options. Specifically, twadmin allows encoding, decoding, signing, and verification of Tripwire files, and provides a means to generate and change local and site keys.

# twadmin -m F -c tw.cfg -S site.key twcfg.txt
Please enter your site passphrase:# (1) input passphrase
Wrote configuration file: /etc/tripwire/tw.cfg

[ -m F ] Designates an existing text file as the new configuration file for Tripwire. The plain-text configuration file must be specified on the command line. Using the site key, the new configuration file is encoded and saved.
[ -c tw.cfg ] Specify the destination of the encoded configuration file.
[ -S site.key ] Use the specified site key file to encode and sign the new configuration file.

Create a policy optimization script. It rewrites the HOSTNAME global to match this host and comments out rules whose paths do not exist on the system, which avoids a flood of "file does not exist" messages when the database is initialized:

# vi twpolmake.pl
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
# perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
use strict;
use warnings;

my $POLFILE = $ARGV[0] or die "usage: $0 {Pol file}\n";

open(POL, "$POLFILE") or die "open error: $POLFILE";
my ($myhost, $thost);
my ($sharp, $tpath, $cond);
my $INRULE = 0;
my $ret;

while (<POL>) {
    chomp;
    # Rewrite the HOSTNAME global so the policy matches this machine.
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname`; chomp($myhost);
        if ($thost ne $myhost) {
            $_ = "HOSTNAME=\"$myhost\";";
        }
    }
    elsif ( /^\{/ ) {          # start of a rule block
        $INRULE = 1;
    }
    elsif ( /^\}/ ) {          # end of a rule block
        $INRULE = 0;
    }
    # Inside a rule block: a (possibly commented-out) "/path -> mask;" line.
    elsif ($INRULE == 1 and ($sharp, $tpath, $cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g) || 0;   # number of '#' removed (0 if none)
        if ($tpath eq '/sbin/e2fsadm') {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/;
        }
        if (! -s $tpath) {
            # Path is absent on this host: comment the rule out (unless it already was).
            $_ = "$sharp#$tpath$cond" if ($ret == 0);
        }
        else {
            $_ = "$sharp$tpath$cond";   # path exists: keep the rule active
        }
    }
    print "$_\n";
}
close(POL);

Run the script against the default policy to produce an optimized copy:

# perl twpolmake.pl twpol.txt > twpol.txt.new

Encode and sign the new policy with the site key:

# twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new
Please enter your site passphrase: # pass-phrase
Wrote policy file: /etc/tripwire/tw.pol

[ -m P ] Create a new policy file: the plain-text policy given on the command line is encoded and signed with the site key (the lowercase -m p mode is the one that prints an existing signed policy in clear-text form to standard output).
[ -p tw.pol ] Specify the destination of the encoded policy file.

Create the database (initialization mode, -m i; -s suppresses the report output):

# tripwire -m i -s -c tw.cfg
Please enter your local passphrase:# pass-phrase

Run an integrity check (-m c):

# tripwire -m c -s -c tw.cfg

Create a new file:
# touch sam.txt

Run the integrity check again to see the change reported:
# tripwire -m c -s -c /etc/tripwire/tw.cfg