tripwire (Intrusion Detection Program)
Tripwire is an intrusion detection program that periodically checksums the files on your local disks and reports any changes. This section guides you through setting up tripwire.
Installation
To install tripwire, run:
$ apt install tripwire -y
Configurations
Tripwire is a monitoring application with its own database for each machine, so it must be configured to the local setup. To start, switch to the root account. Then change the current directory to:
$ cd /etc/tripwire
NOTE: all the following steps operate inside the tripwire configuration directory.
Create Site and Local Keys
Since tripwire is a security application, you need to generate two unique keys: a site key and a local key. To generate them, run:
$ twadmin --generate-keys --site-keyfile site.key
$ twadmin --generate-keys --local-keyfile local.key
You will be asked for two very strong passphrases, so store them in a password manager.
Backup Original Configuration Files
tripwire does not ship a default copy of its configuration under the /usr directory, so twcfg.txt and twpol.txt in /etc/tripwire are the only copies. Therefore, you must back up the defaults manually:
$ cp twcfg.txt twcfg.txt.bak
$ cp twpol.txt twpol.txt.bak
Configure Tripwire Configuration and Policy Files
With a backup copy done, the next thing to do is to edit twcfg.txt and twpol.txt.
In twcfg.txt, make sure that:
- every location it points to is valid and exists.
- SITEKEYFILE points to the correct keyfile. Based on the above: "SITEKEYFILE =/etc/tripwire/site.key".
- LOCALKEYFILE points to the correct keyfile. Based on the above: "LOCALKEYFILE =/etc/tripwire/local.key".
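The two checks above can be automated before the file is handed to twadmin. The script below is an added example, not part of tripwire: it expands the $(VAR) references of a twcfg.txt and reports any path-valued setting that does not exist or any key setting that does not point at site.key or local.key. The sample twcfg.txt and scratch directory it creates are constructed here, with LOCALKEYFILE deliberately pointing at a missing file.

```shell
#!/bin/sh
# Added example: sanity-check a twcfg.txt before signing it with twadmin.
# Not tripwire's own code; the sample config below is constructed for the demo.

# Print KEY=VALUE lines with comments stripped and $(VAR) references expanded.
# twcfg.txt only refers back to variables assigned earlier, so one pass is enough;
# built-ins such as $(HOSTNAME) and $(DATE) are unknown here and expand to "".
twcfg_expand() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk -F= '{
        k = $1; v = $2
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        while (match(v, /\$\([A-Za-z_]+\)/)) {
            n = substr(v, RSTART + 2, RLENGTH - 3)
            v = substr(v, 1, RSTART - 1) vars[n] substr(v, RSTART + RLENGTH)
        }
        vars[k] = v; print k "=" v
    }'
}

# Print one line per problem found; no output means the config passed.
twcfg_check() {
    twcfg_expand "$1" | while IFS='=' read -r k v; do
        case $k in
        ROOT)         [ -d "$v" ] || echo "$k: directory $v does not exist" ;;
        SITEKEYFILE)  [ -f "$v" ] && [ "${v##*/}" = site.key ]  || echo "$k: $v is not an existing site.key" ;;
        LOCALKEYFILE) [ -f "$v" ] && [ "${v##*/}" = local.key ] || echo "$k: $v is not an existing local.key" ;;
        POLFILE|DBFILE|REPORTFILE) [ -d "${v%/*}" ] || echo "$k: parent directory of $v does not exist" ;;
        esac
    done
}
twcfg_ok() { [ -z "$(twcfg_check "$1")" ]; }   # exit status 0 when no problems

# Constructed sample: site.key exists, local.key is missing (hypothetical paths).
make_sample() {
    mkdir -p "$1/etc" "$1/sbin" "$1/lib/report" && : > "$1/etc/site.key"
    cat > "$1/twcfg.txt" <<EOF
TWETC         =$1/etc
ROOT          =$1/sbin
POLFILE       =\$(TWETC)/tw.pol
DBFILE        =$1/lib/\$(HOSTNAME).twd
REPORTFILE    =$1/lib/report/\$(HOSTNAME)-\$(DATE).twr
SITEKEYFILE   =\$(TWETC)/site.key
LOCALKEYFILE  =\$(TWETC)/keys/local.key
MAILPROGRAM   =/usr/sbin/sendmail -oi -t
EOF
}

scratch=$(mktemp -d)
make_sample "$scratch"
twcfg_check "$scratch/twcfg.txt"    # reports the missing local.key
```

Run it against /etc/tripwire/twcfg.txt as root; an empty report means the paths it names are in place.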
In twpol.txt, you configure what needs to be monitored. Otherwise, you may leave it as it is to monitor the critical filesystem. Some notable points are:
- The key entries must match your key file paths:
# Tripwire Data Files - ...
...
$(TWETC)/site.key
$(TWETC)/local.key
- Remove /etc/rc.boot if not used (most deployments no longer use rc.boot):
# Critical System Boot Files
...
/etc/rc.boot
- Remove specific files inside the /root directory (but keep the first line, /root itself), such as:
# These files change the behavior of the root account
/root/mail
/root/Mail
/root/.xsession-errors
/root/.xauth
/root/.tcshrc
/root/.sawfish
/root/.pinerc
/root/.mc
/root/.gnome_private
...
NOTE: only keep those you need. Otherwise this is overly paranoid and noisy, because not every OS configuration is the same (e.g. few people use sawfish nowadays).
- Remove /proc or be specific about it:
# Critical Devices
...
/proc -> $(Device) ;
Encrypt Tripwire Configuration and Policy Files
The next thing to do is to encrypt (sign) both the configuration and policy files with the site key:
$ twadmin --create-cfgfile --cfgfile tw.cfg --site-keyfile site.key twcfg.txt
$ twadmin --create-polfile --cfgfile tw.cfg --site-keyfile site.key twpol.txt
These generate the encrypted versions, tw.cfg and tw.pol.
Initialize Tripwire
Once that completes without errors, you can initialize tripwire:
$ tripwire --init
It takes some time, but it should be fine once it is done and running. If you encounter an error, twcfg.txt or twpol.txt is most likely misconfigured; go back to the editing step and fix the problems until it initializes properly.
Remove The Plaintext Config and Policy Files
Now that everything is completed and initialized successfully, remove the plaintext versions of the configuration and policy files:
$ rm twcfg.txt
$ rm twpol.txt
You can recover them (only when you are debugging or analysing the configuration) with:
$ twadmin --print-cfgfile > twcfg.txt
$ twadmin --print-polfile > twpol.txt
Verification
With tripwire running steadily, you can verify its status from time to time.
Run A Check
To execute a local check, run:
$ tripwire --check --email-report
You should receive an email containing the report.
Post-Initialization Actions
Here are some post-initialization actions you can do.
That's all for tripwire.