tripwire (File Integrity Monitoring / Intrusion Detection Program)

Installation

To install tripwire on Debian or Ubuntu, run as root:

$ apt install tripwire -y

Configurations

Tripwire compares the filesystem against a signed baseline database that is specific to one machine, so it has to be configured for the local system. Every step below is done as root. First, change into tripwire's configuration directory:

$ cd /etc/tripwire

NOTE: all the following steps are run from inside the tripwire configuration directory.

Create Site and Local Keys

Tripwire signs its files with two separate keys: the site key signs the configuration and policy (and may be shared by every host on the site), while the local key signs this host's database and reports. Generate both:

$ twadmin --generate-keys --site-keyfile site.key
$ twadmin --generate-keys --local-keyfile local.key

You will be asked for a passphrase for each key. Both must be strong and kept in a password manager: without the site passphrase the configuration and policy can never be changed again, and without the local passphrase the database can never be updated, so losing either means re-initializing from scratch.

Backup Original Configuration Files

The package does not keep a pristine copy of the configuration under /usr, so the twcfg.txt and twpol.txt in this directory are the only copies. Back them up by hand before editing:

$ cp twcfg.txt twcfg.txt.bak
$ cp twpol.txt twpol.txt.bak

Configure the Tripwire Configuration and Policy Files

With a backup in place, edit twcfg.txt and twpol.txt.

In twcfg.txt, check that:

  1. every path it points at (ROOT, POLFILE, DBFILE, REPORTFILE, EDITOR and the two key files) is valid; the directories for DBFILE and REPORTFILE must exist, the files themselves are created by tripwire.
  2. SITEKEYFILE points at the site key generated above, e.g. "SITEKEYFILE =/etc/tripwire/site.key".
  3. LOCALKEYFILE points at the local key generated above, e.g. "LOCALKEYFILE =/etc/tripwire/local.key".

In twpol.txt, configure what is monitored. The stock policy already covers the critical parts of the filesystem, so it can be left largely as it is, but a few entries need attention because they refer to things that do not exist on a modern system, and every such entry produces a warning at initialization and noise in every report:

  • The key file entries must match the key paths set in twcfg.txt:
# Tripwire Data Files - ...
...
        $(TWETC)/site.key
        $(TWETC)/local.key
  • Remove /etc/rc.boot if it is not present (most deployments no longer use rc.boot):
# Critical System Boot Files
...
/etc/rc.boot
  • Remove the entries for files inside /root that do not exist on your system (keep the /root line itself), for example:
# These files change the behavior of the root account
/root/mail
/root/Mail
/root/.xsession-errors
/root/.xauth
/root/.tcshrc
/root/.sawfish
/root/.pinerc
/root/.mc
/root/.gnome_private
...

NOTE: keep only the entries that exist and matter on this host. The stock list is written for every conceivable environment (few people run sawfish or pine any more), so left untouched it is both noisy and misleading.

  • Remove /proc, or list only the specific entries you care about; it is a virtual filesystem whose entries appear and disappear with every process, so monitoring it as a whole reports changes on every run:
# Critical Devices
...
        /proc       -> $(Device) ;
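The checks described above (the key paths in twcfg.txt and twpol.txt agreeing with the keys you generated, and policy entries such as /etc/rc.boot or the /root dotfiles that do not exist on this host) can be made mechanical. The script below is an added example, not part of tripwire or of this page; it assumes Debian's /etc/tripwire layout and the stock policy's GLOBAL variables (TWETC and friends), and the twcfg.txt and twpol.txt in its demo function are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of tripwire: a pre-flight lint for twcfg.txt and twpol.txt.
# Every path it prints would otherwise either abort `tripwire --init` (a wrong key
# file path) or produce a "File system error ... No such file or directory" warning
# for a policy object that does not exist on this host.  Paths default to Debian's
# /etc/tripwire layout; the demo at the bottom works on constructed files.

# Expand $(HOSTNAME) and every "NAME = /path;" definition from the policy's GLOBAL
# section (TWBIN, TWETC, TWVAR in the stock policy) inside one path.
# Usage: tw_expand POLICY_FILE PATH   (pass /dev/null when there is no policy)
tw_expand() {
  pol=$1
  path=$(printf '%s' "$2" | sed "s|\\\$(HOSTNAME)|$(uname -n)|g")
  for def in $(sed -n 's/^[[:space:]]*\([A-Z_][A-Z0-9_]*\)[[:space:]]*=[[:space:]]*\(\/[^;[:space:]]*\)[[:space:]]*;.*/\1=\2/p' "$pol"); do
    name=${def%%=*}
    value=${def#*=}
    path=$(printf '%s' "$path" | sed "s|\\\$($name)|$value|g")
  done
  printf '%s\n' "$path"
}

# twcfg.txt variables that must resolve to existing files before --init.
# SITEKEYFILE and LOCALKEYFILE have to match the keys made with twadmin.
twcfg_missing() {
  cfg=$1
  for var in ROOT SITEKEYFILE LOCALKEYFILE EDITOR; do
    raw=$(sed -n "s/^[[:space:]]*$var[[:space:]]*=[[:space:]]*//p" "$cfg" | sed 's/[[:space:]]*$//' | tail -n 1)
    [ -n "$raw" ] || continue
    p=$(tw_expand /dev/null "$raw")
    [ -e "$p" ] || printf '%s = %s\n' "$var" "$p"
  done
}

# Policy objects ("/path -> $(Rule) ;" or stop points "!/path ;") that are absent on
# this host.  /etc/rc.boot and the stale /root dotfiles from the stock policy show
# up here; delete them from twpol.txt rather than living with the warnings.
twpol_missing() {
  pol=$1
  sed -n -e 's/^[[:space:]]*!\{0,1\}\(\/[^[:space:];]*\).*/\1/p' \
         -e 's/^[[:space:]]*!\{0,1\}\(\$([A-Z_]*)\/[^[:space:];]*\).*/\1/p' "$pol" |
  while read -r obj; do
    p=$(tw_expand "$pol" "$obj")
    [ -e "$p" ] || printf '%s\n' "$p"
  done
}

# Lint the real files; exit 1 if anything is missing.
tw_lint() {
  cfg=${1:-/etc/tripwire/twcfg.txt}
  pol=${2:-/etc/tripwire/twpol.txt}
  missing=$(twcfg_missing "$cfg"; twpol_missing "$pol")
  [ -z "$missing" ] && return 0
  printf 'missing on this host:\n%s\n' "$missing"
  return 1
}

# Constructed demonstration (temporary files, not real system paths): one key that
# exists, a local key whose file was never generated, and a policy that references
# /etc/rc.boot.  Prints the two offending entries.
tw_lint_demo() {
  dir=$(mktemp -d) || return 1
  : > "$dir/site.key"
  cat > "$dir/twcfg.txt" <<EOF
SITEKEYFILE   =$dir/site.key
LOCALKEYFILE  =$dir/\$(HOSTNAME)-local.key
EOF
  cat > "$dir/twpol.txt" <<EOF
@@section GLOBAL
TWETC = $dir;
@@section FS
SEC_CRIT = \$(IgnoreNone)-SHa ;
(
  rulename = "Tripwire Data Files",
  severity = 100
)
{
  \$(TWETC)/site.key  -> \$(SEC_CRIT) ;
  /etc/rc.boot        -> \$(SEC_CRIT) ;
  /etc                -> \$(SEC_CRIT) ;
}
EOF
  twcfg_missing "$dir/twcfg.txt"
  twpol_missing "$dir/twpol.txt"
  rm -rf "$dir"
}

if [ "${1:-}" = "--lint" ]; then
  tw_lint "${2:-}" "${3:-}"
elif [ "${1:-}" = "--demo" ]; then
  tw_lint_demo
fi
```

Run it as `sh tw-lint.sh --lint` from /etc/tripwire before `tripwire --init`; `--demo` shows what it flags on the constructed files. It deliberately only reports objects that do not exist, so it will not complain about /proc, which exists but is noisy for a different reason.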

Sign the Tripwire Configuration and Policy Files

Next, sign (encode) the configuration and policy with the site key, so that tripwire will only accept versions that carry a valid signature. Create the configuration first, because the policy step reads tw.cfg to learn where the signed policy goes (POLFILE); each command prompts for the site passphrase:

$ twadmin --create-cfgfile --cfgfile tw.cfg --site-keyfile site.key twcfg.txt
$ twadmin --create-polfile --cfgfile tw.cfg --site-keyfile site.key twpol.txt

These produce the signed binary files tw.cfg and tw.pol, which are what tripwire reads from now on.

Initialize Tripwire

When both commands complete without error, create the baseline database (this prompts for the local passphrase, which signs the database):

$ tripwire --init

It takes a while on a large filesystem. Warnings of the form "File system error ... No such file or directory" mean the policy still references objects that do not exist on this host; the database is still written, but go back to twpol.txt, remove them and re-sign the policy so the reports stay clean. A hard error usually means twcfg.txt or twpol.txt is misconfigured, so return to the editing step and fix it until initialization succeeds.

Remove the Plaintext Config and Policy Files

Now that everything is initialized, remove the plaintext configuration and policy. Tripwire only reads the signed tw.cfg and tw.pol, so a leftover plaintext copy invites edits that are never signed in, and it hands anyone who gets read access a complete map of what is and is not monitored:

$ rm twcfg.txt
$ rm twpol.txt

You can regenerate them from the signed copies whenever you need to debug or audit the active configuration:

$ twadmin --print-cfgfile > twcfg.txt
$ twadmin --print-polfile > twpol.txt

Verification

Tripwire is not a daemon; it only does something when a check is run. Schedule one (the Debian package installs a daily cron job) and read the reports it produces.

Run a Check

To run a check by hand and have the report mailed:

$ tripwire --check --email-report

You should receive the report by email. That only works if twcfg.txt defines a mail transport (MAILMETHOD set to SENDMAIL with MAILPROGRAM, or to SMTP with SMTPHOST and SMTPPORT) and a recipient (GLOBALEMAIL in twcfg.txt, or an emailto attribute on the policy rules); otherwise drop --email-report and read the report written to the report directory with twprint instead.

Post-Initialization Actions

Once the database exists, the remaining work is reading reports and keeping the database and policy in step with legitimate changes.
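The check under Verification and the follow-up steps here (accepting reviewed changes into the database, re-signing an edited policy) are routinely wrapped in one script. The one below is an added example, not part of tripwire or of this page. It assumes Debian's default report location (REPORTFILE under /var/lib/tripwire/report) and the exit-status bitmask that tripwire(8) documents for --check; the TRIPWIRE and REPORT_DIR variables are mine so the logic can be exercised with a stub binary.

```shell
#!/bin/sh
# Added example, not part of tripwire: wrap the scheduled integrity check, decode its
# exit status, and fold reviewed changes back into the database.  It assumes Debian's
# default report location (REPORTFILE under /var/lib/tripwire/report) and lets
# TRIPWIRE/REPORT_DIR be overridden so the logic can be exercised with a stub.
TRIPWIRE=${TRIPWIRE:-/usr/sbin/tripwire}
REPORT_DIR=${REPORT_DIR:-/var/lib/tripwire/report}

# tripwire(8) documents the --check exit status as a bitmask:
#   1 = objects added, 2 = objects removed, 4 = objects changed, 8 = error.
# Turn it into words; 0 means the database still matches the filesystem.
decode_check_status() {
  rc=$1 words=""
  [ $((rc & 1)) -ne 0 ] && words="$words added"
  [ $((rc & 2)) -ne 0 ] && words="$words removed"
  [ $((rc & 4)) -ne 0 ] && words="$words changed"
  [ $((rc & 8)) -ne 0 ] && words="$words error"
  [ -n "$words" ] || words=" clean"
  printf '%s\n' "${words# }"
}

# Run the check with an emailed report (delivery needs MAILMETHOD and GLOBALEMAIL in
# twcfg.txt, or emailto= on the policy rules) and pass tripwire's own status through.
run_check() {
  if "$TRIPWIRE" --check --email-report; then rc=0; else rc=$?; fi
  echo "tripwire --check: $(decode_check_status "$rc") (exit $rc)" >&2
  return "$rc"
}

# Newest saved report; the default REPORTFILE is $(TWREPORT)/$(HOSTNAME)-$(DATE).twr.
latest_report() {
  ls -t "$REPORT_DIR"/*.twr 2>/dev/null | head -n 1
}

# After a human has read a report and the changes are legitimate (a package
# upgrade, an intended config edit), accept them into the database.  tripwire opens
# the report in EDITOR with an [x] beside each change; clear the box on anything you
# do not accept, then it asks for the local passphrase.
accept_report() {
  rep=${1:-$(latest_report)}
  [ -n "$rep" ] || { echo "no report found in $REPORT_DIR" >&2; return 1; }
  "$TRIPWIRE" --update --twrfile "$rep"
}

# After editing twpol.txt, re-sign the policy and re-baseline without a full --init.
# Asks for both passphrases.  In the default high secure mode it refuses if the
# filesystem has changed since the last database update; run a check and accept
# those changes first (or pass --secure-mode low to proceed anyway).
apply_policy() {
  "$TRIPWIRE" --update-policy "${1:-/etc/tripwire/twpol.txt}"
}

case "${1:-}" in
  check)  run_check ;;
  accept) accept_report "${2:-}" ;;
  policy) apply_policy "${2:-}" ;;
esac
```

`sh tw-ops.sh check` is what a cron job would run; its non-zero exit is the signal to go and read the report. `accept` and `policy` are interactive because they need passphrases, which is the point: nothing can silently re-baseline the database, so an attacker who changed a monitored file cannot make the change disappear from the next report without the local passphrase.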

That's all for tripwire.