How to Install TripWire Enterprise on RHEL 7

FIM (File Integrity Monitoring) is a security safeguard/tool that validates and monitors the integrity of operating system files and application files. It compares the current file state against a known baseline and reports the differences. FIM is required by PCI DSS, but most other security compliance frameworks, like HIPAA security rules, ISO 27001 or SOX, do not ask for such a thing. Based on my experience, you cannot easily find FIM implementations in enterprise systems unless the organization is dealing with credit card information.
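
The baseline-and-compare cycle described above, as a small added example (an illustration written for this page, not Tripwire code). It assumes GNU coreutils and file paths without tabs or newlines; the function names are hypothetical.

```shell
#!/bin/sh
# Added illustration of FIM's baseline/compare cycle; not Tripwire code.
# Assumes GNU coreutils (stat -c, sha256sum) and paths without tabs/newlines.

# fim_snapshot DIR: one record per file, "path<TAB>mode uid:gid<TAB>sha256".
fim_snapshot() {
    ( cd "$1" || exit 1
      find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s\t%s\t%s\n' "$f" "$(stat -c '%a %u:%g' "$f")" \
              "$(sha256sum < "$f" | cut -d' ' -f1)"
      done )
}

# fim_compare BASELINE DIR: print ADDED/REMOVED/CONTENT/PERMS lines, or nothing.
fim_compare() {
    cur=$(mktemp) || return 2
    fim_snapshot "$2" > "$cur"
    awk -F'\t' '
        pass == 1 { meta[$1] = $2; hash[$1] = $3; next }   # load the baseline
        {
            seen[$1] = 1
            if (!($1 in hash))        print "ADDED\t" $1
            else if (hash[$1] != $3)  print "CONTENT\t" $1
            else if (meta[$1] != $2)  print "PERMS\t" $1   # same bytes, new mode/owner
        }
        END { for (p in hash) if (!(p in seen)) print "REMOVED\t" p }
    ' pass=1 "$1" pass=2 "$cur" | LC_ALL=C sort
    rm -f "$cur"
}

# Usage: fim.sh snapshot DIR > baseline.tsv   |   fim.sh compare baseline.tsv DIR
case "${1:-}" in
    snapshot) fim_snapshot "$2" ;;
    compare)  fim_compare "$2" "$3" ;;
esac
```

Store the baseline file outside the monitored tree and on media the monitored host cannot rewrite, otherwise a change to the files can be hidden by regenerating the baseline.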

TripWire Enterprise is the leader in the FIM market and is proprietary software. TripWire installation on a Linux box might be a little bit tricky. I recently installed it on a system and documented everything, so you can easily follow the steps below to do the same.

Installation

I assume that you have a RHEL/CentOS 7.x box.

Install mariadb:

# yum install mariadb mariadb-server

Start and enable mariadb service:

# systemctl start mariadb && systemctl enable mariadb

Execute the basic setup:

# mysql_secure_installation

Add the following lines to the [mysqld] section of /etc/my.cnf:

lower_case_table_names=1
max_allowed_packet=1G

Restart the MariaDB service:

# systemctl restart mariadb

Open mysql prompt:

# mysql -u root -p

Create the TE database:

> CREATE DATABASE tripwiredb CHARACTER SET utf8 COLLATE utf8_bin;

Create a DB user account for TE Console, grant it access to the TE database, and quit:

> CREATE USER 'tripwireuser'@'localhost' IDENTIFIED BY '<password>';
> GRANT ALL PRIVILEGES ON tripwiredb.* TO 'tripwireuser'@'localhost';
> quit

Download the JRE 8 rpm from http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html and install the package:

# rpm -Uvh jre-8uversion-linux-x64.rpm

Delete the rpm package installer to save storage.

Download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for JDK/JRE 8 from http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html then uncompress and extract the JCE file you downloaded. Copy the extracted local_policy.jar and US_export_policy.jar files to /usr/java/jre1.8.0_144/lib/security, overwriting the existing files with the same names.

Create a user group and user account for the TE:

# groupadd tripwire
# useradd -M -g tripwire tripwire

Download TE from the TripWire website and install it: (You need to have an account on the TripWire support website and it is not free!)

# chmod +x install-server-linux-amd64.bin
# ./install-server-linux-amd64.bin

Select Oracle/Sun 1.8.0 64-bit /usr/java/jre1.8.0_144/bin/java during installation. TE will be installed in /usr/local/tripwire/te and for successful installations, the installation log file is written to:

/usr/local/tripwire/te/server/data/log/install-8.6.0.log

Remove installer .bin file to save disk space.

Go to the https://xxx.xxx.xxx.xxx web GUI and continue the configuration via the web interface.

The server is ready, but you need a certificate to access the console via HTTPS. Otherwise your connection to the web console is not secure.

Creating CSR and Installing the CA-Signed Cert

# cd $TW_JAVA_HOME/bin/
# keytool -genkeypair -alias tomcat -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -keypass <services passphrase> -keystore newtomcat.ks -storepass <services passphrase>

When asked, "What is your first and last name?" enter the TE Console server’s FQDN hostname and use.

Create CSR:

# keytool -certreq -alias tomcat -keystore newtomcat.ks -file certrequest.csr

Send the certrequest.csr file to the Certificate Authority (CA).

When you get the CA-signed certificate, open the certmgr.msc program on your Windows machine. Import the certificate into the Personal store and view the certification path.

Note: To import the higher-level certificates in that path into Tripwire, you need them as files. To obtain each certificate file, click the View Certificate button on your Windows machine, click the Details tab when the Certificate window opens, then click the Copy to File button to create a separate certificate file for each.

# keytool -importcert -alias firstcert -file <firstcert_cert_filename> -keystore newtomcat.ks
# keytool -importcert -alias secondcert -file <secondcert_cert_filename> -keystore newtomcat.ks
# keytool -importcert -alias tomcat -file <your_cert> -keystore newtomcat.ks

Then run the command below, which takes the newly created Java keystore and creates a Bouncy Castle format keystore:

# keytool -v -importkeystore -srckeystore newtomcat.ks -destkeystore newtomcat.bcfks -srcstoretype jks -deststoretype BCFKS -srcstorepass <services passphrase> -deststorepass <services passphrase> -destprovidername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /usr/local/tripwire/te/server/lib/ext/bc-fips*.jar

Now install the Java Keystore:

  1. Stop the TE Console by using this command: /usr/local/tripwire/te/server/bin/twserver stop
  2. Back up the tomcat.ks located in /usr/local/tripwire/te/server/data/security/
  3. Copy the newtomcat.bcfks you created above to /usr/local/tripwire/te/server/data/security/ and rename it to tomcat.ks
  4. Start the TE Console.
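
Steps 1 to 4 above, scripted as an added example (not a Tripwire-supplied script) so that the old keystore is backed up first and the live file is replaced in one rename. It assumes GNU coreutils, root privileges, and that `twserver start` is the counterpart of the `twserver stop` command shown in step 1; the function name and the TWSERVER/SECDIR overrides are hypothetical.

```shell
#!/bin/sh
# Added example: steps 1-4 as one function that backs up first and leaves the
# live keystore untouched on failure. Not a Tripwire-supplied script.
# Assumptions: run as root; "twserver start" as the counterpart of the page's
# "twserver stop"; TWSERVER/SECDIR may be overridden to rehearse elsewhere.
TWSERVER=${TWSERVER:-/usr/local/tripwire/te/server/bin/twserver}
SECDIR=${SECDIR:-/usr/local/tripwire/te/server/data/security}

install_keystore() {    # install_keystore /path/to/newtomcat.bcfks
    new=$1
    live="$SECDIR/tomcat.ks"
    backup="$live.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$live.new.$$"
    [ -s "$new" ]  || { echo "missing or empty keystore: $new" >&2; return 1; }
    [ -f "$live" ] || { echo "no existing keystore: $live" >&2; return 1; }

    "$TWSERVER" stop >&2 || return 1                                  # step 1
    # Step 2: cp -p keeps the owner, mode and mtime of the old keystore.
    cp -p "$live" "$backup" || { "$TWSERVER" start >&2; return 1; }

    # Step 3: stage the copy next to the target with a tight umask (the file
    # holds the private key), give it the old file's owner and mode, verify
    # the bytes, then rename so tomcat.ks is never half-written.
    if ( umask 077 && cp "$new" "$tmp" ) &&
       chown --reference="$live" "$tmp" &&
       chmod --reference="$live" "$tmp" &&
       cmp -s "$new" "$tmp" &&
       mv -f "$tmp" "$live"
    then
        "$TWSERVER" start >&2 || return 1                             # step 4
        echo "$backup"                          # where the old keystore went
    else
        rm -f "$tmp"
        echo "install failed; $live unchanged, backup at $backup" >&2
        "$TWSERVER" start >&2
        return 1
    fi
}

if [ "$#" -eq 1 ]; then install_keystore "$1"; fi
```

The working copies left in $TW_JAVA_HOME/bin (newtomcat.ks and newtomcat.bcfks) also contain the private key, so restrict or remove them once the console is confirmed working.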