Module 9.2 Lab ‐ Tripwire - benjigifford/SEC-440 GitHub Wiki
- Install Tripwire
- Configure Tripwire policy for Ubuntu system
- Verify Tripwire configuration
- Add new ruleset to Tripwire policy
- Set up Tripwire notification and cron
- Ubuntu 22.04 Server (use ha1, ha2, u1, u2, u3 – you decide!)
- Root privileges
- The first step is to install Tripwire on the system. The tool is available in the official Ubuntu repository, so just update your package lists and install Tripwire using the following commands.
sudo apt update
sudo apt install -y tripwire
During the installation, you will be asked about Postfix SMTP configuration. Choose 'Internet Site' and click 'OK' to continue with the installation.
For the mail system name, leave default (as shown below), and choose 'OK' to continue.
Next, you will be asked about the Tripwire configuration. Create a new 'site-key' for Tripwire: choose 'Yes' and press Enter to continue.
Now for the 'local-key', choose 'Yes' and press Enter again.
For the Rebuild Tripwire Configuration option, choose 'Yes'.
Same for Rebuild Tripwire Policy option - choose 'Yes'.
Now you will be prompted for the 'site-key' passphrase. Type a password and choose 'OK'. REMEMBER this password: you will need it to make global policy changes. Repeat the 'site-key' passphrase when prompted.
Then, for the 'local-key' passphrase, type a password and choose 'OK'. REMEMBER this password too: you will need it for local Tripwire changes. It can be the same as the site-key passphrase.
Repeat the 'local-key' passphrase.
Tripwire installation on Ubuntu is now complete.
- In this step, we will configure Tripwire for our Ubuntu system. All Tripwire-related configuration is located in the '/etc/tripwire' directory.
- After Tripwire installation, we need to initialize the database system. Run the following command for it.
sudo tripwire --init
- You will be asked about your local-key passphrase - type your local-key passphrase and press Enter.
- And you will likely get the error 'No such directory', as shown below.
To solve this error, we need to edit the Tripwire policy file and regenerate the policy. Basically, we want to make sure that Tripwire is not tracking directories that don't exist or are not accessible, because they generate lots of warnings in the reports.
Before editing the Tripwire configuration, we need to check which directories don't exist, something that you can do using the following command.
sudo sh -c "tripwire --check | grep Filename > no-directory.txt"
Now you can see all directories and files that do not exist in the following way.
cat no-directory.txt
Next, go to the Tripwire configuration directory and edit the configuration file twpol.txt.
cd /etc/tripwire/
vim twpol.txt
Within the config file, you will comment out (use #) any paths that don’t exist so that Tripwire won’t check them.
The following will likely match your “no directory” findings: Within the 'Boot Scripts' rule, comment the line as below.
(
rulename = "Boot Scripts",
severity = $(SIG_HI)
)
{
/etc/init.d -> $(SEC_BIN) ;
#/etc/rc.boot -> $(SEC_BIN) ;
/etc/rcS.d -> $(SEC_BIN) ;
On the 'System Boot Changes' rule, comment as below.
(
rulename = "System boot changes",
severity = $(SIG_HI)
)
{
#/var/lock -> $(SEC_CONFIG) ;
#/var/run -> $(SEC_CONFIG) ; # daemon PIDs
/var/log -> $(SEC_CONFIG) ;
On the 'Root config files' rule, make the following change.
(
rulename = "Root config files",
severity = 100
)
{
/root -> $(SEC_CRIT) ; # Catch all additions to /root
#/root/mail -> $(SEC_CONFIG) ;
#/root/Mail -> $(SEC_CONFIG) ;
#/root/.xsession-errors -> $(SEC_CONFIG) ;
#/root/.xauth -> $(SEC_CONFIG) ;
#/root/.tcshrc -> $(SEC_CONFIG) ;
#/root/.sawfish -> $(SEC_CONFIG) ;
#/root/.pinerc -> $(SEC_CONFIG) ;
#/root/.mc -> $(SEC_CONFIG) ;
#/root/.gnome_private -> $(SEC_CONFIG) ;
#/root/.gnome-desktop -> $(SEC_CONFIG) ;
#/root/.gnome -> $(SEC_CONFIG) ;
#/root/.esd_auth -> $(SEC_CONFIG) ;
#/root/.elm -> $(SEC_CONFIG) ;
#/root/.cshrc -> $(SEC_CONFIG) ;
/root/.bashrc -> $(SEC_CONFIG) ;
#/root/.bash_profile -> $(SEC_CONFIG) ;
#/root/.bash_logout -> $(SEC_CONFIG) ;
/root/.bash_history -> $(SEC_CONFIG) ;
#/root/.amandahosts -> $(SEC_CONFIG) ;
#/root/.addressbook.lu -> $(SEC_CONFIG) ;
#/root/.addressbook -> $(SEC_CONFIG) ;
#/root/.Xresources -> $(SEC_CONFIG) ;
#/root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login
#/root/.ICEauthority -> $(SEC_CONFIG) ;
On the 'Device and Kernel information' rule, change the line as below.
(
rulename = "Devices & Kernel information",
severity = $(SIG_HI),
)
{
/dev -> $(Device) ;
/dev/pts -> $(Device);
/dev/shm -> $(Device);
/dev/hugepages -> $(Device);
/dev/mqueue -> $(Device);
#/proc -> $(Device) ;
/proc/devices -> $(Device) ;
/proc/net -> $(Device) ;
/proc/tty -> $(Device) ;
/proc/cpuinfo -> $(Device) ;
/proc/modules -> $(Device) ;
/proc/mounts -> $(Device) ;
/proc/dma -> $(Device) ;
/proc/filesystems -> $(Device) ;
/proc/interrupts -> $(Device) ;
/proc/ioports -> $(Device) ;
/proc/scsi -> $(Device) ;
/proc/kcore -> $(Device) ;
/proc/self -> $(Device) ;
/proc/kmsg -> $(Device) ;
/proc/stat -> $(Device) ;
/proc/loadavg -> $(Device) ;
/proc/uptime -> $(Device) ;
/proc/locks -> $(Device) ;
/proc/meminfo -> $(Device) ;
/proc/misc -> $(Device) ;
}
- Save the changes and exit the editor.
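The hand edits above can also be applied mechanically. The following POSIX shell script is an added example (not part of the lab page or of Tripwire itself): it reads a twpol.txt-style policy, prefixes every '/path -> property' entry whose path is missing on this host with '#', and writes the result to stdout so you can diff it against the original before regenerating the policy. Rule headers, comments and '!' stop points are passed through untouched.

```shell
#!/bin/sh
# Added example: comment out policy entries whose path does not exist here.
# Usage: comment_missing_paths /etc/tripwire/twpol.txt > /tmp/twpol.fixed.txt
#        diff /etc/tripwire/twpol.txt /tmp/twpol.fixed.txt

# Print the leading path of an uncommented "/path -> ..." policy line,
# or nothing if the line is anything else (rule header, '#' comment,
# '!/path' stop point, brace, blank line).
policy_path() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\(\/[^[:space:]]*\)[[:space:]]*->.*/\1/p'
}

# Copy the policy file given as $1 to stdout, disabling entries for
# paths that are absent on this host in the same way the lab does by hand.
comment_missing_paths() {
    while IFS= read -r line || [ -n "$line" ]; do
        path=$(policy_path "$line")
        if [ -n "$path" ] && [ ! -e "$path" ]; then
            printf '#%s\n' "$line"   # path missing: disable the entry
        else
            printf '%s\n' "$line"    # keep everything else verbatim
        fi
    done < "$1"
}
```

Review the diff, copy the fixed file over twpol.txt if it looks right, then continue with the twadmin step below.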
- After editing the config file, you must implement the changes by recreating the encrypted policy file using the twadmin command as shown below.
sudo twadmin -m P /etc/tripwire/twpol.txt
Type the 'site-key' passphrase and press Enter. With this, the new Tripwire policy will be created. Now, reinitialize the Tripwire database.
sudo tripwire --init
Type your local-key passphrase and make sure you get no error this time.
The Tripwire policy has now been configured for the Ubuntu system.
- Tripwire has been installed, and the tripwire policy has been updated and reinitialized. In this step, we will be manually checking the system using Tripwire.
- Verify all system files using the following command.
sudo tripwire --check
You should get 'No Violations' and 'No Errors' in the output. If you are still getting "No such file or directory" errors for some filename, you may need to further tweak the twpol.txt file. Remember, if you make changes to the policy, repeat the twadmin and tripwire --init commands above.
Next, add a new file in the root directory and then check the system using Tripwire again.
cd ~/
touch YourName_SEC-440.txt
sudo tripwire --check
In the output, the addition of the file and the modification of the directory containing it should show up as violations. See the result below (in this case, two files were added: test2.txt and sec-440.txt).

If Apache is not installed on the server, run "sudo apt install -y apache2".
In this step, we want to add a new Tripwire rule to the policy. To update the Tripwire policy, we need to define the rule name, severity, and the property mask for the files. We will add a new rule named 'Website Data' with severity 'High/SIG_HI', treating all files under /var/www as critical (SEC_CRIT) files that must not change. Go to the Tripwire configuration directory and edit the policy file 'twpol.txt'.
cd /etc/tripwire/
vim twpol.txt
Go to the end of the file and append the sample Tripwire rule below.
# Ruleset for Website Data
(
rulename = "Website Data Ruleset",
severity = $(SIG_HI)
)
{
/var/www -> $(SEC_CRIT);
}
Save and exit. Now regenerate the tripwire config file.
sudo twadmin -m P /etc/tripwire/twpol.txt
Type your site-key passphrase, then reinitialize the Tripwire database.
sudo tripwire --init
Type your local-key passphrase.
Once the configuration is in place, test it by creating a new file and modifying a file under the '/var/www/' directory. Go to '/var/www/', create a new file, then overwrite the index file. Both need root, so run them through sudo (a plain '>' redirection would run as your own user, hence tee).
cd /var/www/
sudo touch SEC-440lab.txt
echo "<h1> SEC-440 Tripwire Test</h1>" | sudo tee html/index.html
Check the system using the tripwire command below.
sudo tripwire --check
You will get a report of system violations with severity level 100, as below.

NOTE: In our labs, e-mail might not work, but you can still follow the steps to set it up. In this step, we will configure notifications for a specific Tripwire policy rule, and configure a cron job for automatic system checking.
For email notifications, Tripwire provides an 'emailto' rule attribute in the policy. Tripwire uses Postfix to send email, which was installed automatically along with the tool.
Before configuring email notifications, test Tripwire notification using the command below.
tripwire --test --email [email protected]
And make sure you have an email from your server, as shown below.
Now go to the '/etc/tripwire' directory and edit the 'twpol.txt' configuration.
cd /etc/tripwire/
vim twpol.txt
Add the 'emailto' attribute inside the attribute block of the 'Website Data' rule you created earlier, as shown below (keep the rule body with the /var/www entry unchanged).
# Ruleset for Website Data
(
rulename = "Website Data Ruleset",
severity = $(SIG_HI),
emailto = [email protected]
)
That's it. Save and exit.
Next, regenerate the configuration and reinitialize the Tripwire database.
sudo twadmin -m P /etc/tripwire/twpol.txt
sudo tripwire --init
Type the site-key passphrase to regenerate the policy, and the local-key passphrase to reinitialize the database. Now, create a new file again in the '/var/www/' directory, then check the system manually with Tripwire and have the report sent by email.
sudo tripwire --check --email-report
You should get an email report in your inbox. (NOTE: this might not work without additional Postfix configuration; do not worry if it fails, the point is to show the concept of sending Tripwire alert emails.)
Cron for Scheduled checks
- Moving on, for the cron configuration, we just need to define the time at which the tripwire command will run. We will configure Tripwire system checking on a daily basis at midnight (0h 0min).
- Create new cron using crontab command below.
sudo crontab -e -u root
Paste the cron entry below. The full path to the binary is used because cron's default PATH does not include /usr/sbin, where tripwire lives.
0 0 * * * /usr/sbin/tripwire --check --email-report
Save and exit, then restart the cron service.
sudo systemctl restart cron
Now the system will perform checking every day and send a notification for a 'Website Data' rule violation to your email.
Tripwire Report
- When tripwire --check is run, it writes a report file to /var/lib/tripwire/report/<hostname>-<date>-<time>.twr. The .twr file is an encrypted binary format, so use the twprint command to print it in human-readable form.
Output the binary report to a text file with something like the following (substitute the name of your own report file):
sudo twprint --print-report --twrfile /var/lib/tripwire/report/ha1-argus-20231114-174603.twr > report.txt
View the report file (for example with cat) and you should see the same information the check normally prints to stdout.
