20100723 tripwire configuration and operation - plembo/onemoretech GitHub Wiki

title: tripwire configuration and operation link: https://onemoretech.wordpress.com/2010/07/23/tripwire-configuration-and-operation/ author: lembobro description: post_id: 138 created: 2010/07/23 17:13:11 created_gmt: 2010/07/23 17:13:11 comment_status: open post_name: tripwire-configuration-and-operation status: publish post_type: post

tripwire configuration and operation

Think of this as a quick setup guide to tripwire on CentOS (or RHEL). My platform, as usual, is CentOS 5.5. The version of tripwire installed is open source 2.4.1.1-1.el5 available from EPEL.

My main sources of information were the tripwire man pages and a blog post entitled Install Tripwire on Fedora 11 (the EPEL package is a port of the Fedora package for RHEL). The especially useful twpol.txt filtering script came from the blog post.

All commands are located in /usr/sbin and must be entered as root.

Here are the steps in abbreviated form (respond to prompts as necessary):

1. Create the key files. This generates /etc/tripwire/site.key and /etc/tripwire/local.key, prompting for a passphrase for each (the site passphrase protects the configuration and policy, the local passphrase protects the database and reports), and writes signed copies of the stock twcfg.txt and twpol.txt.

tripwire-setup-keyfiles

2. Sign (encrypt) the policy file, producing /etc/tripwire/tw.pol. You will be asked for the site passphrase.

twadmin -m P /etc/tripwire/twpol.txt

3. Create (initialize) the database, /var/lib/tripwire/[hostname].twd, signed with the local key; you will be asked for the local passphrase. With the stock policy expect a long run of "### Warning: File system error" messages for paths the policy lists but this host does not have. That is what the next two steps clean up.

tripwire -m i

4. Capture those exceptions to the policy (stock policy entries for files that do not exist on your system). Every one is reported as a "### Filename: /path" line, so collect them (note that >> appends; delete the file first if you repeat this step):

tripwire -m c | grep Filename >> ~/twpol_except.txt

5. Either edit twpol.txt by hand, commenting out the line for each path in ~/twpol_except.txt, or use the following routine:

a. Escape the slashes so each path can be dropped into a sed address:

perl -pi -e 's/\//\\\//g' ~/twpol_except.txt

b. Copy the example /etc/tripwire/twpol.txt to your working directory (the script below expects it as ~/twpol.txt).

c. Run the following shell script.

#!/bin/sh
# Comment out every policy line that starts with a path listed in
# ~/twpol_except.txt. After the perl step each input line looks like
# "### Filename: \/usr\/sbin\/fixrmtab", so the path is the third field.
# read -r keeps the backslashes; a bare read would strip them and the
# sed address would then contain unescaped slashes.
while read -r line
do
    FILE=$(printf '%s\n' "$line" | awk '{ print $3 }')
    sed -i "/^[ \t]*${FILE}/ s/^/#/" ~/twpol.txt
done < ~/twpol_except.txt

Note that the sed address is a prefix match: a missing /usr/sbin/fix would also comment out the line for /usr/sbin/fixrmtab. Skim the result for lines that should not have been touched before copying it back.

d. Copy the resulting twpol.txt back over into /etc/tripwire.

6. Re-sign the edited policy, rebuild the database against it, and confirm that the check no longer reports file system errors (~/twtest.txt should come out empty). Run the commands in the order given:

/usr/sbin/twadmin -m P /etc/tripwire/twpol.txt
/usr/sbin/tripwire -m i
/usr/sbin/tripwire -m c | grep Filename >> ~/twtest.txt

7. Set up a cron job to run the check nightly and mail the output. Check /etc/cron.daily first: the Red Hat/Fedora packaging has shipped its own tripwire-check job there, and you do not want two reports a night. The check needs no passphrase, so it runs unattended; only updates and policy changes prompt. Keep in mind that the report is produced by the host it describes, so an attacker with root can edit the policy, the database and this cron entry alike; a copy of the keys and database kept off the host (or on read-only media) is what lets you tell a tampered baseline from a clean one.

0 1 * * * /usr/sbin/tripwire -m c | mail -s "Tripwire Report for [hostname]" [email protected] > /dev/null
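The filter in steps 4 to 6 matches each missing path as a prefix, so a missing /usr/sbin/fix would also comment out /usr/sbin/fixrmtab. The script below is an added example, not from the original post or the tripwire project, that does the same job by comparing the whole first token of every policy line against the list of missing paths, so it needs no slash escaping. The "### Filename:" line format is tripwire's; the check-output excerpt and policy fragment it works on are constructed here for illustration, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post or the tripwire project:
# comment out policy entries for paths the check reported as missing,
# matching the whole path instead of a prefix and without escaping slashes.

# Print the path from every "### Filename: /path" line of check output
# (paths containing spaces are not handled; the stock policy has none).
missing_paths() {
    awk '$1 == "###" && $2 == "Filename:" { print $3 }' "$1"
}

# Comment out each line of policy file $1 whose first token is exactly one
# of the paths listed (one per line) in $2. Lines that are already comments,
# rule attributes, or stop points (!/path) are left alone.
comment_missing() {
    awk -v listfile="$2" '
        BEGIN { while ((getline p < listfile) > 0) missing[p] = 1 }
        /^[ \t]*\// && ($1 in missing) { print "#" $0; next }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Succeed if the policy line for path $2 in file $1 has been commented out.
is_commented() {
    awk -v p="$2" 'sub(/^#/, "") && $1 == p { found = 1 } END { exit !found }' "$1"
}

# Constructed sample input (written into directory $1): a check-output
# excerpt in tripwire's "### Filename:" format and a policy fragment.
make_sample() {
    cat > "$1/check.txt" <<'EOF'
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /etc/rc.d/init.d/nfslock
### No such file or directory
### Continuing...
EOF
    cat > "$1/twpol.txt" <<'EOF'
(
  rulename = "Sample rule",
  severity = $(SIG_HI)
)
{
  /usr/sbin/fix             -> $(SEC_CRIT) ;
  /usr/sbin/fixrmtab        -> $(SEC_CRIT) ;
  /etc/rc.d/init.d/nfs      -> $(SEC_CONFIG) ;
  /etc/rc.d/init.d/nfslock  -> $(SEC_CONFIG) ;
}
EOF
}

# Whole pipeline: collect the missing paths from $1/check.txt and rewrite
# $1/twpol.txt in place.
filter_policy() {
    missing_paths "$1/check.txt" > "$1/missing.txt"
    comment_missing "$1/twpol.txt" "$1/missing.txt"
}

# Stand-alone demo: "sh filter.sh demo" prints the filtered sample policy.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_sample "$d"
    filter_policy "$d"
    cat "$d/twpol.txt"
    rm -rf "$d"
fi
```

On a real host, replace make_sample with the output of `tripwire -m c` and a copy of /etc/tripwire/twpol.txt; in the sample, /usr/sbin/fixrmtab and /etc/rc.d/init.d/nfslock get commented out while the shorter /usr/sbin/fix and /etc/rc.d/init.d/nfs lines, which the prefix match would also have hit, are left active.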

Basic maintenance of any tripwire installation comes down to reviewing the report written every time a check runs.

Reports are written to /var/lib/tripwire/report, one per run, with a .twr extension; they are signed with the local key.

To view a report use the following command (as root):

twprint -m r --twrfile /var/lib/tripwire/report/[reportname].twr

After verifying that every change shown is benign (or fixing the ones that are not), update the database from that report so the accepted changes stop triggering warnings. You will be prompted for the local passphrase, and tripwire opens the report in your editor with each change preceded by [x]; delete the x for any change you do not want written into the database. The short form of the same command is tripwire -m u -r [reportfile].

tripwire --update --twrfile /var/lib/tripwire/report/[reportname].twr
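A wrapper for the cron job in step 7 that mails only when the check found something, as an added example that is not from the original post: it keeps the console output of the check, reads the "Total violations found:" line of the report summary, and treats a missing summary (a check that did not complete) as needing attention too. The binary path, the MAILTO default and the summary-line parsing are assumptions; confirm the line text against a report from your own version before relying on it.

```shell
#!/bin/sh
# Added example, not from the original post: run the nightly check, keep
# the console output, and mail it only when the report summary shows
# violations (or when the summary is missing, which means the check did
# not complete). Paths and defaults below are assumptions.

TRIPWIRE=${TRIPWIRE:-/usr/sbin/tripwire}
MAILTO=${MAILTO:-root}

# Print the number from the "Total violations found:  N" summary line of a
# saved check output, or "unknown" when no such line exists.
violation_count() {
    awk -F: '
        /^Total violations found:/ {
            n = $2; gsub(/[^0-9]/, "", n); print n; found = 1; exit
        }
        END { if (!found) print "unknown" }
    ' "$1"
}

# True when a human should look at the output: any violation, or no summary.
needs_attention() {
    [ "$(violation_count "$1")" != "0" ]
}

# The cron entry becomes: 0 1 * * * /path/to/this-script run
nightly_check() {
    out=$(mktemp) || return 1
    # tripwire also writes the signed .twr report under
    # /var/lib/tripwire/report; that copy is the one to feed to twprint
    # and tripwire --update afterwards.
    "$TRIPWIRE" -m c > "$out" 2>&1
    if needs_attention "$out"; then
        mail -s "Tripwire Report for $(hostname): $(violation_count "$out") violations" \
            "$MAILTO" < "$out"
    fi
    rm -f "$out"
}

# Only run the real check when invoked with "run"; sourcing the file just
# defines the functions.
if [ "${1:-}" = "run" ]; then
    nightly_check
fi
```

Mailing only on violations keeps the inbox quiet, but it also means a silent failure (cron not running, the binary removed) produces no mail either, which is why a missing summary is deliberately treated as a report worth sending rather than as "nothing found".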

Some other useful links I found along the way:

http://www.razorsedge.org/~mike/docs/tripwire.html
http://www.thegeekstuff.com/2008/12/tripwire-tutorial-linux-host-based-intrusion-detection-system/
http://articles.techrepublic.com.com/5100-10878_11-1053490.html
http://www.linux4beginners.info/?q=node/tripwire
http://pocake.ivanovonline.net/2009/04/tripwire-installation-and-configuration.html

Copyright 2004-2019 Phil Lembo