Tripwire is a host-based intrusion detection system (HIDS). It works by collecting details about your computer’s file-system and configuration. This software can keep track of many different file system data points in order to detect changes.
Tripwire compares files and directories against a database of file locations, dates modified, and other data. After creating the baseline database, Tripwire compares the current system to the baseline and mails any modifications, additions, or deletions.
Step 1: Install Remi/EPEL repository
CentOS/RHEL 6, 32 Bit (i686):
# rpm -Uvh http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.i686.rpm
CentOS/RHEL 6, 64 Bit (x86_64):
# rpm -Uvh http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
CentOS/RHEL 5, 32 Bit (i386):
# rpm -Uvh http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.3-1.el5.rf.i386.rpm
CentOS/RHEL 5, 64 Bit (x86_64):
# rpm -Uvh http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.3-1.el5.rf.x86_64.rpm
Step 2: Install Packages using YUM
After installing the EPEL/Remi repository on the server, use the following command to install the package:
# yum install bzip2
Step 3: Download tripwire
First, download the Tripwire source code to the system using the following command:
# wget http://downloads.sourceforge.net/project/tripwire/tripwire-src/tripwire-220.127.116.11/tripwire-18.104.22.168-src.tar.bz2
Step 4: Install Tripwire using below commands:
After downloading the Tripwire source code, use the following commands to unpack and install it:
# bunzip2 tripwire-22.214.171.124-src.tar.bz2
# tar -xf tripwire-22.214.171.124-src.tar
# cd tripwire-126.96.36.199-src
# ./configure --prefix=/path/to/install
# make install
Step 5: Initial Tripwire Configuration:
The site key is used to sign Tripwire’s policy and configuration files while the local key is used for signing the database files.
The installation script creates policy and configuration files stored in
/path/to/install/etc as twpol.txt and twcfg.txt.
The default policy monitors a number of files that are not present on the local system, so it’s important to trim these files out of the policy.
The default policy should be installed using the following command as root:
# /usr/sbin/twadmin -m P /path/to/install/etc/twpol.txt
Next, generate the initial database using the following command as root:
# /usr/sbin/tripwire -m i
Note: the -m switch identifies the mode in which Tripwire is being executed, which is “i” for “initialization” in this case. Later, the “c” mode for “check” will be used.
Step 6: Customizing Tripwire’s Configuration
After the initial database is created, some customization is necessary to prevent a large number of false alarms. These false alarms occur any time there is a difference between the default policy and the local system’s current configuration. To generate a listing of the differences between the local system and the default policy, issue the following command as root:
# /usr/sbin/tripwire -m c | grep Filename > twtest.txt
This command will take several minutes to complete. Once the twtest.txt file has been generated, edit the policy file, /etc/tripwire/twpol.txt, and comment out or delete each of the file names listed in twtest.txt.
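The manual edit described above can be scripted. The following is an added example, not part of the original procedure: it assumes twtest.txt holds lines of the form "### Filename: /path" and that policy rules are written as "/path -> $(SEC_CRIT) ;". The function name trim_policy and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): comment out twpol.txt rules for
# paths that "tripwire -m c" reported as missing.
# Assumes report lines look like "### Filename: /path" and policy rules like
# "/path -> $(SEC_CRIT) ;" (unquoted paths without spaces).

# trim_policy MISSING_LIST POLICY_FILE  -> trimmed policy on stdout
trim_policy() {
    awk -v list="$1" '
        BEGIN {
            # Collect the paths named in the missing-file list.
            while ((getline line < list) > 0)
                if (sub(/^.*Filename:[ \t]*/, "", line)) {
                    sub(/[ \t\r]+$/, "", line)
                    missing[line] = 1
                }
            close(list)
        }
        # Comment out a rule only on an exact path match, so that a missing
        # /sbin/rmt never disables the rule for /sbin/rmmod.
        ($1 in missing) && $2 == "->" { print "#" $0; next }
        # Everything else, including already commented rules, passes through.
        { print }
    ' "$2"
}

# Constructed sample data, for demonstration only.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/twtest.txt" <<'EOF'
### Filename: /sbin/rmt
### Filename: /usr/sbin/fixrmtab
EOF
    cat > "$d/twpol.txt" <<'EOF'
  /sbin/rmt          -> $(SEC_CRIT) ;
  /sbin/rmmod        -> $(SEC_CRIT) ;
  /usr/sbin/fixrmtab -> $(SEC_CRIT) ;
# /sbin/rmt          -> $(SEC_CRIT) ;
EOF
    trim_policy "$d/twtest.txt" "$d/twpol.txt"
    rm -rf "$d"
}
demo
```

Write the output to a new file and review it against the original policy before reinstalling it, since every rule that is commented out is a path Tripwire will no longer watch.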
Step 7: Finalizing the Tripwire Configuration
Once you have commented out the lines listed in twtest.txt, the policy needs to be reinstalled and the database needs to be recreated. As before, these tasks are accomplished by issuing the following commands as root:
# /usr/sbin/twadmin -m P /etc/tripwire/twpol.txt
# /usr/sbin/tripwire -m i
Step 8: Scheduling a Nightly Tripwire Analysis
Wrap the check in a shell script and call that script from the crontab; the script also lets the administrator run a filesystem check without needing to remember the exact syntax.
Create the file “runtw.sh” that has the following contents:
#!/bin/sh
/usr/sbin/tripwire -m c | mail -s "Tripwire Report from HOST" "Email ID"
Then, schedule the script to run at 1:01 am by adding the following line to the crontab:
1 1 * * * /usr/local/bin/runtw.sh
Tripwire will now submit nightly reports to the system administrator on the status of the file system’s integrity.
The database must be updated regularly in order to keep the reports as accurate as possible. This is easily accomplished with the following command:
# tripwire -m u
If you want to see the database in its current form, twprint comes to the rescue:
# twprint -m d