Hello,
Please use the following installation instruction,
root@server ~]# wget
http://dl.fedoraproject.org/pub/epel...6-8.noarch.rpm
root@server ~]# rpm -ivh epel-release-6-8.noarch.rpm
Now install Tripwire.
root@server ~]# yum install tripwire -y
Creating site and local key file pass-phrases
root@server ~]# tripwire-setup-key files
The Tripwire site and local pass phrases are used to sign a variety of
files, such as the configuration, policy, and database files.
Pass phrases should be at least 8 characters in length and contain both
letters and numbers.
See the Tripwire manual for more information.
----------------------------------------------
Creating key files...
(When selecting a pass phrase, keep in mind that good pass phrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site key file pass phrase: ## Enter site pass-phrase ##
Verify the site key file pass phrase: ## Re-enter pass-phrase ##
Generating key (this may take several minutes)...Key generation complete.
(When selecting a pass phrase, keep in mind that good pass phrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local key file pass phrase: ## Enter local pass-phrase ##
Verify the local key file pass phrase: ## Re-enter pass-phrase ##
Generating key (this may take several minutes)...Key generation complete.
----------------------------------------------
Signing configuration file...
Please enter your site pass phrase: ## Enter site pass-phrase ##
Wrote configuration file: /etc/tripwire/tw.cfg
A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended that you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.
----------------------------------------------
Signing policy file...
Please enter your site pass phrase: ## Enter site pass-phrase ##
Wrote policy file: /etc/tripwire/tw.pol
A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
has been preserved for your inspection. This implements a minimal
policy, intended only to test essential Tripwire functionality. You
should edit the policy file to describe your system, and then use
twadmin to generate a new signed copy of the Tripwire policy.
Once you have a satisfactory Tripwire policy file, you should move the
clear-text version to a secure location and/or encrypt it in place
(using a tool such as GPG, for example).
Now run "tripwire --init" to enter Database Initialization Mode. This
reads the policy file, generates a database based on its contents, and
then cryptographically signs the resulting database. Options can be
entered on the command line to specify which policy, configuration, and
key files are used to create the database. The file name for the
database can be specified as well. If no options are specified, the
default values from the current configuration file are used.
Initializing Tripwire Database
root@server ~]# tripwire --init
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /dev/kmem
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /proc/ksyms
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /proc/pci
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/bin/vimtutor
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/local/lib64
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/lib64
### No such file or directory
### Warning: File system error.
### Filename: /sbin/fsck.reiserfs
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /bin/tcsh
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /root/.Xresources
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /root/.esd_auth
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /root/.gnome
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /root/.ICEauthority
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /root/.Xauthority
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /dev/cua0
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /dev/initctl
### No such file or directory
### Continuing...
Wrote database file: /var/lib/tripwire/server.ostechnix.com.twd
The database was successfully generated.
Modifying Tripwire policy file
As per the above result, you may get an error like No such file or directory or File system error. This means that your tripwire scans every files which are mentioned in the tripwire config file. Comment out the files which are doesn’t exist in your system in the tripwire config file.
[root@server ~]# vi /etc/tripwire/twpol.txt
{
# /dev/kmem -> $(Device) ;
/dev/mem -> $(Device) ;
/dev/null -> $(Device) ;
/dev/zero -> $(Device) ;
/proc/devices -> $(Device) ;
/proc/net -> $(Device) ;
/proc/sys -> $(Device) ;
/proc/cpuinfo -> $(Device) ;
/proc/modules -> $(Device) ;
/proc/mounts -> $(Device) ;
/proc/dma -> $(Device) ;
/proc/filesystems -> $(Device) ;
# /proc/pci -> $(Device) ;
/proc/interrupts -> $(Device) ;
/proc/driver/rtc -> $(Device) ;
/proc/ioports -> $(Device) ;
/proc/scsi -> $(Device) ;
/proc/kcore -> $(Device) ;
/proc/self -> $(Device) ;
/proc/kmsg -> $(Device) ;
/proc/stat -> $(Device) ;
Once modifying all the files, update the tripwire policy file.
[root@server ~]# tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt
Parsing policy file: /etc/tripwire/twpol.txt
Please enter your local passphrase:
Please enter your site passphrase:
======== Policy Update: Processing section Unix File System.
======== Step 1: Gathering information for the new policy.
### Continuing...
### Warning: Policy Update Added Object.
### An object has been added since the database was last updated.
### Object name: /var/lib/tripwire/server.ostechnix.com.twd
### Continuing...
### Warning: Policy Update Changed Object.
### An object has been changed since the database was last updated.
### Object name: Conflicting properties for object /root
### > Modify Time
### > Change Time
### Continuing...
======== Step 2: Updating the database with new objects.
======== Step 3: Pruning unneeded objects from the database.
Wrote policy file: /etc/tripwire/tw.pol
Wrote database file: /var/lib/tripwire/server.ostechnix.com.twd
Checking for any changes in files/directories
[root@server ~]# tripwire --check --interactive
Once you entered this command tripwire will collect all the details and open the result automatically in your vi editor. The report might be too long. Scroll down to view any changes in files or folders. As per the below result the newly Added and Modified files will have check mark(The Added and Modified sections are highlighted in bold). Finally save and quit the report by typing :wq. The Added and Modified files will be automatically updated to Tripwire policy file.
Open Source Tripwire(R) 2.4.1 Integrity Check Report
Report generated by: root
Report created on: Fri 10 May 2013 12:26:58 PM IST
Database last updated on: Fri 10 May 2013 12:23:43 PM IST
===============================================================================
Report Summary:
===============================================================================
Host name: server.ostechnix.com
Host IP address: Unknown IP
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/server.ostechnix.com.twd
Command line used: tripwire --check --interactive
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
Invariant Directories 66 0 0 0
Temporary directories 33 0 0 0
* Tripwire Data Files 100 1 0 1
Critical devices 100 0 0 0
User binaries 66 0 0 0
Tripwire Binaries 100 0 0 0
Critical configuration files 100 0 0 0
Libraries 66 0 0 0
Operating System Utilities 100 0 0 0
Critical system boot files 100 0 0 0
File System and Disk Administraton Programs
100 0 0 0
Kernel Administration Programs 100 0 0 0
Networking Programs 100 0 0 0
System Administration Programs 100 0 0 0
Hardware and Device Control Programs
100 0 0 0
System Information Programs 100 0 0 0
Application Information Programs
100 0 0 0
Shell Related Programs 100 0 0 0
Critical Utility Sym-Links 100 0 0 0
Shell Binaries 100 0 0 0
System boot changes 100 0 0 0
OS executables and libraries 100 0 0 0
Security Control 100 0 0 0
Login Scripts 100 0 0 0
* Root config files 100 0 0 1
Total objects scanned: 10071
Total violations found: 3
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.
Added:
[x] "/var/lib/tripwire/server.ostechnix.com.twd.bak"
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/etc/tripwire/tw.pol)
Severity Level: 100
-------------------------------------------------------------------------------
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.
Modified:
[x] "/etc/tripwire/tw.pol"
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.
Modified:
[x] "/root"
===============================================================================
.
.
.
.
.
Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
Please enter your local passphrase:
Wrote database file: /var/lib/tripwire/server.ostechnix.com.twd
Now let us add a new file called sk.
[root@server ~]# touch sk
Now check this file with tripwire –check –interactive command. You may find the file sk under the Added section in the result.
[root@server ~]# tripwire --check --interactive
.
.
.
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.
Added:
[x] "/root/sk"
.
.
.
Now the new file sk is updated automatically in the tripwire policy file.
Viewing the tripwire report file
All tripwire report files having extension .twr are stored in /var/lib/tripwire/report/ directory. These are not text files, so you can’t view them using any editor. First convert them using the following command to human readable format.
[root@server ~]# twprint --print-report --twrfile /var/lib/tripwire/report/server.ostechnix.com-20130510-124159.twr > /tmp/twrreport.txt
Now open the file using any editor.
[root@server ~]# vi /tmp/twrreport.txt
Note: Report is not encrypted.
Open Source Tripwire(R) 2.4.1 Integrity Check Report
Report generated by: root
Report created on: Fri 10 May 2013 12:41:59 PM IST
Database last updated on: Fri 10 May 2013 12:37:53 PM IST
===============================================================================
Report Summary:
===============================================================================
Host name: server.ostechnix.com
Host IP address: Unknown IP
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/server.ostechnix.com.twd
Command line used: tripwire --check --interactive
.
.
.
.
Viewing tripwire configuration and policy file locations
To view the policy file locations enter the following command.
[root@server ~]# twadmin --print-polfile
# policy:
# Global Variable Definitions
@@section GLOBAL
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL="/etc/tripwire";
TWDB="/var/lib/tripwire";
TWSKEY="/etc/tripwire";
TWLKEY="/etc/tripwire";
TWREPORT="/var/lib/tripwire/report";
HOSTNAME=server.ostechnix.com;
.
.
.
.
To view the configuration files enter the following command.
[root@server ~]# twadmin --print-cfgfile
ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =3
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -t
Scheduling Tripwire Check
You may find a cron file tripwire-check might be created automatically in the /etc/cron.daily/ directory. If it isn’t created, open your crontab file and add lines as shown below. The following example will execute the tripwire daily at 5 am.
[root@server ~]# vi /etc/crontab
# Tripwire Monitor process
00 5 * * * /usr/sbin/tripwire --check
Thats it.
