Linux Help

Tripwire Setup Guide   
Printable Version

Joey's Tripwire Setup Guide
Created on February 22nd, 2000.
Last updated on September 19th, 2003.

If you're interested in Tripwire then let me be the first to welcome you to the world of paranoid system admins. Tripwire can be a vital tool in detecting a comprimise of your system.

Tripwire generates a database of the most common files and directories on your system. Once it is generated, you can then check the current state of your system against the original database and get a report of all the files that have been modified, deleted or added.

This comes in handy if you allow other people access to your machine and even if you don't, if someone else does get access, you'll know if they tried to modify files such as /bin/login etc.

So lets install Tripwire. First you need to download it from http://sourceforge.net/project/showfiles.php?group_id=3130&release_id=26024. At the time of this update the current version is 2.3.1-2.

Once you've downloaded it move the tarball to /usr/local/src (I like to store all my source code there) and untar it by running the following command:

tar -zxvf tripwire-2.3.1-2.tar.gz

Change into the newly created directory and edit the install.cfg with your favorite text editor (nano, pico, joe vi etc). script. You'll want to edit the following:

# The root of the TSS directory tree.
TWROOT="/usr/TSS"

Change this to TWROOT="/usr/local/src/tripwire-2.3.1-2"

# This sets the default text editor for Tripwire.
TWEDITOR="/bin/vi"

You can change this to whatever editor you prefer.

Once you have those changed, save the file and exit. Then run the ./install.sh script. It will list the OSes that Tripwire supports and will ask you if you want to continue with installation. Next up is the License Agreement. Read it and if you accept, type accept.

It will then list all the settings and ask you if you would like to continue, answer yes. Then it installs the files and prompts you for a passphrase to password protect the database. Choose it wisely. It will now generate your keyfile and then prompt you for a local passphrase and a site passphrase.

Once that is done, tripwire will be installed and you're ready to customize the format of the database and finally create it. To customize the database, you will need to edit the /usr/local/src/tripwire-2.3.1-2/policy/twpol.txt file. Make sure you back it upbefore you start changing things in it.

What I would recommend doing is first generating the database using the default policy file. Once the database is generated, use tripwire to check against it and you will get a report of what is missing on your system, for example it checks for /lib/modules/preferred and if you don't have that file it will let you know in the report. If you don't remove useless items from the policy file, you're report will be long and full of garbage that you don't need to look at everyday and you will probably miss the things you should be looking for.

So to generate the database, run:

/usr/local/src/tripwire-2.3.1-2/bin/tripwire --init

It will ask you for your passphrase and once you enter it, it will start to generate the database. This will vary in time depending on how big your installation is, how fast your CPU is etc. Once the database is generated, you will want to check it to find out what you can remove from the policy file. To check the database and have it output to a file, run:

/usr/local/src/tripwire-2.3.1-2/bin/tripwire --check > /tmp/report.txt

It will then proceed to check your filesystem against the database and will create a file called report.txt in /tmp which will contain information on what Tripwire discovered.

Open up this file and look for anything that it said it couldn't find. Log into another terminal and open up the twpol.txt policy file. Compare the two and remove anything not found one by one. Once you are done editing, you have to recreate the policy file, to do this run:

/usr/local/src/tripwire-2.3.1-2/bin/twadmin --create-polfile ../policy/twpol.txt

It will ask you for your passphrase, once you enter it, tripwire should create a new policy file. You can then go ahead and update and then check your filesystem once more to see if you got everything. If you install alot of things, you will probably want to update the database on a regular basis.

You can also set up a cronjob to check the filesystem every night or whenever you feel like it and it will email you the report. Here is the line in my /etc/crontab file for Tripwire:

03 2 * * * /usr/local/src/tripwire-2.3.1-2/bin/tripwire --check | /usr/bin/mail root -s "Tripwire Check" 2>&1

All in all Tripwire is a handy utility to have and I feel some sort of relief reading the report every morning.


Having trouble? Got questions? Require further assistance? If so please feel free to visit our Help Forums and ask the experts!


Copyright © 1997 - 2014 Private World Domination Inc. All rights reserved.
Linux is a registered trademark of Linus Torvalds. All other trademarks and copyrights are the property of their respective owners.
| Contact Us | Link to Us | RSS Feed | Staff |

DNS Hosting by easyDNS