Install and configure Tripwire IDS on ubuntu 18.04
Tripwire is a free and open source Intrusion Detection System (IDS). It's a security tool for monitoring and alerting file changes on the system.Tripwire compares files and directories against a baseline database of file locations, dates modified, and other data. It generates the baseline by taking a snapshot of specified files and directories in a known secure state. After creating the baseline database, Tripwire compares the current system to the baseline and reports any modifications, additions, or deletions.
In this tutorial, we will explain how to configure Tripwire on ubntu 18.04.
Step 1: Install tripwire
Here first we will install tripwire on system which is available from ubuntu repository. Run following commands to install it.
root@ubuntu18:~# apt update
root@ubuntu18:~# apt install tripwireDuring installation it prompts and configures postfix mail application. choose "internet site". and click ok to continue.
For the mail system name, leave default and click ok to continue
then "Do you wish to create site key passphrase during installatio"n - choose 'Yes' and press Enter to continue.
Now for the local-key also choose 'Yes' and press Enter again.
For both the Rebuild Tripwire Configuration ans Tripwire Plocy options, choose 'Yes'.
Now it promptsfor the site-key passphrase. Type password and choose ok.
and once again enter same password for site-key. Now it prompts for local-key
and repeat the password for local-site key.Finally tripwire installation completed and it appears like below.
Step 2: configure Tripwire policy
we will initialize database with following command.
root@ubuntu18:~# tripwire --initAfter database initialization process, we will see many warning and errors like 'No such file or directory". To solve this error, we need to edit Tripwire configuration file and regenerate it.For this ,we need to first find out what directories are missing.
sample output at the end of the file.
### Warning: File system error.
### Filename: /root/.ICEauthority
### No such file or directory
### Continuing...
The object: "/dev/hugepages" is on a different file system...ignoring.
The object: "/dev/mqueue" is on a different file system...ignoring.
The object: "/dev/pts" is on a different file system...ignoring.
The object: "/dev/shm" is on a different file system...ignoring.
Wrote database file: /var/lib/tripwire/ubuntu18.twd
The database was successfully generated.
Note: if you get any error like Software interrupt forced exit: Segmentation Fault or Segmentation fault (core dumped) then edit "/etc/tripwire/twpol.txt" file and comment /proc and save it and then run "twadmin -m P /etc/tripwire/twpol.txt" command and run again "tripwire --init" command.
Now we will find missing files with below command
sh -c "tripwire --check | grep Filename > missingdirectory.txt"you can check miising files in missingdirectory.txt which are not exists.Next, go to the Tripwire configuration directory and edit the configuration file twpol.txt.
root@ubuntu18:~# vim /etc/tripwire/twpol.txtIn the “Boot Scripts” section, you should comment out the /etc/rc.boot line, since this isn’t present in your system.
(
rulename = "Boot Scripts",
severity = $(SIG_HI)
)
{
/etc/init.d -> $(SEC_BIN) ;
# /etc/rc.boot -> $(SEC_BIN) ;
/etc/rcS.d -> $(SEC_BIN) ;Next go down to rule ''system Boot Changes' and comment out following lines
# /var/lock -> $(SEC_CONFIG) ;
# /var/run -> $(SEC_CONFIG) ; # daemon PIDs
/var/log -> $(SEC_CONFIG) ;
Next go down to rule ''Root config files' and comment out Everything except below lines.
/root -> $(SEC_CRIT) ; # Catch all additions to /root
/root/.bashrc -> $(SEC_CONFIG) ;
/root/.bash_history -> $(SEC_CONFIG) ;Next scroll down to Device and kernel Infomation rule and comment out like below
# /proc -> $(Device) ;save and close the file.
Regenerate the encrypted policy file with the following command
root@ubuntu18:~# twadmin -m P /etc/tripwire/twpol.txt
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
Then reinitialize the Tripwire database again like below
root@ubuntu18:~# tripwire --initsample output
root@ubuntu18:~# tripwire --init
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
The object: "/dev/hugepages" is on a different file system...ignoring.
The object: "/dev/mqueue" is on a different file system...ignoring.
The object: "/dev/pts" is on a different file system...ignoring.
The object: "/dev/shm" is on a different file system...ignoring.
Wrote database file: /var/lib/tripwire/ubuntu18.twd
The database was successfully generated.Step 3: Test integrity of system files
Now we will test with our newly installed Tripwire system and verify all system files using the following command.
root@ubuntu18:~# tripwire --checksample output at the end of the file looks like below
Total objects scanned: 33505
Total violations found: 0
===============================================================================
Object Summary:
===============================================================================-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
No violations.
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***Step 4: Adding New Rule
Lets create a tripwire rule to monitor the /var/www/html directory for any violations.you can change to another directory
root@ubuntu18:~# vim /etc/tripwire/twpol.txtadd below lines at the end of the file.
# Rules for web hosting
(
rulename = "Web Hosting Ruleset",
severity = $(SIG_HI)
)
{
/var/www/html -> $(SEC_CRIT);
}
save the file and exit and regenerate tripwire config file with below command
root@ubuntu18:~# twadmin -m P /etc/tripwire/twpol.txt
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.polReinitialize the Tripwire database with the following command
root@ubuntu18:~# tripwire --initNow you can test new rule by adding one test file in /var/www/html file and run
'tripwire --check' command again
root@ubuntu18:~# cd /var/www/html
root@ubuntu18:/var/www/html# touch test
root@ubuntu18:~# tripwire --check
sample output:
Total objects scanned: 35652
Total violations found: 2
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Rule Name: Web server (/var/www/html)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/var/www/html/test"
Modified:
"/var/www/html"
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Above report is showing us new rule is working fine.
Step 5: Set Email notifications
you can now manually run a Tripwire check and output will send to your email id with below command.
0 0 * * * tripwire --check --email-reportwe will update in crontab for daily run of tripwire and will get report to email.
root@ubuntu18:~# crontab -eyou can add below line and change according to your preferred time
0 0 * * * /usr/sbin/tripwire --check | mail -s "Tripwire report for `uname -n`" mail@domain.comsave and close the file. Now you will get notifications by email on everyday.
That's it. Now you have successfully installed and configured tripwire on your ubuntu 18.04 server.
