Hamsa K
Editor
10 min read | 9 months ago

How to Install and Configure Tripwire on Ubuntu 18.04 LTS

Install and configure Tripwire IDS on ubuntu 18.04

Tripwire is a free and open source Intrusion Detection System (IDS). It's a security tool for monitoring and alerting file changes on the system.Tripwire compares files and directories against a baseline database of file locations, dates modified, and other data. It generates the baseline by taking a snapshot of specified files and directories in a known secure state. After creating the baseline database, Tripwire compares the current system to the baseline and reports any modifications, additions, or deletions.

Step 1: Install tripwire

Here first we will install tripwire on system which is available from ubuntu repository. Run following commands to install it.

root@ubuntu18:~# apt update
root@ubuntu18:~# apt install tripwire

During installation it prompts and configures postfix mail application. choose "internet site". and click ok to continue.

For the mail system name, leave default and click ok to continue

then "Do you wish to create site key passphrase during installatio"n - choose 'Yes' and press Enter to continue.

Now for the local-key also choose 'Yes' and press Enter again.

For both the Rebuild Tripwire Configuration ans Tripwire Plocy options, choose 'Yes'.

Now it promptsfor the site-key passphrase. Type password and choose ok.

and once again enter same password for site-key. Now it prompts for local-key

and repeat the password for local-site key.Finally tripwire installation completed and it appears like below.

Step 2: configure Tripwire policy

we will initialize database with following command.

root@ubuntu18:~# tripwire --init

After database initialization process, we will see many warning and errors like 'No such file or directory". To solve this error, we need to edit Tripwire configuration file and regenerate it.For this ,we need to first find out what directories are missing.

sample output at the end of the file.

### Warning: File system error.
### Filename: /root/.ICEauthority
### No such file or directory
### Continuing...
The object: "/dev/hugepages" is on a different file system...ignoring.
The object: "/dev/mqueue" is on a different file system...ignoring.
The object: "/dev/pts" is on a different file system...ignoring.
The object: "/dev/shm" is on a different file system...ignoring.
Wrote database file: /var/lib/tripwire/ubuntu18.twd
The database was successfully generated.

Note: if you get any error like Software interrupt forced exit: Segmentation Fault or Segmentation fault (core dumped) then edit "/etc/tripwire/twpol.txt" file and comment /proc and save it and then run "twadmin -m P /etc/tripwire/twpol.txt" command and run again "tripwire --init" command.

Now we will find missing files with below command

sh -c "tripwire --check | grep Filename > missingdirectory.txt"

you can check miising files in missingdirectory.txt which are not exists.Next, go to the Tripwire configuration directory and edit the configuration file twpol.txt.

root@ubuntu18:~# vim /etc/tripwire/twpol.txt

In the “Boot Scripts” section, you should comment out the /etc/rc.boot line, since this isn’t present in your system.

(
  rulename = "Boot Scripts",
  severity = $(SIG_HI)
)
{
        /etc/init.d             -> $(SEC_BIN) ;
#       /etc/rc.boot            -> $(SEC_BIN) ;
        /etc/rcS.d              -> $(SEC_BIN) ;

Next go down to rule ''system Boot Changes' and comment out following lines

#       /var/lock               -> $(SEC_CONFIG) ;
#       /var/run                -> $(SEC_CONFIG) ; # daemon PIDs
        /var/log                -> $(SEC_CONFIG) ;

Next go down to rule ''Root config files' and comment out Everything except below lines.

/root                           -> $(SEC_CRIT) ; # Catch all additions to /root
/root/.bashrc                   -> $(SEC_CONFIG) ;
/root/.bash_history             -> $(SEC_CONFIG) ;

Next scroll down to Device and kernel Infomation rule and comment out like below

#       /proc           -> $(Device) ;

save and close the file.

Regenerate the encrypted policy file with the following command

root@ubuntu18:~# twadmin -m P /etc/tripwire/twpol.txt
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol

Then reinitialize the Tripwire database again like below

root@ubuntu18:~# tripwire --init

sample output

root@ubuntu18:~# tripwire --init
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
The object: "/dev/hugepages" is on a different file system...ignoring.
The object: "/dev/mqueue" is on a different file system...ignoring.
The object: "/dev/pts" is on a different file system...ignoring.
The object: "/dev/shm" is on a different file system...ignoring.
Wrote database file: /var/lib/tripwire/ubuntu18.twd
The database was successfully generated.

Step 3: Test integrity of system files

Now we will test with our newly installed Tripwire system and verify all system files using the following command.

root@ubuntu18:~# tripwire --check

sample output at the end of the file looks like below

Total objects scanned:  33505
Total violations found:  0
===============================================================================
Object Summary:
===============================================================================-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
No violations.
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***

Step 4: Adding New Rule

Lets create a tripwire rule to monitor the /var/www/html directory for any violations.you can change to another directory

root@ubuntu18:~# vim /etc/tripwire/twpol.txt

add below lines at the end of the file.

# Rules for web hosting
(
  rulename = "Web Hosting Ruleset",
  severity  = $(SIG_HI)
)
{
      /var/www/html           -> $(SEC_CRIT);
}

save the file and exit and regenerate tripwire config file with below command

root@ubuntu18:~# twadmin -m P /etc/tripwire/twpol.txt
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol

Reinitialize the Tripwire database with the following command

root@ubuntu18:~# tripwire --init

Now you can test new rule by adding one test file in /var/www/html file and run

'tripwire --check' command again

root@ubuntu18:~# cd /var/www/html
root@ubuntu18:/var/www/html# touch test
root@ubuntu18:~# tripwire --check

sample output:

Total objects scanned:  35652
Total violations found:  2
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Rule Name: Web server (/var/www/html)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/var/www/html/test"
Modified:
"/var/www/html"
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***

Above report is showing us new rule is working fine.

Step 5: Set Email notifications

you can now manually run a Tripwire check and output will send to your email id with below command.

0 0 * * * tripwire --check --email-report

we will update in crontab for daily run of tripwire and will get report to email.

root@ubuntu18:~# crontab -e

you can add below line and change according to your preferred time

0 0 * * * /usr/sbin/tripwire --check | mail -s "Tripwire report for `uname -n`" mail@domain.com

save and close the file. Now you will get notifications by email on everyday.

 

 



Warning! This site uses cookies
By continuing to browse the site, you are agreeing to our use of cookies. Read our terms and privacy policy