Intrusion Detection

Updated 2019-06-01

Tripwire has a free Linux version of their software. The Enterprise edition also supports Windows. As always, before installing any new software, make sure that your OS is up to date. See Link.

If you are using apt-get to install tripwire, you will be given the opportunity to set up your key files during the install. If you are using dnf, you must execute the second step below.

which tripwire

If not found:

dnf -y install tripwire

/usr/sbin/tripwire-setup-keyfiles

You will be asked to enter site passwords and key file passwords multiple times. I suggest that you use the same site password for all machines, but make sure that each machine has a unique key (see my notes on passwords). Write them down.

tripwire --init

cp /etc/tripwire/twpol.txt  /etc/tripwire/twpol.txt.BKP

tripwire -m c | grep Filename > /var/tmp/firstrun.txt

cd /etc/tripwire


Copy the file configure_twpol.zip from here to:

/etc/tripwire/configure_twpol.zip

Unzip it and make sure that configure_twpol.pl is executable and owned by root:

chmod 700 /etc/tripwire/configure_twpol.pl

chown root:root /etc/tripwire/configure_twpol.pl

Run it.

/etc/tripwire/configure_twpol.pl

Using your favorite editor, open the file /etc/tripwire/twpol.txt

In the section for critical devices (deals with /proc), find the last entry for "/proc" and add "!/proc ;" after that. Save and exit.

Re-initialize.

twadmin -m P /etc/tripwire/twpol.txt

tripwire -m i

Add to crontab: type crontab -e

i (to enter insert mode)

Now enter the following two lines.

Remember that the crontab format is:

Min  Hr  DoM  Mon  DoW  Cmd

cron treats an unescaped % in the command field as a newline, so each % in the date format is written as \%.

0 2 * * * /usr/sbin/tripwire -m c > /var/tmp/tripwire.$(date +\%Y\%m\%d)

0 3 * * * cat /var/tmp/tripwire.$(date +\%Y\%m\%d) | mailx -s 'Tripwire Report' example@email.com

To exit this mode press Esc, then :wq (return).
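The 03:00 mail job sends whatever is in the report file, including an empty or half-written one, which is easy to mistake for a quiet night. As an added example (not part of the original page), the function below classifies a report before it is mailed; the "Total violations found:" and "End of report" markers are assumed from the Open Source Tripwire text report, and the function names and sample reports are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original page): decide what a Tripwire text
# report says before mailing it. Assumed format: a "Total violations found:"
# line in the rule summary and a closing "*** End of report ***" line.

# Prints MISSING, INCOMPLETE, CLEAN or VIOLATIONS:<n> for the given report file.
report_status() {
    report=$1
    # Absent or zero-length file: the check never ran or wrote nothing.
    [ -s "$report" ] || { echo MISSING; return 0; }
    # No closing marker: the check was still running or was interrupted.
    grep -q 'End of report' "$report" || { echo INCOMPLETE; return 0; }
    count=$(sed -n 's/^[[:space:]]*Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$report" | head -n 1)
    [ -n "$count" ] || { echo INCOMPLETE; return 0; }
    if [ "$count" -eq 0 ]; then echo CLEAN; else echo "VIOLATIONS:$count"; fi
}

# Subject line for mailx -s, so a bad night is visible without opening the mail.
report_subject() {
    echo "Tripwire Report [$(report_status "$1")]"
}

# Constructed sample reports (abbreviated, not real Tripwire output).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/clean.txt" <<'EOF'
Rule Summary:
Total objects scanned:  14862
Total violations found:  0
*** End of report ***
EOF
cat > "$SAMPLES/changed.txt" <<'EOF'
Rule Summary:
Total objects scanned:  14862
Total violations found:  3
Modified: "/etc/passwd"
*** End of report ***
EOF
# Cut off before the end marker, as when the mail job fires mid-check.
printf 'Rule Summary:\nTotal violations found:  1\n' > "$SAMPLES/partial.txt"
: > "$SAMPLES/empty.txt"

for f in clean changed partial empty absent; do
    printf '%-8s %s\n' "$f" "$(report_subject "$SAMPLES/$f.txt")"
done
```

In the mail job, the result of report_subject on the dated report file can be passed to mailx -s in place of the fixed subject.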

Review your tripwire reports every day. After doing the updates from Fedora (or whoever your distributor is) you will note that the tripwire report has flagged a number of changes. These changes will continue to appear on your reports until you reset tripwire. Put the following lines in a file called /root/bin/reset_tripwire.sh

#!/bin/bash

twadmin -m P /etc/tripwire/twpol.txt

tripwire -m i

tripwire -m c

The last line is a test to be sure that you got everything right.

If you want tripwire to email your reports to you, create a shell script to do the system updates, check tripwire and email. mailx is an excellent tool to handle this. Install mailx and use it in the script. Create a file called /root/.mailrc and have it contain:

set smtp=<ip of mail server>

set from='root@this server'
