
By request, and because I haven’t posted on here in a while, here’s a quickie for Tripwire on Ubuntu. This is done using 11.10 but should work on nearly any version of Ubuntu >= 10.04. It’s important to know two things ahead of time with Tripwire. One, it’s extremely high maintenance compared to other host-based intrusion detection systems. Two, it depends on a known-good configuration at install time. So if you feel your system is already compromised, it’s wise to start off with a fresh install prior to doing this.

Step 1 : Install Tripwire

To install Tripwire, simply do the following in a terminal.

sudo apt-get update && sudo apt-get install tripwire

Step 2 : Configure Postfix

After Tripwire is installed, you will be prompted to configure Postfix. Choose the local-only configuration for Postfix unless you are using some external monitoring service like Satellite or Spacewalk. You may accept the rest of the default options presented to you until you reach the “Tripwire Configuration” part displayed below.

Super ominous warning. If you heed it, go to step 3; if you say yes, proceed to step 5.

You will be prompted with a warning that the Debian install process sucks: it leaves your site key and configuration policy publicly exposed for a period of approximately 1.3 seconds. If this is unacceptable to you, follow the alternate instructions in Step 3 below. Otherwise choose yes.

Step 3 : Configuring Site Key and Configuration Policy

First we must create our site key. We may do so by running the following command in a terminal (the key is written to the current directory):

twadmin -m G --site-keyfile site.key

You will be prompted for a passphrase, create a strong one and remember it.

Then we must create a local keyfile, which may be done as follows:

twadmin -m G --local-keyfile local.key

You will again be asked for a passphrase. Create a new one for the local keyfile.

Step 4 : Generate your Configuration Files

Now we need to generate our config files. We will do so as follows (run from the same directory that holds the two keys):

sudo cp *.key /etc/tripwire
# Sign the plain-text config with the site key; this writes /etc/tripwire/tw.cfg
sudo twadmin --create-cfgfile -S site.key /etc/tripwire/twcfg.txt
# The policy is signed with the site key as well (not the local key); this writes /etc/tripwire/tw.pol
sudo twadmin --create-polfile -S site.key /etc/tripwire/twpol.txt
# Only remove the plain-text copies once both commands above have succeeded
sudo rm /etc/tripwire/twpol.txt /etc/tripwire/twcfg.txt

* You will be prompted for the passphrase of the key named on each line; you must provide it correctly to continue. Also, do not perform the last line until you have confirmed that the steps above were successful. If you later need to edit the policy or config, the signed copies can be printed back to plain text with twadmin --print-polfile and twadmin --print-cfgfile.

Step 5 : Creating the Baseline for Tripwire

Now we simply need to run the command below to baseline our system (you will be asked for the local key passphrase):

sudo tripwire --init

Any time you want to compare the current state of the system to the baseline database, run:

sudo tripwire --check
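An added example (not from the original post, and not part of Tripwire itself) showing how to turn the report that sudo tripwire --check prints into something a cron job or log pipeline can act on: it reads the violation count and the Added/Removed/Modified paths out of the report, and treats a report it cannot parse as a failure rather than as a clean run. The layout it keys on (a “Total violations found:” line in the Rule Summary, and one double-quoted path per line under Added:/Removed:/Modified: in the Object Summary) is the Tripwire 2.4 text report format as assumed here; the sample report in the script is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: parse the plain-text report that
# `sudo tripwire --check` prints, so a script can tell a clean run from one
# with violations without a human reading the whole report.
#
# Assumptions (Tripwire 2.4 text report layout): the Rule Summary ends with a
# "Total violations found:  N" line, and the Object Summary lists changed paths
# under "Added:", "Removed:" and "Modified:" headings, one double-quoted path
# per line. The sample report below is constructed for this example.

# Print the violation count stated in the report, or -1 when the line is
# missing (truncated output, or not a Tripwire report at all).
tw_violation_count() {
    awk '/^Total violations found:/ { n = $NF; found = 1 }
         END { print (found ? n : -1) }' "$1"
}

# Print one line per changed object: "<ADDED|REMOVED|MODIFIED> <path>".
tw_changed_objects() {
    awk '/^Added:/     { kind = "ADDED";    next }
         /^Removed:/   { kind = "REMOVED";  next }
         /^Modified:/  { kind = "MODIFIED"; next }
         /^Rule Name:/ { kind = "" }
         kind != "" && /^"/ { gsub(/"/, ""); print kind, $0 }' "$1"
}

# Exit 0 for a clean report, 1 when it lists violations, 2 when the report
# could not be parsed (an unreadable report must never pass as a clean one).
tw_report_is_clean() {
    count=$(tw_violation_count "$1")
    [ "$count" -ge 0 ] || return 2
    [ "$count" -eq 0 ]
}

# Constructed, abridged sample of a report with two violations.
SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
Tripwire(R) 2.4.1 Integrity Check Report

===============================================================================
Rule Summary:
===============================================================================

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* Tripwire Data Files             100               1        0        0
* Critical configuration files    100               0        0        1

Total objects scanned:  2413
Total violations found:  2

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/lib/tripwire/ubuntu.twd"

-------------------------------------------------------------------------------
Rule Name: Critical configuration files (/etc)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/etc/passwd"
EOF

# Usage: pass a saved report, e.g. from `sudo tripwire --check > report.txt`.
if tw_report_is_clean "$SAMPLE_REPORT"; then
    echo "clean"
else
    echo "violations: $(tw_violation_count "$SAMPLE_REPORT")"
    tw_changed_objects "$SAMPLE_REPORT"
fi
```

tripwire --check itself also returns a non-zero exit status when it finds violations, which is enough to raise an alert; parsing the report additionally gives you the list of paths to look at, and the three-way exit status above keeps a truncated or missing report from being mistaken for a clean check.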

Enjoy 😉