Install Tripwire on Ubuntu or Debian

  • Tripwire is an important tool for checking the integrity of files on Linux.
  • It comes in two versions, one open source and one commercial. The open-source version is not included with Red Hat RHEL.
  • The open-source version can be downloaded from www.tripwire.org.
  • The commercial version is provided as the TriSentry suite from www.psionic.com.

In this guide we will show you how to install the open-source version of Tripwire on Ubuntu/Debian. For more about Tripwire and Linux, please have a look at our Linux guide: http://linuxelearning.ithelpblog.com/

Step 1: Install Tripwire and its dependencies with the apt-get command

root@ithelpblog:~# sudo apt-get install tripwire
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following packages were automatically installed and are no longer required:
apache2-mpm-worker apache2-utils apache2.2-common
Use ‘apt-get autoremove’ to remove them.
The following extra packages will be installed:
postfix
Suggested packages:
procmail postfix-mysql postfix-pgsql postfix-ldap postfix-pcre sasl2-bin dovecot-common postfix-cdb postfix-doc
The following NEW packages will be installed:
postfix tripwire
0 upgraded, 2 newly installed, 0 to remove and 290 not upgraded.
Need to get 4,871 kB of archives.
After this operation, 12.4 MB of additional disk space will be used.
Do you want to continue [Y/n]? y
WARNING: The following packages cannot be authenticated!
postfix tripwire
Install these packages without verification [y/N]? y
Get:1 http://us.archive.ubuntu.com/ubuntu/ raring/main postfix i386 2.10.0-3 [1,305 kB]
3% [1 postfix 155 kB/1,305 kB 12%]setting myhostname: ithelpblog
setting alias maps
setting alias database
mailname is not a fully qualified domain name. Not changing /etc/mailname.
setting destinations: localdomain, localhost, localhost.localdomain, localhost
setting relayhost:
setting mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
setting mailbox_size_limit: 0
setting recipient_delimiter: +
setting inet_interfaces: all
/etc/aliases does not exist, creating it.
WARNING: /etc/aliases exists, but does not have a root alias.
Postfix is now set up with a default configuration. If you need to make
changes, edit /etc/postfix/main.cf (and others) as needed. To view Postfix
configuration values, see postconf(1).
After modifying main.cf, be sure to run ‘/etc/init.d/postfix reload’.
Running newaliases
* Stopping Postfix Mail Transport Agent postfix [ OK ]
* Starting Postfix Mail Transport Agent postfix [ OK ]
Processing triggers for ufw …
Processing triggers for ureadahead …
Setting up tripwire (2.4.2.2-2) …
Generating site key (this may take several minutes)…
Generating local key (this may take several minutes)…
Processing triggers for libc-bin …
ldconfig deferred processing now taking place
root@ithelpblog:~#

During the installation, the installer asks whether to set up Postfix and to create the Tripwire keys (the site key and the local key shown above). Answer “Yes” and enter a passphrase for each key.

Step 2: Initialize the Tripwire database

root@ithelpblog:~# sudo tripwire --init
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database…
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /var/lib/tripwire/ithelpblog.twd
### No such file or directory
### Continuing…
### Warning: File system error.
### Filename: /etc/rc.boot
### No such file or directory
### Continuing…
### Filename: /root/.addressbook.lu
### No such file or directory
### Continuing…
### Warning: File system error.
### Filename: /root/.addressbook
### No such file or directory
### Continuing…
### Warning: File system error.
### Filename: /root/.Xresources
### No such file or directory
### Continuing…
The object: “/dev/pts” is on a different file system…ignoring.
### Warning: File system error.
### Filename: /proc/3536/fd/4
### No such file or directory
### Continuing…
### Warning: File system error.
### Filename: /proc/3536/fdinfo/4
### No such file or directory
### Continuing…
### Warning: File system error.
### Filename: /proc/3536/task/3536/fd/4
### No such file or directory
### Continuing…
### Warning: File system error.
### Filename: /proc/3536/task/3536/fdinfo/4
### No such file or directory
### Continuing…
### Warning: File system error.
### Filename: /proc/3541
### No such file or directory
### Continuing…
### Warning: File system error.
### Filename: /proc/3542
### No such file or directory
### Continuing…
### Warning: File system error.
### Filename: /proc/3543
### No such file or directory
### Continuing…
The object: “/proc/sys/fs/binfmt_misc” is on a different file system…ignoring.
Wrote database file: /var/lib/tripwire/ithelpblog.twd
The database was successfully generated.
root@ithelpblog:~#

Step 3: Configure the Tripwire policy

You can disable the checks for the files that were reported as “No such file or directory” during the database initialization in Step 2 by commenting out their lines with “#” in the policy file:

root@ithelpblog:~# sudo vi /etc/tripwire/twpol.txt
...
/root/.tcshrc -> $(SEC_CONFIG) ;
/root/.sawfish -> $(SEC_CONFIG) ;
/root/.pinerc -> $(SEC_CONFIG) ;
/root/.mc -> $(SEC_CONFIG) ;
/root/.gnome_private -> $(SEC_CONFIG) ;
/root/.gnome-desktop -> $(SEC_CONFIG) ;
/root/.gnome -> $(SEC_CONFIG) ;
/root/.esd_auth -> $(SEC_CONFIG) ;
/root/.elm -> $(SEC_CONFIG) ;
/root/.cshrc -> $(SEC_CONFIG) ;
/root/.bashrc -> $(SEC_CONFIG) ;
/root/.bash_profile -> $(SEC_CONFIG) ;
/root/.bash_logout -> $(SEC_CONFIG) ;
/root/.bash_history -> $(SEC_CONFIG) ;
/root/.amandahosts -> $(SEC_CONFIG) ;
/root/.addressbook.lu -> $(SEC_CONFIG) ;
/root/.addressbook -> $(SEC_CONFIG) ;
# /root/.Xresources -> $(SEC_CONFIG) ;
/root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login
/root/.ICEauthority -> $(SEC_CONFIG) ;
}

#
# Critical devices
#
(
rulename = "Devices & Kernel information",
severity = $(SIG_HI),
)
{
/dev -> $(Device) ;
/proc -> $(Device) ;
}

#
# Other configuration files
#
(
rulename = "Other configuration files",
severity = $(SIG_MED)
)
...
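Commenting out the entries by hand is tedious when the init run reports many missing files, so here is a small POSIX shell helper added for this guide (it is not part of the original post or of Tripwire). It reads saved output of tripwire --init, collects every path that was reported as "No such file or directory", and writes a copy of twpol.txt with the matching rule lines commented out. The function names and file names are this example's own, and the sample input is constructed.

```shell
#!/bin/sh
# Added example for this guide (not part of the original post or of Tripwire):
# comment out, in a copy of twpol.txt, every rule whose path was reported as
# "No such file or directory" by `tripwire --init` (the warnings in Step 2).
# Function and file names are this example's own; the sample input is constructed.

# Print the missing paths found in saved `tripwire --init` output: a
# "### Filename: <path>" line followed by "### No such file or directory".
missing_paths() {
    awk '/^### Filename: / { f = $3 }
         /^### No such file or directory/ && f != "" { print f; f = "" }' "$1"
}

# Write the policy to stdout with "# " prefixed to each line whose first
# field is exactly one of the missing paths. Lines that are already
# commented out start with "#", so their first field never matches.
comment_missing() {
    miss=$(mktemp)
    missing_paths "$1" > "$miss"
    awk -v missfile="$miss" '
        BEGIN { while ((getline p < missfile) > 0) miss[p] = 1 }
        $1 in miss { print "# " $0; next }
        { print }' "$2"
    rm -f "$miss"
}

# Constructed sample: a fragment of init output and a three-rule policy.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/init.log" <<'EOF'
### Warning: File system error.
### Filename: /root/.Xresources
### No such file or directory
### Continuing...
### Filename: /proc/3541
### No such file or directory
EOF
    cat > "$tmp/twpol.txt" <<'EOF'
/root/.bashrc -> $(SEC_CONFIG) ;
/root/.Xresources -> $(SEC_CONFIG) ;
/root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login
EOF
    comment_missing "$tmp/init.log" "$tmp/twpol.txt"
    rm -rf "$tmp"
}
```

Paths such as /proc/3541 that are missing only because a whole directory (/proc) is in the policy have no matching line and are left alone; review the output before copying it over twpol.txt and running Step 4.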

Step 4: Update the Tripwire policy

root@ithelpblog:~# sudo tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt

Step 5: Check for changes on your Ubuntu/Debian system

root@ithelpblog:~# tripwire --check --interactive
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check…
Open Source Tripwire(R) 2.4.2.2 Integrity Check Report

Report generated by: root
Report created on: Fri Oct 11 12:38:42 2013
Database last updated on: Fri Oct 11 12:33:29 2013

===============================================================================
Report Summary:
===============================================================================

Host name: ithelpblog
Host IP address: Unknown IP
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/ithelpblog.twd
Command line used: tripwire --check --interactive

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Other binaries                  66                0        0        0
  Tripwire Binaries               100               0        0        0
  Other libraries                 66                0        0        0
  Root file-system executables    100               0        0        0
* Tripwire Data Files             100               0        0        1
  System boot changes             100               0        0        0
  Root file-system libraries      100               0        0        0
    (/lib)
  Critical system boot files      100               0        0        0
* Other configuration files       66                1        0        1
    (/etc)
  Boot Scripts                    100               0        0        0
  Security Control                66                0        0        0
  Root config files               100               0        0        0
* Devices & Kernel information    100               367      666      0
  Invariant Directories           66                0        0        0

Total objects scanned: 83003
Total violations found: 1036

Step 6: Create a test file and check your Ubuntu/Debian system again

root@ithelpblog:~# touch ithelpblog.com
root@ithelpblog:~# tripwire --check --interactive
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check…
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Added:
[x] "/root/ithelpblog.com"

Modified:
[x] "/root"
[x] "/root/.nano_history"

-------------------------------------------------------------------------------
Rule Name: Devices & Kernel information (/proc)
Severity Level: 100
-------------------------------------------------------------------------------

Thanks for using IThelpblog.com

 
