How to Install and Configure Tripwire on Ubuntu 20.04

In this article, I will teach you. How to install and configure Tripwire on Ubuntu 20.04 Linux operating system. Tripwire is an open-source host-based Intrusion Detection System. Tripwire can check the integrity of the file and it will monitor and alert of file/directory changes.

The Tripwire test compares the current file system state compared to the known baseline state and alerts for any changes it detects. The baseline and check response are controlled by a policy file, which specifies which files or directories to monitor, and what features should be considered, such as hashes, file permissions, and ownership.

When the expected change occurs, such as package upgrades, the baseline database can be updated to the new known state. The policy can also be updated, for example, to reduce noise or to cover a newly installed package.

Install and Configure Tripwire on Ubuntu 20.04 [Step by Step Guide]

The Ubuntu tripwire package is available at a suitable storage location. Install it by running:

sudo apt update
sudo apt install tripwire

This installation is an interactive process, it will ask you a few questions.

1. Create Tripwire Keys and Initialize the Database

Once the installation is completed, we need to generate keys and initialize the database so that tripwire can start its work.

$ sudo su –
cd /etc/tripwire/
ls -1
server-01-local.key
site.key
tw.cfg
tw.pol
twcfg.txt
twpol.txt

We will convert the twcfg.txt file REPORT LEVEL to 4 which is a maximum.

ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR =/usr/bin/editor
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =4
SYSLOGREPORTING =true
MAILMETHOD =SMTP
SMTPHOST =localhost
SMTPPORT =25
TEMPDIRECTORY =/tmp

Generate a configuration file after the change:

twadmin -m F -c tw.cfg -S site.key twcfg.txt
Please enter your site passphrase:
Wrote configuration file: /etc/tripwire/tw.cfg

Optimize Tripwire Policy File

Create a twpolmake.pl file with the content below:

vim twpolmake.pl

Add:

#!/usr/bin/perl
# Tripwire Policy File customize tool
# —————————————————————-

# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place – Suite 330, Boston, MA  02111-1307, USA.
# —————————————————————-

# Usage:
#     perl twpolmake.pl {Pol file}
# —————————————————————-
#
$POLFILE=$ARGV[0];

open(POL,”$POLFILE”) or die “open error: $POLFILE” ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while (<POL>) {
chomp;
if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
$myhost = `hostname` ; chomp($myhost) ;
if ($thost ne $myhost) {
$_=”HOSTNAME=\”$myhost\”;” ;
}
}
elsif ( /^{/ ) {
$INRULE=1 ;
}
elsif ( /^}/ ) {
$INRULE=0 ;
}
elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
$ret = ($sharp =~ s/\#//g) ;
if ($tpath eq ‘/sbin/e2fsadm’ ) {
$cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
}
if (! -s $tpath) {
$_ = “$sharp#$tpath$cond” if ($ret == 0) ;
}
else {
$_ = “$sharp$tpath$cond” ;
}
}
print “$_\n” ;
}
close(POL) ;

2. Create Configs

# perl twpolmake.pl twpol.txt > twpol.txt.new
# twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol

3. Create a Tripwire Database

# tripwire -m i -s -c tw.cfg
Please enter your local passphrase:
### Warning: File system error.
### Filename: /var/lib/tripwire/server-01.twd
### No such file or directory
### Continuing…

You can also print the database using the command:

4. Updating a Database

An easy way to update updates the database with all changes to the report file:

# tripwire –update –accept-all

Tripwire test by executing manual testing

# tripwire -m c -s -c /etc/tripwire/tw.cfg
Open Source Tripwire(R) 2.4.3.1 Integrity Check Report

Report generated by: root
Report created on: Sat Jun 9 07:32:25 2018
Database last updated on: Never

=====================================================
Rule Summary:
=====================================================

Host name: server-01
Host IP address: 127.0.1.1
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/server-01.twd
Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg

=====================================================
Rule Summary:
=====================================================

———————————————————————————————————–
Section: Unix File System
———————————————————————————————————–

Total objects scanned: 14492
Total violations found: 1

=====================================================
Object Summary:
=====================================================

———————————————————————————————————–
# Section: Unix File System
———————————————————————————————————–

———————————————————————————————————–
Rule Name: Tripwire Data Files (/var/lib/tripwire/server-01.twd)
Severity Level: 100
———————————————————————————————————–

Added:
“/var/lib/tripwire/server-01.twd”

=====================================================
Error Report:
=====================================================

No Errors

———————————————————————————————————–
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use –version. This is free software that may be redistributed or modified only under certain conditions; see COPYING for details.
All rights reserved.

If no errors are encountered, Tripwire data files are located on: /var/lib/tripwire/<servername>.twd Scan the results are saved under /var/lib/tripwire/report/ directory:

# ls /var/lib/tripwire/report/
server-01-20180609-073225.twr

To print this report, use the syntax:

# twprint -m r -t [0-4] -r /path/to/reportfile.twr

Argument -t specifies the level of report verbosity, where 0 is a summary of one line content of the report content, and 4 displays all the attributes collected in all the variables. Reporting level defaults to 3 if not specified in the command line or with the REPORT LEVEL config file option.

5. Updating a Policy

Policy update mode changes the current Tripwire policy without missing the existing baseline.

# tripwire –update-policy updated-policy.txt

As part of the update process, this will perform a check with the new policy. If this test detects a change, the default operation will show the change and exit without updating the policy or database. To accept changes and continue with the policy updates, use the -Z low / -secure-mode low command-line option.

6. Checking the Email Configuration

Email configuration check:

# tripwire –test –email [email protected]

This sends the test email to the specified address, using the email settings specified in the config file.

If you have any questions or queries about this article, please comment below, and we’ll get back to you. Check more daily updates to subscribe to our Website and get informational articles and much more, etc.