Tripwire is an open-source security and data-integrity tool. We can configure Tripwire to raise alerts and warnings when monitored files and directories are modified, so we can see which files or directories are changing. If the changes are legitimate and expected, we accept them by updating the Tripwire database.
1. We can install Tripwire from the EPEL repository.
[root@server ~]# wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
[root@server ~]# rpm -ivh epel-release-6-8.noarch.rpm
2. Let's install Tripwire.
[root@server ~]# yum install tripwire -y
3. Now we create the site and local key files and set their passphrases with the command
[root@server ~]# tripwire-setup-keyfiles
We have to provide the site passphrase and the local passphrase when prompted for them.
4. Next, initialize the Tripwire database.
[root@server ~]# tripwire --init
While running this command we may see errors such as "File system error" or "No such file or directory". This is because we have not yet set up the Tripwire policy file, so these messages can be ignored for now.
5. Now we set up the Tripwire policy file. Open the policy file /etc/tripwire/twpol.txt:
[root@server ~]# vim /etc/tripwire/twpol.txt
We can see entries like the following:
(
rulename = "OS Boot Files and Mount Points",
)
{
/boot -> $(ReadOnly) ;
/cdrom -> $(Dynamic) ;
/floppy -> $(Dynamic) ;
/mnt -> $(Dynamic) ;
}
The policy file determines which files and directories are monitored for changes. We can also specify which file attributes should be monitored or ignored.
6. Next we update the Tripwire policy from the edited text file.
[root@server ~]# tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt
7. Now the setup is done. Let's run Tripwire for the first time.
[root@server ~]# tripwire --check --interactive
We will get a detailed report while this command runs.
8. Let's check the Tripwire report file. All Tripwire report files have the extension .twr and are located in the /var/lib/tripwire/report/ directory. These are not plain-text files, so we have to convert them to readable text.
[root@server ~]# twprint --print-report --twrfile /var/lib/tripwire/report/server.twr > /tmp/twrreport.txt
After this we can read the report file in a text editor.
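Once the report is plain text, the interesting part for day-to-day operation is turning it into a pass/fail signal, for example from a cron job that mails the summary only when something changed. The script below is an added example, not part of the original post or of the Tripwire project. It assumes the layout twprint produces: a rule summary table in which rules with violations are prefixed with "*", followed by a "Total violations found:" line. The report text embedded in it is constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): summarize a twprint text report
# and return a non-zero exit status when violations are present, so the
# script can drive cron alerting.
#
# Assumption: twprint --print-report emits a rule summary table where rules
# with violations start with "* ", plus a "Total violations found:" line.

# Constructed sample report (not real twprint output from any host).
SAMPLE_REPORT='Rule Name                       Severity Level    Added    Removed  Modified
---------                       --------------    -----    -------  --------
  Invariant Directories         66                0        0        0
* Tripwire Data Files           100               1        0        0
  OS Boot Files and Mount Points 100              0        0        0
* Critical configuration files  100               0        0        2

Total objects scanned:  25146
Total violations found:  3
'

# Print the number from the "Total violations found:" line (0 if absent).
count_violations() {
    n=$(sed -n 's/^Total violations found:[[:space:]]*\([0-9]*\).*/\1/p' "$1")
    echo "${n:-0}"
}

# Print the names of the rules twprint flagged with a leading "*".
# Field 1 is the "*", the last four fields are severity/added/removed/modified;
# everything in between is the (possibly multi-word) rule name.
violated_rules() {
    awk '/^\* / {
        name = ""
        for (i = 2; i <= NF - 4; i++) name = name (i > 2 ? " " : "") $i
        print name
    }' "$1"
}

# Print a short summary; exit status 0 when clean, 1 when violations exist.
report_status() {
    v=$(count_violations "$1")
    if [ "$v" -eq 0 ]; then
        echo "tripwire: no violations"
        return 0
    fi
    echo "tripwire: $v violation(s) in rule(s):"
    violated_rules "$1" | sed 's/^/  - /'
    return 1
}

# Run the summary on the constructed sample, so the script works stand-alone.
demo() {
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_REPORT" > "$tmp"
    report_status "$tmp" || echo "(exit status 1: this report would trigger an alert)"
    rm -f "$tmp"
}

# With a report path (e.g. the /tmp/twrreport.txt produced by twprint above)
# the exit status reflects the report; without one, the sample is shown.
case $# in
    0) demo ;;
    *) report_status "$1"; exit $? ;;
esac
```

For cron use, chain it after the conversion step: `twprint --print-report --twrfile <report>.twr > /tmp/twrreport.txt && sh tw-report-status.sh /tmp/twrreport.txt || mail -s "tripwire violations" root`. Only the rule names are parsed here; the per-file detail that follows the summary table in the report is left for the operator to read.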
9. To view the Tripwire configuration file we can use the command
[root@server ~]# twadmin --print-cfgfile