How to install and configure Tripwire IDS on Debian 10

Tripwire is a free and open source host-based intrusion detection system for Linux. It detects and reports unauthorized changes to files and directories, and can also send email alerts about those changes. Tripwire works by comparing the current file system state with a known baseline state stored in its database and reporting any differences it finds.

In this article, we will show you how to install and configure Tripwire on Debian 10.

Prerequisites

  • A server running Debian 10.
  • The root password is configured on the server.

Getting Started

First, refresh the package index by running the following command:

apt-get update -y

Once the package index is up to date, you can proceed to the next step.

Install Tripwire

The Tripwire package is available in the default Debian 10 repository. You can install it with the following command:

apt-get install tripwire -y

During the installation process, you will be asked to choose an email configuration as shown below:

Select the desired option and press Enter. The system will then ask you to set the system mail name, as shown below:

Postfix configuration

Provide your system mail name and press Enter. You will be asked whether to create a site key passphrase, as shown below:

Tripwire passphrase

Choose Yes, then press Enter. The system will ask whether to rebuild the Tripwire configuration file, as shown below:

Rebuild configuration file

Choose Yes, then press Enter. The system will ask whether to rebuild the Tripwire policy file, as shown below:

Rebuild the policy file

Choose Yes, then press Enter. The system will ask you to provide the site key passphrase, as shown below:

Set site key

Provide your passphrase and press Enter. The system will ask you to set the local key passphrase, as shown below:

Set local key passphrase

Provide your passphrase and press Enter. After Tripwire has been installed, you should see the following screen:

Tripwire installation is complete

Select Ok to complete the installation.

Configure Tripwire

Next, you will need to build the signed Tripwire configuration and policy files and initialize the database. First, change to the Tripwire directory and list the keys and files it contains:

cd /etc/tripwire/
ls

You should see the following output:

debian10-local.key  site.key  tw.cfg  twcfg.txt  tw.pol  twpol.txt

Next, edit the Tripwire configuration file and set REPORTLEVEL to 4:

nano /etc/tripwire/twcfg.txt

Change the following line:

REPORTLEVEL   =4

Save and close the file when you are done.

Next, use the following command to generate a new configuration file:

twadmin -m F -c tw.cfg -S site.key twcfg.txt

The system will ask you to provide the site passphrase, as shown below:

Please enter your site passphrase: 
Wrote configuration file: /etc/tripwire/tw.cfg

Next, create a twpolmake.pl script to tailor the Tripwire policy to this host: it sets HOSTNAME to the local hostname and comments out rules for paths that do not exist on the system, so the first check is not flooded with "file not found" noise.

nano twpolmake.pl

Add the following lines:

#!/usr/bin/perl
# twpolmake.pl: tailor twpol.txt to this host.
#  - rewrites the HOSTNAME variable to the local hostname
#  - inside rule blocks, comments out entries whose path does not exist
#    and uncomments entries whose path does exist
use strict;

my $POLFILE = $ARGV[0];

open(POL, '<', $POLFILE) or die "open error: $POLFILE";
my ($myhost, $thost);
my ($sharp, $tpath, $cond);
my ($INRULE) = 0;
my $ret;

while (<POL>) {
    chomp;
    # Replace the HOSTNAME value if it differs from this machine's hostname
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname`; chomp($myhost);
        if ($thost ne $myhost) {
            $_ = "HOSTNAME=\"$myhost\";";
        }
    }
    elsif ( /^\{/ ) {        # start of a rule block
        $INRULE = 1;
    }
    elsif ( /^\}/ ) {        # end of a rule block
        $INRULE = 0;
    }
    # A rule line: optional leading '#', an absolute path, then "-> <property mask>"
    elsif ($INRULE == 1 and ($sharp, $tpath, $cond) = /^(\s*#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        # Strip any existing comment marker; $ret is the number of '#' removed
        $ret = ($sharp =~ s/#//g) || 0;
        if ($tpath eq '/sbin/e2fsadm') {
            $cond =~ s/;\s+(tune2fs.*)$/; #$1/;
        }
        if (! -s $tpath) {
            # Path does not exist (or is empty): comment the rule out unless it already was
            $_ = "$sharp#$tpath$cond" if ($ret == 0);
        }
        else {
            # Path exists: emit the rule uncommented
            $_ = "$sharp$tpath$cond";
        }
    }
    print "$_\n";
}
close(POL);

Save and close the file, then use the following commands to generate the tailored policy text and compile it into the signed policy file:

perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new

You should see the following output:

Please enter your site passphrase: 
Wrote policy file: /etc/tripwire/tw.pol

Next, use the following command to initialize the Tripwire database (the baseline against which future checks are compared):

tripwire -m i -s -c tw.cfg

You should see the following output:

Please enter your local passphrase: 
### Warning: File system error.
### Filename: /var/lib/tripwire/debian10.twd
### No such file or directory
### Continuing...

The warning is expected on a first initialization, because no database file existed before this command created it. You can display the generated database with the following command:

twprint -m d -d /var/lib/tripwire/debian10.twd

You should see the following output:

Open Source Tripwire(R) 2.4.3.7 Database

Database generated by:        root
Database generated on:        Sun 09 May 2021 08:39:18 AM UTC
Database last updated on:     Never

===============================================================================
Database Summary: 
===============================================================================

Host name:                    debian10
Host IP address:              45.58.38.142
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/debian10.twd
Command line used:            tripwire -m i -s -c tw.cfg 

===============================================================================
Object Summary: 
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

If you want to update the Tripwire database to accept changes that a check has reported, run the following command:

tripwire --update --accept-all

Because update mode reads the report produced by the most recent integrity check, running it before any check has been performed fails with the following output:

### Error: File could not be opened.
### Filename: /var/lib/tripwire/report/debian10-20210509-084141.twr
### No such file or directory
### Exiting...

Now, use the following command to run an integrity check against the database:

tripwire -m c -s -c /etc/tripwire/tw.cfg

You should see the following output:

Open Source Tripwire(R) 2.4.3.7 Integrity Check Report

Report generated by:          root
Report created on:            Sun 09 May 2021 08:42:15 AM UTC
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    debian10
Host IP address:              45.58.38.142
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/debian10.twd
Command line used:            tripwire -m c -s -c /etc/tripwire/tw.cfg 

===============================================================================
Rule Summary: 
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified 
  ---------                       --------------    -----    -------  -------- 
  Other binaries                  66                0        0        0        
  Tripwire Binaries               100               0        0        0        
  Other libraries                 66                0        0        0        
  Root file-system executables    100               0        0        0        
* Tripwire Data Files             100               1        0        0        
  System boot changes             100               0        0        0        
  Root file-system libraries      100               0        0        0        
  (/lib)
  Critical system boot files      100               0        0        0        
* Other configuration files       66                0        0        1        
  (/etc)
  Boot Scripts                    100               0        0        0        
  Security Control                66                0        0        0        
  Root config files               100               0        0        0        
  Devices & Kernel information    100               0        0        0        
  (/dev)
  Invariant Directories           66                0        0        0        

Total objects scanned:  27975
Total violations found:  2

===============================================================================
Object Summary: 
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire/debian10.twd)
Severity Level: 100
-------------------------------------------------------------------------------

By default, Tripwire report files are located in /var/lib/tripwire/report/:

ls /var/lib/tripwire/report/

Output:

debian10-20210509-084215.twr

You can check this report with the following command:

twprint -m r -t 4 -r /var/lib/tripwire/report/debian10-20210509-084215.twr

Verify Tripwire IDS

At this point, Tripwire has been installed and configured. Now, it’s time to check whether Tripwire is working properly.

First, use the following command to create some test files in root's home directory:

touch fil1 file2 file3 file4 file5

Now, run Tripwire in interactive check mode to see whether it detects these files:

tripwire --check --interactive

You should see the newly created files in the following output:

Open Source Tripwire(R) 2.4.3.7 Integrity Check Report

Report generated by:          root
Report created on:            Sun 09 May 2021 08:46:36 AM UTC
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    debian10
Host IP address:              45.58.38.142
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/debian10.twd
Command line used:            tripwire --check --interactive

===============================================================================
-------------------------------------------------------------------------------
Rule Name: Other configuration files (/etc)
Severity Level: 66
-------------------------------------------------------------------------------

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Modified:
[x] "/etc/tripwire"

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Added:
[x] "/root/file4"
[x] "/root/file3"
[x] "/root/fil1"
[x] "/root/file2"
[x] "/root/file5"

Modified:
[x] "/root"

===============================================================================

You can also check the generated report later using the following command:

twprint --print-report --twrfile /var/lib/tripwire/report/debian10-20210509-084636.twr

Automating Tripwire reports

You can also set up a cron job to run Tripwire at a fixed time. To do so, open the root crontab:

crontab -e

Add the following line:

00 06 * * * /usr/sbin/tripwire --check

Save and close the file when you are done.

The above entry runs Tripwire every morning at 06:00. You can view the generated reports in /var/lib/tripwire/report/. Cron also mails the command's output to the crontab owner, so the report text arrives by email as well if local mail delivery (the Postfix setup chosen during installation) is working.
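The cron entry above only writes a report; nothing in the article turns that report into an alert. The following script, added here as an example and not part of the article or of the Tripwire project, parses the "Rule Summary" text that tripwire --check prints (and that twprint -m r reproduces) using only POSIX sh and awk, and reduces it to an alert level a cron wrapper can act on. The report embedded in the script is a constructed sample modelled on the article's output; the severity threshold and the page/notice/ok levels are this example's own convention, not a Tripwire feature, and the cron wrapper in the comments assumes tripwire lives at /usr/sbin/tripwire and that a local MTA is configured.

```shell
#!/bin/sh
# Added example: turn a Tripwire check report into an alert decision.
# Constructed sample report, modelled on the Rule Summary format of
# `tripwire --check` (not real output from the article's host).
SAMPLE_REPORT=$(cat <<'EOF'
Open Source Tripwire(R) 2.4.3.7 Integrity Check Report

Report generated by:          root
Database last updated on:     Never

===============================================================================
Rule Summary:
===============================================================================

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Other binaries                  66                0        0        0
* Tripwire Data Files             100               1        0        0
  Root file-system libraries      100               0        0        0
  (/lib)
* Other configuration files       66                0        0        1
  (/etc)

Total objects scanned:  27975
Total violations found:  2
EOF
)

# violation_count REPORT: prints the number after "Total violations found:",
# or 0 when that line is absent (e.g. a truncated or empty report).
violation_count() {
    printf '%s\n' "$1" | awk '
        /^Total violations found:/ { sub(/^Total violations found: */, ""); n = $0 + 0; found = 1 }
        END { print (found ? n : 0) }'
}

# changed_rules REPORT: prints the name of every rule row flagged with "*",
# one per line. The four trailing columns are severity, added, removed and
# modified, so the name is everything between the "*" and those columns.
changed_rules() {
    printf '%s\n' "$1" | awk '
        /^\* / {
            name = ""
            for (i = 2; i <= NF - 4; i++) name = name (i > 2 ? " " : "") $i
            print name
        }'
}

# max_changed_severity REPORT: highest severity among flagged rules, or 0.
max_changed_severity() {
    printf '%s\n' "$1" | awk '
        BEGIN { m = 0 }
        /^\* / { sev = $(NF - 3) + 0; if (sev > m) m = sev }
        END { print m }'
}

# alert_level REPORT THRESHOLD: "page" if a flagged rule reaches THRESHOLD,
# "notice" for any lower-severity violation, "ok" for a clean report.
alert_level() {
    v=$(violation_count "$1")
    s=$(max_changed_severity "$1")
    if [ "$v" -gt 0 ] && [ "$s" -ge "$2" ]; then
        echo page
    elif [ "$v" -gt 0 ]; then
        echo notice
    else
        echo ok
    fi
}

# Cron wrapper sketch (assumption: tripwire at /usr/sbin/tripwire, local MTA
# configured). Point the crontab entry at a script that does roughly this:
#
#   report=$(/usr/sbin/tripwire --check 2>&1)
#   level=$(alert_level "$report" 100)
#   [ "$level" = ok ] || printf '%s\n' "$report" | mail -s "tripwire $level: $(hostname)" root
#
# Stand-alone run over the constructed sample:
printf 'violations: %s\n' "$(violation_count "$SAMPLE_REPORT")"
printf 'changed rules:\n%s\n' "$(changed_rules "$SAMPLE_REPORT")"
printf 'alert level (threshold 100): %s\n' "$(alert_level "$SAMPLE_REPORT" 100)"
```

Keying the alert level on the severity column lets the wrapper page on changes to rules the policy rates 100 (Tripwire binaries, root file-system executables, boot files) while merely logging lower-rated configuration churn; the threshold is a local choice, and the numbers come from the policy file, so adjust it if you edit severities in twpol.txt.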

Conclusion

Congratulations! You have successfully installed and configured Tripwire IDS on Debian 10. We hope this helps you identify which files or directories have been modified on your system.
