Tripwire IDS on CentOS 7

Tripwire is an Intrusion Detection System. It is used to secure systems and creates a unique fingerprint of how a system is configured. It continually checks the system against this fingerprint, and any inconsistency between the fingerprint and the current system is logged and included in a report. This is a reliable way to tell if a system has been changed without your knowledge. This post will guide you through installation and configuration of Tripwire IDS on a CentOS 7 system.

Install Tripwire

Install tripwire IDS from the yum repositories.

Add EPEL Repository

First enable the EPEL Repository.

[root@server ~]# yum -y install epel-release

Install the Tripwire Application

Install the Tripwire binaries.

[root@server ~]# yum -y install tripwire

Backup Original Configuration

Backup the original Tripwire configuration files before making any changes.

[root@server ~]# mkdir ~/tripwire_backup
[root@server ~]# cp /etc/tripwire/twcfg.txt ~/tripwire_backup/twcfg.txt
[root@server ~]# cp /etc/tripwire/twpol.txt ~/tripwire_backup/twpol.txt

Directory Checking

Change ‘LOOSEDIRECTORYCHECKING’ to true.

[root@server ~]# sed -i '/^LOOSEDIRECTORYCHECKING/ s/false/true/g' /etc/tripwire/twcfg.txt

Create Keys

Create the keys to secure Tripwire.

[root@server ~]# /usr/sbin/tripwire-setup-keyfiles

Initialise DB

Initialise the Tripwire database. (A list of errors will be displayed; these will be fixed later on, so they are safe to ignore.)

[root@server ~]# tripwire --init

A message should be displayed that the database was successfully generated.

Fix Errors

Tripwire checks a number of different settings on the system. Its default policy references files that may not actually exist on your system, and each of those produces an error. This step removes those errors. Create a folder for the update process and change into that directory.

[root@server ~]# mkdir ~/tripwire_update
[root@server ~]# cd ~/tripwire_update

Collect all the errors and log them to a file.

[root@server ~]# tripwire --check | grep "Filename:" | awk '{print $NF}' > ./tripwire_errors

Copy the policy file

[root@server ~]# cp /etc/tripwire/twpol.txt ~/tripwire_update/twpol.txt

Create the bash script below to parse the errors file and fix the issues in the Tripwire policy file.

[root@server ~]# cat <<'EOF' > ~/tripwire_update/tripwire_fix_script.sh
#!/bin/sh

# Paths listed in the errors file are missing from this system, so the
# policy rules that reference them are commented out with a leading '#'.
TWERR="./tripwire_errors"
TWPOL="./twpol.txt"

# Read the errors file one line at a time so each path is handled whole.
while IFS= read -r i; do
    [ -n "$i" ] || continue
    # Only touch the policy file if the path actually appears in it
    # (-F matches the path literally, -q suppresses grep's output).
    if grep -qF -- "$i" "$TWPOL"; then
        sed -i "s!$i!# $i!g" "$TWPOL"
    fi
done < "$TWERR"
EOF

Run the script.

[root@server ~]# sh ./tripwire_fix_script.sh

Copy the updated Tripwire policy file back to the original location.

[root@server ~]# cp ~/tripwire_update/twpol.txt /etc/tripwire/twpol.txt
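As an added example (not from the original post), here is a stricter variant of the fix script above: it extracts the missing paths from constructed `tripwire --check` output and comments out only the policy rules whose path is exactly one of those, so a missing /etc/exports does not also disable the rule for /etc/exports.d. The `### Filename:` output format, the sample policy fragment and the function names are assumptions.

```shell
#!/bin/bash
# Added example, not from the original post: a stricter version of the
# policy-fixing step. It comments out only the rule whose path is exactly a
# missing file, so a missing /etc/exports does not also silence the rule
# for /etc/exports.d. The "### Filename:" output format is an assumption.

# Constructed sample of the warnings printed by `tripwire --check`.
SAMPLE_CHECK='### Warning: File system error.
### Filename: /usr/sbin/fixfiles
### No such file or directory
### Warning: File system error.
### Filename: /etc/exports
### No such file or directory
### Warning: File system error.
### Filename: /usr/sbin/fixfiles
### No such file or directory'

# Constructed fragment of twpol.txt in the stock rule syntax.
SAMPLE_POLICY='{
  /usr/sbin/fixfiles    -> $(SEC_CRIT) ;
  /etc/exports          -> $(SEC_CRIT) ;
  /etc/exports.d        -> $(SEC_CRIT) ;
  /etc/passwd           -> $(SEC_CRIT) ;
}'

# Read check output on stdin; print each missing path once. The last field
# is used so it works whether or not the line carries the "###" prefix.
extract_missing_paths() {
    awk '/Filename:/ { print $NF }' | sort -u
}

# comment_out_rules POLICY ERRORS: prefix "# " to every not-yet-commented
# policy line whose first token (the rule path) is listed in ERRORS.
# Matching the whole token avoids the substring over-match of a plain
# sed "s!path!# path!g", which would also disable rules for longer paths.
comment_out_rules() {
    awk -v errfile="$2" '
        BEGIN { while ((getline p < errfile) > 0) missing[p] = 1 }
        {
            line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t]+/)
            if (f[1] != "" && (f[1] in missing) && $0 !~ /^[ \t]*#/) {
                print "# " $0; next
            }
            print
        }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Count the policy lines that have been commented out in POLICY.
count_commented() { grep -c '^# ' "$1"; }
```

Run it against the copy of twpol.txt in ~/tripwire_update, as the post does, and compare the commented lines against the errors file before copying the policy back.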

Update the tripwire database from the tripwire policy that was created.

[root@server ~]# tripwire --update-policy -Z low /etc/tripwire/twpol.txt

Run a tripwire check. This check will generate a Tripwire report, usually located in /var/lib/tripwire/report/.

[root@server ~]# tripwire --check

Run a check

[root@server ~]# /etc/cron.daily/tripwire-check

Update (Again)

Update again to accept the differences that the check reports now that the policy file has been updated. Change YYYYMMDD and HHMMSS in the command below to the date and time that you ran the first check.

To find the latest report, just run

[root@server ~]# ls -la /var/lib/tripwire/report/

Update the errors

[root@server ~]# tripwire --update --twrfile /var/lib/tripwire/report/server-YYYYMMDD-HHMMSS.twr

Email Reports

Make sure you have the mail client (mailx) installed.

[root@server ~]# yum -y install mailx

Next change the Tripwire cron job to send an email report out.

Open the cron job file for the tripwire check.

[root@server ~]# vi /etc/cron.daily/tripwire-check

Change the following line

test -f /etc/tripwire/tw.cfg && /usr/sbin/tripwire --check

to the following (make sure to update the server name and the email address the report should go to):

test -f /etc/tripwire/tw.cfg && /usr/sbin/tripwire --check | /bin/mail -s "File Integrity Report (Tripwire) - servername" user@domain.tld

Directory Checking (Revert)

Now we need to set Loose Directory Checking back to false.

[root@server ~]# sed -i '/^LOOSEDIRECTORYCHECKING/ s/true/false/g' /etc/tripwire/twcfg.txt

Testing

We need to test the cron job to make sure that it will run, create the report and email it out to the address specified.

[root@server ~]# /etc/cron.daily/tripwire-check

If no errors were encountered you should have a working Tripwire setup: any changes made to your file system will show up in the report that is emailed to you every day. If you have made changes to the system yourself, don't forget to update the database, otherwise the list of reported changes will keep growing and you won't be able to tell whether something has actually changed.