Tripwire IDS Security on CentOS 7
Tripwire is a host-based Intrusion Detection System, more precisely a file integrity checker. It records a baseline of the system's files (hashes, permissions, ownership, timestamps and other attributes, as selected by a policy) in a signed database, and each time it is run, normally once a day from cron, it compares the current state of the system against that baseline and writes a report of every addition, removal and modification. This is a reliable way to tell that a system has been changed without your knowledge, provided the database was created while the system was in a known-good state. This post will guide you through installation and configuration of Tripwire IDS on a CentOS 7 system.
Install Tripwire #
Install Tripwire from the yum repositories. The package is in EPEL, not in the CentOS base repositories.
Add EPEL Repository #
First enable the EPEL Repository.
[root@server ~]# yum -y install epel-release
Install the Tripwire Application #
Install the Tripwire binaries.
[root@server ~]# yum -y install tripwire
Backup Original Configuration #
Backup the original Tripwire configuration files before making any changes.
[root@server ~]# mkdir ~/tripwire_backup
[root@server ~]# cp /etc/tripwire/twcfg.txt ~/tripwire_backup/twcfg.txt
[root@server ~]# cp /etc/tripwire/twpol.txt ~/tripwire_backup/twpol.txt
Directory Checking #
Set 'LOOSEDIRECTORYCHECKING' to true. With this on, Tripwire does not report changes to a directory's own attributes (size, timestamps, hashes, link count) that are caused only by files inside it changing, which keeps the reports short while the policy is being cleaned up. This is done now, before the configuration is signed in the next step, so that the setting ends up in tw.cfg.
[root@server ~]# sed -i '/^LOOSEDIRECTORYCHECKING/ s/false/true/g' /etc/tripwire/twcfg.txt
Create Keys #
Create the site and local keys that protect Tripwire. tripwire-setup-keyfiles generates /etc/tripwire/site.key and /etc/tripwire/hostname-local.key (prompting you to choose a passphrase for each) and then signs twcfg.txt and twpol.txt into tw.cfg and tw.pol. Choose strong passphrases: anyone who knows them can rewrite the policy or the database to hide changes.
[root@server ~]# /usr/sbin/tripwire-setup-keyfiles
Initialise DB #
Initialise the Tripwire database; you will be asked for the local passphrase. (A list of file system errors for paths that do not exist on this system will be printed. These are dealt with in the next section, so they are safe to ignore for now.)
[root@server ~]# tripwire --init
When it finishes, Tripwire reports that the database was successfully generated; it is written to /var/lib/tripwire/hostname.twd.
Fix Errors #
The default policy shipped with the package references files and directories that may not exist on your system, and every such path produces a 'No such file or directory' warning on each run. This step comments those rules out of the policy. Create a working directory for the update process and change into it.
[root@server ~]# mkdir ~/tripwire_update
[root@server ~]# cd ~/tripwire_update
Collect the missing paths from the warnings into a file, one per line. (The warning lines read 'Filename: /path', possibly with a '### ' prefix, so strip everything up to and including 'Filename:' rather than counting fields.)
[root@server ~]# tripwire --check | grep "Filename:" | sed 's/.*Filename: *//' > ./tripwire_errors
Copy the plain-text policy file into the working directory.
[root@server ~]# cp /etc/tripwire/twpol.txt ~/tripwire_update/twpol.txt
[root@server ~]# cat <<'EOF' > ~/tripwire_update/tripwire_fix_script.sh
#!/bin/bash
# Comment out each policy rule whose path Tripwire reported as missing.
TWERR="./tripwire_errors"
TWPOL="./twpol.txt"
while IFS= read -r i; do
    [ -n "$i" ] || continue
    # Escape regex metacharacters so "." in the path matches literally.
    esc=$(printf '%s' "$i" | sed 's/[].*+?^$(){}|[]/\\&/g')
    # Anchor to the start of a rule (optional indent, path, then whitespace
    # or "->") so that /etc/rc.d does not also comment out /etc/rc.d/init.d,
    # and already-commented lines are left alone.
    if grep -qE "^[[:space:]]*$esc([[:space:]]|->)" "$TWPOL"; then
        sed -r -i "s!^([[:space:]]*)$esc([[:space:]]|->)!\1# $i\2!" "$TWPOL"
    fi
done < "$TWERR"
EOF
Run the script.
[root@server ~]# bash ./tripwire_fix_script.sh
Copy the updated Tripwire policy file back to the original location.
[root@server ~]# cp ~/tripwire_update/twpol.txt /etc/tripwire/twpol.txt
Install the edited policy and bring the database in line with it. This re-signs twpol.txt into tw.pol and asks for the site and local passphrases; -Z low (low secure mode) makes Tripwire report any violations it finds while switching policy and carry on, instead of stopping without changing the database.
[root@server ~]# tripwire --update-policy -Z low /etc/tripwire/twpol.txt
Run a Tripwire check. Each check writes a report to /var/lib/tripwire/report/, named after the host and the time of the check (hostname-YYYYMMDD-HHMMSS.twr).
[root@server ~]# tripwire --check
Run a check #
Also run the packaged daily cron script once by hand; this is the command cron will run from now on, so it should work the same way.
[root@server ~]# /etc/cron.daily/tripwire-check
Update (Again) #
Update the database again, so that the violations caused by the policy change are accepted into the baseline. Change YYYYMMDD and HHMMSS to the date and time of the report you want to apply.
To find the latest one just run
[root@server ~]# ls -la /var/lib/tripwire/report/
[root@server ~]# tripwire --update --twrfile /var/lib/tripwire/report/server-YYYYMMDD-HHMMSS.twr
The update opens the report in the editor configured in twcfg.txt (vi by default), with each reported change pre-marked [x]. Leave the mark to accept that change into the database, or change it to [ ] to keep reporting it; then save, quit and enter the local passphrase when prompted.
Email Reports #
Make sure the mail command is installed (the mailx package provides /bin/mail) and that the host can actually deliver mail, i.e. a local MTA that relays to your mail server.
[root@server ~]# yum -y install mailx
Next change the Tripwire cron job to send an email report out.
Open the cron job file for the tripwire check
[root@server ~]# vi /etc/cron.daily/tripwire-check
Change the following line
test -f /etc/tripwire/tw.cfg && /usr/sbin/tripwire --check
to (Make sure to update the server name and email address of where you want the report to go to)
test -f /etc/tripwire/tw.cfg && /usr/sbin/tripwire --check | /bin/mail -s "File Integrity Report (Tripwire) - servername" user@domain.tld
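As an added example (not code from the original post or from the Tripwire package), the shell helpers below tighten two of the steps above: picking the latest report for tripwire --update without copying a timestamp by hand, and giving the daily mail a subject that states the violation count, so an alert is not buried among identical "File Integrity Report" messages. The only Tripwire-specific assumptions are the report naming (hostname-YYYYMMDD-HHMMSS.twr) and the "Total violations found:" line in the check summary; the function names, the subject wording and the sample summary text are constructed for the example.

```shell
#!/bin/bash
# Added example, not part of the original post or of the Tripwire package:
# helper functions around the daily check. The report string it parses
# ("Total violations found:") and the hostname-YYYYMMDD-HHMMSS.twr naming
# are Tripwire's own; the function names, the subject wording and the
# sample text below are this example's assumptions.
set -u

TW_REPORT_DIR="${TW_REPORT_DIR:-/var/lib/tripwire/report}"

# Print the newest .twr report in a directory (by mtime), for
# "tripwire --update --twrfile $(latest_report)". Prints nothing if empty.
latest_report() {
    local dir="${1:-$TW_REPORT_DIR}"
    ls -t "$dir"/*.twr 2>/dev/null | head -n 1
}

# Read `tripwire --check` output (or `twprint --print-report` text) on
# stdin and print the number after "Total violations found:"; 0 if absent.
tw_violations() {
    awk '/^Total violations found:/ { n = $4 } END { print n + 0 }'
}

# Subject line that states the outcome, so a violation is visible in the
# mailbox without opening every daily report.
tw_subject() {
    local host="$1" count="$2"
    if [ "$count" -gt 0 ]; then
        echo "Tripwire ALERT: $count violation(s) on $host"
    else
        echo "Tripwire OK: no violations on $host"
    fi
}

# Run the check, mail the full text with the computed subject, and exit
# non-zero when violations were found. Drop-in body for the cron job:
#   tw_daily_mail "$(uname -n)" user@domain.tld
tw_daily_mail() {
    local host="$1" recipient="$2" out count
    out="$(mktemp)" || return 1
    /usr/sbin/tripwire --check > "$out" 2>&1
    count="$(tw_violations < "$out")"
    mail -s "$(tw_subject "$host" "$count")" "$recipient" < "$out"
    rm -f "$out"
    [ "$count" -eq 0 ]
}

# Constructed sample of the summary block a check prints (not a real report).
sample_check_output() {
    cat <<'EOF'
Integrity Check Report

Total objects scanned:  32678
Total violations found:  3
EOF
}

# Stand-alone demo on the constructed sample.
demo_subject() {
    tw_subject "server" "$(sample_check_output | tw_violations)"
}
demo_subject
```

To use it, source the file from /etc/cron.daily/tripwire-check and replace the tripwire --check | mail line with tw_daily_mail "$(uname -n)" user@domain.tld; after accepting the changes in a report, run tripwire --update --twrfile "$(latest_report)" instead of typing the timestamp.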
Directory Checking (Revert) #
With the policy cleaned up, set LOOSEDIRECTORYCHECKING back to false so that changes to directory entries are reported in full again. Note that Tripwire reads the signed tw.cfg, not twcfg.txt, so after editing the text file re-sign it with twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt (it asks for the site passphrase); until then the daily check still runs with the old setting.
[root@server ~]# sed -i '/^LOOSEDIRECTORYCHECKING/ s/true/false/g' /etc/tripwire/twcfg.txt
Testing #
We need to test the cronjob to make sure that it will run, create the report and email it out to the address specified.
[root@server ~]# /etc/cron.daily/tripwire-check
If no errors were encountered you have a working Tripwire setup: any change to the monitored files will show up in the report that is emailed to you every day. After you make legitimate changes to the system, accept them with tripwire --update (or tripwire --update-policy after editing the policy); otherwise the same violations are reported every day, the list keeps growing, and a genuine intrusion is easy to miss among them. Remember too that the baseline is only as trustworthy as the system was when you ran tripwire --init.