Tripwire Installation for SuSE 15
Monday, July 26, 2021
by Ramses Soto-Navarro ramses@sotosystems.com, 7/26/2021
Overview
Brief notes on how to install and run Tripwire on SuSE Linux Enterprise (SLE) 15. Tripwire records checksums of critical files in a database. Afterward you can compare the live files against that database to find files that have changed, which can indicate a compromise. For example, files in /bin/ should never change unless an upgrade was performed; Tripwire can scan daily for changes to such sensitive files, which makes it a good host-based intrusion detection tool.
Installation
Install the package.
# zypper install tripwire
Edit the policy.
# vi /etc/tripwire/twpol.txt

@@section GLOBAL
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL=/etc/tripwire;
TWDB=/var/lib/tripwire;
TWSKEY=/etc/tripwire;
TWLKEY=/etc/tripwire;
TWREPORT=/var/lib/tripwire/report;
# set to this machine's hostname: the local key is referenced below as $(HOSTNAME)-local.key
HOSTNAME=myhostname;

# property masks: + checks an attribute, - ignores it
Device     = +pugsdr-intlbamcCMSH ;
Dynamic    = +pinugtd-srlbamcCMSH ;
Growing    = +pinugtdl-srbamcCMSH ;
IgnoreAll  = -pinugtsdrlbamcCMSH ;
IgnoreNone = +pinugtsdrbamcCMSH-l ;
ReadOnly   = +pinugtsdbmCM-rlacSH ;
Temporary  = +pugt ;

@@section FS

(
  rulename = "Tripwire Binaries",
)
{
  $(TWBIN)/siggen   -> $(ReadOnly) ;
  $(TWBIN)/tripwire -> $(ReadOnly) ;
  $(TWBIN)/twadmin  -> $(ReadOnly) ;
  $(TWBIN)/twprint  -> $(ReadOnly) ;
}

(
  rulename = "Tripwire Data Files",
)
{
  $(TWDB)                          -> $(Dynamic) -i ;
  $(TWPOL)/tw.pol                  -> $(ReadOnly) -i ;
  $(TWPOL)/tw.cfg                  -> $(ReadOnly) -i ;
  $(TWLKEY)/$(HOSTNAME)-local.key  -> $(ReadOnly) ;
  $(TWSKEY)/site.key               -> $(ReadOnly) ;
  # don't scan the individual reports
  $(TWREPORT)                      -> $(Dynamic) (recurse=0) ;
}

(
  rulename = "Global Configuration Files",
)
{
  /etc -> $(IgnoreNone) -SHa ;
}

(
  rulename = "OS Boot Files and Mount Points",
)
{
  /boot -> $(ReadOnly) ;
}

(
  rulename = "OS Devices and Misc Directories",
)
{
  /opt -> $(Dynamic) ;
}

(
  rulename = "OS Binaries and Libraries",
)
{
  /bin        -> $(ReadOnly) ;
  /lib        -> $(ReadOnly) ;
  /lib64      -> $(ReadOnly) ;
  /sbin       -> $(ReadOnly) ;
  /usr/bin    -> $(ReadOnly) ;
  /usr/lib    -> $(ReadOnly) ;
  /usr/lib64  -> $(ReadOnly) ;
  /usr/sbin   -> $(ReadOnly) ;
}

(
  rulename = "User Binaries and Libraries",
)
{
  /usr/local          -> $(ReadOnly) ;
  /usr/local/bin      -> $(ReadOnly) ;
  /usr/local/etc      -> $(ReadOnly) ;
  /usr/local/include  -> $(ReadOnly) ;
  /usr/local/lib      -> $(ReadOnly) ;
  /usr/local/sbin     -> $(ReadOnly) ;
  /usr/local/share    -> $(ReadOnly) ;
}

(
  rulename = "Root Directory and Files",
)
{
  /root -> $(IgnoreNone) -SHa ;
}

(
  rulename = "Monitor Filesystems",
)
{
  /home -> $(ReadOnly) ;
  # Modify as needed
  /usr  -> $(ReadOnly) ;
  /var  -> $(ReadOnly) ;
}
Generate Keys
# twadmin --generate-keys --site-keyfile /etc/tripwire/site.key --local-keyfile /etc/tripwire/$HOSTNAME-local.key
# twadmin --create-cfgfile --cfgfile /etc/tripwire/tw.cfg --site-keyfile /etc/tripwire/site.key /etc/tripwire/twcfg.txt
# mkdir /usr/local/etc/
# ln -s /etc/tripwire/tw.cfg /usr/local/etc/tw.cfg
# twadmin --create-polfile --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --site-keyfile /etc/tripwire/site.key /etc/tripwire/twpol.txt
Initialize
# tripwire --init
Check Files
# tripwire --check > /tmp/tw1.txt
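The daily scan the overview mentions is only useful if someone looks at the result. The script below is an added example, not part of the original notes and not Tripwire's own tooling: it wraps the check so that a cron job keeps a dated copy of the report, pulls the violation count and the added/removed/modified objects out of the plain-text report, and exits non-zero when anything changed. The sample report embedded in it is constructed to mirror the layout of a tripwire text report (only the "Total violations found:" line and the quoted paths under the Added:/Removed:/Modified: headings matter to the parser); the report directory and file naming in tw_daily_check are assumptions.

```shell
#!/bin/sh
# Added example for triaging "tripwire --check" output; not from the original post.

# Constructed sample modelled on the layout of a tripwire text report.
SAMPLE_REPORT=$(cat <<'EOF'
Tripwire(R) Integrity Check Report

Rule Summary:
  Rule Name                       Severity Level    Added    Removed  Modified
* OS Binaries and Libraries       0                 1        0        1
  Tripwire Binaries               0                 0        0        0

Total objects scanned:  1234
Total violations found:  2

Object Summary:
Rule Name: OS Binaries and Libraries (/usr/bin)
Severity Level: 0

Added:
"/usr/bin/newtool"

Modified:
"/usr/bin/ls"
EOF
)

# Print the violation count from a report on stdin (0 if the line is absent).
tw_violation_count() {
    n=$(sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# Print one "<Added|Removed|Modified> <path>" line per reported object, reading
# the report on stdin. Objects appear as quoted paths under a heading line
# "Added:", "Removed:" or "Modified:"; the heading sets the kind for the paths
# that follow it.
tw_changed_objects() {
    awk '
        /^(Added|Removed|Modified):[ \t]*$/ { kind = $1; sub(":", "", kind); next }
        /^"\/.*"$/ && kind != ""            { path = $0; gsub(/"/, "", path); print kind, path }
    '
}

# Cron-ready wrapper (assumed report directory). tripwire exits non-zero when it
# finds violations, so that status is ignored and the report itself is parsed;
# the function then returns 1 so cron mails the output or a monitoring job alerts.
tw_daily_check() {
    report_dir=${1:-/var/lib/tripwire/report}
    out="$report_dir/check-$(date +%Y%m%d-%H%M%S).txt"
    tripwire --check > "$out" 2>&1 || :
    count=$(tw_violation_count < "$out")
    if [ "$count" -gt 0 ]; then
        echo "tripwire: $count violation(s), see $out" >&2
        tw_changed_objects < "$out" >&2
        return 1
    fi
    echo "tripwire: no violations ($out)"
}

# Demo on the constructed sample; tripwire itself is not invoked here.
printf '%s\n' "$SAMPLE_REPORT" | tw_violation_count   # 2
printf '%s\n' "$SAMPLE_REPORT" | tw_changed_objects   # Added /usr/bin/newtool, Modified /usr/bin/ls
```

Run tw_daily_check from root's crontab once a day; a non-zero exit with the changed paths on stderr is the signal to compare the report against the change log (package upgrades, deployments) and, once everything is accounted for, update the database so the next scan starts from a known-good state.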
The End.