Tripwire Installation for SuSE 15
Monday, July 26, 2021
by Ramses Soto-Navarro ramses@sotosystems.com, 7/26/2021
Overview
Installation
Generate Keys
Initialize
Check Files
Overview
Brief notes on how to install and run Tripwire on SUSE Linux Enterprise 15 (SLE 15). Tripwire records checksums and file attributes of critical files in a signed database; later checks compare the filesystem against that baseline and report which files have changed, and so which may have been tampered with. Files under /bin, for example, should never change except during a package upgrade, so a daily Tripwire scan of such sensitive paths is a useful host-based intrusion-detection measure. Keep in mind that Tripwire only detects deviation from its baseline: initialize the database on a host you know to be clean, and keep a copy of the database and keys on read-only or offline media, since an intruder with root can otherwise replace them and re-baseline the host.
Installation
Install the package.
# Run as root; the leading '#' in these notes is the root shell prompt, not a comment.
# zypper install tripwire
Edit the plain-text policy source (the excerpt below is a trimmed version of the file; it is compiled and signed into tw.pol in the key-generation step). In particular, set HOSTNAME to the exact output of `hostname`: the local key file name is derived from it.
# twpol.txt is the plain-text policy source; it becomes effective only after
# twadmin --create-polfile compiles and signs it into tw.pol (see below).
# vi /etc/tripwire/twpol.txt
@@section GLOBAL
# Paths used by the FS rules below. They follow the SUSE package layout
# (binaries in /usr/sbin, config and keys in /etc/tripwire, database and
# reports under /var/lib/tripwire) and must agree with what tw.cfg says.
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL=/etc/tripwire;
TWDB=/var/lib/tripwire;
TWSKEY=/etc/tripwire;
TWLKEY=/etc/tripwire;
TWREPORT=/var/lib/tripwire/report;
# Placeholder: set this to the exact output of `hostname`. The local key is
# generated as $(TWLKEY)/<hostname>-local.key, and the "Tripwire Data Files"
# rule refers to it through this variable, so a mismatch leaves the real key
# file unmonitored (tripwire warns at --init that the path does not exist).
HOSTNAME=myhostname;
# Property masks: '+' enables a check, '-' disables it. Letters:
#   p permissions, i inode, n link count, u uid, g gid, t type, s size,
#   d device the file is on, r device number (special files),
#   l growing size (may grow, must not shrink), b blocks, a atime,
#   m mtime, c ctime, C CRC32, M MD5, S SHA, H Haval.
# Device: for device nodes -- no inode, content or timestamp checks.
# (Defined but not used by any rule below.)
Device = +pugsdr-intlbamcCMSH ;
# Dynamic: content is expected to change; only permissions, inode, link
# count, owner, group, type and device are checked.
Dynamic = +pinugtd-srlbamcCMSH ;
# Growing: Dynamic plus 'l' -- size may only increase (log files).
# Defined but not used by the rules below; /var/log is a natural candidate.
Growing = +pinugtdl-srbamcCMSH ;
# IgnoreAll: never reported. IgnoreNone: every property except 'l'.
IgnoreAll = -pinugtsdrlbamcCMSH ;
IgnoreNone = +pinugtsdrbamcCMSH-l ;
# ReadOnly: the strict mask for binaries and config. Any change of content
# (CRC32/MD5), size, blocks, mtime, ownership, permissions, inode or link
# count is a violation; ctime, atime, device number, SHA and Haval are
# not checked (add +S on a line to also verify SHA for that object).
ReadOnly = +pinugtsdbmCM-rlacSH ;
# Temporary: permissions, owner, group and type only.
Temporary = +pugt ;
@@section FS
# The Tripwire tools themselves. If an attacker replaces these, every later
# check is meaningless, so they get the strict ReadOnly mask. They are also
# inside the recursive /usr/sbin entry below; an explicit entry like these
# takes precedence for the object it names and groups it under this rule
# name in the report.
(
rulename = "Tripwire Binaries",
)
{
$(TWBIN)/siggen -> $(ReadOnly) ;
$(TWBIN)/tripwire -> $(ReadOnly) ;
$(TWBIN)/twadmin -> $(ReadOnly) ;
$(TWBIN)/twprint -> $(ReadOnly) ;
}
# Tripwire's own state. The database directory and the signed config and
# policy are legitimately rewritten (tripwire --update, twadmin --create-*),
# which presumably gives them a new inode, hence the "-i" suffix dropping
# the inode check. The key files are pure ReadOnly: they are written once
# at setup and a changed key file means someone may now be able to re-sign
# the policy or the database.
(
rulename = "Tripwire Data Files",
)
{
$(TWDB) -> $(Dynamic) -i ;
$(TWPOL)/tw.pol -> $(ReadOnly) -i ;
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ;
# $(HOSTNAME) must equal the name used when the local key was generated.
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ;
$(TWSKEY)/site.key -> $(ReadOnly) ;
# don't scan the individual reports: a new .twr is written on every check,
# so only the directory itself is checked (recurse=0) and new report files
# are not counted as violations.
$(TWREPORT) -> $(Dynamic) (recurse=0) ;
}
# All of /etc, recursively, with every property except SHA, Haval and
# access time (-SHa). This is the noisiest of the strict rules: anything
# under /etc that the system rewrites on its own (resolver configuration,
# caches such as ld.so.cache, and similar) will be reported on every check.
# Add explicit $(Dynamic) or $(IgnoreAll) entries for those paths rather
# than relaxing the whole tree. The plain-text twcfg.txt/twpol.txt in
# /etc/tripwire are covered here too, so edits to them are detected.
(
rulename = "Global Configuration Files",
)
{
/etc -> $(IgnoreNone) -SHa ;
}
# Kernel, initrd and bootloader files: they change only on a kernel or
# bootloader update, so hold them ReadOnly. Expect violations right after
# patching; verify the update and re-baseline (tripwire --update) instead
# of relaxing the mask.
(
rulename = "OS Boot Files and Mount Points",
)
{
/boot -> $(ReadOnly) ;
}
# Despite the rule name, only /opt is listed: /dev is not monitored at all
# by this policy (it would need the $(Device) mask, which is defined in
# GLOBAL but unused). /opt holds third-party software; with $(Dynamic) only
# permissions, ownership, type, inode and link count are checked and
# content changes go unnoticed -- use $(ReadOnly) if nothing installed
# there is expected to change between package updates.
(
rulename = "OS Devices and Misc Directories",
)
{
/opt -> $(Dynamic) ;
}
# System binaries and libraries: content (CRC32/MD5), size, mtime,
# ownership and permissions must not change except through package
# updates. The /usr/* entries are also inside the recursive /usr entry of
# "Monitor Filesystems" with the same mask; listing them here only groups
# them under this rule name in the report.
(
rulename = "OS Binaries and Libraries",
)
{
/bin -> $(ReadOnly) ;
/lib -> $(ReadOnly) ;
/lib64 -> $(ReadOnly) ;
/sbin -> $(ReadOnly) ;
/usr/bin -> $(ReadOnly) ;
/usr/lib -> $(ReadOnly) ;
/usr/lib64 -> $(ReadOnly) ;
/usr/sbin -> $(ReadOnly) ;
}
# Locally installed software. /usr/local is listed recursively, so the
# subdirectory entries carry the same mask and only serve to group the
# report. Note that /usr/local/etc/tw.cfg, the symlink created during
# setup so tripwire finds its configuration, falls under this rule: if the
# link is retargeted, that is reported here.
(
rulename = "User Binaries and Libraries",
)
{
/usr/local -> $(ReadOnly) ;
/usr/local/bin -> $(ReadOnly) ;
/usr/local/etc -> $(ReadOnly) ;
/usr/local/include -> $(ReadOnly) ;
/usr/local/lib -> $(ReadOnly) ;
/usr/local/sbin -> $(ReadOnly) ;
/usr/local/share -> $(ReadOnly) ;
}
# root's home, with every property except SHA, Haval and access time.
# Shell history and similar files change on every interactive root login,
# so some noise is expected; it is also where an intruder with root tends
# to leave traces, which is why it is watched this closely. Anything
# written to /root between checks -- including a tripwire report redirected
# there -- is reported as an added file.
(
rulename = "Root Directory and Files",
)
{
/root -> $(IgnoreNone) -SHa ;
}
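# Broad, recursive coverage of the remaining trees. ReadOnly on /home and
# /var means every log line, cache file or spool entry is a reported
# violation, which quickly teaches people to ignore the daily report.
# The explicit /var/log entry uses the $(Growing) mask (declared in GLOBAL
# but otherwise unused): log files may grow but must not shrink, be
# rewritten in place, or change owner/mode; rotation still shows up as
# added/removed files. An explicit entry takes precedence over the
# recursive /var entry for the objects it names, so the rest of /var stays
# ReadOnly. Split the remainder of /var the same way as needed (e.g.
# $(Dynamic) for spool and cache directories).
(
rulename = "Monitor Filesystems",
)
{
/home -> $(ReadOnly) ; # Modify as needed: user data changes constantly
/usr -> $(ReadOnly) ;
/var -> $(ReadOnly) ;
/var/log -> $(Growing) ;
}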
Generate Keys
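# 1. Generate the site key (signs tw.cfg and tw.pol) and the local key
#    (signs the database and reports). twadmin prompts for a passphrase for
#    each; choose strong, distinct passphrases and keep them off the host.
#    The local key file name embeds the hostname, so the value of $HOSTNAME
#    here must be the same as HOSTNAME in twpol.txt (and in twcfg.txt if it
#    uses it); otherwise the policy's "Tripwire Data Files" rule points at a
#    key file that does not exist. $HOSTNAME is set by bash; under another
#    shell use "$(hostname)".
twadmin --generate-keys \
    --site-keyfile /etc/tripwire/site.key \
    --local-keyfile "/etc/tripwire/${HOSTNAME}-local.key"

# 2. Compile and sign the configuration from its plain-text source.
twadmin --create-cfgfile \
    --cfgfile /etc/tripwire/tw.cfg \
    --site-keyfile /etc/tripwire/site.key \
    /etc/tripwire/twcfg.txt

# 3. When --cfgfile is not given, tripwire falls back to a compiled-in
#    default path, evidently /usr/local/etc/tw.cfg on this build; the link
#    lets later invocations find the real file. (mkdir -p: do not fail if
#    the directory already exists; ln -f: replace a stale link on re-run.)
#    Passing --cfgfile explicitly on every invocation avoids the need for it.
mkdir -p /usr/local/etc
ln -sf /etc/tripwire/tw.cfg /usr/local/etc/tw.cfg

# 4. Compile and sign the policy.
twadmin --create-polfile \
    --cfgfile /etc/tripwire/tw.cfg \
    --polfile /etc/tripwire/tw.pol \
    --site-keyfile /etc/tripwire/site.key \
    /etc/tripwire/twpol.txt

# 5. The signed tw.cfg/tw.pol are what tripwire trusts. The plain-text
#    sources tell an intruder exactly what is (and is not) monitored, so
#    keep them root-only, or move them off the host once compiled.
chmod 600 /etc/tripwire/twcfg.txt /etc/tripwire/twpol.txt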
Initialize
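# Build the baseline database from the signed policy. Run this only on a
# host you know to be clean (ideally before it is exposed to the network):
# whatever is on disk now becomes "known good". tripwire prompts for the
# local-key passphrase to sign the database. --cfgfile is given explicitly
# so this step does not depend on the /usr/local/etc/tw.cfg symlink.
# Policy entries whose path does not exist are printed as warnings here;
# fix the policy (the HOSTNAME placeholder is the usual cause) rather than
# ignoring them. Afterwards copy the database (under /var/lib/tripwire)
# and the key files to read-only or offline media, since an intruder with
# root can otherwise replace the whole set and re-baseline the host.
tripwire --init --cfgfile /etc/tripwire/tw.cfg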
Check Files
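# Run an integrity check. The signed .twr report goes to the report
# directory from tw.cfg (TWREPORT in the policy: /var/lib/tripwire/report)
# regardless of where stdout is sent; read it later with
#   twprint --print-report --twrfile /var/lib/tripwire/report/<name>.twr
# Do not redirect stdout into /tmp: it is world-writable, a predictable
# name there is open to symlink tricks, and the output lists exactly which
# files changed. The report directory is scanned with recurse=0, so a text
# copy there does not itself show up as a violation on the next run (a copy
# in /root would, because /root is monitored with IgnoreNone).
umask 077
tripwire --check --cfgfile /etc/tripwire/tw.cfg \
    > "/var/lib/tripwire/report/tw-check-$(date +%Y%m%d-%H%M%S).txt"
# The exit status is non-zero when violations were found, so this command
# can drive a daily cron job or an alert directly.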
The End.