Tripwire monitors files so you can tell if they have been changed without your knowledge. You can install it on Debian pretty easily like:
apt install tripwire

The package's debconf dialog walks you through a few prompts:
- Create new 'site-key' for Tripwire: choose 'Yes' and press Enter to continue.
- Create new 'local-key': choose 'Yes' and press Enter again.
- Rebuild Tripwire Configuration: choose 'Yes'.
- Rebuild Tripwire Policy: choose 'Yes'.
- Prompt for 'site-key' passphrase: type a password and choose 'OK'.
- Prompt for 'local-key' passphrase: type a password and choose 'OK'.
It’s set up, but now you have to initialize it so it establishes a baseline for your files like:
tripwire --init
please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix file system ***
...
### Continuing...
### Warning: File system error.
### Filename: /proc/3838/task/3838/fdinfo/4
### No such file or directory
...
### Continuing...
The object: "/proc/sys/fs/binfmt_misc" is on a different file system...ignoring.
Wrote database file: /var/lib/tripwire/www.twd
The database was successfully generated.
Now we weed out the errors, which come from policy entries for files that don't exist on this system:
sh -c "tripwire --check | grep Filename > no-directory.txt"
...
### Warning: File system error.
### Filename: /etc/rc.boot
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /root/mail
### No such file or directory
### Continuing...
...
So you should have a file with a bunch of entries in it like this:
cat no-directory.txt
Filename: /etc/rc.boot
Filename: /root/mail
Filename: /root/Mail
Filename: /root/.xsession-errors
Filename: /root/.xauth
Filename: /root/.tcshrc
Filename: /root/.sawfish
Filename: /root/.pinerc
Filename: /root/.mc
Filename: /root/.gnome_private
Filename: /root/.gnome-desktop
Filename: /root/.gnome
Filename: /root/.esd_auth
Filename: /root/.elm
Filename: /root/.cshrc
Filename: /root/.bash_profile
Filename: /root/.bash_logout
Filename: /root/.amandahosts
Filename: /root/.addressbook.lu
Filename: /root/.addressbook
Filename: /root/.Xresources
Filename: /root/.Xauthority
Filename: /root/.ICEauthority
Filename: /proc/4002/fd/3
Filename: /proc/4002/fdinfo/3
Filename: /proc/4002/task/4002/fd/3
Filename: /proc/4002/task/4002/fdinfo/3
Now edit the plain-text policy file (twpol.txt) and tell it to ignore those:
cd /etc/tripwire
vi twpol.txt

(Edit twpol.txt, not tw.pol: tw.pol is the compiled, signed policy that twadmin generates from twpol.txt in the next step.) Comment out the entries for objects that don't exist:

#/etc/rc.boot            -> $(SEC_BIN) ;                    <-- comment out line
#/var/lock               -> $(SEC_CONFIG) ;                 <-- comment out line
#/var/run                -> $(SEC_CONFIG) ; # daemon PIDs   <-- comment out line

Comment the next lines like:

/root                    -> $(SEC_CRIT) ; # Catch all additions to /root
#/root/mail              -> $(SEC_CONFIG) ;
#/root/Mail              -> $(SEC_CONFIG) ;
#/root/.xsession-errors  -> $(SEC_CONFIG) ;
#/root/.xauth            -> $(SEC_CONFIG) ;
#/root/.tcshrc           -> $(SEC_CONFIG) ;
#/root/.sawfish          -> $(SEC_CONFIG) ;
#/root/.pinerc           -> $(SEC_CONFIG) ;
#/root/.mc               -> $(SEC_CONFIG) ;
#/root/.gnome_private    -> $(SEC_CONFIG) ;
#/root/.gnome-desktop    -> $(SEC_CONFIG) ;
#/root/.gnome            -> $(SEC_CONFIG) ;
#/root/.esd_auth         -> $(SEC_CONFIG) ;
#/root/.elm              -> $(SEC_CONFIG) ;
#/root/.cshrc            -> $(SEC_CONFIG) ;
/root/.bashrc            -> $(SEC_CONFIG) ;
#/root/.bash_profile     -> $(SEC_CONFIG) ;
#/root/.bash_logout      -> $(SEC_CONFIG) ;
/root/.bash_history      -> $(SEC_CONFIG) ;
#/root/.amandahosts      -> $(SEC_CONFIG) ;
#/root/.addressbook.lu   -> $(SEC_CONFIG) ;
#/root/.addressbook      -> $(SEC_CONFIG) ;
#/root/.Xresources       -> $(SEC_CONFIG) ;
#/root/.Xauthority       -> $(SEC_CONFIG) -i ;
#/root/.ICEauthority     -> $(SEC_CONFIG) ;

And in the devices section, comment out the /dev and /proc catch-alls (the /proc/<pid> entries come and go with every process) while keeping the specific entries:

#/dev                    -> $(Device) ;
#/proc                   -> $(Device) ;
/dev/block               -> $(Device) ;
/dev/bsg                 -> $(Device) ;
/dev/bus                 -> $(Device) ;
/dev/char                -> $(Device) ;
/dev/disk                -> $(Device) ;
/dev/mapper              -> $(Device) ;
/dev/net                 -> $(Device) ;
/dev/snd                 -> $(Device) ;
/dev/vfio                -> $(Device) ;
/dev/virtio-ports        -> $(Device) ;
/proc/devices            -> $(Device) ;
/proc/net                -> $(Device) ;
/proc/tty                -> $(Device) ;
/proc/cpuinfo            -> $(Device) ;
/proc/modules            -> $(Device) ;
/proc/mounts             -> $(Device) ;
/proc/dma                -> $(Device) ;
/proc/filesystems        -> $(Device) ;
/proc/interrupts         -> $(Device) ;
/proc/ioports            -> $(Device) ;
/proc/kcore              -> $(Device) ;
/proc/self               -> $(Device) ;
/proc/kmsg               -> $(Device) ;
/proc/stat               -> $(Device) ;
/proc/loadavg            -> $(Device) ;
/proc/uptime             -> $(Device) ;
/proc/locks              -> $(Device) ;
/proc/meminfo            -> $(Device) ;
/proc/misc               -> $(Device) ;
Now re-create the signed policy file from the edited text like:
twadmin -m P /etc/tripwire/twpol.txt
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
Now re-run the database initialization; you *shouldn’t* see errors anymore:
tripwire --init
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /var/lib/tripwire/www.twd
The database was successfully generated.
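The weeding-out steps above (grep the warnings, then comment out the matching rules in twpol.txt) can be scripted so they are repeatable on the next host. This is an added example and not part of the original post; the check output and the policy excerpt inside demo() are constructed sample data, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): automate the "weed out the
# errors" step. extract_missing pulls paths out of tripwire's warnings and
# comment_missing_rules comments out exactly those objects in a policy copy.

# Print one path per line for every "### Filename: ..." warning read on stdin.
extract_missing() {
    sed -n 's/^### Filename: //p'
}

# $1 = policy file (edited in place), $2 = file with missing paths, one per line.
# Only a rule whose object is exactly a listed path gets a leading '#';
# neighbours such as /root/.bashrc are left alone.
comment_missing_rules() {
    awk -v listfile="$2" '
        BEGIN { while ((getline p < listfile) > 0) missing[p] = 1 }
        {
            line = $0
            sub(/^[ \t]+/, "", line)          # drop indentation
            n = split(line, f, /[ \t]+/)      # f[1] = object, f[2] = "->"
            if (n >= 2 && f[2] == "->" && (f[1] in missing)) print "#" $0
            else print $0
        }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Run both steps on constructed data and print the resulting policy text.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/check.log" <<'EOF'
### Warning: File system error.
### Filename: /etc/rc.boot
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /root/mail
### No such file or directory
EOF
    cat > "$tmp/twpol.txt" <<'EOF'
  /etc/rc.boot    -> $(SEC_BIN) ;
  /root           -> $(SEC_CRIT) ; # Catch all additions to /root
  /root/mail      -> $(SEC_CONFIG) ;
  /root/.bashrc   -> $(SEC_CONFIG) ;
EOF
    extract_missing < "$tmp/check.log" > "$tmp/missing.txt"
    comment_missing_rules "$tmp/twpol.txt" "$tmp/missing.txt"
    cat "$tmp/twpol.txt"
    rm -rf "$tmp"
}
demo
```

On a real host you would run `tripwire --check 2>&1 | extract_missing > missing.txt` and point comment_missing_rules at a backup copy of /etc/tripwire/twpol.txt, then recompile with twadmin as shown above.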
Now run a check of your system like:
tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/www-20190813-153915.twr

Open Source Tripwire(R) 2.4.2.2 Integrity Check Report

Report generated by:          root
Report created on:            Tue 13 Aug 2019 03:39:15 PM PDT
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    whatever
Host IP address:              1.2.3.4
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/www.twd
Command line used:            tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Other binaries                  66                0        0        0
  Tripwire Binaries               100               0        0        0
  Other libraries                 66                0        0        0
  Root file-system executables    100               0        0        0
  Tripwire Data Files             100               0        0        0
  System boot changes             100               0        0        0
  (/var/log)
  Root file-system libraries      100               0        0        0
  (/lib)
  Critical system boot files      100               0        0        0
* Other configuration files       66                0        0        1
  (/etc)
  Boot Scripts                    100               0        0        0
  Security Control                66                0        0        0
* Root config files               100               0        0        2
  Devices & Kernel information    100               0        0        0
  Invariant Directories           66                0        0        0

Total objects scanned:  21610
Total violations found:  3

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Other configuration files (/etc)
Severity Level: 66
-------------------------------------------------------------------------------

Modified:
"/etc/tripwire"

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/root"
"/root/.viminfo"

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
This tells us that something in /etc/tripwire was modified (we edited the policy there), and that root's vim log (/root/.viminfo) changed because we were using vi (aliased to vim).
Now let’s delete the temp file, add a new file and see if it triggers:
cd /root
rm .viminfo
touch somefile.txt
tripwire --init
tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/www-20190813-154856.twr

Open Source Tripwire(R) 2.4.2.2 Integrity Check Report

Report generated by:          root
Report created on:            Tue 13 Aug 2019 03:48:56 PM PDT
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    whatever
Host IP address:              1.2.3.4
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/www.twd
Command line used:            tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Other binaries                  66                0        0        0
  Tripwire Binaries               100               0        0        0
  Other libraries                 66                0        0        0
  Root file-system executables    100               0        0        0
  Tripwire Data Files             100               0        0        0
  System boot changes             100               0        0        0
  (/var/log)
  Root file-system libraries      100               0        0        0
  (/lib)
  Critical system boot files      100               0        0        0
  Other configuration files       66                0        0        0
  (/etc)
  Boot Scripts                    100               0        0        0
  Security Control                66                0        0        0
* Root config files               100               1        0        1
  Devices & Kernel information    100               0        0        0
  Invariant Directories           66                0        0        0

Total objects scanned:  20797
Total violations found:  2

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/root/somefile.txt"

Modified:
"/root"

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
So it flags that /root was modified and that somefile.txt was added there, which means it works!
If you want more detail about either event, run the check interactively:
tripwire --check --interactive
...
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
----------------------------------------
Added Objects: 1
----------------------------------------

Added object name:  /root/somefile.txt

  Property:            Expected                    Observed
  -------------        -----------                 -----------
* Object Type          ---                         Regular File
* Device Number        ---                         65025
* File Device Number   ---                         0
* Inode Number         ---                         131075
* Mode                 ---                         -rw-r--r--
* Num Links            ---                         1
* UID                  ---                         root (0)
* GID                  ---                         root (0)
* Size                 ---                         0
* Modify Time          ---                         Tue 13 Aug 2019 03:48:50 PM PDT
* Change Time          ---                         Tue 13 Aug 2019 03:48:50 PM PDT
* Blocks               ---                         0
* CRC32                ---                         D/////
* MD5                  ---                         DUHYzZjwCyBOmACZjs+EJ+
If you want to add other directories to check, you can just add a rule at the end of the policy file. In this case I also added an email address so I’ll get an email report if it finds anything once the process is automated. To see whether your email setup is working, try this first:
tripwire --test --email your@emailaddress.com
Sending a test message to: your@emailaddress.com
Make sure you got the email, then add the rule to the policy file like:
vi /etc/tripwire/twpol.txt

## Added later to check wordpress directories
(
  rulename = "Wordpress",
  severity = $(SIG_MED),
  emailto = your@emailaddress.com
)
{
  /var/www -> $(SEC_BIN) ;
}

emailto is a rule attribute like rulename and severity, so it goes inside the parentheses, not inside the braces with the object rules. Then recompile the policy, rebuild the baseline and check:

twadmin -m P /etc/tripwire/twpol.txt
tripwire --init
tripwire --check
...
-------------------------------------------------------------------------------
Rule Name: Wordpress (/var/www)
Severity Level: 66
-------------------------------------------------------------------------------

Added:
"/var/www/whoops"

Modified:
"/var/www"
Now automate the check so you get notification emails. Add this line to your crontab. This particular line runs every other day at 2 a.m., so change it to whatever you actually want.
crontab -e
0 2 */2 * * tripwire --check --email-report