How to Install and Configure Tripwire IDS on Debian 10

Date: 2021-05-09

Tripwire is a free and open-source intrusion detection system for Linux. It detects and reports unauthorized changes to files and directories, and it can alert you by email when a file or directory changes. Tripwire works by comparing the current filesystem state against a known baseline and reporting any changes it detects.

In this post, we will show you how to install and configure Tripwire on Debian 10.

Prerequisites

  • A server running Debian 10.
  • A root password is configured on the server.

Getting Started

First, update the system packages to their latest versions by running the following command:

apt-get update -y

Once all the packages are updated, you can proceed to the next step.

Install Tripwire

The Tripwire package is available in the default Debian 10 repository. You can install it using the following command:

apt-get install tripwire -y

During the installation, you will be asked to select the email configuration as shown below:

Install Tripwire IDS

Select your desired option and hit ENTER. You will be asked to set up a system mail name as shown below:

Postfix configuration

Provide your system mail name and hit ENTER. You will be asked to create your site key passphrase as shown below:

Tripwire Passphrase

Select Yes and hit ENTER. You will be asked to rebuild the Tripwire configuration file as shown below:

Rebuild configuration file

Select Yes and hit ENTER. You will be asked to rebuild your Tripwire policy file as shown below:

Rebuild policy file

Select Yes and hit ENTER. You will be asked to provide your site-key passphrase as shown below:

Set a site key

Provide your password and hit ENTER. You will be asked to set your local key passphrase as shown below:

Set local passphrase

Provide your password and hit ENTER. Once Tripwire has been installed, you should see the following screen:

Tripwire installation finished

Click on the Ok button to finish the installation.

Configure Tripwire

Next, you will need to generate the Tripwire configuration and policy files and initialize the database. First, change to the Tripwire configuration directory and list its key and configuration files with the following commands:

cd /etc/tripwire/
ls

You should see the following output:

debian10-local.key  site.key  tw.cfg  twcfg.txt  tw.pol  twpol.txt

Next, edit the Tripwire configuration file and set REPORTLEVEL to 4:

nano /etc/tripwire/twcfg.txt

Change the following line:

REPORTLEVEL   =4

Save and close the file when you are finished.

Next, generate a new configuration file with the following command:

twadmin -m F -c tw.cfg -S site.key twcfg.txt

You will be asked to provide your site passphrase as shown below:

Please enter your site passphrase: 
Wrote configuration file: /etc/tripwire/tw.cfg

Next, create a twpolmake.pl script that adapts the Tripwire policy to this host: it sets the correct HOSTNAME and comments out policy entries for files that do not exist on the system.

nano twpolmake.pl

Add the following lines:

#!/usr/bin/perl
# Rewrites a Tripwire policy file for this host: sets HOSTNAME to the real
# hostname, comments out rule entries whose paths do not exist here, and
# re-enables entries whose paths do exist. Usage: perl twpolmake.pl twpol.txt
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while (<POL>) {
    chomp;
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        # Replace the HOSTNAME in the policy with the output of hostname(1)
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    elsif ( /^\{/ ) {
        $INRULE=1 ;        # entering a rule block
    }
    elsif ( /^\}/ ) {
        $INRULE=0 ;        # leaving a rule block
    }
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        # $sharp: leading whitespace plus an optional '#', $tpath: the path,
        # $cond: the " -> property mask ;" part of the entry
        $ret = ($sharp =~ s/\#//g) ;   # strip an existing '#'; $ret is 1 if one was removed
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        if (! -s $tpath) {
            # Path missing or empty: comment the entry out unless it already was
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            # Path exists: emit the entry uncommented
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;

Save and close the file, then generate the adapted policy text and compile it into the signed policy file with the following commands:

perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new

You should see the following output:

Please enter your site passphrase: 
Wrote policy file: /etc/tripwire/tw.pol

Next, initialize the Tripwire database with the following command:

tripwire -m i -s -c tw.cfg

You should see the following output:

Please enter your local passphrase: 
### Warning: File system error.
### Filename: /var/lib/tripwire/debian10.twd
### No such file or directory
### Continuing...

You can also display the generated database with the following command:

twprint -m d -d /var/lib/tripwire/debian10.twd

You should see the following output:

Open Source Tripwire(R) 2.4.3.7 Database

Database generated by:        root
Database generated on:        Sun 09 May 2021 08:39:18 AM UTC
Database last updated on:     Never

===============================================================================
Database Summary: 
===============================================================================

Host name:                    debian10
Host IP address:              45.58.38.142
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/debian10.twd
Command line used:            tripwire -m i -s -c tw.cfg 

===============================================================================
Object Summary: 
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

If you want to update the Tripwire database, run the following command:

tripwire --update --accept-all

Because no integrity-check report exists yet for update mode to read, this fails with the following output:

### Error: File could not be opened.
### Filename: /var/lib/tripwire/report/debian10-20210509-084141.twr
### No such file or directory
### Exiting...

Now run an integrity check with the following command:

tripwire -m c -s -c /etc/tripwire/tw.cfg

You should see the following output:

Open Source Tripwire(R) 2.4.3.7 Integrity Check Report

Report generated by:          root
Report created on:            Sun 09 May 2021 08:42:15 AM UTC
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    debian10
Host IP address:              45.58.38.142
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/debian10.twd
Command line used:            tripwire -m c -s -c /etc/tripwire/tw.cfg 

===============================================================================
Rule Summary: 
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified 
  ---------                       --------------    -----    -------  -------- 
  Other binaries                  66                0        0        0        
  Tripwire Binaries               100               0        0        0        
  Other libraries                 66                0        0        0        
  Root file-system executables    100               0        0        0        
* Tripwire Data Files             100               1        0        0        
  System boot changes             100               0        0        0        
  Root file-system libraries      100               0        0        0        
  (/lib)
  Critical system boot files      100               0        0        0        
* Other configuration files       66                0        0        1        
  (/etc)
  Boot Scripts                    100               0        0        0        
  Security Control                66                0        0        0        
  Root config files               100               0        0        0        
  Devices & Kernel information    100               0        0        0        
  (/dev)
  Invariant Directories           66                0        0        0        

Total objects scanned:  27975
Total violations found:  2

===============================================================================
Object Summary: 
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire/debian10.twd)
Severity Level: 100
-------------------------------------------------------------------------------

By default, Tripwire report files are located at /var/lib/tripwire/report/:

ls /var/lib/tripwire/report/

Output:

debian10-20210509-084215.twr

You can check this report using the following command:

twprint -m r -t 4 -r /var/lib/tripwire/report/debian10-20210509-084215.twr

Verify Tripwire IDS

At this point, Tripwire is installed and configured. Now it's time to check whether Tripwire is working.

First, create some test files in the current directory (here, /root) with the following command:

touch fil1 file2 file3 file4 file5

Now run an interactive Tripwire check to see whether it detects these files:

tripwire --check --interactive

You should see the newly created files in the following output:

Open Source Tripwire(R) 2.4.3.7 Integrity Check Report

Report generated by:          root
Report created on:            Sun 09 May 2021 08:46:36 AM UTC
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    debian10
Host IP address:              45.58.38.142
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/debian10.twd
Command line used:            tripwire --check --interactive

===============================================================================
-------------------------------------------------------------------------------
Rule Name: Other configuration files (/etc)
Severity Level: 66
-------------------------------------------------------------------------------

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Modified:
[x] "/etc/tripwire"

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Added:
[x] "/root/file4"
[x] "/root/file3"
[x] "/root/fil1"
[x] "/root/file2"
[x] "/root/file5"

Modified:
[x] "/root"

===============================================================================

You can also check the generated report later using the following command:

twprint --print-report --twrfile /var/lib/tripwire/report/debian10-20210509-084636.twr

Automate Tripwire Report

You can also set up a cron job to run a Tripwire check at a specific time. You can do it with the following command:

crontab -e

Add the following lines:

00 06 * * * /usr/sbin/tripwire --check

Save and close the file when you are finished.

This cron entry runs a Tripwire check every morning at 06:00. You can find the generated reports in /var/lib/tripwire/report/.
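The cron entry above only writes a report. The following wrapper, an added example that is not part of the original article, runs the check, locates the report it just wrote in /var/lib/tripwire/report/, prints it with twprint, and exits non-zero when violations were found, so cron mails the output and the run stands out. It assumes the Debian paths used in this article and a script name of /usr/local/sbin/tripwire-check.sh (chosen here), to be scheduled as `00 06 * * * /usr/local/sbin/tripwire-check.sh`.

```shell
#!/bin/sh
# Added example (not from the original article): cron wrapper around the
# Tripwire check described above. Assumes the Debian paths the article uses
# and a script name of /usr/local/sbin/tripwire-check.sh (chosen here).
set -u

REPORT_DIR="${TRIPWIRE_REPORT_DIR:-/var/lib/tripwire/report}"
TW_CFG="${TRIPWIRE_CFG:-/etc/tripwire/tw.cfg}"

# Report names are <host>-<YYYYMMDD>-<HHMMSS>.twr, so a plain sort puts the
# newest one last. Prints its path, or nothing if no report exists.
newest_report() {
    ls "$1"/*.twr 2>/dev/null | sort | tail -n 1
}

# Reads twprint -m r output on stdin and prints the number after
# "Total violations found:" (0 if that line is absent).
violation_count() {
    n=$(sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# Runs the check silently, prints the report it produced at the REPORTLEVEL
# the article set (-t 4), and returns 1 when violations were found so that
# cron's mailed output and the non-zero exit flag the run for review.
run_check() {
    tripwire -m c -s -c "$TW_CFG" >/dev/null 2>&1
    report=$(newest_report "$REPORT_DIR")
    if [ -z "$report" ]; then
        echo "tripwire-check: no report found in $REPORT_DIR" >&2
        return 2
    fi
    text=$(twprint -m r -t 4 -r "$report")
    count=$(printf '%s\n' "$text" | violation_count)
    if [ "$count" -gt 0 ]; then
        printf '%s\n' "$text"
        # Update mode reads an existing report; pass it with -r (the bare
        # "tripwire --update" earlier in the article failed for lack of one).
        echo "tripwire-check: $count violation(s); after review run: tripwire -m u -r $report" >&2
        return 1
    fi
    return 0
}

# Only run the real check when invoked as the installed script, so the
# functions above can be sourced and tested without Tripwire present.
case "$0" in
    */tripwire-check.sh|tripwire-check.sh) run_check ;;
esac
```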

Conclusion

Congratulations! You have successfully installed and configured Tripwire IDS on Debian 10. I hope this will help you to check which files or directories are modified on your system.

