Monitoring and Detecting Modified Files using Tripwire on CentOS 7

Tripwire is a free and open source Intrusion Detection System (IDS). It's a security tool for monitoring and alerting file changes on the system. Tripwire is a powerful IDS that protects your system against unwanted changes. You can use it to monitor your system files, including website files, so when there is an unwanted file change, Tripwire will check your system and if set up correctly, can alert you on email.

In this tutorial, we will show you how to monitor and detect any changes in your system files other using Tripwire on CentOS 7 system. We will show you how to install and configure Tripwire on CentOS 7, how to generate Tripwire key files, configure and add tripwire policy, check the system, and enable email notifications for tripwire and cron setup.

What we will do

  1. Install Tripwire on CentOS 7
  2. Configure Tripwire Policy for CentOS 7
  3. Verifying Tripwire Configuration
  4. Add New Rule to Tripwire Policy
  5. Setup Tripwire Email Notification and Cron

Prerequisites

  • CentOS 7 System
  • Root Privileges

Step 1 - Install Tripwire on CentOS 7

The first step we must do is to install Tripwire on to the system. By default, tripwire is available in the CentOS 7 repository.

Login to your server and update all packages.

ssh [email protected]
sudo yum update -y

Now install Tripwire using yum.

yum -y install tripwire

After the installation, we need to generate new key files.

Tripwire works with 2 key files.

  1. site-key: It's used to secure Tripwire configuration. So any changes to the tripwire configuration will not be applied until we generate the configuration again, and we will be prompted for the 'site-key' passphrase for that.
  2. local-key: It's used for verifying the tripwire binary. When we want to update the tripwire system database, we need to run the tripwire command and we will be prompted for the passphrase for 'local-key'.

Let's generate new tripwire key files (site and local keys) using the command below.

sudo tripwire-setup-keyfiles

The command will generate two key files 'site-key' and 'local-key', and you will be asked for the passphrase for each of them.

Type your own 'site-key' passphrase and press Enter.

Set sitekey passphrase

Type your own 'local-key' passphrase and press Enter again.

Set local-key

Next, sign the tripwire configuration using the 'site-key'.

Type your 'site-key' passphrase.

configure site-key

And now for signing for Tripwire policy, type your 'local-key' passphrase.

Sign tripwire policy

Tripwire has been installed on CentOS 7, and new tripwire configuration and keys are located in the '/etc/tripwire' directory.

Step 2 - Configure Tripwire Policy for CentOS 7

After the tripwire installation we discussed in the first step, we need to initialize the tripwire database and make sure there is no error.

Initialize tripwire database using the tripwire command below.

sudo tripwire --init

You will be asked about the 'local-key' passphrase and you will likely get the error message 'no such directory' as below.

Configure tripwire policy on CentOS

We get the error because the system doesn't have a directory and files that are already defined in the tripwire configuration. To solve this error, we need to edit the tripwire configuration 'twpol.txt' and re-sign again the tripwire configuration.

Now generate the log error from tripwire using the command below.

sudo sh -c "tripwire --check | grep Filename > no-directory.txt"

All directories and files that don't exist on the CentOS 7 system are listed in the file 'mo-directory.txt'

cat no-directory.txt

cat no-directory.txt

Edit the tripwire configuration 'twpol.txt' by using the following bash script - run this script on your terminal.

for f in $(grep "Filename:" no-directory.txt | cut -f2 -d:); do
sed -i "s|\($f\) |#\\1|g" /etc/tripwire/twpol.txt
done

After all this, we need to regenerate and re-sign the tripwire configuration using the twadmin command as shown below.

sudo twadmin -m P /etc/tripwire/twpol.txt

Type your 'site-key' passphrase.

Reinitialize tripwire database again, and make sure you get no error.

sudo tripwire --init

Reinitialize tripwire database without any error.

twadmin command

Step 3 - Verifying Tripwire Configuration and Checking System

To verify tripwire configuration, we can run the system check command as below.

sudo tripwire --check

And you should get a result similar to the following.

Verifying Tripwire Configuration and Checking System

So this means there is no error and no system violation found on our system.

Now we will try to add a new file under the root home directory and check again using tripwire.

Go to the root home directory and create a new file 'hakase-labs.txt'.

cd ~/
touch hakase-labs.txt

Now check the system again using the tripwire command.

sudo tripwire --check

And you will get the result of the new violation on the system with severity 100 as below.

tripwire check

At this stage, Tripwire is installed and configured for CentOS 7 system.

Step 4 - Add New Rule to Tripwire Policy

In this step, we will show you how to add a new rule to the tripwire policy configuration 'twpol.txt'.

To perform this work, we need to define the rule name, severity, directory for monitoring, and type of files. In this step, we will create a new rule named 'Wordpress Data' for our WordPress installation in the '/var/www/' directory, with severity 'HIGH/SIG_HI', and all files in that directory are critical (both their ownership as well as source code cannot be changed).

Go to the tripwire configuration directory '/etc/tripwire' and edit the configuration file 'twpol.txt' using vim.

cd /etc/tripwire/
vim twpol.txt

Go to the end of the line and paste the following WordPress rule there.

# Ruleset for Wordpress
(
  rulename = "Wordpress Data",
  severity= $(SIG_HI)
)
{
        /var/www        -> $(SEC_CRIT);
}

Save and exit.

Regenerate and re-sign the configuration using the twadmin command as below.

sudo twadmin -m P /etc/tripwire/twpol.txt

Type your 'site-key' passphrase.

Now we need to regenerate the tripwire database again.

sudo tripwire --init

Type the 'local-key' passphrase.

A new rule set has been added and applied to the Tripwire policy configuration.

re-sign the configuration

Check your system using the tripwire command below.

sudo tripwire --check

And you should get the result saying with no error and violation.

Check violation with tripwire

Now go to the '/var/www/' directory and create a new file inside it.

cd /var/www/
touch hakase-labs.php

Create a test file

Do system checking using tripwire again.

sudo tripwire --check

And you will get the result saying system violation in '/var/www/' directory with security level High 100.

result of the test

A new rule has been added and applied to the Tripwire Policy configuration.

Step 5 - Setup Tripwire Email Notification and Cron

In this step, we will configure notifications for specific tripwire ruleset policy and configure a cronjob for automatic system checking. We will send a report for any violation of the 'Wordpress Data' rule to email address '[email protected]'.

For email notification, tripwire provides a function 'emailto' in the configuration. And by default, tripwire is using Postfix or Sendmail to send the report via email.

Before configuring email notifications, test tripwire notification feature using the command below.

sudo tripwire --test --email [email protected]

Check your email and you should get the email report from your server as below.

Tripwire report by email

Now go to the '/etc/tripwire' directory and edit the 'twpol.txt' configuration.

cd /etc/tripwire/
vim twpol.txt

Add new line 'emailto' inside the 'Wordpress Data' rule as shown below.

# Ruleset for Wordpress
(
  rulename = "Wordpress Data",
  severity= $(SIG_HI),
  emailto = [email protected]
)
{
        /var/www        -> $(SEC_CRIT);
}

Save and exit.

Regenerate and sign the configuration using the twadmin command.

sudo twadmin -m P /etc/tripwire/twpol.txt

Type your 'site-key' passphrase.

And regenerate the tripwire database.

sudo tripwire --init

Type your tripwire 'local-key' passphrase.

Configuration for Tripwire Email Notification has been completed.

generate and sign the configuration

Now do some test by creating a new file again in the '/var/www/' directory.

cd /var/www/
touch hakase.txt

Check your system again using the command below.

sudo tripwire --check --email-report

Note:

  • --email-report: Send report of the system to the email address defined in each rule.

Check your email and you should get the result as below on your email.

Email report

Email notification for Tripwire has been enabled and applied.

Next, we'll enable automatic Tripwire system checking using cron setup. For this, create a new cron script under the root user using the crontab command below.

sudo crontab -e -u root

Paste the following cron configuration.

0 0 * * * tripwire --check --email-report

Save and exit.

Note:

  • - The cron script will do tripwire system checking on a daily basis.

Now restart the crond service on CentOS 7.

systemctl restart crond

setup tripwire cronjob

Now you will get tripwire report notification to your email on daily basis.

Tripwire has been installed and configured for CentOS 7 system.

Reference

Share this page:

3 Comment(s)