Quick steps to set up TRIPWIRE - Host Based Intrusion Detection System

** How to setup tripwire quickly in 30 minutes **

1. Get the installer from the internet. You can either install from an RPM or compile from source code.
     http://sourceforge.net/projects/tripwire/
     You can download the source code from this link; it builds on any *nix system.
2. If you install from source code, the installation directory contains doc, etc, sbin, lib, man and share. Among these, etc holds all config files and sbin holds all required binaries.
3. Now you will need to generate two key files.

    (i) site.key, which protects the tripwire configuration and policy files. To generate the site.key file use the following command.
       ./sbin/twadmin -m G --site-keyfile site.key
       This will ask you for a passphrase that protects the key file. Choose a strong passphrase and remember it; you will need it whenever tw.cfg or tw.pol is regenerated.

    (ii) local.key, which protects the tripwire databases and report files. To generate the local.key file use the following command.
       ./sbin/twadmin -m G --local-keyfile local.key
       This will ask you for a passphrase that protects the key file. Choose a strong passphrase and remember it; you will need it whenever the baseline database is created or updated.

4. To edit, update or modify anything in the configuration file you need to edit twcfg.txt and then generate (or regenerate) the tw.cfg file.
    Open twcfg.txt in your favourite editor, make the necessary changes and run the following command.
    ./sbin/twadmin --create-cfgfile -S site.key ./etc/twcfg.txt
5. To edit, update or modify anything in the policy file you need to edit twpol.txt and then generate (or regenerate) the tw.pol file.
    Open twpol.txt in your favourite editor, make the necessary changes and run the following command.
    ./sbin/twadmin --create-polfile -S site.key ./etc/twpol.txt

    Note: For security reasons it is advisable to delete the clear-text twcfg.txt and twpol.txt files once tw.cfg and tw.pol have been generated (step 9 shows how to recover them).

6. Now it is time to generate the baseline database for your system, so that all future changes can be compared against it.
    Run the following command to generate the baseline database.
    ./sbin/tripwire --init
7. To check your system against the baseline database use the following command.
    ./sbin/tripwire --check
    This command rescans the whole system and compares it with the baseline database. If anything has changed it produces a report of those changes.

8. The baseline database and all reports are stored in ./share (the share directory under your tripwire installation directory). By default the baseline database and report
    files are encrypted by local.key. If you want to print them as human-readable text use the following commands.
    ./sbin/twprint --print-dbfile -d file.twd  [To print the baseline database in clear text]
    ./sbin/twprint --print-report -r file.twr  [To print a report in clear text]

9. To regenerate twcfg.txt from tw.cfg and twpol.txt from tw.pol use the following commands.
    ./sbin/twadmin --print-cfgfile > twcfg-new.txt
    ./sbin/twadmin --print-polfile > twpol-new.txt
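Putting steps 7 and 8 together for unattended use, here is an added example script (not part of the original page or the Tripwire project): it runs the check, prints the newest report with twprint and exits non-zero when violations are listed, so a cron job fails loudly. It assumes the directory layout above (binaries in $TW_ROOT/sbin, reports in $TW_ROOT/share) and the "Total violations found:" / "Added:" / "Modified:" layout of twprint's text output; the embedded sample report is constructed, not captured from a real host.

```shell
#!/bin/sh
# Cron-friendly wrapper for steps 7 and 8: run the check, decrypt the newest
# report with twprint and exit 1 when it lists any violation. Assumes the
# layout above: $TW_ROOT/sbin holds the binaries, $TW_ROOT/share the *.twr reports.
# Number of violations in a clear-text report on stdin (0 if the summary line is absent).
tw_violations() {
    n=$(sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# Each changed object as "<Added|Removed|Modified> <path>", taken from the
# Object Summary sections of a clear-text report on stdin.
tw_changes() {
    awk '
        /^(Added|Removed|Modified):$/ { kind = substr($0, 1, length($0) - 1); next }
        /^"/ { if (kind != "") { gsub(/"/, ""); print kind, $0 }; next }
        /^[^ ]/ { kind = "" }   # any other heading or separator ends the section
    '
}

# Run the check against the baseline and evaluate the newest report.
tw_check_and_report() {
    root=${1:-/usr/local/tripwire}
    "$root/sbin/tripwire" --check >/dev/null 2>&1 || true  # non-zero exit only flags violations
    latest=$(ls -t "$root"/share/*.twr 2>/dev/null | head -n 1)
    [ -n "$latest" ] || { echo "no report found under $root/share" >&2; return 2; }
    text=$("$root/sbin/twprint" --print-report -r "$latest")
    count=$(printf '%s\n' "$text" | tw_violations)
    if [ "$count" -gt 0 ]; then
        echo "tripwire: $count violation(s), see $latest" >&2
        printf '%s\n' "$text" | tw_changes >&2
        return 1
    fi
    echo "tripwire: no changes since baseline"
}

# Constructed sample in the layout of twprint's text report (not from a real
# host), so the parsing functions can be exercised without tripwire installed.
TW_SAMPLE_REPORT='Total objects scanned:  1024
Total violations found:  2
-------------------------------------------------------------------------------
Rule Name: System configuration files (/etc)
-------------------------------------------------------------------------------
Modified:
"/etc/passwd"
Added:
"/etc/cron.d/new job"'
# Usage: TW_RUN=1 sh tw-check.sh /usr/local/tripwire
if [ "${TW_RUN:-0}" = 1 ]; then tw_check_and_report "$1"; fi
```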
