How To Install Tripwire On Windows

Open Source Tripwire® is a security and data integrity tool for monitoring. Ago #36 Tripwire Install in Kubernetes Opened by Mohitg06 over 1 year ago.

{ Setting up tripwire }

• What is tripwire?
  • If an attacker gets on to your servers, do you know what they changed?
  • Did they modify any of your important files, such as 'su' or 'cp' or 'rm'? How would you know this?
  • One answer is the Open Source project Tripwire. This tutorial will cover how to install, configure and maintain Tripwire.
  • Open Source Tripwire is a free software security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems.
  • Rather than attempting to detect intrusions at the network interface level (as in network intrusion detection systems), Open Source Tripwire detects changes to file system objects.

1. Play virtual machine. (See Below)

1. Login As student
2. Start Up A Terminal.
   • Applications --> System Tools --> Terminal
3. Switch User to root
   • Command: su - root
4. Determine IP Address and Network Connection.
   • Command: ifconfig -a
   • Note: In my case, the IP Address is 192.168.1.112.

• Note
  • Perl is not a requirement for tripwire.
  • However, I will later be using perl to reduce false positives in the /etc/tripwire/twpol.txt file.

1. Install tripwire
   • Command: yum install 'perl'
2. Install perl's rpm
   • Command: Type 'y', and hit enter
3. Verify Installation Results
   • Note: Just take note of what is getting installed along with the completion notice.

1. Install tripwire
   • Command: yum install 'tripwire'
2. Install tripwire's rpm
   • Command: Type 'y', and hit enter
3. Verify Installation Results
   • Note: Just take note of what is getting installed along with the completion notice.

1. Setup keyfiles in tripwire
   • Command: /usr/sbin/tripwire-setup-keyfiles
   • Note:
     • During install it will ask you to set up a site keyfile passphrase and a local keyfile passphrase.
     • They are used to administer Tripwire, and encrypt the Tripwire policy files.
     • This is to protect them against attackers modifying the policies.
2. Site keyfile passphrase
   • Command: Enter the site keyfile passphrase:
   • Note: I recommend using the same password for both site and the local keyfile.
3. Local keyfile passphrase
   • Command: Enter the local keyfile passphrase
   • Note: Use the same password as you did with the site keyfile.
4. Initialize Tripwire
   • Command: tripwire --init
   • Note: You will be required to enter your previously created passphrase.
5. Verify Results
   • Notes:
     • The tripwire database file was written to: /var/lib/tripwire/fedora14.twd.
     • Also, you should have received a completion message.
6. Run tripwire
   • Command: tripwire -m c grep Filename >> /var/tmp/firstrun.txt
   • Note: You will be required to enter your previously created passphrase.
7. Looking at the firstrun file.
   • Command: more /var/tmp/firstrun.txt
   • Note:
     • This run should report many out of compliance problems. This is because the default configuration checks many files that may not exist on your server.
     • This can be because you didn’t install the software, because you removed software or because you installed it from source. Whatever the reason, we want to turn off these false positives so that we don’t get huge reports each time Tripwire runs.

1. Navigate to the tripwire configuration directory
   • Command: cd /etc/tripwire
2. Make a backup copy of the
   • Command: cp twpol.txt twpol.txt.BKP
   • Note: When modifying any configuration file, it is always a good idea make a backup file. Although Unix/Linux is a superior Operating System to Windows, it lacks 'undo'.
3. Highlight and copy the code
   • Command: Highlight the below code, right-click and copy.
   • Pasting Problem Notes: Bring up your web browser inside of Fedora itself, if you are having trouble cutting and pasting from your desktop to Fedora.
   • Code:

     #!/usr/bin/perl
     #Path to tripwire policy backup file
     $policy_file = '/etc/tripwire/twpol.txt.BKP';
     #Put tripwire policy file into an array
     @CONTENT = `cat $policy_file`;
     #False Positive Entries we want to ignore
     @IGNORE_LIST = `awk '{print $2}' /var/tmp/firstrun.txt`;
     #Open a new file called twpol.txt
     open(NEWFILE,'>/etc/tripwire/twpol.txt');
     #Go through each line in the twpol.txt.BKP file
     foreach my $line (@CONTENT)
     {
     #Chop off the hard return at the end of each line
     chomp($line);
     #Reset IGNORE_FLAG before each check
     my $IGNORE_FLAG = 'F';
     #Then check the line against the ignore list
     foreach my $entry (@IGNORE_LIST)
     {
     #Chop off the hard return at the end of each line
     chomp($entry);
     #Compare tripwire line against each ignore list line
     if(($line =~ m/s$entrys/)&&($line =~ m/-> $/))
     {
     #Setting the FLAG to true means a match was found
     $IGNORE_FLAG = 'T';
     print '[Ignoring]: $linen';
     }
     }
     if($IGNORE_FLAG eq 'F')
     {
     #Write policy entry to file, if not found in the ignore list
     print NEWFILE '$linen';
     }
     }
     close(NEWFILE);

4. Create Perl Script
   • Command:
     • vi /etc/tripwire/configure_twpol.pl
5. Past the code into a vi session.
   • Command:
     1. Press the 'i' key to get into insert mode.
     2. Edit --> Paste
     3. Type ':wq' to save and quit.
6. Make the file executable only by root.
   • Command:
     1. chmod 700 /etc/tripwire/configure_twpol.pl
     2. chown root:root /etc/tripwire/configure_twpol.pl
7. Execute
   • Command: /etc/tripwire/configure_twpol.pl
8. Results
   • Notes: After executing the above perl script you will see lines in the twpol.txt that were ignored and not written to the new twpol.txt file.
9. Display data collected by sar in multiple formats.
   • Command:
     1. ls -lrta twpol.txt*
     2. wc -l twpol.txt*
   • Notes: Notice the both the bytesize and number of lines of twpol.txt is much less than twpol.txt.BKP

1. Re-initialize tripwire policy
   • Command: twadmin -m P /etc/tripwire/twpol.txt
2. Re-initialize tripwire database
   • Command:
     1. tripwire -m i
     2. Enter your local passphrase
3. Re-initialize tripwire database
   • Command: tripwire -m c grep Filename > /var/tmp/secondrun.txt
4. Compare firstrun.txt to secondrun.txt
   • Command: ls -lrta /var/tmp/*run.txt
   • Note: Notice the bytesize for secondrun.txt if zero. This means all false positives have been cleaned up.
   • Proof of Lab: Do a PrtScn, Paste into a word document and upload to Moodle.

1. Create a cron file for tripwire
   • Command: vi /etc/cron.d/tripwire
2. Adding entries to the tripwire cron file.
   • Command:
     1. Press 'i' to go into insert mode
     2. #Tripwire will run everyday at 2AM server local time
     3. 0 2 * * * root /usr/sbin/tripwire -m c > /var/tmp/tripwire.`date +%Y%m%d`
     4. 0 3 * * * root cat /var/tmp/tripwire.`date +%Y%m%d` mailx -s 'Tripwire Report' example@email.com
     5. Press the 'Esc' key
     6. Type ':wq' to save and quit.

1. Cut and Paste a screen shot of Section 7, Step 4 into a word document and upload to Moodle.

Tripwire v2.3 software ensures the integrity of critical system files and directories by identifying all changes made to specified system files and directories. Configure Tripwire software to monitor your system in the way that is best for you.

Tripwire software works by comparing files and directories against a baseline. It generates the baseline by taking a snapshot of specified files and directories in a known secure state. Tripwire software then compares the current system against the baseline and reports any modifications, additions, or deletions. Use Tripwire software for system security, intrusion detection, damage assessment, and recovery forensics.

While it is recommended that Tripwire be selected and installed during the Red Hat Linux 7.0 installation process, it is possible to install it after your Red Hat Linux system has been installed. The following steps outline this process:

Locate the RedHat/RPMS directory on the Red Hat Linux 7.0 CD-ROM.

Locate the Tripwire binary RPM.

Type rpm -i <name> (where <name> is the name of the Tripwire RPM found in step 2)

After installing the Tripwire binary RPM, follow the post-installation instructions outlined below.

We recommend you read the release notes and README file.

The Tripwire binary RPM installs the basic program files needed to run the software. However, this installation does not complete custom configurations that Tripwire 2.3 needs to perform correctly. After you unpack the RPM, you must:

Run the configuration script /etc/tripwire/twinstall.sh to sign these files. This script walks you through the processes of setting passphrases and signing the Tripwire policy and configuration files.

Once encoded and signed, the configuration file should not be renamed or moved.

Initialize the Tripwire database file. (/usr/sbin/tripwire--init)

Run the first integrity check. (/usr/sbin/tripwire--check)

Edit the configuration file (twcfg.txt) with a text editor, if desired.

Edit the policy file (twpol.txt) with a text editor, if desired.

If you plan to modify the policy file, we recommend you do so before running the configuration script. If you modify the policy file after running the configuration script, you must re-run the configuration file before initializing the database file.