SINT - Deploying tripwire in CentOS

After installing tripwire from the repository, the /etc/tripwire directory (on CentOS) contains two files: twcfg.txt and twpol.txt. These files alone aren't sufficient, and we need to take some additional steps to get tripwire working.

After checking the configuration and policy files mentioned above, we need to generate two keys named site.key and $HOSTNAME-local.key (check twcfg.txt for the proper names). $HOSTNAME is a variable containing our system hostname; for this mini-article we will use mybox as its value.
 
cd /etc/tripwire
twadmin -m G -S site.key
 # we will be prompted for passphrase
 
twadmin -m G -L mybox-local.key
 # -L creates the local key (-S is for the site key); we will be prompted for passphrase
 

Now we can create the configuration and policy files from their text versions.
 
twadmin --create-cfgfile -S site.key twcfg.txt
 # we will be prompted for site key passphrase
 
twadmin --create-polfile -S site.key twpol.txt
 # we will be prompted for site key passphrase
 

Check the files in the directory. We can delete the .txt files now, but it's a good idea to keep them somewhere safe for future modifications and for regenerating the binary files from them.
-rw-r--r--   1 root root   931 Aug 27 10:28 mybox-local.key
-rw-r--r--   1 root root   931 Aug 27 10:25 site.key
-rw-r--r--   1 root root  4586 Aug 27 10:32 tw.cfg
-rw-r--r--.  1 root root   603 Jul  6  2010 twcfg.txt
-rw-r--r--   1 root root  4159 Aug 27 10:35 tw.pol
-rw-r--r--   1 root root  7590 Aug 27 10:34 twpol.txt

Finally, we can run tripwire --init to build the database against which filesystem integrity will be checked.
To test it, you can run tripwire --check.

By default, there is a tripwire-check script in /etc/cron.daily, so our filesystem will be checked every day.
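
An added example, not part of the original article: a small POSIX shell function that audits the directory after the steps above. It reports missing keys or binary files, plaintext twcfg.txt/twpol.txt left behind, and files writable by group or others; the function name and the MISSING/PLAINTEXT/WRITABLE labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a Tripwire directory after the setup steps.
# The function name and the MISSING/PLAINTEXT/WRITABLE labels are
# assumptions of this example, not tripwire output.
# Usage: audit_tripwire_dir [DIR] [HOSTNAME]
audit_tripwire_dir() {
    dir=${1:-/etc/tripwire}
    host=${2:-$(hostname)}
    findings=0

    # Keys and signed binary files the procedure should have produced.
    for f in site.key "$host-local.key" tw.cfg tw.pol; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING $f"
            findings=$((findings + 1))
        fi
    done

    # Plaintext sources that should be moved to a safe place.
    for f in twcfg.txt twpol.txt; do
        if [ -f "$dir/$f" ]; then
            echo "PLAINTEXT $f"
            findings=$((findings + 1))
        fi
    done

    # Files writable by group or others can be replaced by a non-root user.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \))" ]; then
            echo "WRITABLE ${f##*/}"
            findings=$((findings + 1))
        fi
    done

    # Exit status 0 only when nothing was reported.
    [ "$findings" -eq 0 ]
}

# Example call for the article's host name:
# audit_tripwire_dir /etc/tripwire mybox
```

Run against the listing shown earlier, it would report the two .txt files as PLAINTEXT until they are moved elsewhere.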

Post Scriptum

There is also a default twpol.txt file in CentOS after installation, but I prefer to use the policy file from Debian, modified to suit my needs. I consider it better (it's my personal opinion).

author: niekto@niekde.sk (Jaroslav Petráš)

date: Tue, 27 Aug 2013 10:42:00 +0000

link: CyberAsylum.eu/sint-deploying-tripwire-in-centos