SINT - Deploying tripwire in CentOS

After tripwire installation from the repository we have two files in the /etc/tripwire directory (on CentOS): twcfg.txt and twpol.txt. These files aren't sufficient, and we need to take some additional steps to get tripwire working.

After checking the configuration and policy files mentioned above, we need to generate two keys named site.key and $HOSTNAME-local.key (check twcfg.txt for the proper names). $HOSTNAME is a variable containing our system hostname, and for this mini-article we will use mybox as its value.

    cd /etc/tripwire
    twadmin -m G -S site.key          # -S: site key; we will be prompted for passphrase
    twadmin -m G -L mybox-local.key   # -L: local key; we will be prompted for passphrase

Now we can create the configuration and policy files based on their text versions.

    twadmin --create-cfgfile -S site.key twcfg.txt   # we will be prompted for site key passphrase
    twadmin --create-polfile -S site.key twpol.txt   # we will be prompted for site key passphrase

Check the files in the directory. We can delete the .txt files now, but it's a good idea to keep them somewhere safe for future modifications and for generating the binary files from them.

    -rw-r--r--  1 root root  931 Aug 27 10:28 mybox-local.key
    -rw-r--r--  1 root root  931 Aug 27 10:25 site.key
    -rw-r--r--  1 root root 4586 Aug 27 10:32 tw.cfg
    -rw-r--r--. 1 root root  603 Jul  6  2010 twcfg.txt
    -rw-r--r--  1 root root 4159 Aug 27 10:35 tw.pol
    -rw-r--r--  1 root root 7590 Aug 27 10:34 twpol.txt

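As an added example (not part of the original article), here is a read-only shell check that resolves the key, policy and database names from twcfg.txt, expanding $(HOSTNAME), and lists which deployment steps are still outstanding. The function names, the PREFIX argument and the sample twcfg.txt contents are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article. Read-only: it never runs
# twadmin or tripwire, it only inspects files named in twcfg.txt.

# tw_cfg_value VAR CFGFILE HOST: print VAR's value with $(HOSTNAME) expanded.
tw_cfg_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/\$(HOSTNAME)/'"$3"'/g'
}

# tw_pending CFGFILE HOST [PREFIX]: one line per step not yet done, in order.
# PREFIX (assumption) is prepended to configured paths so a staged tree can be
# checked; tw.cfg is assumed to sit beside twcfg.txt, as in the listing above.
tw_pending() {
    cfg=$1; host=$2; prefix=${3:-}
    site=$prefix$(tw_cfg_value SITEKEYFILE "$cfg" "$host")
    lkey=$prefix$(tw_cfg_value LOCALKEYFILE "$cfg" "$host")
    pol=$prefix$(tw_cfg_value POLFILE "$cfg" "$host")
    db=$prefix$(tw_cfg_value DBFILE "$cfg" "$host")
    [ -s "$site" ] || echo "site key missing: $site"
    [ -s "$lkey" ] || echo "local key missing: $lkey"
    [ -s "$(dirname "$cfg")/tw.cfg" ] || echo "tw.cfg not created from twcfg.txt"
    [ -s "$pol" ] || echo "policy not created: $pol"
    [ -s "$db" ] || echo "database not initialised: $db"
}

# tw_sample_cfg PREFIX: write a constructed twcfg.txt (sample data) under PREFIX.
tw_sample_cfg() {
    mkdir -p "$1/etc/tripwire" "$1/var/lib/tripwire"
    cat > "$1/etc/tripwire/twcfg.txt" <<'EOF'
ROOT          =/usr/sbin
POLFILE       =/etc/tripwire/tw.pol
DBFILE        =/var/lib/tripwire/$(HOSTNAME).twd
SITEKEYFILE   =/etc/tripwire/site.key
LOCALKEYFILE  =/etc/tripwire/$(HOSTNAME)-local.key
EOF
}

# On a live system: tw_pending /etc/tripwire/twcfg.txt "$(hostname)"
```

Empty output from tw_pending means every file the configuration names is in place.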
And finally we can run tripwire --init to build the database against which we will check filesystem integrity. To test it, you can run tripwire --check.

By default, there is a tripwire-check script in /etc/cron.daily, so our filesystem will be checked every day.

Post Scriptum
There is also a default twpol.txt file in CentOS after installation. But I prefer to use the policy file from Debian, modified to satisfy my needs. I consider it better (it's my personal opinion).

date: Tue, 27 Aug 2013 10:42:00 +0000
link: CyberAsylum.eu/sint-deploying-tripwire-in-centos