Tripwire: Difference between revisions
No edit summary |
No edit summary |
||
| (9 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
==Install== | |||
You will set pass phrases ect during the package install. | |||
sudo apt install tripwire | sudo apt install tripwire | ||
After install you have to initialize the database. | |||
sudo tripwire --init | sudo tripwire --init | ||
Then run a check, you will find some errors, fixing some of these requires editing the policy file. | |||
sudo tripwire --check | sudo tripwire --check | ||
| Line 15: | Line 19: | ||
sudo tripwire --check | sudo tripwire --check | ||
after editing the configuration file: | |||
sudo twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt | |||
if the passwords arn't set up for whatever reason: | if the passwords arn't set up for whatever reason: | ||
sudo dpkg-reconfigure tripwire | sudo dpkg-reconfigure tripwire | ||
to update changes to your system the easy way: | ==Change Policies== | ||
to ignore certain files: | |||
!/srv/ro/myfile1.txt ; | |||
!/srv/ro/myfile2.txt ; | |||
==Normal Updates== | |||
To update changes to your system the easy way: | |||
sudo tripwire -m c -I | sudo tripwire -m c -I | ||
==cron.daily and crontab== | |||
I prefer to run things from crontab vs scripts in /etc/cron.daily | |||
remove script from cron.daily: | |||
sudo rm /etc/cron.daily/tripwire | |||
Add crontab entry to run a check and email the results to you (daily at 2am) NOTE: you need ssmtp set up to send the email. | |||
sudo crontab -e | |||
Paste in the following line: | |||
00 02 * * * sudo tripwire --check | mail -s "Tripwire report for nsserver" someone@gmail.com | |||
==Email reports== | |||
Tripwire CAN email you on violations, BUT it requires either sendmail setup or SMTP listening on port 25. | |||
The following is a workaround in the case that you don't have a mailserver. | |||
==Reports and Logs== | |||
Tripwire reports are saved in /var/lib/tripwire/report/ and date stamped, but they are encrypted so don't bother trying to open them. | |||
sudo ls /var/lib/tripwire/report/ | |||
==References== | ==References== | ||
https://www.howtoforge.com/tutorial/how-to-monitor-and-detect-modified-files-using-tripwire-on-ubuntu-1604 | https://www.howtoforge.com/tutorial/how-to-monitor-and-detect-modified-files-using-tripwire-on-ubuntu-1604<br> | ||
https://www.digitalocean.com/community/tutorials/how-to-use-tripwire-to-detect-server-intrusions-on-an-ubuntu-vps<br> | |||
https://www.digitalocean.com/community/tutorials/how-to-use-tripwire-to-detect-server-intrusions-on-an-ubuntu-vps | https://www.techrepublic.com/article/example-2-a-sample-tripwire-policy-file/<br> | ||
Latest revision as of 10:09, 28 October 2018
Install
You will set pass phrases ect during the package install.
sudo apt install tripwire
After install you have to initialize the database.
sudo tripwire --init
Then run a check, you will find some errors, fixing some of these requires editing the policy file.
sudo tripwire --check
after editing the policy file do this:
sudo twadmin -m P /etc/tripwire/twpol.txt
sudo tripwire --init
sudo tripwire --check
after editing the configuration file:
sudo twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
if the passwords arn't set up for whatever reason:
sudo dpkg-reconfigure tripwire
Change Policies
to ignore certain files:
!/srv/ro/myfile1.txt ; !/srv/ro/myfile2.txt ;
Normal Updates
To update changes to your system the easy way:
sudo tripwire -m c -I
cron.daily and crontab
I prefer to run things from crontab vs scripts in /etc/cron.daily
remove script from cron.daily:
sudo rm /etc/cron.daily/tripwire
Add crontab entry to run a check and email the results to you (daily at 2am) NOTE: you need ssmtp set up to send the email.
sudo crontab -e
Paste in the following line:
00 02 * * * sudo tripwire --check | mail -s "Tripwire report for nsserver" someone@gmail.com
Email reports
Tripwire CAN email you on violations, BUT it requires either sendmail setup or SMTP listening on port 25. The following is a workaround in the case that you don't have a mailserver.
Reports and Logs
Tripwire reports are saved in /var/lib/tripwire/report/ and date stamped, but they are encrypted so don't bother trying to open them.
sudo ls /var/lib/tripwire/report/
References
https://www.howtoforge.com/tutorial/how-to-monitor-and-detect-modified-files-using-tripwire-on-ubuntu-1604
https://www.digitalocean.com/community/tutorials/how-to-use-tripwire-to-detect-server-intrusions-on-an-ubuntu-vps
https://www.techrepublic.com/article/example-2-a-sample-tripwire-policy-file/
