Tripwire

From James's Wiki
Revision as of 13:41, 4 March 2018 by Ractive (talk | contribs)


Install

You will set pass phrases ect during the package install. 

sudo apt install tripwire

After install you have to initialize the database. 

sudo tripwire --init

Then run a check, you will find some errors, fixing some of these requires editing the policy file. 

sudo tripwire --check


after editing the policy file do this: 

sudo twadmin -m P /etc/tripwire/twpol.txt

sudo tripwire --init

sudo tripwire --check

after editing the configuration file: 

sudo twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt

if the passwords arn't set up for whatever reason: 

sudo dpkg-reconfigure tripwire

to update changes to your system the easy way: 

sudo tripwire -m c -I

cron.daily and crontab

I prefer to run things from crontab vs scripts in /etc/cron.daily

remove script from cron.daily: 

sudo rm /etc/cron.daily/tripwire

Add crontab entry to run a check and email the results to you (daily at 2am) NOTE: you need ssmtp set up to send the email. 

sudo crontab -e

Paste in the following line: 

00 02 * * * sudo tripwire --check | mail -s "Tripwire report for nsserver" someone@gmail.com

Reports and Logs

Tripwire reports are saved in /var/lib/tripwire/report/ and date stamped. 

sudo ls /var/lib/tripwire/report/

References

https://www.howtoforge.com/tutorial/how-to-monitor-and-detect-modified-files-using-tripwire-on-ubuntu-1604
https://www.digitalocean.com/community/tutorials/how-to-use-tripwire-to-detect-server-intrusions-on-an-ubuntu-vps
https://www.techrepublic.com/article/example-2-a-sample-tripwire-policy-file/

Retrieved from "https://wiki.jamesclaus.com/index.php?title=Tripwire&oldid=251"
Powered by MediaWiki