Tripwire

Install

You will set pass phrases ect during the package install.

sudo apt install tripwire

After install you have to initialize the database.

sudo tripwire --init

Then run a check, you will find some errors, fixing some of these requires editing the policy file.

sudo tripwire --check

after editing the policy file do this:

sudo twadmin -m P /etc/tripwire/twpol.txt

sudo tripwire --init

sudo tripwire --check

after editing the configuration file:

sudo twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt

if the passwords arn't set up for whatever reason:

sudo dpkg-reconfigure tripwire

Change Policies

to ignore certain files:

!/srv/ro/myfile1.txt ;
!/srv/ro/myfile2.txt ;

Normal Updates

To update changes to your system the easy way:

sudo tripwire -m c -I

cron.daily and crontab

I prefer to run things from crontab vs scripts in /etc/cron.daily

remove script from cron.daily:

sudo rm /etc/cron.daily/tripwire

Add crontab entry to run a check and email the results to you (daily at 2am) NOTE: you need ssmtp set up to send the email.

sudo crontab -e

Paste in the following line:

00 02 * * * sudo tripwire --check | mail -s "Tripwire report for nsserver" someone@gmail.com

Email reports

Tripwire CAN email you on violations, BUT it requires either sendmail setup or SMTP listening on port 25. The following is a workaround in the case that you don't have a mailserver.

Reports and Logs

Tripwire reports are saved in /var/lib/tripwire/report/ and date stamped, but they are encrypted so don't bother trying to open them.

sudo ls /var/lib/tripwire/report/

References

https://www.howtoforge.com/tutorial/how-to-monitor-and-detect-modified-files-using-tripwire-on-ubuntu-1604
https://www.digitalocean.com/community/tutorials/how-to-use-tripwire-to-detect-server-intrusions-on-an-ubuntu-vps
https://www.techrepublic.com/article/example-2-a-sample-tripwire-policy-file/