How To Use and Installation of Tripwire

Unknown | 02:49 | 0 comments


A popular host-based intrusion detection system on Linux is tripwire. This software can keep track of many different filesystem data points in order to detect whether unauthorized changes have occurred.

In this article, we will discuss how to install and configure tripwire, and the commands used at each step.


Install Tripwire
# yum install tripwire -y

Creating site and local keyfile pass-phrases
# tripwire-setup-keyfiles

Initializing Tripwire Database
# tripwire --init

Modifying Tripwire policy file
# vi /etc/tripwire/twpol.txt

Once you have finished editing the policy file, update the tripwire policy.
# tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt

Checking for any changes in files/directories
# tripwire --check --interactive

It will ask you to enter your pass-phrase.

Now let us add a new file called Anil.
# touch Anil

Now check this file with the tripwire --check --interactive command. You should find the file Anil under the Added section of the result.
# tripwire --check --interactive

OR

# tripwire --check
It will not ask you to enter a password.

Viewing the tripwire report file
All tripwire report files (extension .twr) are stored in the /var/lib/tripwire/report/ directory. These are not text files, so you can't view them with an editor. First convert them to a human-readable format with the following command.
# twprint --print-report --twrfile /var/lib/tripwire/report/server.ostechnix.com-20130510-124159.twr > /tmp/twrreport.txt

Now open the file using any editor.
# vi /tmp/twrreport.txt 

Viewing tripwire configuration and policy file locations
To view the policy file locations enter the following command.

# twadmin --print-polfile

To view the configuration files enter the following command.
# twadmin --print-cfgfile

Scheduling Tripwire Check
A cron file named tripwire-check may already have been created automatically in the /etc/cron.daily/ directory. If it isn't there, open your crontab file and add the lines shown below. The following example runs the tripwire check daily at 5 AM.

# vi /etc/crontab 
# Tripwire Monitor process
00 5 * * * /usr/sbin/tripwire  --check

OR

0 7 * * * /usr/sbin/tripwire --check > /tmp/tripwire
0 8 * * * /bin/mail -s "Tripwire" amullapudi@ciphercloud.com  < /tmp/tripwire

This checks the system at 7 AM every day and mails the result at 8 AM.
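The two cron lines above always mail the raw output, even when nothing changed. The script below is an added example (not from the article) that ties the commands of this post together: it runs the non-interactive check, converts the newest .twr report with twprint, and mails it only when the report summary records violations. The recipient, the script path, and the availability of mktemp and hostname are assumptions; the report text in demo() is constructed.

```shell
#!/bin/sh
# Added example (not from the article): cron wrapper for the daily check.
# Runs tripwire --check, converts the newest .twr report with twprint, and
# mails the text only when the report records violations.
# Assumptions: MAIL_TO, mktemp and hostname; the sample report is constructed.

REPORT_DIR=/var/lib/tripwire/report
MAIL_TO=root                      # assumption: set your real recipient

# Print the number from the "Total violations found:  N" summary line that
# twprint writes; print 0 when the line is missing (empty or odd report).
violations_in_report() {
    n=$(sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${n:-0}"
}

# Non-interactive check (no pass-phrase prompt, as the article notes), then
# print and mail the newest report only if something changed.
run_daily_check() {
    /usr/sbin/tripwire --check >/dev/null 2>&1
    newest=$(ls -t "$REPORT_DIR"/*.twr 2>/dev/null | head -n 1)
    if [ -z "$newest" ]; then
        echo "no tripwire report found in $REPORT_DIR" >&2
        return 1
    fi
    txt=$(mktemp)
    twprint --print-report --twrfile "$newest" > "$txt"
    count=$(violations_in_report "$txt")
    if [ "$count" -gt 0 ]; then
        mail -s "Tripwire: $count violation(s) on $(hostname)" "$MAIL_TO" < "$txt"
    fi
    rm -f "$txt"
}

# Stand-alone demo on a constructed report so the parser can be exercised on a
# host without tripwire; from cron, call the script with --cron instead.
demo() {
    f=$(mktemp)
    printf '%s\n' 'Total objects scanned:  1234' \
        'Total violations found:  2' > "$f"
    violations_in_report "$f"      # prints 2
    rm -f "$f"
}

if [ "${1:-}" = "--cron" ]; then
    run_daily_check
else
    demo
fi
```

Saved as, for example, /usr/local/sbin/tripwire-daily.sh (a hypothetical path), it replaces the two cron lines above with one: 0 7 * * * /usr/local/sbin/tripwire-daily.sh --cron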

handsonbook.blogspot.com