Monitoring and Detecting Modified Files using Tripwire on CentOS 7

Tripwire is a free and open source host-based Intrusion Detection System (IDS). It is a security tool that monitors files on the system and alerts on changes to them. Tripwire is a powerful IDS that protects your system against unwanted changes. You can use it to monitor your system files, including website files, so when a file is changed without your knowledge, Tripwire will detect it on its next check and, if configured properly, alert you by e-mail.

In this guide, we will show you how to monitor and detect any changes to your system files using Tripwire on a CentOS 7 system. We will show you how to install and configure Tripwire on CentOS 7, how to generate the Tripwire key files, how to configure the Tripwire policy and add rules to it, how to check the system, and how to enable e-mail notifications and a cron job for Tripwire.

What we will do

  1. Install Tripwire on CentOS 7
  2. Configure Tripwire Policy for CentOS 7
  3. Verifying Tripwire Configuration
  4. Add a New Rule to the Tripwire Policy
  5. Setup Tripwire E-mail Notification and Cron

Prerequisites

  • CentOS 7 System
  • Root Privileges

Step 1 – Install Tripwire on CentOS 7

The first step is to install Tripwire on the system. Tripwire is packaged for CentOS 7 in the EPEL repository, so make sure that repository is enabled before running the install command below.

Log in to the server and update all packages.

ssh [email protected]
sudo yum upgrade -y

Now install Tripwire making use of yum.

sudo yum -y install tripwire

After the installation, we need to generate new key files.

Tripwire works with 2 key files:

  1. site-key: It is used to sign the Tripwire configuration and policy files. Any change to the tripwire configuration or policy will not take effect until we regenerate (re-sign) those files, and we will be prompted for the 'site-key' passphrase to do that.
  2. local-key: It is used to sign the Tripwire database and its reports. Whenever we initialize or update the tripwire database, we run the tripwire command and will be prompted for the 'local-key' passphrase.

Let's generate the new tripwire key files (site and local keys) using the command below.

sudo tripwire-setup-keyfiles

The command will create the two key files 'site-key' and 'local-key', and you will be asked for a passphrase for each of them.

Type your 'site-key' passphrase and press Enter.

Type your 'local-key' passphrase and press Enter again.

Next, the script signs the tripwire configuration using the 'site-key'.

Type your 'site-key' passphrase.

The script then signs the Tripwire policy, which is also protected by the site key, so type your 'site-key' passphrase once more.

Tripwire is now installed on CentOS 7, and the new tripwire configuration, policy and key files are located in the '/etc/tripwire' directory.

Step 2 – Configure Tripwire Policy for CentOS 7

After the tripwire installation in the first step, we need to initialize the tripwire database and make sure there is no error.

Initialize tripwire database using the tripwire command below.

sudo tripwire --init

You will be asked for the 'local-key' passphrase, and you will most likely get a series of 'No such file or directory' warnings as below.


We get these warnings because the default tripwire policy lists directories and files that do not exist on this system. To solve this, we need to edit the tripwire policy file 'twpol.txt', comment out the missing entries, and re-sign the policy.

First, save the list of missing files reported by tripwire using the command below.

sudo sh -c "tripwire --check | grep Filename > no-directory.txt"

All directories and files that don't exist on the CentOS 7 system are now listed in the file 'no-directory.txt'.

cat no-directory.txt


Edit the tripwire policy 'twpol.txt' by running the following bash loop in your terminal. It comments out the policy line for every missing path.

for f in $(grep "Filename:" no-directory.txt | cut -f2 -d:); do
    # Prefix the policy line for the missing path (the path followed by a space) with '#'
    sudo sed -i "s|\($f\) |#\1|g" /etc/tripwire/twpol.txt
done

After this, we have to regenerate and re-sign the tripwire policy using the twadmin command as shown below.

sudo twadmin -m P /etc/tripwire/twpol.txt

Type your ‘site-key’ passphrase.

Reinitialize the tripwire database, and make sure you get no error this time.

sudo tripwire --init

The tripwire database is reinitialized without errors.


Step 3 – Verifying Tripwire Configuration and Checking the System

To verify the tripwire setup, we can run the system check command as below.

sudo tripwire --check

And you should get a result similar to the following.


This means there is no error and no violation was found on our system.

Now we will try to add a new file to the root home directory and check again using tripwire.

Go to the root home directory and create a new file 'hakase-labs.txt'.

cd ~/
touch hakase-labs.txt

Now check the system again using the tripwire command.

sudo tripwire --check

And you should see the new violation reported for the system with severity 100, as below.


At this stage, Tripwire is installed and configured for the CentOS 7 system. Note that a violation is reported on every subsequent check until the change is either reverted or accepted into the database with tripwire's update mode, so review each report and update the baseline for changes you made yourself.

Step 4 – Add New Rule to Tripwire Policy

In this step, we will show you how to add a new rule to the tripwire policy file 'twpol.txt'.

To do this, we need to define the rule name, the severity, the directory to monitor, and the property mask for the files. In this step, we'll create a new rule 'WordPress Data' for our WordPress installation in the '/var/www/' directory, with severity 'HIGH/SIG_HI', and treat all files in that directory as critical (neither their ownership nor their contents may change). Bear in mind that directories the web application writes to at runtime, such as an uploads or cache directory, will violate such a rule on every check; Tripwire policies allow those paths to be excluded with a stop point (a path prefixed with '!').

Go to the tripwire configuration directory ‘/etc/tripwire’ and edit the configuration file ‘twpol.txt’ using vim.

cd /etc/tripwire/
vim twpol.txt

Go to the end of the file and paste the following WordPress rule there.

# Ruleset for WordPress
(
  rulename = "WordPress Data",
  severity = $(SIG_HI)
)
{
        /var/www        -> $(SEC_CRIT);
}

Save and exit.

Regenerate and re-sign the configuration using the twadmin command as below.

sudo twadmin -m P /etc/tripwire/twpol.txt

Type your ‘site-key’ passphrase.

Now we need to regenerate the tripwire database again.

sudo tripwire --init

Type the ‘local-key’ passphrase.

A new rule set has been added and applied to the Tripwire policy configuration.


Check your system using the tripwire command below.

sudo tripwire --check

And you should get a result with no error and no violation.


Now go to the '/var/www/' directory and create a new file in it.

cd /var/www/
touch hakase-labs.php


Run the system check using tripwire.

sudo tripwire --check

And you will get a result reporting the added file in the '/var/www/' directory at security level high, severity 100.


The new rule has been added to the Tripwire policy and is now enforced.

Step 5 – Setup Tripwire E-mail Notification and Cron

In this step, we will configure notifications for a specific tripwire rule and set up a cron job for automated system checking. We will send a report for any violation of the 'WordPress Data' rule to the e-mail address '[email protected]'.

For e-mail notification, tripwire provides the 'emailto' attribute in the policy. By default, tripwire hands the report to the local sendmail binary (provided by Postfix or Sendmail on CentOS 7) to deliver it via e-mail.

Before configuring e-mail notifications, test the tripwire mail function using the command below.

sudo tripwire --test --email [email protected]

Check your e-mail and you should receive the test message from your server, as below.


Now go to the '/etc/tripwire' directory and edit the 'twpol.txt' policy file.

cd /etc/tripwire/
vim twpol.txt

Add a new 'emailto' line to the 'WordPress Data' rule as shown below.

# Ruleset for WordPress
(
  rulename = "WordPress Data",
  severity = $(SIG_HI),
  emailto = [email protected]
)
{
        /var/www        -> $(SEC_CRIT);
}

Save and exit.

Regenerate and sign the configuration using the twadmin command.

sudo twadmin -m P /etc/tripwire/twpol.txt

Type your ‘site-key’ passphrase.

And regenerate the tripwire database.

sudo tripwire --init

Type your tripwire ‘local-key’ passphrase.

Configuration for Tripwire Email Notification has been completed.


Now test it by creating a new file in the '/var/www/' directory.

cd /var/www/
touch hakase.txt

Check the system again using the command below.

sudo tripwire --check --email-report

Note:

  • --email-report: send the report for each rule that has violations to the e-mail address defined in that rule.

Check your e-mail and you should receive a report like the one below.


E-mail notification for Tripwire is enabled and working.

Next, we will enable automated Tripwire system checks using cron. For this, create a new cron job for the root user using the crontab command below.

sudo crontab -e -u root

Paste the following cron job.

0 0 * * * /usr/sbin/tripwire --check --email-report

Save and exit.

Note:

  • The cron job runs the tripwire system check daily at midnight. The full path '/usr/sbin/tripwire' is used because cron runs user crontabs with a minimal PATH that does not include '/usr/sbin'.

Now restart the crond solution on CentOS 7.

sudo systemctl restart crond


You will now receive the tripwire report notification by e-mail on a daily basis.
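E-mail is a reasonable alert channel, but a cron entry that only mails gives you nothing to search in logs and nothing for a scheduler to act on. As an added example, not part of the original tutorial, the wrapper below runs the same check, keeps the plain-text output, parses the 'Total violations found:' summary and the rules flagged with '*' in the Rule Summary table, and writes a one-line result to syslog. The report layout parsed here is Tripwire's; the binary location '/usr/sbin/tripwire', the report directory '/var/log/tripwire', the syslog tag and the sample report excerpt are assumptions and constructed data for the demonstration, not output from the system on the page.

```shell
#!/bin/bash
# Added example (not from the original tutorial): cron wrapper around
# 'tripwire --check --email-report' that archives the text output, counts the
# violations from the report summary, names the rules that fired and logs the
# result to syslog. Assumptions: the tripwire binary is at /usr/sbin/tripwire
# (cronie gives user crontabs a PATH of /usr/bin:/bin, which lacks /usr/sbin)
# and reports may be kept under /var/log/tripwire (a directory chosen here).

TRIPWIRE_BIN=/usr/sbin/tripwire   # assumed location of the binary
REPORT_DIR=/var/log/tripwire      # assumed; created on first run

# violations_in_report FILE
#   Print the number from the "Total violations found:" line, or 0 when the
#   line is absent (for example when the check aborted before the summary).
violations_in_report() {
    awk -F':' '/^Total violations found:/ { v = $2; gsub(/[^0-9]/, "", v); n = v }
               END { print (n == "" ? 0 : n) }' "$1"
}

# rules_with_violations FILE
#   Print the names of rules marked with a leading "*" in the Rule Summary
#   table, one per line. Rule names may contain single spaces, so the name is
#   everything before the run of two or more spaces that precedes the
#   severity column.
rules_with_violations() {
    awk '/^\* / { sub(/^\* /, ""); sub(/  +[0-9]+ .*$/, ""); print }' "$1"
}

# nightly_check
#   Run the integrity check, let tripwire mail per-rule reports as configured
#   with 'emailto', keep the text output under REPORT_DIR and log a summary.
#   Returns 0 when clean and 1 when violations were found.
nightly_check() {
    local stamp out n rules
    mkdir -p "$REPORT_DIR"
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$REPORT_DIR/check-$stamp.txt"
    # tripwire exits non-zero when it finds violations; keep going and decide
    # from the summary text instead of the exit status.
    "$TRIPWIRE_BIN" --check --email-report > "$out" 2>&1 || true
    n=$(violations_in_report "$out")
    if [ "$n" -gt 0 ]; then
        rules=$(rules_with_violations "$out" | paste -sd ',' -)
        logger -t tripwire -p auth.warning \
            "integrity check: $n violation(s) in rules: $rules (report $out)"
        return 1
    fi
    logger -t tripwire -p auth.info "integrity check: no violations (report $out)"
    return 0
}

# sample_report_file
#   Write a constructed excerpt shaped like a tripwire text report to a temp
#   file and print its path. The numbers and rule names are made up.
sample_report_file() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/centos7-20170810-000001.twr

Rule Summary:
===============================================================================

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* Tripwire Data Files             100               0        0        1
  (/var/lib/tripwire)
* WordPress Data                  100               1        0        0
  (/var/www)
  Root config files               100               0        0        0

Total objects scanned:  13565
Total violations found:  2
EOF
    printf '%s\n' "$f"
}

# With --run perform the real check (for cron); otherwise demonstrate the
# parsers on the constructed sample so the script can be tried offline.
if [ "${1:-}" = "--run" ]; then
    nightly_check
else
    sample=$(sample_report_file)
    echo "sample report: $(violations_in_report "$sample") violation(s) in:" \
         "$(rules_with_violations "$sample" | paste -sd ',' -)"
fi
```

Install the script somewhere root-owned and replace the crontab line with a call to it followed by '--run'; the archived text reports then give you a history to compare against, and the syslog lines can be forwarded to whatever collects your other authentication and audit events.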

Tripwire is set up and configured for CentOS 7 system.
