Tripwire HIDS

debian security

How to Install Tripwire Intrusion Detection System on Debian

Tripwire is a host-based intrusion detection system (HIDS). Like AIDE, it monitors the local filesystem and reports unauthorized changes by comparing files against a signed baseline database.

Install Tripwire

Install

# apt update
# apt install tripwire

You are asked to create site and local keys. Select No at both prompts; you will generate the keys manually in the next step.

Generate Keys

Tripwire uses two keys: the site key signs the configuration and policy files, and the local key signs the database and the reports. twadmin prompts for a passphrase for each key as it is generated; choose strong, distinct passphrases, since anyone who can sign the policy or database can hide changes from Tripwire.

Generate the local key.

# twadmin --generate-keys -L /etc/tripwire/tripwire-local.key

Generate the site key.

# twadmin --generate-keys -S /etc/tripwire/tripwire-site.key

Configure Tripwire

Edit the configuration file

Open the config /etc/tripwire/twcfg.txt and edit the following lines to include your site and local keys:

SITEKEYFILE   =/etc/tripwire/tripwire-site.key
LOCALKEYFILE  =/etc/tripwire/tripwire-local.key

Sign the config.

# twadmin --create-cfgfile -S /etc/tripwire/tripwire-site.key /etc/tripwire/twcfg.txt

You are prompted for the site passphrase, and the signed configuration file is saved to /etc/tripwire/tw.cfg.

Create a Policy File

A default policy is shipped with Tripwire as /etc/tripwire/twpol.txt and should be adapted to your system: the Debian default lists many files that may not exist on your host, and each missing file produces a "File system error" warning when the database is initialized, so expect to comment those rules out. Once edited, sign the policy file with the site key.

# twadmin --create-polfile -S /etc/tripwire/tripwire-site.key /etc/tripwire/twpol.txt

The signed policy file is saved to /etc/tripwire/tw.pol. The plaintext twpol.txt reveals exactly what is monitored, so keep it readable by root only.

Initialize Tripwire

Generate the baseline database from the signed policy. Repeat this step whenever the policy is changed.

# tripwire --init

Tripwire prompts you to enter the local key's passphrase.

Run a Tripwire Check

Run a filesystem check.

# tripwire --check -r report.twr

The signed report is written to report.twr in the current directory; without -r it goes to the REPORTFILE location set in tw.cfg. A plain-text version of the report is printed to the terminal, and a saved report can be displayed again later with twprint.

Review the report, then update the Tripwire database so that legitimate filesystem changes become part of the baseline. Without -a, --update opens the report in an editor so you can deselect changes that should not be accepted; -a (--accept-all) skips that review and accepts every change in the report, so use it only after you have inspected the report and confirmed the changes are expected.

# tripwire --update -a -r report.twr
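The default Debian policy usually produces a long list of "File system error" warnings on the first tripwire --init, one per file that does not exist on the host. The script below, an added example that is not from the original post and not part of Tripwire, collects the paths from that warning output and comments out the matching rules in twpol.txt, then re-signs and re-initializes with the same commands as above. It assumes the warning block format printed by Open Source Tripwire ("### Filename: /path"), the key file names used in this post, and a constructed sample policy and warning log for the demo.

```shell
#!/bin/sh
# Added example; not from the original post and not part of Tripwire.
# The Debian default policy (twpol.txt) lists files that may not exist
# on a given host, and `tripwire --init` prints a warning block for each:
#   ### Warning: File system error.
#   ### Filename: /root/.Xauthority
#   ### No such file or directory
#   ### Continuing...
# This script comments out the rules for those paths so the next init
# and check run cleanly. Key file names follow the post; the sample
# policy and warning text in make_sample are constructed for the demo.
set -eu

# Print the unique paths named in "### Filename:" warning lines.
# Usage: missing_paths <init-output-file>
missing_paths() {
    sed -n 's/^### Filename: //p' "$1" | sort -u
}

# Write a copy of the policy with each rule whose path was reported missing
# prefixed by '#'. Variable definitions, rule headers and existing comments
# are left unchanged.  Usage: prune_policy <twpol.txt> <init-output> <out>
prune_policy() {
    policy=$1
    warnings=$2
    out=$3
    missing_paths "$warnings" > "${out}.missing"
    awk -v listfile="${out}.missing" '
        BEGIN { while ((getline p < listfile) > 0) missing[p] = 1; close(listfile) }
        {
            path = $1            # first token: "/path", "!/path" (stop point) or "/path;"
            sub(/^!/, "", path)
            sub(/;$/, "", path)
            if (path ~ /^\// && (path in missing)) print "#" $0
            else print
        }
    ' "$policy" > "$out"
    rm -f "${out}.missing"
}

# Succeed if the rule for <path> is commented out in <policy>.
# Usage: is_disabled <policy> <path>
is_disabled() {
    grep -Eq "^#[[:space:]]*!?$2([[:space:]]|;)" "$1"
}

# Sign the pruned policy and rebuild the baseline with the same two commands
# as in the post. Needs root and the site and local passphrases.
# Usage: rebuild_policy <pruned-policy>
rebuild_policy() {
    cp "$1" /etc/tripwire/twpol.txt
    twadmin --create-polfile -S /etc/tripwire/tripwire-site.key /etc/tripwire/twpol.txt
    tripwire --init
}

# Constructed sample data: a policy fragment and matching init warnings.
# Usage: make_sample <dir>
make_sample() {
    cat > "$1/twpol.txt" <<'EOF'
(
  rulename = "Root config files",
  severity = $(SIG_HI)
)
{
  /root                        -> $(SEC_CRIT) ;
  /root/.Xauthority            -> $(SEC_CONFIG) ;
  /root/.bashrc                -> $(SEC_CONFIG) ;
  !/proc/kcore ;
}
EOF
    cat > "$1/init.log" <<'EOF'
### Warning: File system error.
### Filename: /root/.Xauthority
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /proc/kcore
### No such file or directory
### Continuing...
EOF
}

# Demo on the constructed data; no Tripwire installation required.
demo() {
    d=$(mktemp -d)
    make_sample "$d"
    prune_policy "$d/twpol.txt" "$d/init.log" "$d/twpol.pruned"
    cat "$d/twpol.pruned"
    rm -rf "$d"
}

demo
```

On a real host, save the output of tripwire --init to a file, run prune_policy against /etc/tripwire/twpol.txt and that file, inspect the pruned copy, and only then call rebuild_policy on it. Commenting out a rule removes that path from monitoring, so check that every disabled entry is genuinely absent rather than a file that simply has not been created yet.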
