How to Install Tripwire Intrusion Detection System on Debian
Tripwire is a host-based intrusion detection system (HIDS). Like AIDE, it monitors the local filesystem and detects unauthorized changes.
Install
# apt update
# apt install tripwire
You are asked to create site and local keys. Select No at both prompts; you will generate the keys manually in the next step.
The policy, database and configuration files are signed with site and local keys.
Generate the local key.
# twadmin --generate-keys -L /etc/tripwire/tripwire-local.key
Generate the site key.
# twadmin --generate-keys -S /etc/tripwire/tripwire-site.key
Edit the configuration file
Open the configuration file /etc/tripwire/twcfg.txt and edit the following lines so they point at your site and local keys:
SITEKEYFILE =/etc/tripwire/tripwire-site.key
LOCALKEYFILE =/etc/tripwire/tripwire-local.key
Sign the config.
# sudo twadmin --create-cfgfile -S /etc/tripwire/tripwire-site.key /etc/tripwire/twcfg.txt
The signed configuration file is saved to /etc/tripwire/tw.cfg.
The default policy shipped with Tripwire should be adapted to your needs. Sign the policy file with the site key.
# sudo twadmin --create-polfile -S /etc/tripwire/tripwire-site.key /etc/tripwire/twpol.txt
The signed policy file is saved to /etc/tripwire/tw.pol.
Once the policy is signed (and again whenever it changes), initialize the database.
# sudo tripwire --init
Tripwire prompts you to enter the local key's passphrase.
Run a filesystem check.
# sudo tripwire --check -r report.twr
The binary report is saved as report.twr in the current working directory, and a plain-text version is printed to the terminal.
After reviewing the report, accept the reported changes into the database with an update run; the -a flag accepts all changes without opening an editor.
# sudo tripwire --update -a -r report.twr
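The steps above are usually run once by hand; in practice the check is scheduled and something has to act on the result. The following wrapper is an added example, not part of the original page and not Tripwire's own tooling: it parses the plain-text check report for the "Total violations found:" summary line and the "Added/Removed/Modified object name:" detail lines, and exits non-zero when violations are present so cron or a monitoring agent can alert. The report directory, file naming and the sample report text are assumptions made for the example; the sample is constructed, not captured from a real system, so the parsing can be exercised without a Tripwire install.

```shell
#!/bin/sh
# Added example (not from the original page or the Tripwire project).
# Assumption: reports live under REPORT_DIR (Tripwire's usual default is
# /var/lib/tripwire/report); override with the environment variable.
REPORT_DIR="${REPORT_DIR:-/var/lib/tripwire/report}"

# count_violations FILE: print the integer after "Total violations found:"
# in a plain-text report; print -1 if the line is missing, so a truncated or
# failed check is never mistaken for a clean one.
count_violations() {
    n=$(sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    if [ -z "$n" ]; then
        printf '%s\n' "-1"
    else
        printf '%s\n' "$n"
    fi
}

# list_changed FILE: print the paths from the detail section, one per line
# (lines of the form "Modified object name:  /path"); paths may contain spaces.
list_changed() {
    awk '/^(Added|Removed|Modified) object name:/ { sub(/^[^:]*:[ \t]*/, ""); print }' "$1"
}

# run_check: scheduled integrity check with a timestamped report.
# Returns 0 when clean, 1 when violations were found, 2 when the text report
# could not be parsed. Requires root and a database created by "tripwire --init".
run_check() {
    stamp=$(date +%Y%m%d-%H%M%S)
    report="$REPORT_DIR/$(hostname)-$stamp.twr"
    text="$REPORT_DIR/$(hostname)-$stamp.txt"
    # tripwire exits non-zero when violations exist; we decide from the text.
    tripwire --check -r "$report" > "$text" 2>&1 || true
    n=$(count_violations "$text")
    case "$n" in
        0)  echo "OK: no violations ($text)"; return 0 ;;
        -1) echo "ERROR: could not parse $text"; return 2 ;;
        *)  echo "ALERT: $n violation(s), see $text"; list_changed "$text"; return 1 ;;
    esac
}

# Constructed sample of a plain-text report (not real output from any host),
# shaped like Tripwire's summary and detail sections, to exercise the parsers.
SAMPLE_REPORT=$(mktemp)
trap 'rm -f "$SAMPLE_REPORT"' EXIT
cat > "$SAMPLE_REPORT" <<'EOF'
Tripwire Integrity Check Report (constructed sample)

Rule Name                       Severity Level    Added    Removed  Modified
---------                       --------------    -----    -------  --------
* Tripwire Data Files            100               0        0        1
  Root config files              100               0        0        0

Total objects scanned:  20482
Total violations found:  1

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/etc/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Modified object name:  /etc/tripwire/tw.pol
EOF

# Demo on the constructed sample only; call run_check from cron on a real host,
# e.g. "0 3 * * * /usr/local/sbin/tw-check.sh" with a final line "run_check".
echo "sample report: $(count_violations "$SAMPLE_REPORT") violation(s)"
list_changed "$SAMPLE_REPORT"
```

Once a flagged change has been reviewed and found legitimate, fold it into the database with tripwire --update -r on that report, as in the last step above; keep the .twr files, since they are the signed record of what was found and when.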