How to Install Tripwire IDS on Debian 11 Bullseye

Tripwire IDS is a host-based intrusion detection system that detects changes to the files and directories you tell it to watch. It records cryptographic hashes and attributes (size, permissions, ownership, timestamps, inode) of those objects in a signed baseline database and, on each run, compares the live system against that baseline, reporting anything added, removed or modified. It is a file-integrity checker: it does not monitor resource utilization, network traffic or running processes.

In the following tutorial, you will learn how to install Tripwire IDS on your Debian 11 Bullseye desktop or server using the command line terminal and first-time configuration setup.

Update Debian

First, update your system to ensure all existing packages are up to date.

sudo apt update && sudo apt upgrade -y

Install Tripwire

Tripwire is available in Debian's default repositories, so it installs with a single command.

sudo apt install tripwire -y

As the installation begins, a Tripwire configuration screen explains that the software uses a pair of keys (a site key and a local key) to sign its configuration, policy, database and report files so that tampering with them can be detected. The passphrases for those keys are typed in during package configuration, so there is a brief window in which an attacker who already has a foothold on the machine, or who can observe your terminal session, could capture them. Do this on a freshly installed host that you trust, over a local console or an SSH session.

Proceed by pressing (TAB) to highlight the (Ok) selection and hit enter to continue the installation set-up.

On the next screen you are asked whether to create the site key passphrase now or later. Do it now.

Select <Yes> to create a site key passphrase to continue installing.

Another warning notes that the passphrase you are about to type could be intercepted during installation. As before, this only matters if the host, or your session to it, is already compromised; a fresh install over a trusted connection is the right starting point.

Proceed by pressing (TAB) to highlight the (Ok) selection and hit enter to continue the installation set-up.

On the next screen, you are prompted to create a local key passphrase now or later; again, do it now. The local key is separate from the site key and the two passphrases must not be identical: the site key signs the configuration and policy files and may be shared across hosts, while the local key signs this host's own database and reports.

Select <Yes> to create a local key passphrase to continue installing.

Next you are asked whether to rebuild the Tripwire configuration file (the signed tw.cfg, generated from twcfg.txt).

Select <Yes> to rebuild the configuration file and continue installing.

By now you will have noticed the pattern of warning messages. This one explains that the policy file (/etc/tripwire/twpol.txt) defines which files and directories Tripwire monitors and which attributes of each it records; you will tune that file after the installation finishes.

Proceed by pressing (TAB) to highlight the (Ok) selection and hit enter to continue the installation set-up.

Next you are asked whether to rebuild the Tripwire policy file (the signed tw.pol, generated from twpol.txt).

Select <Yes> to rebuild the policy file and continue installing.

The following window reminds you that Tripwire uses two different keys, the site key and the local key, to sign its files. Record both passphrases somewhere safe (a password manager or an offline note): without them you cannot update the policy or the database, and there is no recovery path.

Proceed by pressing (TAB) to highlight the (Ok) selection and hit enter to continue the installation set-up.

Enter the site passphrase:

Re-enter the site passphrase:

The same "two keys" message is shown again, this time for the local passphrase.

Proceed by pressing (TAB) to highlight the (Ok) selection and hit enter to continue the installation set-up.

Enter the local passphrase:

Re-enter the local passphrase:

At this point, you should receive a message saying Tripwire has been installed.

Congratulations, you have installed Tripwire. Now, continue to configure Tripwire.

How to Configure Tripwire

With the debconf prompts behind you, it is time to configure the basics of your Tripwire installation on Debian.

The package has already generated the site and local keys in /etc/tripwire. What remains is to tune the plain-text configuration and policy, sign them with the site key, and initialize the baseline database. Any text editor on Debian will do; this guide uses nano.

First, navigate to the directory of Tripwire.

cd /etc/tripwire/

Now bring up your (twcfg.txt) configuration file by executing the following command:

sudo nano twcfg.txt

The defaults are mostly fine; the one change recommended here is REPORTLEVEL=3 to REPORTLEVEL=4, the most verbose level, so that reports show the full details of every change. Once done, hit (CTRL+O) to save and then (CTRL+X) to exit.

Now sign the configuration, producing the tw.cfg file that tripwire actually reads, by executing the following terminal command:

sudo twadmin -m F -c tw.cfg -S site.key twcfg.txt

You will be prompted for your site passphrase.

Enter the passphrase and press the ENTER KEY.

Next, create a small Perl script (twpolmake.pl) that adapts the stock policy to this host: it sets HOSTNAME to the machine's real hostname and comments out rules for paths that do not exist on this system, which would otherwise produce "No such file or directory" noise in every report. Open it with nano:

sudo nano twpolmake.pl

Then enter the following code into your file:

#!/usr/bin/perl
# twpolmake.pl: read a Tripwire policy (twpol.txt) on stdin/argv, fix the
# HOSTNAME variable and comment out rules whose target path is absent or
# empty on this host. Output goes to stdout.
$POLFILE = $ARGV[0];

open(POL, "$POLFILE") or die "open error: $POLFILE";
my ($myhost, $thost);
my ($sharp, $tpath, $cond);
my ($INRULE) = 0;
my $ret;

while (<POL>) {
    chomp;
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        # Replace whatever HOSTNAME the template carries with the real one
        $myhost = `hostname`;
        chomp($myhost);
        if ($thost ne $myhost) {
            $_ = "HOSTNAME=\"$myhost\";";
        }
    }
    elsif (/^{/) {
        $INRULE = 1;          # entering a rule block
    }
    elsif (/^}/) {
        $INRULE = 0;          # leaving a rule block
    }
    elsif ($INRULE == 1 and ($sharp, $tpath, $cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        # $ret is non-zero if the rule was already commented out
        $ret = ($sharp =~ s/\#//g);
        if ($tpath eq '/sbin/e2fsadm') {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/;
        }
        if (! -s $tpath) {
            # Path missing or empty: comment the rule out unless it already was
            $_ = "$sharp#$tpath$cond" if ($ret == 0);
        }
        else {
            $_ = "$sharp$tpath$cond";
        }
    }
    print "$_\n";
}
close(POL);

Once complete, save the file (CTRL+O) and then exit the nano editor (CTRL+X).

Next, generate the host-specific policy and sign it. The > redirection below is performed by your shell, not by sudo, so the new file cannot be written into /etc/tripwire from an unprivileged shell. Switch to root with a login shell; the dash matters, because plain su keeps your user's PATH, which on Debian does not include /usr/sbin, where twadmin lives:

su -
cd /etc/tripwire

Then create the adapted policy text and sign it with the site key (you will be asked for the site passphrase):

perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new

If you get a "twadmin: command not found" error, you are in a shell without /usr/sbin on its PATH; call /usr/sbin/twadmin by its full path, or start over with su -. Type exit to drop root privileges when done.

Now create the baseline database. Tripwire hashes every object listed in the policy, so this may take a few minutes, and you will be prompted for the local passphrase:

sudo tripwire -m i -s -c /etc/tripwire/tw.cfg

The database is written to /var/lib/tripwire/<hostname>.twd; the name comes from the HOSTNAME variable in the policy. To display it, for example on a host named debian:

sudo twprint -m d -d /var/lib/tripwire/debian.twd

Later, once you have reviewed an integrity-check report and are satisfied that the changes it lists are legitimate (a package upgrade, for example), fold them into the database with update mode, which takes that report as input and asks for the local passphrase:

sudo tripwire -m u -c /etc/tripwire/tw.cfg -r /var/lib/tripwire/report/<report file name>.twr

Adding --accept-all skips the interactive review and accepts every change in the report. Use it only after reading the report: it will just as readily bless files an attacker modified.

Now, it’s a good idea to test the tripwire system by running it. Execute the command to do so:

sudo tripwire -m c -s -c /etc/tripwire/tw.cfg

Tripwire writes its reports to /var/lib/tripwire/report/, one file per run, named <hostname>-<date>.twr:

cd /var/lib/tripwire/report/ && ls

If you like to review any report located in the directory, use the following print command.

sudo twprint -m r -t 4 -r /var/lib/tripwire/report/<report file name>.twr

How to Verify Tripwire on Debian

Now that Tripwire is installed and configured, run a quick test to confirm that it really detects changes: create a few files and check that the next run reports them. The files must be under a path your policy covers; anything outside the paths listed in twpol.txt is not monitored and will not appear in the report. For example, if /etc is covered by your policy:

sudo touch /etc/test1 /etc/test2 /etc/test3

Then run an interactive check:

sudo tripwire --check --interactive

If everything is working, the report lists the three files as added. Interactive mode then opens the report in your editor; each change has a ticked box ([x]) next to it, and changes left ticked are written into the database when you save and enter the local passphrase. Untick a change to leave the database as it was. Delete the test files afterwards; if you accepted them into the database, the following check will report them as removed.

Note that you can also check the generated reports at any given time by executing the following command.

sudo twprint --print-report --twrfile /var/lib/tripwire/report/<report file name>.twr

How to Setup Cronjob Report

Debian's tripwire package already installs /etc/cron.daily/tripwire, which runs a daily integrity check and mails the result to root. If you want checks more often than daily, add your own entry to root's crontab:

sudo crontab -e

Pick the schedule you want. If unsure of the crontab syntax, use Crontab.Guru.

Run every 12 hours example:

00 */12 * * * /usr/sbin/tripwire --check

Whatever the check prints is mailed to root by cron (provided a mail transport is installed), and the report itself is stored in /var/lib/tripwire/report/ regardless.
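As an added example (not part of the original page or of the Tripwire package), here is a small wrapper you could run from cron instead of calling tripwire directly. It runs the check silently and prints a summary, so that cron mails root, only when the check's exit status is non-zero, and it points at the newest report to review. The script name /usr/local/sbin/tripwire-cron.sh and the TRIPWIRE, TWCFG and REPORTDIR variables are this example's own choices; the exit-status bits (1 added, 2 removed, 4 changed, 8 error) follow tripwire(8), so confirm them against the man page of your version.

```sh
#!/bin/sh
# tripwire-cron.sh (example wrapper, not shipped with Tripwire): run an
# integrity check from cron and produce output, hence cron mail to root,
# only when something needs a look.
# Exit-status bits of `tripwire --check` as documented in tripwire(8):
#   1 = files added, 2 = files removed, 4 = files changed, 8 = error.
TRIPWIRE=${TRIPWIRE:-/usr/sbin/tripwire}
TWCFG=${TWCFG:-/etc/tripwire/tw.cfg}
REPORTDIR=${REPORTDIR:-/var/lib/tripwire/report}

# describe_status STATUS -> "clean" or the names of the set bits
describe_status() {
    st=$1
    if [ "$st" -eq 0 ]; then
        echo clean
        return 0
    fi
    out=""
    [ $((st & 1)) -ne 0 ] && out="${out}added "
    [ $((st & 2)) -ne 0 ] && out="${out}removed "
    [ $((st & 4)) -ne 0 ] && out="${out}changed "
    [ $((st & 8)) -ne 0 ] && out="${out}error "
    echo "${out% }"
}

# latest_report -> path of the newest .twr file in REPORTDIR, or empty
latest_report() {
    ls -t "$REPORTDIR"/*.twr 2>/dev/null | head -n 1
}

# run_check: run the check silently; on a non-zero status print a one-line
# summary plus the twprint command to review the report. Returns the
# tripwire exit status so callers can still branch on it.
run_check() {
    if [ ! -x "$TRIPWIRE" ]; then
        echo "tripwire: $TRIPWIRE is not executable"
        return 8
    fi
    if "$TRIPWIRE" -m c -s -c "$TWCFG" >/dev/null 2>&1; then
        st=0
    else
        st=$?
    fi
    if [ "$st" -ne 0 ]; then
        report=$(latest_report)
        printf 'tripwire: %s; report: %s\n' "$(describe_status "$st")" "${report:-none}"
        printf 'review with: twprint -m r -t 4 -r %s\n' "${report:-<report>}"
    fi
    return "$st"
}

case "${1:-}" in
    --run) run_check ;;
esac
```

Install it as /usr/local/sbin/tripwire-cron.sh (mode 0755) and schedule it with, for example, 00 */12 * * * /usr/local/sbin/tripwire-cron.sh --run; a clean run produces no mail, a run with violations mails the summary and the exact twprint command to read the report.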

Comments and Conclusion

Attackers who compromise a host usually plant trojans, backdoors and modified system files to keep their access. Tripwire does not prevent that, but it makes it visible: it records checksums and attributes (size, mtime, ctime, inode and so on) of the files and directories named in the policy, stores them in a database signed with the local key, and on each check compares the live system against that baseline, reporting anything added, removed or changed. That baseline is only as trustworthy as the system it was taken on, which is why the database should be initialized right after installation, before the host is exposed to anything.


