How to Install Tripwire IDS on Debian 11/10

Intrusion detection is a crucial element of any defense strategy in today’s online world. Tripwire IDS is a reliable intrusion detection system that can help to identify changes made to specified files and directories. Tripwire IDS can detect intrusions and raise an alert by analyzing operating systems and applications, resource utilization, and other system activity. This allows organizations to take immediate action to mitigate the threat and protect their data. In addition, Tripwire IDS provides a comprehensive report of all changes made to the monitored system, allowing organizations to track down the source of the intrusion and prevent future attacks.

The following tutorial will teach you how to install Tripwire IDS on your Debian 11/10/Sid desktop or server using the command line terminal and first-time configuration set-up, which shows step-by-step instructions with screenshots to get you started.

Important Notice

The following tutorial was done with a Debian 11 Bullseye release and example images taken, but it was tested on Debian Buster and Sid. In the future, if Debian makes any changes to break the tutorial for one of the distribution versions, please place a comment for me to investigate so I can update the tutorial.

Recommended Steps Before Installation

Before proceeding with the tutorial, it is good practice to ensure your system is up to date with all existing packages.

sudo apt update

Optionally, you can list the updates for users who require review or are curious.

sudo apt list --upgradable

Proceed to upgrade any outdated packages using the following command.

sudo apt upgrade

Install Tripwire on Debian Linux

Tripwire is a default package in Debian’s repositories, making it ideal and easy to install using the following command.

sudo apt install tripwire -y

As the installation begins, a Tripwire configuration screen pops up explaining that the software uses a pair of keys to sign its files so that tampering can be detected. For a brief moment during the installation these keys could be exposed to an attacker if your system is already heavily compromised, so make sure your network is secure.

Proceed by pressing (TAB) to highlight the (Ok) selection and hit enter to continue the installation.

Example:

The next screen prompts you to create a site key passphrase now or later; this should be done during the set-up.

Select <Yes> to create a site key passphrase to continue installing.

Example:

Another warning message arises about the potential for the keys to be intercepted for a brief moment during the installation. Again, make sure your network is secure and take steps to confirm it. This is only a problem on large networks where local users may sniff traffic.

Proceed by pressing (TAB) to highlight the (Ok) selection and hit enter to continue the installation set-up.

On the next screen, you are prompted to create a local key passphrase now or later, which should be done during the set-up. Note that this is separate from the site key passphrase and should not be identical.

Select <Yes> to create a local key passphrase to continue installing.

Example:

In the next part, you rebuild the Tripwire configuration file.

Select <Yes> to rebuild the configuration file and continue installing.

Example:

By now you will have noticed a common theme: more warning messages. This one explains where Tripwire keeps its policy describing the attributes of the monitored files and how changes to that policy are handled.

Proceed by pressing (TAB) to highlight the (Ok) selection and hit enter to continue the installation set-up.

Example:

Rebuild the Tripwire policy file.

Select <Yes> to rebuild the policy file and continue installing.

Example:

The following message window informs you that Tripwire uses two different keys for authentication, which you may have noticed by now. Be sure to record these passphrases somewhere safe.

Proceed by pressing (TAB) to highlight the (Ok) selection and hit enter to continue the installation set-up.

Example:

Enter the site passphrase:

Example:

Re-enter the site passphrase:

Example:

This is the same "Tripwire uses two different keys" message again, now shown for the local passphrase rather than the site passphrase.

Proceed by pressing (TAB) to highlight the (Ok) selection and hit enter to continue the installation set-up.

Example:

Enter the local passphrase:

Example:

Re-enter the local passphrase:

Example:

At this point, you should receive a message saying Tripwire has been installed.

Example:

Congratulations, you have installed Tripwire. Now, continue to configure Tripwire.

Configure Tripwire on Debian Linux

The long journey of never-ending pop-ups is complete, and it’s time for you to configure the basics of your Tripwire installation on your Debian operating system.

The first thing you need to do is generate Tripwire keys and initialize the database. You can use any text editor on Debian to configure Tripwire. For the guide, we will use nano.

First, navigate to the directory of Tripwire.

cd /etc/tripwire/

Now bring up your (twcfg.txt) configuration file by executing the following command:

sudo nano twcfg.txt

Example:

The default settings are mostly fine here; the one change to make is the default (REPORTLEVEL=3) to (REPORTLEVEL=4). Once done, hit (CTRL+O) to save and then (CTRL+X) to exit.

Now you will generate a new configuration file by executing the following terminal command:

sudo twadmin -m F -c tw.cfg -S site.key twcfg.txt

You will be prompted for your site passphrase.

Enter the passphrase and press the ENTER KEY.

Example output:

Using the nano text editor, you will create the following file (twpolmake.pl) to optimize the Tripwire policy.

sudo nano twpolmake.pl

Then enter the following code into your file:

#!/usr/bin/perl
# twpolmake.pl: rewrite the Tripwire policy so that HOSTNAME matches this
# machine and rules for paths that do not exist here are commented out.
# Usage: perl twpolmake.pl twpol.txt > twpol.txt.new
use strict;
use warnings;

my $POLFILE = $ARGV[0] or die "usage: $0 twpol.txt\n";

open(POL, "<", $POLFILE) or die "open error: $POLFILE";
my ($myhost, $thost);
my ($sharp, $tpath, $cond);
my $INRULE = 0;
my $ret;

while (<POL>) {
    chomp;
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        # Replace the policy's HOSTNAME with the real hostname of this machine.
        $myhost = `hostname`;
        chomp($myhost);
        if ($thost ne $myhost) {
            $_ = "HOSTNAME=\"$myhost\";";
        }
    }
    elsif (/^\{/) {
        $INRULE = 1;    # entering a rule block
    }
    elsif (/^\}/) {
        $INRULE = 0;    # leaving a rule block
    }
    elsif ($INRULE == 1 and ($sharp, $tpath, $cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        # $ret is 1 if the rule was already commented out, 0 otherwise.
        $ret = ($sharp =~ s/\#//g) || 0;
        if ($tpath eq '/sbin/e2fsadm') {
            # Comment out the trailing tune2fs part of this rule's condition.
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/;
        }
        if (! -s $tpath) {
            # Path missing (or empty): comment the rule out so the check does not fail on it.
            $_ = "$sharp#$tpath$cond" if ($ret == 0);
        }
        else {
            $_ = "$sharp$tpath$cond";
        }
    }
    print "$_\n";
}
close(POL);

Once complete, save the file (CTRL+O) and exit the nano editor (CTRL+X).

Next, if you are using sudo, you will need to switch to the root account, or you cannot continue.

su

Now create the policy file using the following two commands.

perl twpolmake.pl twpol.txt > twpol.txt.new
sudo twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new

Note that twadmin may require the sudo command if you face a twadmin not found error.

Example output:

You will create a new Tripwire database by executing the following command in your terminal.

sudo tripwire -m i -s -c tw.cfg

Note, to display the generated database, use the following command:

sudo twprint -m d -d /var/lib/tripwire/debian.twd

Note that this may take a few minutes.

To keep the tripwire IDS database you created up to date, execute the following command:

sudo tripwire --update --accept-all

Example output:

Now, it’s a good idea to test the Tripwire system by running an integrity check. Execute the following command to do so:

sudo tripwire -m c -s -c /etc/tripwire/tw.cfg

Tripwire files its reports in the default location (/var/lib/tripwire/report/).

cd /var/lib/tripwire/report/ && ls

If you would like to review any report located in that directory, use the following print command.

sudo twprint -m r -t 4 -r /var/lib/tripwire/report/<report file name>.twr

Verify Tripwire on Debian Linux

Now that you have installed and configured your Tripwire system, it’s best to do some quick tests to ensure it is working correctly. The ideal way is to create a few files and run Tripwire to confirm it detects them.

First, create some files:

sudo touch test1 test2 test3

The next step is to run Tripwire to make sure it successfully detects the new files:

sudo tripwire --check --interactive

You should see the newly created files if you have no errors in your Tripwire IDS.

Example:

Note that you can also check the generated reports at any time by executing the following command.

sudo twprint --print-report --twrfile /var/lib/tripwire/report/<report file name>.twr

How to Setup Cronjob Report

Type the following command to set up a cron job that runs the report automatically at the desired times.

sudo crontab -e

Now choose the time you want your report to run. If unsure how to set a time, use Crontab.Guru.

Run every 12 hours example:

00 */12 * * * /usr/sbin/tripwire --check

The reports will be generated and stored in (/var/lib/tripwire/report/).
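The check, report and cron steps above can be tied together in one wrapper. The script below is an added example, not part of the tutorial or the Tripwire project: it runs the integrity check, decodes the exit status, and prints the newest report at level 4 only when something was added, removed or changed. It assumes the exit-status bitmask documented in tripwire(8) (1 = added, 2 = removed, 4 = changed, 8 = error) and the tutorial's default paths; TW_BIN, TWPRINT_BIN and REPORT_DIR are hypothetical names used only here.

```shell
#!/bin/sh
# Added example, not part of the tutorial: a cron-friendly wrapper around
# `tripwire --check` that decodes the exit status and prints the newest
# report only when something was added, removed or changed.
# Assumes the exit-status bitmask documented in tripwire(8):
#   1 = files added, 2 = files removed, 4 = files changed, 8 = error.
TW_BIN="${TW_BIN:-/usr/sbin/tripwire}"
TWPRINT_BIN="${TWPRINT_BIN:-/usr/sbin/twprint}"
REPORT_DIR="${REPORT_DIR:-/var/lib/tripwire/report}"

# Translate a tripwire --check exit status into a space-separated list of
# violation kinds. Returns non-zero when the error bit (8) is set.
tw_decode_status() {
    st=$1
    out=""
    [ $((st & 1)) -ne 0 ] && out="${out}added "
    [ $((st & 2)) -ne 0 ] && out="${out}removed "
    [ $((st & 4)) -ne 0 ] && out="${out}changed "
    [ $((st & 8)) -ne 0 ] && out="${out}error "
    printf '%s' "${out% }"
    [ $((st & 8)) -eq 0 ]
}

# Newest .twr file in REPORT_DIR (tripwire names them <hostname>-<date>.twr).
tw_latest_report() {
    ls -t "$REPORT_DIR"/*.twr 2>/dev/null | head -n 1
}

# Run the integrity check; on violations print the report at level 4 (the
# level the tutorial uses) and pass tripwire's status through to cron.
tw_cron_check() {
    "$TW_BIN" --check >/dev/null 2>&1
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "tripwire: no integrity violations"
        return 0
    fi
    kinds=$(tw_decode_status "$rc") || true
    echo "tripwire: check exited $rc ($kinds)"
    report=$(tw_latest_report)
    [ -n "$report" ] && "$TWPRINT_BIN" -m r -t 4 -r "$report"
    return "$rc"
}

# Run the check only when invoked with "run"; otherwise just define functions.
[ "${1:-}" = "run" ] && tw_cron_check
```

Save it as, for example, /usr/local/sbin/tripwire-check.sh (a hypothetical path), make it executable, and point the crontab entry at `/usr/local/sbin/tripwire-check.sh run` instead of calling tripwire directly; cron will then mail the decoded status and report only when a check reports violations.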
