How to set up Tripwire on CentOS
Tripwire is a software application that provides data integrity and security for Linux-based operating systems by monitoring changes in certain system files. The open source version is available for free, although it isn't included with Red Hat Enterprise Linux (RHEL). The commercial version of Tripwire is part of the TriSentry suite of security tools available from www.psionic.com. Once Tripwire is downloaded and installed, it needs to be configured for its environment. After being initialized, Tripwire can be started from the command line.
DIFFICULTY | Basic - 1 | Medium - 2 | Advanced - 3 |
TIME REQUIRED | 30 min |
RELATED PRODUCTS | CentOS-based VPS or dedicated servers |
Install Tripwire
Move to the /tmp directory:
Download the appropriate distribution package for your system. The following wget command downloads the latest version of Tripwire for a 64-bit Linux system:
Install Tripwire with this rpm command:
The most common configuration changes for Tripwire deal with sending reports, since email support isn't enabled by default. Modify /etc/tripwire/twcfg.txt to deliver email reports for your environment. Assume for this example that you have a central host named localhost that will send Tripwire reports for you. Change the line that reads "MAILMETHOD =SENDMAIL" to read "MAILMETHOD =SMTP". Add a line below that one that reads "SMTPHOST =localhost".
Edit /etc/tripwire/twpol.txt to provide email reports as needed for each rule. These rules generally begin with lines similar to the following:
severity = $(SIG_HI)
Add a comma to the end of the severity line above if it's not already present. Add another line below it to provide your email address as follows:
This section should now appear as follows:
severity = $(SIG_HI),
emailto = yourname@yourdomain.com
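The two edits described above can be scripted so they are repeatable and safe to re-run. This is an added example, not part of the original article: the function names set_smtp and add_emailto and the sample file contents are constructed, and the demo works on copies in a temporary directory rather than on /etc/tripwire.

```shell
#!/bin/sh
# Added example (not from the original article). Function names and the
# sample file contents below are constructed for illustration.

# set_smtp FILE HOST: switch MAILMETHOD to SMTP and set SMTPHOST in twcfg.txt.
set_smtp() {
    awk -v host="$2" '
        /^[ \t]*SMTPHOST[ \t]*=/   { next }     # old value is replaced below
        /^[ \t]*MAILMETHOD[ \t]*=/ {
            print "MAILMETHOD =SMTP"; print "SMTPHOST =" host; done = 1; next }
        { print }
        END { if (!done) { print "MAILMETHOD =SMTP"; print "SMTPHOST =" host } }
    ' "$1" > "$1.new" && cat "$1.new" > "$1" && rm -f "$1.new"  # keeps file mode
}

# add_emailto FILE ADDR: add "emailto = ADDR" after each rule "severity ="
# line in twpol.txt, unless an emailto line already follows it.
add_emailto() {
    awk -v addr="$2" '
        function flush(more) {      # more is "," when other attributes follow
            sub(/[ \t]*,?[ \t]*$/, ",", held)    # exactly one trailing comma
            print held
            print indent "emailto = " addr more
            held = ""
        }
        held != "" {
            if ($0 ~ /^[ \t]*emailto[ \t]*=/) { print held; held = "" }
            else flush(($0 ~ /^[ \t]*\)/) ? "" : ",")
        }
        /^[ \t]*severity[ \t]*=/ {
            held = $0; indent = $0; sub(/severity.*/, "", indent); next
        }
        { print }
        END { if (held != "") flush("") }
    ' "$1" > "$1.new" && cat "$1.new" > "$1" && rm -f "$1.new"
}

# Demo on constructed sample files in a scratch directory.
demo_dir=$(mktemp -d)
printf 'EDITOR =/bin/vi\nMAILMETHOD =SENDMAIL\n' > "$demo_dir/twcfg.txt"
printf '(\n  rulename = "Tripwire Binaries",\n  severity = $(SIG_HI)\n)\n' > "$demo_dir/twpol.txt"
set_smtp "$demo_dir/twcfg.txt" localhost
add_emailto "$demo_dir/twpol.txt" yourname@yourdomain.com
cat "$demo_dir/twcfg.txt" "$demo_dir/twpol.txt"
```

Running either function a second time leaves the file unchanged, so the script can be applied to a host that has already been partly configured by hand.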
Create the key files
Enter the following command to generate the key files for your machine:
The above command will prompt you for a pass phrase for site key files, which you'll need to enter twice. You'll also provide a pass phrase for local key files by entering it twice. You'll then provide the appropriate pass phrase to generate the keys for the site and local key files.
Initialize the Tripwire database
The following command will initialize the Tripwire database:
Enter the local pass phrase when prompted. The initialization process will normally require at least several minutes and generate many warnings for missing files.
Start Tripwire
Start Tripwire with the following command line:
This command will perform an integrity check, after which you'll be prompted for your local pass phrase to write the database file.