How to Install Tripwire Intrusion Detection System on Debian 11
Tripwire is an Intrusion Detection System. It monitors the server's filesystem and detects unauthorized changes to files and directories.
This guide shows you how to install Tripwire, configure a basic list of files to monitor for changes, and automate the Tripwire filesystem scan.
This guide is for Open Source Tripwire; do not confuse Open Source Tripwire with the commercial version of Tripwire, which is a different software package.
Prerequisites
- Deploy a Debian 11 cloud server at Vultr.
- Update the server.
- Create a non-root user with sudo privileges.
- Log in to your server as the non-root user.
1. Install Tripwire
Install Tripwire.
$ sudo apt-get update
$ sudo apt-get install tripwire
During installation, you are prompted to create site keys and local keys. Select No at both prompts; you will generate the keys manually in the next step.
2. Generate Keys
Tripwire's policy, database, and configuration files are signed by site keys and local keys, which are protected by passphrases. This ensures that your Tripwire configuration cannot be changed without the passphrase.
Make sure you choose memorable and secure passphrases for both keys. You will need them whenever you edit the Tripwire policy or configuration.
Generate the local key.
$ sudo twadmin --generate-keys -L /etc/tripwire/tripwire-local.key
Generate the site key.
$ sudo twadmin --generate-keys -S /etc/tripwire/tripwire-site.key
3. Configure Tripwire
Edit the Configuration File
Open the configuration file /etc/tripwire/twcfg.txt and edit the following lines to include your site and local keys:
SITEKEYFILE =/etc/tripwire/tripwire-site.key
LOCALKEYFILE =/etc/tripwire/tripwire-local.key
Use twadmin to sign the edited configuration file.
$ sudo twadmin --create-cfgfile -S /etc/tripwire/tripwire-site.key /etc/tripwire/twcfg.txt
Tripwire prompts you to enter the site key's passphrase. It then saves the signed configuration file to /etc/tripwire/tw.cfg.
If you make changes to the configuration file in the future, you must re-sign it with the site key.
Create a Policy File
The policy file specifies which directories and files will be monitored for changes. A default policy is provided with Tripwire, but it is complex. You will create a basic policy for this guide which only monitors the /etc directory.
Move the default policy to a different file.
$ sudo mv /etc/tripwire/twpol.txt /etc/tripwire/twpol.old.txt
Create a new policy file called /etc/tripwire/twpol.txt and add the following rule to it:
/etc -> $(ReadOnly);
This rule tells Tripwire to scan the entire /etc directory, and to treat the files inside as read-only.
Sign the policy file using the site key.
$ sudo twadmin --create-polfile -S /etc/tripwire/tripwire-site.key /etc/tripwire/twpol.txt
Tripwire prompts you to enter the site key's passphrase. It then saves the signed policy file to /etc/tripwire/tw.pol.
If you make changes to the policy file in the future, you must re-sign it with the site key.
4. Initialize Tripwire
Tripwire maintains a database of files, which it uses to run checks. Whenever you edit a policy, you should re-generate the database.
Generate the initial Tripwire database.
$ sudo tripwire --init
Tripwire prompts you to enter the local key's passphrase.
5. Run a Tripwire Check
You are now ready to run a filesystem check.
$ sudo tripwire --check -r report.twr
Tripwire generates a filesystem report and saves it as report.twr in your current working directory. It also outputs a plain text version of the report to the terminal. You should see in the Rule Summary section that no files have been added, removed, or modified.
To test your policy, create a new file in the /etc directory.
$ sudo touch /etc/test.txt
Re-run the Tripwire check.
$ sudo tripwire --check -r report.twr
You should now see that Tripwire detects the file /etc/test.txt, and lists it in the report.
You can now update the Tripwire database to include the new file, which will prevent it from appearing on future reports.
$ sudo tripwire --update -a -r report.twr
Optional: Automate Tripwire Checks using Cron
Cron is a task scheduler that is used to run programs automatically.
Edit the root crontab file.
$ sudo crontab -u root -e
Add the following line, which will run hourly Tripwire checks on the server.
0 * * * * /usr/sbin/tripwire --check
Cron sends the command output to the mail file /var/mail/mail. Tripwire stores the reports it generates in /var/lib/tripwire/report/, which you can use to update the Tripwire database.
You can learn more about using cron to schedule tasks in this Vultr Docs article.
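As an added example (not part of the original guide), a small POSIX shell wrapper for the cron job above: it keeps the plain-text output of tripwire --check, reads the Total violations found line from the Rule Summary, and returns non-zero only when something was added, removed, or modified, so a quiet check produces no noise. The function names, the log path, and the sample report text are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original guide: decide from the plain-text
# report that `tripwire --check` prints whether any violations were found.
# Function names and the log path below are hypothetical.

# Print the "Total violations found" count from a plain-text report on stdin.
# Prints 0 if the line is absent (e.g. the check aborted before the summary).
violations_in_report() {
    awk '/^Total violations found:/ { n = $4 }
         END { print (n == "" ? 0 : n) }'
}

# Wrapper for the hourly cron line in the guide: run the check, keep the
# text output, and return non-zero only when violations were reported.
tripwire_cron_check() {
    log=${1:-/var/log/tripwire-check.log}   # assumed log location
    /usr/sbin/tripwire --check > "$log" 2>&1
    count=$(violations_in_report < "$log")
    if [ "$count" -gt 0 ]; then
        echo "tripwire: $count violation(s) found, see $log" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the Rule Summary section in the layout that
# `tripwire --check` prints, after the /etc/test.txt test from the guide.
SAMPLE_REPORT='
===============================================================================
Rule Summary:
===============================================================================

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* Rule Name (/etc)                0                 1        0        0

Total objects scanned:  1523
Total violations found:  1
'
```

Calling tripwire_cron_check from the crontab entry instead of the bare command lets cron mail you only on a non-zero exit if you redirect stdout elsewhere, while the full report stays in the log file.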
Next Steps
Now that you have installed and configured Tripwire, you should consider which other files on your server need to be monitored for changes and add them to the policy file. You can learn how to write more advanced policies and find examples on the Tripwire GitHub repository.