Tripwire: Difference between revisions
From charlesreid1
| Line 57: | Line 57: | ||
* <code>/etc/tripwire/site.key</code> - this is the automatically generated site key | * <code>/etc/tripwire/site.key</code> - this is the automatically generated site key | ||
=== | ===Policy and Config Files=== | ||
Note that the policy and configuration files that are created have two versions: the actual policy/config file (which is encrypted using the site key), and the plain text version. | |||
The automated installation has the default encrypted policy file at <code/etc/tripwire/tw.pol</code> and the plain text version at: | |||
<pre> | <pre> | ||
/etc/tripwire/ | /etc/tripwire/twpol.txt | ||
</pre> | </pre> | ||
The automated installation has the default encrypted config file at <code/etc/tripwire/tw.cfg</code> and the plain text version at: | |||
<pre> | |||
/etc/tripwire/twcfg.txt | |||
</pre> | |||
==Running== | ==Running== | ||
Revision as of 23:32, 5 March 2022
Overview
What is it?
Tripwire is an open-source program that monitors file integrity. It performs a check of the filesystem state against a known baseline state, and alerts on changes that are detected.
Tripwire can monitor file contents, but also permissions, ownership, or directories.
Installing
Tripwire is a bit of a pain to install in an automated way, because it wants to try and walk you through a few initial setup steps.
We cover automated installation below.
Manual Installation
Install Tripwire using aptitude, since it is present in the official Debian repositories:
sudo apt-get -y update sudo apt-get -y install tripwire
This will present several interactive prompts for the mulit-step setup process.
The steps are described on the Tripwire Readme: https://github.com/Tripwire/tripwire-open-source
Automated Installation
This SO answer gives some help, but this Unix SE answer is also needed. Here's the final incantation:
sudo DEBIAN_FRONTEND=noninteractive apt-get -y install tripwire
This should install tripwire with zero user intervention required.
Automated Setup Details
Some details about what happens and where things go when setup is automated...
Automated Key Creation
The Tripwire setup process sets up two different keys:
- site key - the key used to secure the configuration file (if the configuration file is compromised, all findings from tripwire are suspect); this can be used across multiple servers just as config files can be
- local key - the key used on each machine to run the binary (ensures binary does not run without owner's consent)
These keys can be protected with a passphrase if Tripwire is being set up manually, but the automated installation process will not put any passphrase in place.
Automated installation will put the keys here:
/etc/tripwire/HOSTNAME-local.key- this is the automatically generated local key/etc/tripwire/site.key- this is the automatically generated site key
Policy and Config Files
Note that the policy and configuration files that are created have two versions: the actual policy/config file (which is encrypted using the site key), and the plain text version.
The automated installation has the default encrypted policy file at <code/etc/tripwire/tw.pol and the plain text version at:
/etc/tripwire/twpol.txt
The automated installation has the default encrypted config file at <code/etc/tripwire/tw.cfg and the plain text version at:
/etc/tripwire/twcfg.txt
Running
The tripwire binary is just called tripwire
You're welcome
Getting Help
tripwire --help all
Flags
