How to Install and Configure Tripwire IDS on Ubuntu 16.04

By Hitesh Jethva, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud’s incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

Tripwire is a free, open source host-based Intrusion Detection System (IDS) that detects unauthorized filesystem changes over time. It does not watch the filesystem continuously; instead it records a baseline (a database describing the known-good state of every monitored object) and, on each check, compares the current state of the filesystem with that baseline. If the two differ, Tripwire reports the changed, added or removed objects. When a change is expected, such as upgrading a package, the baseline database is updated to the new known-good state. Both the baseline and the check are controlled by a policy file, which specifies which files and directories to monitor and which properties to compare for each of them, such as content hashes, file permissions, ownership, size and modification time. A check therefore tells the system administrator exactly which files changed, so the change can be investigated and, if it was an intrusion, the system repaired.

In this tutorial, we will install and use Tripwire IDS on an Alibaba Cloud Elastic Compute Service (ECS) instance running Ubuntu 16.04.

Prerequisites

  1. A fresh Alibaba Cloud Ubuntu 16.04 instance.
  2. A static (public) IP address configured on the instance.
  3. Root access to the instance (a root password, or a user who can use sudo).

Launch Alibaba Cloud ECS Instance

First, log in to your Alibaba Cloud ECS Console. Create a new ECS instance, choosing Ubuntu 16.04 as the operating system with at least 2GB RAM. Connect to your ECS instance and log in as the root user.

Once you are logged into your Ubuntu 16.04 instance, run the following command to update your base system with the latest available packages.

Install Tripwire

Tripwire is packaged in the Ubuntu 16.04 repositories, so you can install it by running the following command:

During the installation, you will be prompted several times with various options.

First, Postfix, which is installed as a dependency so that Tripwire can send reports by mail, asks for its mail configuration type. Select Internet Site and click OK to continue the installation.

Next you are shown the Tripwire configuration notice. Click OK, and you will be taken to the site-key creation dialog.

Click Yes to create a site key.

Click Yes to rebuild the Tripwire configuration.

Click Yes to rebuild the Tripwire policy file. You should see the following page:

Provide a site-key passphrase and click OK. The site key signs the configuration and policy files; the local key, created in the next step, signs the database and the reports. Choose strong passphrases and keep them somewhere safe, because you will need them every time you rebuild the policy or update the baseline. You should see the following page:

Provide a local-key passphrase and click OK. Once the installation has completed, you should see the following page:

Configure Tripwire Policy

Before the first check, you need to initialize the Tripwire baseline database, which records the current state of every object covered by the policy. You can do this by running the following command:

You should see the following output:

The output contains a series of "No such file or directory" warnings: the stock policy references paths that do not exist on a minimal Ubuntu install. The warnings are harmless, but they add noise to every report, so to get rid of them you comment out those entries in the policy text and regenerate the signed policy file.

First, list all of the files and directories that do not exist by running the following command:

You should see all the files and directories in the following output:

Now, open the Tripwire policy text file, /etc/tripwire/twpol.txt, in an editor.

Comment out the lines as shown below:

Save and close the file when you are finished. Then recreate the signed policy file (/etc/tripwire/tw.pol) from the edited text with the following command:

Enter your site-key passphrase and press Enter.

Now, reinitialize the Tripwire database with the following command:

Enter your local-key passphrase. You should see the following output:
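The policy clean-up above, done as a script rather than by hand. This is an added example, not code from the original article: it comments out every twpol.txt rule whose target path is missing on the host, then re-signs the policy and rebuilds the baseline with the standard twadmin and tripwire commands. It assumes the Debian/Ubuntu file locations (/etc/tripwire/twpol.txt and /etc/tripwire/site.key) and the stock policy's layout of one "/path -> $(RULE) ;" entry per line with no spaces in paths; the function names and the --apply flag are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: silence Tripwire's
# "No such file or directory" warnings by commenting out policy rules
# whose target does not exist on this host, then re-sign the policy and
# rebuild the baseline. Assumes Ubuntu's stock /etc/tripwire/twpol.txt
# layout (one "/path -> $(RULE) ;" entry per line, no spaces in paths)
# and the default key location; function names and --apply are ours.

# Print the target path of a rule line such as "  /sbin -> $(SEC_BIN) ;".
# Prints nothing for comments, directives, variables and stop points ("!/x ;").
rule_path() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*\(\/[^[:space:]]*\)[[:space:]]*->.*$/\1/p'
}

# True when a path is absent. A dangling symlink counts as present, because
# Tripwire examines the link object itself rather than its target.
path_missing() {
    [ ! -e "$1" ] && [ ! -L "$1" ]
}

# Copy policy text $1 to $2, prefixing "#" to each rule whose path is missing;
# every other line (including stop points) is passed through unchanged.
disable_missing_paths() {
    src="$1"; dst="$2"
    : > "$dst"
    while IFS= read -r line || [ -n "$line" ]; do
        p=$(rule_path "$line")
        if [ -n "$p" ] && path_missing "$p"; then
            printf '#%s\n' "$line" >> "$dst"
        else
            printf '%s\n' "$line" >> "$dst"
        fi
    done < "$src"
}

# Dry run: how many rules in $1 would be disabled.
count_missing() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        p=$(rule_path "$line")
        if [ -n "$p" ] && path_missing "$p"; then n=$((n + 1)); fi
    done < "$1"
    echo "$n"
}

# On the host: back up the policy text, rewrite it, re-sign it with the site
# key (prompts for the site passphrase) and rebuild the database (prompts for
# the local passphrase). twadmin overwrites /etc/tripwire/tw.pol.
rebuild_policy_and_baseline() {
    pol="${1:-/etc/tripwire/twpol.txt}"
    cp "$pol" "$pol.bak"
    disable_missing_paths "$pol.bak" "$pol"
    twadmin --create-polfile --site-keyfile /etc/tripwire/site.key "$pol"
    tripwire --init
}

case "${1:-}" in
    --apply) rebuild_policy_and_baseline "${2:-}" ;;   # sh fix-twpol.sh --apply
esac
```

Run it once as root with --apply before the first check and keep twpol.txt.bak for review. Re-run count_missing after later package changes: a path that disappears afterwards produces the same warning, but a binary that vanishes from a directory you monitor is exactly what an IDS should flag, so investigate before commenting such an entry out.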

Check System Files

Now you can check the integrity of the monitored files against the baseline. You can do this with the following command:

You should see the following output with no errors:

Now, create some test files and a directory with the following command:

Next, check the system using Tripwire again:

The files and directory you just added should be listed as violations in the following output. When a reported change is legitimate, accept it into the baseline with tripwire --update against that report rather than re-running --init: re-initializing would also silently accept any change you have not reviewed.

Add New Rules for Apache

Next, create a new Tripwire rule for Apache named "Apache Ruleset" with severity $(SIG_HI), the high severity level, treating every file under the web root as critical, so that none of them may change.

First, open the Tripwire policy configuration file:

Add the following lines:

Save and close the file when you are finished. Then regenerate the signed policy file and reinitialize the Tripwire database with the following commands:

Now, try to create a new file test.html inside /var/www/html directory with the following command:

Next, check the system with the following command:

You should get a notification of a policy violation at severity level 100 (the value of SIG_HI in the stock policy) in the following output:

Set Up E-mail Notification

Tripwire's policy language includes an emailto rule attribute that mails a report to the given address whenever objects covered by that rule have changed. Before relying on it, confirm that Tripwire can deliver mail through the local MTA by sending a test message with the following command:

Now, check your mail with the following command:

You should see the following output:

If this test message arrives, mail delivery from Tripwire is working correctly.

Next, you will need to configure Tripwire to send E-mail notification for Apache. You can do this by editing /etc/tripwire/twpol.txt file:

Make the following changes:

Save the file. Then, regenerate the configuration and reinitialize the Tripwire database with the following command:

Next, create another new file inside the /var/www/html directory, then run a manual check that also emails the report.

Now, check your mail using the following command:

You should see the following output:

You can also configure cron to check the system every day and email you when the Apache rule is violated.

You can do this by editing /etc/crontab file:

Add the following line:

Save and close the file, then restart cron to apply the changes (cron re-reads /etc/crontab on its own when the file changes, so the restart is only a harmless safeguard):

Now a report will be emailed each day on which the rule is violated. Whether you also receive a mail on days without violations is governed by the MAILNOVIOLATIONS setting in the Tripwire configuration file (twcfg.txt).
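Here is the Apache rule, its emailto attribute and the daily check from the three sections above, put together as an added example rather than code from the original article. It assumes the Debian/Ubuntu paths (/etc/tripwire/twpol.txt, /etc/tripwire/site.key), the SEC_CRIT and SIG_HI variables that Ubuntu's stock twpol.txt defines, a working local MTA, and the hypothetical address admin@example.com; the function names, the /etc/cron.d/tripwire-check file and the --apply flag are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: append an "Apache Ruleset"
# stanza that treats the web root as critical and reports to one address,
# verify it with a deliberate violation, and schedule a daily check that
# mails the report. Assumes Ubuntu's stock twpol.txt (which defines
# SEC_CRIT and SIG_HI), the default key location, a working local MTA and
# the hypothetical address admin@example.com.

# Emit the policy stanza for a document root and a notification address.
# In the stock policy SEC_CRIT = $(IgnoreNone)-SHa: every property except
# the access time and the slower SHA/HAVAL hashes is compared, so a new,
# changed or deleted file under the web root is a violation at $(SIG_HI).
apache_ruleset() {
    docroot="$1"; email="$2"
    cat <<EOF
(
  rulename = "Apache Ruleset",
  severity = \$(SIG_HI),
  emailto = $email
)
{
  $docroot -> \$(SEC_CRIT) ;
}
EOF
}

# Append the stanza to the policy text once; a second run must not add a
# duplicate rule name, which twadmin would reject.
install_ruleset() {
    pol="$1"; docroot="$2"; email="$3"
    if grep -q 'rulename = "Apache Ruleset"' "$pol"; then
        return 0
    fi
    apache_ruleset "$docroot" "$email" >> "$pol"
}

# Cron entry: check at 00:00 every day and mail each rule's report to the
# address in its emailto attribute.
cron_line() {
    echo "0 0 * * * root /usr/sbin/tripwire --check --email-report"
}

# Write the entry as its own cron.d file instead of editing /etc/crontab.
install_cron() {
    cron_line > "${1:-/etc/cron.d/tripwire-check}"
}

# Full sequence on the ECS host; prompts for the site and local passphrases.
apply() {
    pol=/etc/tripwire/twpol.txt
    install_ruleset "$pol" /var/www/html admin@example.com
    twadmin --create-polfile --site-keyfile /etc/tripwire/site.key "$pol"
    tripwire --init
    tripwire --test --email admin@example.com      # confirms the mail path
    touch /var/www/html/test.html                  # deliberate violation
    tripwire --check --rule-name "Apache Ruleset" --email-report
    install_cron
}

case "${1:-}" in
    --apply) apply ;;   # sh apache-rule.sh --apply
esac
```

Ubuntu's tripwire package also ships /etc/cron.daily/tripwire, which runs its own daily check and mails the result to root; adjust or remove one of the two jobs so that you do not receive duplicate reports. After accepting the test.html violation with tripwire --update, remove the file so the baseline does not carry a stray page in the web root.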

Reference: https://www.alibabacloud.com/blog/how-to-install-and-configure-tripwire-ids-on-ubuntu-16-04_594498?spm=a2c65.12602046.0.0
