Multiple things must be done to effectively secure your Linux server, and using Tripwire is one of them. Tripwire records a baseline of the important files on your system (hashes, permissions, ownership and so on) and reports any file that no longer matches it. It's a good tool in theory, but to be useful you must learn to configure it and use it properly.
Installation (the easy part):
sudo aptitude install tripwire
Voilà! That's it, just follow the on-screen menus. You'll need to enter (and remember) two passphrases: the site passphrase, which signs the policy and configuration files, and the local passphrase, which signs the database and the reports. For added security, use two different ones, as long and complex as possible. Why not use phrases that are easy to remember, like "Bi2clycle0ridesare4fun!"
Configuration (the important part):
The beauty with Debian packages is that everything is installed and pre-configured so it works out of the box (so to speak). For Tripwire, a default configuration is installed and (if anacron is also installed) a cron job will mail its report daily to the root user. But you'll find that some files the default policy monitors don't exist, or change daily (or more often) even on a perfectly sane system. If you keep it like that, you'll just get used to seeing errors and won't notice the important ones.
You'll find the plain-text policy file at /etc/tripwire/twpol.txt. If it's not there, just regenerate it from the signed policy (tw.pol):
sudo -i
/usr/sbin/twadmin -m p > /etc/tripwire/twpol.txt
exit
Compare it with the output of:
sudo tripwire --check
In twpol.txt, comment out the entries that --check reports as non-existent ("No such file or directory" in the Error Report section), and the directories that you know will always change (like /var/log). Once you're satisfied, run:
sudo /usr/sbin/twadmin -m P /etc/tripwire/twpol.txt
sudo /usr/sbin/tripwire -m i
to sign the new policy (you'll be asked for the site passphrase) and rebuild the database against it (local passphrase).
Redo the --check and the configuration until you're satisfied (you should get down to 0 errors reported). For safety, you can now delete the twpol.txt file: the signed /etc/tripwire/tw.pol is what Tripwire actually reads, the plain text only tells whoever reads it exactly which files are (and are not) watched, and you can regenerate it at any time with the twadmin -m p command above.
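The pruning step above (comment out what --check says is missing, plus the directories that always change) is tedious to do by hand on a long policy. The following script automates it; it is an added example, not code from the original post or from the Tripwire project. It assumes a text report whose Error Report section looks like Tripwire's ("Filename: /path" followed by "No such file or directory"); both the report excerpt and the policy fragment below are constructed, and the function names (missing_files, comment_out, count_commented) are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): automate the pruning step.
# Given the text report of "tripwire --check" and the plain-text policy,
# comment out every policy entry whose object the report says does not
# exist, plus any extra paths passed on the command line (directories that
# always change). All data below is constructed so it runs without Tripwire.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed excerpt modelled on the "Error Report" section of a check
# report; the file names are examples, not results from a real system.
cat > "$WORK/report.txt" <<'EOF'
===============================================================================
Error Report:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

1.   File system error.
     Filename: /usr/sbin/fixrmtab
     No such file or directory
-------------------------------------------------------------------------------

2.   File system error.
     Filename: /root/.bash_profile
     No such file or directory
-------------------------------------------------------------------------------
EOF

# Constructed policy fragment in twpol.txt syntax (rule names are made up).
cat > "$WORK/twpol.txt" <<'EOF'
(
  rulename = "Root config files",
  severity = $(SIG_HI)
)
{
  /root                  -> $(SEC_CRIT) ;
  /root/.bash_profile    -> $(SEC_CONFIG) ;
  /root/.bashrc          -> $(SEC_CONFIG) ;
}
(
  rulename = "System boot changes",
  severity = $(SIG_HI)
)
{
  /usr/sbin/fixrmtab     -> $(SEC_CONFIG) ;
  /var/log               -> $(SEC_CONFIG) ;
}
EOF

# missing_files REPORT: print each path the report flags with
# "No such file or directory", one per line.
missing_files() {
    awk '/^[ \t]*Filename: / { f = $2 }
         /No such file or directory/ { if (f != "") print f; f = "" }' "$1"
}

# comment_out POLICY OUT PATH...: copy POLICY to OUT, prefixing "#" to each
# object line ("/path -> $(MASK) ;") whose path is one of the PATHs.
# Only the exact object matches, so "/root" stays while "/root/.bash_profile"
# goes. The path list is fed to awk on stdin ("-") and read first (NR == FNR).
comment_out() {
    policy=$1; out=$2; shift 2
    printf '%s\n' "$@" | awk 'NR == FNR { skip[$0] = 1; next }
        /^[ \t]*\/[^ \t]*[ \t]+->/ && ($1 in skip) { $0 = "#" $0 }
        { print }' - "$policy" > "$out"
}

# count_commented FILE: number of lines that are commented out.
count_commented() { grep -c '^#' "$1"; }

# Demo: prune what the report flagged, plus /var/log, which always changes.
comment_out "$WORK/twpol.txt" "$WORK/twpol.new" \
    $(missing_files "$WORK/report.txt") /var/log
cat "$WORK/twpol.new"
```

Review the resulting file before feeding it to twadmin -m P: an entry that is missing today because a package is not installed yet should stay in the policy, not be commented out for good. Paths containing whitespace would need quoting that this simple version does not handle.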
Using (the essential part):
OK, Tripwire is installed and configured properly, it monitors your important files/directories and mails you reports every day. Eventually, files will change and Tripwire will report errors. Most of the time those will be known and accepted changes, and we must tell Tripwire that we accept them or it will continue to report the same errors forever.
First, take a look at the report you received or run (and read):
sudo tripwire --check
If everything is OK, run the following command:
sudo tripwire -m u -Z low -r /var/lib/tripwire/report/hostname-timestamp.twr
The hostname is the one returned by the hostname command, and the timestamp has the form yyyymmdd-hhmmss (e.g. superserver.com-20101212-200745.twr). Choose the latest one, the one that was just created when you ran the --check command. This opens the report in an editor; each proposed change is preceded by a ballot box [x]: leave the x to accept the change into the database, delete it to refuse the change (the old entry is kept and will be reported again next time). If you have already read the report and everything is OK, just quit the editor (:quit), enter your local passphrase, and Tripwire will update its database and be ready to report any new changes from now on (but not the old ones).
So remember:
- Install Tripwire
- Configure it properly
- Make sure it mails you a daily report
- Read it (daily)
- If all is OK, update the database.