How to Install Tripwire Intrusion Detection System on Debian 11

Updated on June 9, 2022

Tripwire is a host-based intrusion detection system. It takes a signed snapshot of the properties of selected files and directories (permissions, ownership, size, timestamps, content hashes) and, on each later check, reports any object that was added, removed, or modified since that snapshot.

This guide shows you how to install Tripwire, configure a basic list of files to monitor for changes, and automate the Tripwire filesystem scan.

This guide is for Open Source Tripwire; do not confuse Open Source Tripwire with the commercial version of Tripwire, which is a different software package.

Prerequisites

1. Install Tripwire

Install Tripwire.

$ sudo apt-get update
$ sudo apt-get install tripwire

During installation, you are prompted to create site keys and local keys. Select No at both prompts; you will generate the keys manually in the next step.

2. Generate Keys

Tripwire's configuration and policy files are signed with the site key, and its database and reports are signed with the local key. Each key is protected by a passphrase, so neither the policy nor the database can be altered without it. The site key is meant to be shared by all machines at a site; the local key belongs to this host only.

Choose a strong, memorable passphrase for each key. You will need the site passphrase whenever you edit the Tripwire policy or configuration, and the local passphrase whenever you initialize or update the database.

Generate the local key.

$ sudo twadmin --generate-keys -L /etc/tripwire/tripwire-local.key

Generate the site key.

$ sudo twadmin --generate-keys -S /etc/tripwire/tripwire-site.key

3. Configure Tripwire

Edit the Configuration File

Open the configuration file /etc/tripwire/twcfg.txt and edit the following lines to include your site and local keys:

SITEKEYFILE   =/etc/tripwire/tripwire-site.key
LOCALKEYFILE  =/etc/tripwire/tripwire-local.key

Use twadmin to sign the edited configuration file.

$ sudo twadmin --create-cfgfile -S /etc/tripwire/tripwire-site.key /etc/tripwire/twcfg.txt

Tripwire prompts you to enter the site key's passphrase. It then saves the signed configuration file to /etc/tripwire/tw.cfg.

Tripwire reads only the signed tw.cfg; the plain-text twcfg.txt is just your editable copy. If you make changes to it in the future, you must re-sign it with the site key, or Tripwire keeps using the old configuration.

4. Create a Policy File

The policy file specifies which directories and files are monitored for changes, and which properties of each are compared. A default policy is provided with Tripwire, but it is long and references many files that may not exist on your system, so it needs tuning before it is useful. You will create a basic policy for this guide which only monitors the /etc directory.

Move the default policy to a different file.

$ sudo mv /etc/tripwire/twpol.txt /etc/tripwire/twpol.old.txt

Create a new policy file called /etc/tripwire/twpol.txt and add the following rule to it:

/etc -> $(ReadOnly);

This rule tells Tripwire to scan the entire /etc directory recursively and to apply the predefined $(ReadOnly) property mask to every object in it. $(ReadOnly) reports any change to permissions, ownership, inode number, link count, file type, size, modification time, or content checksum, and ignores access time, so merely reading a file does not trigger a report. Files that legitimately change, such as /etc/resolv.conf on a DHCP-configured host, will appear as modified on every check until you exclude them from the policy or accept the change into the database.
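A policy closer to what you would run on a real server, added here as an example; it is not the guide's own policy nor the twpol.txt shipped with Open Source Tripwire. It keeps the /etc rule above, overrides it with a stricter mask for the files that matter most, excludes a file that changes legitimately, watches the system binaries and Tripwire's own keys and signed files, and treats log files as append-only with the predefined $(Growing) mask. The rule names, severities, and the SEC_CRIT and SEC_LOG variable names are arbitrary choices for this example. Debian 11 uses a merged /usr, so /bin, /sbin, and /lib are symlinks there and the binaries themselves live under /usr.

```text
# Constructed example policy for /etc/tripwire/twpol.txt (not the shipped default).
# $(ReadOnly), $(Growing) and $(IgnoreNone) are predefined property masks;
# SEC_CRIT and SEC_LOG are defined here.
SEC_CRIT = $(IgnoreNone) -SHa ;   # every property except SHA, Haval and access time
SEC_LOG  = $(Growing) ;           # size may grow; any other change is reported

(
  rulename = "System configuration",
  severity = 100
)
{
  /etc               -> $(ReadOnly) ;
  !/etc/resolv.conf ;               # rewritten by DHCP; not worth an alert
  /etc/passwd        -> $(SEC_CRIT) ;   # more specific rules win over /etc
  /etc/shadow        -> $(SEC_CRIT) ;
  /etc/sudoers       -> $(SEC_CRIT) ;
  /etc/tripwire      -> $(SEC_CRIT) ;   # keys, tw.cfg and tw.pol
}

(
  rulename = "System binaries and libraries",
  severity = 100
)
{
  /usr/bin   -> $(ReadOnly) ;
  /usr/sbin  -> $(ReadOnly) ;
  /usr/lib   -> $(ReadOnly) ;
}

(
  rulename = "Log files",
  severity = 33
)
{
  /var/log/auth.log -> $(SEC_LOG) ;
  /var/log/syslog   -> $(SEC_LOG) ;
}
```

Sign it with twadmin --create-polfile exactly as in the step below and re-initialize the database afterwards. Expect package upgrades to show up under the binaries rule and log rotation to show up under the log rule; those are the changes you review and then accept with tripwire --update.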

Sign the policy file using the site key.

$ sudo twadmin --create-polfile -S /etc/tripwire/tripwire-site.key /etc/tripwire/twpol.txt

Tripwire prompts you to enter the site key's passphrase. It then saves the signed policy file to /etc/tripwire/tw.pol.

If you make changes to the policy file in the future, you must re-sign it with the site key and then re-generate the database, because the database only contains the objects the policy selected when it was built.

5. Initialize Tripwire

Tripwire maintains a database of the objects covered by the policy, recording the properties each rule selects; every check compares the current filesystem against it. Whenever you edit the policy, re-generate the database so that it matches.

Generate the initial Tripwire database.

$ sudo tripwire --init

Tripwire prompts you to enter the local key's passphrase, because the database is signed with the local key. Build the database while the system is in a known-good state, ideally right after installation; a snapshot taken of an already compromised host only tells you what changes after the compromise.

6. Run a Tripwire Check

You are now ready to run a filesystem check.

$ sudo tripwire --check -r report.twr

Tripwire generates a filesystem report and saves it as report.twr in your current working directory. It also outputs a plain-text version of the report to the terminal. In the Rule Summary section, the Added, Removed, and Modified columns should all be 0, and the report should end with "Total violations found: 0".

To test your policy, create a new file in the /etc directory.

$ sudo touch /etc/test.txt

Re-run the Tripwire check.

$ sudo tripwire --check -r report.twr

You should now see that Tripwire detects the file /etc/test.txt and lists it as an added object in the report.

Once you have confirmed that a reported change is legitimate, update the Tripwire database to accept it, which prevents it from appearing on future reports. Only accept changes you can explain; accepting an unexplained change silently turns an attacker's modification into the new baseline.

$ sudo tripwire --update -a -r report.twr

The -a (--accept-all) option accepts every change in the report without review; omit it and Tripwire opens the report in an editor so you can deselect individual changes before they are accepted. Tripwire prompts you for the local key's passphrase, because the updated database is re-signed with the local key. If you later delete /etc/test.txt, the next check reports it as removed until you update the database again.

Optional: Automate Tripwire Checks using Cron

Cron is a task scheduler that runs programs automatically at set times. A check that runs only when you remember to run it is of little use; schedule it, and make sure its output reaches someone.

Edit the root crontab file.

$ sudo crontab -u root -e

Add the following line, which will run hourly Tripwire checks on the server.

0 * * * * /usr/sbin/tripwire --check

Cron mails the command output to the crontab owner, root, whose local mailbox is usually /var/mail/root; this only works if a local mail transfer agent is installed, and without one cron discards the output. Independently of that, Tripwire writes each report to /var/lib/tripwire/report/ (named after the host and the time of the check), and you can pass any of those reports to tripwire --update to accept the changes it lists.
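A small wrapper around the hourly job above, added here as an example; it is not part of this guide or of Tripwire itself. Instead of relying on cron's mail alone, it runs the check, keeps the signed report next to a plain-text copy rendered with twprint, reads the "Total violations found" line from that copy, logs the outcome to syslog, and exits non-zero only when there is something to review, so a failed or truncated report is never mistaken for a clean one. The script name tripwire-check.sh, the report directory, the syslog priorities, and the sample report excerpt are assumptions made for this example.

```shell
#!/bin/sh
# Cron wrapper for Open Source Tripwire (added example, not part of Tripwire).
# Assumed paths; tripwire-check.sh is a hypothetical name. Root's crontab line:
#   0 * * * * /usr/local/sbin/tripwire-check.sh run
set -eu

TRIPWIRE=${TRIPWIRE:-/usr/sbin/tripwire}
TWPRINT=${TWPRINT:-/usr/sbin/twprint}
REPORT_DIR=${REPORT_DIR:-/var/lib/tripwire/report}

# Print the integer after "Total violations found:" in a plain-text report
# (the output of `twprint --print-report`), or -1 if that line is missing.
violations_in_report() {
    awk -F: '
        /^Total violations found:/ { gsub(/[[:space:]]/, "", $2); print $2; found = 1 }
        END { if (!found) print "-1" }
    ' "$1"
}

# Run the check, keep the signed .twr report beside a plain-text copy, log the
# result to syslog, and return 1 when anything was added, removed or modified.
# The printed report reaches root by mail when a local MTA is installed.
run_check() {
    stamp=$(date +%Y%m%d-%H%M%S)
    report="$REPORT_DIR/$(hostname)-$stamp.twr"
    text="${report%.twr}.txt"

    # tripwire --check exits non-zero when it finds violations; the report is
    # what we inspect, so do not let set -e abort here.
    "$TRIPWIRE" --check -r "$report" >/dev/null 2>&1 || true
    "$TWPRINT" --print-report -r "$report" > "$text"

    n=$(violations_in_report "$text")
    if [ "$n" -lt 0 ]; then
        logger -p auth.err -t tripwire "could not parse report $text"
        return 2
    elif [ "$n" -eq 0 ]; then
        logger -t tripwire "check clean: $report"
        return 0
    fi
    logger -p auth.alert -t tripwire "$n violation(s), see $text"
    cat "$text"
    return 1
}

# Constructed excerpt of a twprint report, used to exercise the parser offline.
sample_report() {
    cat <<'EOF'
Rule Summary:
===============================================================================
  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* System configuration            100               1        0        0

Total objects scanned:  1783
Total violations found:  1
EOF
}

case "${1:-}" in
    run)  run_check ;;
    demo) tmp=$(mktemp); sample_report > "$tmp"
          echo "violations in sample report: $(violations_in_report "$tmp")"
          rm -f "$tmp" ;;
esac
```

Running the script with the argument demo parses the constructed excerpt without touching Tripwire, which is a quick way to confirm the parser on a host before trusting it in cron. With run, a non-zero exit is what cron reports, and the auth.alert line is what a log forwarder or SIEM should key on; the signed .twr file is the artifact you hand to tripwire --update after reviewing the plain-text copy.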

You can learn more about using cron to schedule tasks in this Vultr Docs article.

Next Steps

Now that you have installed and configured Tripwire, decide which other files on your server need to be monitored for changes and add them to the policy file; system binaries, libraries, boot files, and Tripwire's own keys and signed files are the usual next candidates. Remember that a check is only as trustworthy as the Tripwire binary, keys, and database on the host, so an attacker with root can in principle tamper with all of them; keeping a copy of the database and keys off the host, or on read-only media, limits that. You can learn how to write more advanced policies and find examples on the Tripwire GitHub repository.