Updated 2019-06-01
Tripwire has a free Linux version of their software. The Enterprise edition also supports Windows. As always, before installing any new software, make sure that your OS is up to date. See Link.
If you are using apt-get to install tripwire, you will be given the opportunity to set up your key files during the install. If you are using dnf, you must execute the second step below.
which tripwire
If not found:
dnf -y install tripwire
/usr/sbin/tripwire-setup-keyfiles
You will be asked to enter site passwords and key file passwords (multiple times). I suggest that you use the same site password for all machines, but make sure that each machine has a unique key. (See my notes on passwords.) Write them down.
tripwire --init
cp /etc/tripwire/twpol.txt /etc/tripwire/twpol.txt.BKP
tripwire -m c | grep Filename > /var/tmp/firstrun.txt
cd /etc/tripwire
Copy the file configure_twpol.zip from here to:
/etc/tripwire/configure_twpol.zip
Unzip it and make sure that configure_twpol.pl is executable and owned by root:
chmod 700 /etc/tripwire/configure_twpol.pl
chown root:root /etc/tripwire/configure_twpol.pl
Run it.
/etc/tripwire/configure_twpol.pl
Using your favorite editor, open the file /etc/tripwire/twpol.txt
In the section for critical devices (deals with /proc), find the last entry for “/proc” and add “!/proc ;” after that. Save and exit.
Re-initialize.
twadmin -m P /etc/tripwire/twpol.txt
tripwire -m i
Add to crontab: type crontab -e
i (to enter insert mode)
Now enter the following two lines. Remember that the crontab format is:
Min Hr DoM Mon DoW Cmd
Inside a crontab, % must be written as \% (cron treats an unescaped % as a newline), so the date format is escaped here:
0 2 * * * /usr/sbin/tripwire -m c > /var/tmp/tripwire.$(date +\%Y\%m\%d)
0 3 * * * cat /var/tmp/tripwire.$(date +\%Y\%m\%d) | mailx -s 'Tripwire Report' example@email.com
To exit this mode press Esc, then :wq (return).
Review your tripwire reports every day. After doing the updates from Fedora (or whoever your distributor is) you will note that the tripwire report has flagged a number of changes. These changes will continue to appear on your reports until you reset tripwire. Put the following lines in a file called /root/bin/reset_tripwire.sh
#!/bin/bash
twadmin -m P /etc/tripwire/twpol.txt
tripwire -m i
tripwire -m c
The last line is a test to be sure that you got everything right.
If you want tripwire to email your reports to you, create a shell script to do the system updates, check tripwire and email. mailx is an excellent tool to handle this. Install mailx and use it in the script. Create a file called /root/.mailrc and have it contain:
set smtp=<ip of mail server>
set from='root@this server'
END
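The update, check and email script described above could look like the following. This is an added example, not the author's own script; the script name tripwire_daily.sh, the REPORT_DIR and MAILTO variables and the --run argument are assumptions.

```shell
#!/bin/sh
# Added example, hypothetical /root/bin/tripwire_daily.sh: update, check, mail.
# REPORT_DIR and MAILTO default to the values in the cron lines above.
REPORT_DIR=${REPORT_DIR:-/var/tmp}
MAILTO=${MAILTO:-example@email.com}

# Same report name as the cron entries: tripwire.YYYYMMDD
report_path() {
    printf '%s/tripwire.%s\n' "$REPORT_DIR" "$(date +%Y%m%d)"
}

run_daily() {
    report=$(report_path)
    umask 077    # the report lists monitored paths; keep it readable by root only
    # /var/tmp is world-writable, so refuse a symlink planted at the report path.
    if [ -L "$report" ]; then
        echo "refusing to write through symlink: $report" >&2
        return 2
    fi
    {
        # Update output goes in the same report so flagged files can be
        # matched against the packages that were just updated.
        echo "== dnf -y update =="
        dnf -y update || echo "dnf update failed (exit $?)"
        echo "== tripwire -m c =="
        rc=0
        tripwire -m c || rc=$?
        echo "tripwire exit status: $rc"
    } >"$report" 2>&1
    # No automatic reset: review the report, then run reset_tripwire.sh by hand.
    mailx -s "Tripwire Report $(uname -n)" "$MAILTO" <"$report"
}

# Runs only when asked, e.g. from cron: /root/bin/tripwire_daily.sh --run
if [ "${1:-}" = "--run" ]; then
    run_daily
fi
```

A single cron entry that calls the script with --run can then take the place of the two entries shown earlier.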