Configuring basic Tripwire server

From Notes_Wiki

Home > CentOS > CentOS 6.x > Security tools > Tripwire configuration > Configuring basic Tripwire server


Tripwire keys

Tripwire uses two types of keys, site key and local key. Site key can be used to protect files which are common across site like configuration file and policy file. Local key is used to protect files which are specific to a machine, like tripwire database.


Generating tripwire keys

To generate keys we can use:

twadmin --generate-keys --site-keyfile /etc/tripwire/site.key --local-keyfile /etc/tripwire/<hostname>-local.key

For example:

twadmin --generate-keys --site-keyfile /etc/tripwire/site.key --local-keyfile /etc/tripwire/labpc-local.key

Note that it is not necessary that we generate both type of keys. We can generate just one type of key if we want. Tripwire would ask us to enter passphrase for keys that we are trying to generate. These passphrase would be required whenever we want to sign something with these keys.



Tripwire configuration file

Tripwire configuration file contains locations of key files, tripwire database, whether reports should be mailed etc. configuration parameters. To create tripwire configuration file we specify all parameters in a text file, typically 'twcfg.txt' and then sign this with site key to create signed configuration file, typically 'tw.cfg'.

Tripwire configuration file uses 'variable=value' format and we can use value of a variable to define values of other variables using $(variable) syntax. All variables defined in this file are case-sensitive.

Required variables are:

Variable Name Description and default value
POLFILE Tripwire encrypted policy file location.
Default: /etc/tripwire/tw.pol
DBFILE Tripwire database file location.
Default: /var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE Tripwire report file location.
Default: /var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE Site key to be used to sign policy and configuration files.
Default: /etc/tripwire/site.key
LOCALKEYFILE Local key to be used to sign database and reports.
Default: /etc/tripwire/$(HOSTNAME)-local.key

Note: If we use above values in our configuration file then we should ensure directory '/var/lib/tripwire/report' exists. Also we should do 'chmod -R 700 /var/lib/tripwire'


In CentOS 5.5 it makes sense to define these additional variables

Variable name Description and example value
TEMPDIRECTORY Directory where tripwire should create temporary files while it is working. The default value is '/tmp' which is not very secure. We should create a directory with 700 permissions and set value of this variable to that directory.
Example value: '/etc/tripwire/temp'. We have to ensure that we create this directory and also exclude it being checked in tripwire policy file.
GLOBALEMAIL Email address where tripwire reports are sent when we run check with '--email-report' option.
Example value: 'saurabh@example.com'
MAILMETHOD Mail method to be used to send email. It can be either SMTP or SENDMAIL. In case of SENDMAIL the local sendmail should have been configured properly so that it can send emails to emails address specified in policy file or in GLOBALEMAIL. If MAILMETHOD has value SMTP then we need to define two additional variables SMTPHOST and SMTPPORT. In case it is SENDMAIL, then we need to define MAILPROGRAM variable. Unless we define this variable in configuration file, the email feature will not work.
Example value: 'SENDMAIL'
MAILPROGRAM Location of program which can take email data along with headers and send email. The program should not stop reading if a line containing only dot(.) is encountered.
Example : '/usr/sbin/sendmail -oi -t'
SMTPHOST Specifies the domain name or IP address of the SMTP server used for email notification.
Example value : 'smtp.example.com'
SMTPPORT Specifies the port number used with SMTP.
Example value: '25'


Creating signed tripwire configuration file

We can create signed tripwire configuration file using:

twadmin --create-cfgfile --cfgfile /etc/tripwire/tw.cfg --site-keyfile /etc/tripwire/site.key /etc/tripwire/twcfg.txt


Printing configuration file

We can print tripwire configuration file using:

twadmin --print-cfgfile --cfgfile /etc/tripwire/tw.cfg




Tripwire policy

Same as in case of tripwire configuration file, we have two tripwire policy files. We first create plain-text policy file, typically 'twpol.txt' and then encode/sign it with site key file to get signed and encoded policy file, typically 'tw.pol'. We can learn about tripwire policy file format from 'man twpolicy' page. We can also learn from default policy file 'twpol.txt' to learn about tripwire policy file format. This default file also serves as good starting point for creating our own custom tailored policy files.

Note that in case we have specified our own temporary files location in tripwire configuration other than the default '/tmp' then we should exclude that directory from being monitored by tripwire for changes. To do that we can add following line under section with name rulename="Tripwire Data Files"

$(TWPOL)/temp   -> (Temporary)  (recurse=0) ;


Creating policy file

To create signed tripwire policy file from plain-text policy file, we can use:

twadmin --create-polfile --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --site-keyfile /etc/tripwire/site.key /etc/tripwire/twpol.txt


Printing policy file

To print tripwire policy file we can use:

twadmin --print-polfile --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --site-keyfile /etc/tripwire/site.key
  • Refer to 'man twadmin' to learn how to encrypt files, decrypt files or check their encryption status. It can also be used to change passphrase of local and site key files.



Home > CentOS > CentOS 6.x > Security tools > Tripwire configuration > Configuring basic Tripwire server