Located in Boston MA 02216.

Tripwire: Help identify what that hacker/cracker broke

Often times, the first thing a hacker (or cracker to be more precise) does is install a backdoor for themselves to connect in later. This way, even if you patch the hole in your system that they came in through, they still can get onto your system. If you don't have an Intrusion Detection System or Intrusion Prevention System, something you can easily do to help mitigate the risk is use Tripwire.

Now you may be thinking: "I am not a target, I have nothing of value!" Oh but you are! Your system alone has many uses, from launching DDoS attacks, distributing viruses to others, even running bitcoin mining rigs. How can you protect yourself if you don't have the budget for an IPS or even IDS? Tripwire is a great start!

Tripwire is a free security and data integrity tool used to monitor filesystems for changes. It is a basic host intrusion detection system. It works by making a checksum of all files on the filesystem, and sending alerts when something changes. It takes a bit of configuration to exclude all the things that change that you don't normally need to care about, but once setup it is very simple.

How to install and configure tripwire

      There are numerous guides out there, but the basic steps are (CentOS 7 used in this example):


  1. Install tripwire and mailx to send email
    yum -y install tripwire mailx
  2. Generate keyfiles
  3. Initialize Tripwire
    tripwire --init
  4. Remove unnecessary config lines in policy
    Now it will print out a lot of warnings about missing files. You need to edit the twpol.txt file it created and comment out the files/folders that do not exist. I also like to comment out /var/log and add an ignore rule for this directory as I have a log handler system. Ignore rules look like this:

    ! /var/log ;
  5. Update the policy once you've removed the junk lines
    tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt
  6. Check to see if there are any changes
    tripwire --check --interactive
  7. Create the new signed policy file, and initialize again to update database
    /usr/sbin/twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
    /usr/sbin/tripwire --init
  8. Create cron job to send alerts daily (4am example)
    crontab -e
    0 4 * * * /usr/sbin/tripwire --check | mail -s "Tripwire report for `uname -n`" youremail@yourdomain.com
  9. confirm you can generate policy text file
    twadmin --print-polfile > /etc/tripwire/newpol.txt
  10. cleanup twpol.txt file
    rm /etc/tripwire/twpol.txt


Of course, once Tripwire detects that something has been broken, you'll need to restore those files (and possibly more) from your most recent backup! Having good backups is essential!

Other Links

Installing and Configuring Tripwire from IT Help Blog
Only sending tripwire report when files change
Tripwire policy information

Still need help?

If you still need help, please use the contact form on the right to see how RDA can help your business!

Comments are closed.