Vesta Control Panel - Forum

Community Forum

Skip to content

Advanced search
  • Quick links
    • Main site
    • Github repo
    • Google Search
  • FAQ
  • Login
  • Register
  • Board index Main Section Web Server
  • Search

[HowTo] Monitor and Detect files changes in CentOS 7 VestaCP Server with Tripwire

Questions regarding the Web Server
Apache + Nginx, Nginx + PHP5-FPM
Post Reply
  • Print view
Advanced search
1 post • Page 1 of 1
xorro
Posts: 87
Joined: Sun Nov 13, 2016 3:11 pm
Contact:
Contact xorro
Website Skype

Os: CentOS 6x
Web: apache + nginx
[HowTo] Monitor and Detect files changes in CentOS 7 VestaCP Server with Tripwire
  • Quote

Post by xorro » Fri Sep 07, 2018 8:21 pm

Install Tripwire on CentOS 7

The first step we must do is to install Tripwire on to the system. By default, tripwire is available in the CentOS 7 repository.

Login to your server and update all packages.

Code: Select all

ssh root@server
sudo yum update -y
Now install Tripwire using yum.

Code: Select all

yum -y install tripwire
After the installation, we need to generate new key files.

Tripwire works with 2 key files.

site-key: It's used to secure Tripwire configuration. So any changes to the tripwire configuration will not be applied until we generate the configuration again, and we will be prompted for the 'site-key' passphrase for that.
local-key: It's used for verifying the tripwire binary. When we want to update the tripwire system database, we need to run the tripwire command and we will be prompted for the passphrase for 'local-key'.

Let's generate new tripwire key files (site and local keys) using the command below.

Code: Select all

sudo tripwire-setup-keyfiles
The command will generate two key files 'site-key' and 'local-key', and you will be asked for the passphrase for each of them.

Type your own 'site-key' passphrase and press Enter.

Image

Type your own 'local-key' passphrase and press Enter again.

Image

Next, sign the tripwire configuration using the 'site-key'.

Type your 'site-key' passphrase.

Image

And now for signing for Tripwire policy, type your 'local-key' passphrase.

Image

Tripwire has been installed on CentOS 7, and new tripwire configuration and keys are located in the '/etc/tripwire' directory.

Configure Tripwire Policy for CentOS 7

After the tripwire installation we discussed in the first step, we need to initialize the tripwire database and make sure there is no error.

Initialize tripwire database using the tripwire command below.

Code: Select all

sudo tripwire --init
You will be asked about the 'local-key' passphrase and you will likely get the error message 'no such directory' as below.

Image

We get the error because the system doesn't have a directory and files that are already defined in the tripwire configuration. To solve this error, we need to edit the tripwire configuration 'twpol.txt' and re-sign again the tripwire configuration.

Now generate the log error from tripwire using the command below.

Code: Select all

sudo sh -c "tripwire --check | grep Filename > no-directory.txt"
All directories and files that don't exist on the CentOS 7 system are listed in the file 'mo-directory.txt'

Code: Select all

cat no-directory.txt
Image

Edit the tripwire configuration 'twpol.txt' by using the following bash script - run this script on your terminal.

Code: Select all

for f in $(grep "Filename:" no-directory.txt | cut -f2 -d:); do
sed -i "s|\($f\) |#\\1|g" /etc/tripwire/twpol.txt
done
After all this, we need to regenerate and re-sign the tripwire configuration using the twadmin command as shown below.

Code: Select all

sudo twadmin -m P /etc/tripwire/twpol.txt
Type your 'site-key' passphrase.

Reinitialize tripwire database again, and make sure you get no error.

Code: Select all

sudo tripwire --init
Reinitialize tripwire database without any error.

Image

Verifying Tripwire Configuration and Checking System

To verify tripwire configuration, we can run the system check command as below.

Code: Select all

sudo tripwire --check
And you should get a result similar to the following.

Image

So this means there is no error and no system violation found on our system.

Now we will try to add a new file under the root home directory and check again using tripwire.

Go to the root home directory and create a new file 'filename.txt'.

Code: Select all

cd ~/
touch filename.txt
Now check the system again using the tripwire command.

Code: Select all

sudo tripwire --check
And you will get the result of the new violation on the system with severity 100 as below.

Image

At this stage, Tripwire is installed and configured for CentOS 7 system.

Add New Rule to Tripwire Policy

In this step, we will show you how to add a new rule to the tripwire policy configuration 'twpol.txt'.

To perform this work, we need to define the rule name, severity, directory for monitoring, and type of files. In this step, we will create a new rule named 'Wordpress Data' for our WordPress installation in the '/var/www/' directory, with severity 'HIGH/SIG_HI', and all files in that directory are critical (both their ownership as well as source code cannot be changed).

Go to the tripwire configuration directory '/etc/tripwire' and edit the configuration file 'twpol.txt' using vim.

Code: Select all

cd /etc/tripwire/
vim twpol.txt
Go to the end of the line and paste the following WordPress rule there.

Code: Select all

# Ruleset for Wordpress
 (
   rulename = "Wordpress Data",
   severity= $(SIG_HI)
 )
 {
         /var/www        -> $(SEC_CRIT);
 }
Save and exit.

Regenerate and re-sign the configuration using the twadmin command as below.

Code: Select all

sudo twadmin -m P /etc/tripwire/twpol.txt
Type your 'site-key' passphrase.

Now we need to regenerate the tripwire database again.

Code: Select all

sudo tripwire --init
Type the 'local-key' passphrase.

A new rule set has been added and applied to the Tripwire policy configuration.

Image

Check your system using the tripwire command below.

Code: Select all

sudo tripwire --check
And you should get the result saying with no error and violation.

Image

Now go to the '/var/www/' directory and create a new file inside it.

Code: Select all

cd /var/www/
touch filename.php
Image

Do system checking using tripwire again.

Code: Select all

sudo tripwire --check
And you will get the result saying system violation in '/var/www/' directory with security level High 100.

Image

A new rule has been added and applied to the Tripwire Policy configuration.

Setup Tripwire Email Notification and Cron

In this step, we will configure notifications for specific tripwire ruleset policy and configure a cronjob for automatic system checking. We will send a report for any violation of the 'Wordpress Data' rule to email address '[email protected]'.

For email notification, tripwire provides a function 'emailto' in the configuration. And by default, tripwire is using Postfix or Sendmail to send the report via email.

Before configuring email notifications, test tripwire notification feature using the command below.

Code: Select all

sudo tripwire --test --email [email protected]
Check your email and you should get the email report from your server as below.

Image

Now go to the '/etc/tripwire' directory and edit the 'twpol.txt' configuration.

Code: Select all

cd /etc/tripwire/
vim twpol.txt
Add new line 'emailto' inside the 'Wordpress Data' rule as shown below.

Code: Select all

# Ruleset for Wordpress
 (
   rulename = "Wordpress Data",
   severity= $(SIG_HI),
   emailto = [email protected]
 )
 {
         /var/www        -> $(SEC_CRIT);
 }
Save and exit.

Regenerate and sign the configuration using the twadmin command.

Code: Select all

sudo twadmin -m P /etc/tripwire/twpol.txt
Type your 'site-key' passphrase.

And regenerate the tripwire database.

Code: Select all

sudo tripwire --init
Type your tripwire 'local-key' passphrase.

Configuration for Tripwire Email Notification has been completed.

Image

Now do some test by creating a new file again in the '/var/www/' directory.

Code: Select all

cd /var/www/
touch filename.txt
Check your system again using the command below.

Code: Select all

sudo tripwire --check --email-report
Note:

--email-report: Send report of the system to the email address defined in each rule.

Check your email and you should get the result as below on your email.


Image

Email notification for Tripwire has been enabled and applied.

Next, we'll enable automatic Tripwire system checking using cron setup. For this, create a new cron script under the root user using the crontab command below.

Code: Select all

sudo crontab -e -u root
Paste the following cron configuration.

Code: Select all

0 0 * * * tripwire --check --email-report
Save and exit.

Note:

- The cron script will do tripwire system checking on a daily basis.


Now restart the crond service on CentOS 7.

Code: Select all

systemctl restart crond
Image

Now you will get tripwire report notification to your email on daily basis.

Tripwire has been installed and configured for CentOS 7 system.
Top


Post Reply
  • Print view
1 post • Page 1 of 1

Return to “Web Server”



  • Board index
  • All times are UTC
  • Delete all board cookies
  • The team
Powered by phpBB® Forum Software © phpBB Limited
*Original Author: Brad Veryard
*Updated to 3.2 by MannixMD
 

 

Login  •  Register

I forgot my password