CIS 290 – LINUX Security

Lab Exercise #7: Tripwire

1)Install tripwire - what version? How? Why?

2)Backup the original files:

cd /etc/tripwire

cp -p twcfg.txt twcfg.txt.orig

cp -p twpol.txt twpol.txt.orig

3)Generate the site and local keys and sign the configuration and policy with them:

tripwire-setup-keyfiles

For this lab reply "password" to every passphrase prompt. Outside the lab use two different, strong passphrases: the site passphrase signs the configuration and policy, the local passphrase signs the database and reports, and anyone who knows them can re-sign a tampered baseline.

4)Initialize the database (prompts for the local passphrase):

tripwire --init

Expect a run of warnings of the form:

### Warning: File system error.
### Filename: <path>
### No such file or directory

One appears for every path the stock policy lists that does not exist on this host; they are normal on a fresh install and are cleaned out of the policy in step 8. The run ends with:

Wrote database file: /var/lib/tripwire/<hostname>.twd

(the DBFILE path set in twcfg.txt).

5)Run the first check and keep only the "### Filename:" warning lines, i.e. the list of policy entries that do not exist on this host (the warnings may go to stderr, hence 2>&1):

tripwire -m c 2>&1 | grep Filename > /var/tmp/firstrun.txt

6)List the report files the check wrote (one per run, named after the host and timestamp):

ls /var/lib/tripwire/report/*.twr

And print one:

twprint -m r --twrfile /var/lib/tripwire/report/<filename>.twr

7)Print the database file:

twprint -m d --print-dbfile

8)Remove entries that should not be checked: edit /etc/tripwire/twpol.txt with vi and comment out (#) or delete the line for every path listed in /var/tmp/firstrun.txt, plus anything else this host does not need watched. The plain-text twpol.txt is only the input; the policy Tripwire actually enforces is the signed tw.pol produced in step 9.

9)Re-sign the edited policy (writes the binary /etc/tripwire/tw.pol; prompts for the site passphrase):

twadmin -m P /etc/tripwire/twpol.txt

10)Reinitialize the database against the new policy (prompts for the local passphrase; the old baseline is replaced):

tripwire -m i -OR- tripwire --init

11)Rerun the check; with the missing paths removed from the policy the second file should be empty or nearly so:

tripwire -m c 2>&1 | grep Filename > /var/tmp/secondrun.txt

12)Set up a regular run from cron. The lines below are in /etc/crontab format (minute hour day month weekday user command); the check runs at 02:02 and the report is mailed at 03:10. cron treats % in a command as a newline, so it must be escaped as \%, and mailx needs a recipient:

02 2 * * * root /usr/sbin/tripwire -m c > /var/tmp/tripwire.`date +\%Y\%m\%d` 2>&1

10 3 * * * root cat /var/tmp/tripwire.`date +\%Y\%m\%d` | mailx -s 'Tripwire Report' root

/var/tmp is world-writable, so any local user could pre-create or replace these files; outside the lab write them to a root-only directory (for example /var/log/tripwire) and treat the .twr report in /var/lib/tripwire/report, not the text copy, as the record of the run.
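Automating steps 5 and 8, as an added shell example that is not part of this lab or of Tripwire: it takes the "### Filename:" warnings from a check run and comments out the matching entries in a twpol.txt rule block. The check output and the policy excerpt are constructed samples (the paths in them are made up), and the script never calls tripwire itself; in the lab you would feed it /var/tmp/firstrun.txt and /etc/tripwire/twpol.txt and review the result before re-signing in step 9.

```shell
#!/bin/sh
# Added example for steps 5 and 8 (not part of the lab or of Tripwire):
# turn "### Filename:" warnings into a twpol.txt with those entries commented out.
# The check output and the policy excerpt below are constructed samples.
set -eu

# Constructed: the lines 'tripwire -m c' prints for policy entries that do not
# exist on the host (what 'grep Filename' keeps in step 5).
SAMPLE_CHECK_OUTPUT='### Warning: File system error.
### Filename: /var/lock/subsys/example
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/sbin/example-daemon
### No such file or directory
### Continuing...'

# Constructed: one rule block in twpol.txt syntax that references both missing paths.
SAMPLE_POLICY='(
  rulename = "Example rule",
  severity = $(SIG_HI)
)
{
  /sbin/init                -> $(SEC_CRIT) ;
  /var/lock/subsys/example  -> $(SEC_CRIT) ;
  /usr/sbin/example-daemon  -> $(SEC_CRIT) ;
}'

# missing_files CHECK_OUTPUT: one path per "### Filename:" line, deduplicated and sorted.
missing_files() {
    printf '%s\n' "$1" | sed -n 's/^### Filename: //p' | sort -u
}

# comment_out_missing POLICY PATHLIST: prefix each policy line whose first token
# is a path in PATHLIST with '#'; every other line is passed through unchanged.
comment_out_missing() {
    printf '%s\n' "$1" | awk -v list="$2" '
        BEGIN {
            n = split(list, a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") skip[a[i]] = 1
        }
        # $1 is the first non-blank token: the path on a rule line, "(" or "{" otherwise.
        ($1 in skip) && ($0 !~ /^[[:space:]]*#/) { print "#" $0; next }
        { print }'
}

# Stand-alone run: print the sample policy with the missing entries commented out.
# In the lab the equivalent would be:
#   comment_out_missing "$(cat /etc/tripwire/twpol.txt)" \
#     "$(sed -n 's/^### Filename: //p' /var/tmp/firstrun.txt | sort -u)" > twpol.txt.new
comment_out_missing "$SAMPLE_POLICY" "$(missing_files "$SAMPLE_CHECK_OUTPUT")"
```

Commenting rather than deleting keeps a record of what was dropped from the stock policy, and a diff of twpol.txt.new against twpol.txt.orig shows exactly which paths this host no longer watches before you commit to them with twadmin.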


Lab Exercise #7: AIDE

13)Install AIDE: apt-get install aide (Debian/Ubuntu) or yum install aide (RHEL/CentOS). The paths and helper commands below are the Debian ones; on RHEL/CentOS the configuration is /etc/aide.conf, the database files are /var/lib/aide/aide.db.gz and aide.db.new.gz, and there is no aideinit wrapper (run aide --init directly).

/etc/aide/aide.conf and /etc/aide/aide.conf.d/ - Default AIDE configuration files.

/var/lib/aide/aide.db - Default location for the AIDE database.

/var/lib/aide/aide.db.new - Default location for a newly-created AIDE database.

14)To generate a new database, enter:

aideinit

Sample output:

Running aide --init...
AIDE, version 0.13.1

### AIDE database at /var/lib/aide/aide.db.new initialized.

15)Install the newly-generated database, enter:

cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

16)Next, run a manual check:

aide -c /etc/aide/aide.conf --check

17)Copy the AIDE database, its configuration and the aide binary offsite or to read-only media. A root-level intruder can simply rerun aideinit to bake their changes into the baseline, so if the host is compromised restore these copies and run the check from them; before trusting any check, confirm the local copies still match the offsite ones.

18)To see a change detected, touch a binary and re-run the check. touch rewrites the file's mtime and ctime without changing its contents, so AIDE reports /bin/date as changed (timestamps only):

touch /bin/date

aide -c /etc/aide/aide.conf --check

19)Mail notifications: the daily AIDE cron job mails its report to the address set in /etc/default/aide:

vi /etc/default/aide

MAILTO=<address>

20)Repeat the following steps whenever configuration changes or software updates are applied, so the baseline reflects the new files and later checks report only unexpected changes:

aideinit

cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

aide -c /etc/aide/aide.conf --check

21)Run md5sum against /bin/date and compare the result with the checksum AIDE recorded for it: the touch in step 18 changed the timestamps but not the contents, so the hash is unchanged while mtime and ctime differ. md5 is collision-prone and should not be the only hash relied on for integrity; AIDE can record sha256 and sha512 per file alongside it.
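For steps 17 and 21, an added shell example that is not from the lab or from AIDE: it records SHA-256 checksums of the files you copied offsite, refuses to trust a check when the local copies no longer match, and decodes the exit status of aide --check. The exit-status bits (1 added, 2 removed, 4 changed; 14 and above for runtime errors) are AIDE's documented values; the file names, the aide.sha256 reference list and the demo files are assumptions constructed for the example, and aide itself is never run.

```shell
#!/bin/sh
# Added example for steps 17 and 21 (not part of the lab or of AIDE): verify the
# local AIDE database and config against checksums kept offsite before trusting
# a check, and decode aide --check's exit status. All file names here are
# assumptions; the demo works on constructed files in a temp directory.
set -eu

# sha256_of FILE: print the file's SHA-256 as a bare hex string.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# record_hashes REF FILE...: write "hash  path" lines to REF. REF is what you
# carry offsite together with the files themselves (step 17).
record_hashes() {
    ref=$1; shift
    : > "$ref"
    for f in "$@"; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$f" >> "$ref"
    done
}

# verify_hashes REF: return 0 only if every file listed in REF is present and
# still has the recorded hash; each problem is reported on stderr.
verify_hashes() {
    ref=$1
    status=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING: $path" >&2
            status=1
            continue
        fi
        if [ "$(sha256_of "$path")" != "$expected" ]; then
            echo "MISMATCH: $path" >&2
            status=1
        fi
    done < "$ref"
    return $status
}

# aide_verdict STATUS: turn aide --check's exit status into words. AIDE sets
# bit 1 for added entries, 2 for removed, 4 for changed; 14 and above mean the
# run itself failed (write, config, I/O or version error), not that files changed.
aide_verdict() {
    st=$1
    if [ "$st" -eq 0 ]; then
        echo clean
    elif [ "$st" -ge 14 ]; then
        echo error
    else
        out=""
        [ $((st & 1)) -ne 0 ] && out="${out}added "
        [ $((st & 2)) -ne 0 ] && out="${out}removed "
        [ $((st & 4)) -ne 0 ] && out="${out}changed "
        echo "${out% }"
    fi
}

# Demo on constructed files standing in for /var/lib/aide/aide.db and /etc/aide/aide.conf.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed stand-in for aide.db\n'   > "$tmp/aide.db"
    printf 'constructed stand-in for aide.conf\n' > "$tmp/aide.conf"
    record_hashes "$tmp/aide.sha256" "$tmp/aide.db" "$tmp/aide.conf"
    verify_hashes "$tmp/aide.sha256" && echo "baseline intact: safe to run aide --check"
    printf 'attacker re-baselined the database\n' >> "$tmp/aide.db"
    verify_hashes "$tmp/aide.sha256" || echo "baseline altered: restore aide.db from the offsite copy first"
    echo "exit status 5 means: $(aide_verdict 5)"
    rm -rf "$tmp"
}
demo
```

The reference list is only as trustworthy as where it lives: keep it with the offsite copies, not on the monitored host, otherwise an intruder who rewrites aide.db can rewrite the checksums next to it just as easily.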