{"id":6669,"date":"2020-08-12T23:13:29","date_gmt":"2020-08-12T20:13:29","guid":{"rendered":"https:\/\/kifarunix.com\/?p=6669"},"modified":"2024-03-14T22:37:19","modified_gmt":"2024-03-14T19:37:19","slug":"install-and-configure-tripwire-security-monitoring-tool-on-centos-8","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-configure-tripwire-security-monitoring-tool-on-centos-8\/","title":{"rendered":"Install and Configure Tripwire Security Monitoring tool on CentOS 8"},"content":{"rendered":"\n

In this tutorial, you will learn how to install and configure the Tripwire security monitoring tool on CentOS 8. Tripwire is available as an open source<\/a> and a commercial<\/a> version. In this setup, we will learn how to install and set up the open source version of Tripwire.<\/p>\n\n\n\n

So, what is Tripwire? It is one of the best-known host-based intrusion detection tools. According to its GitHub page, “Open Source Tripwire is a security and data integrity tool for monitoring and alerting on file & directory changes<\/em>“<\/p>\n\n\n\n

It works by “comparing the current filesystem state against a known baseline state, and alerts on any changes it detects. The baseline and check behavior are controlled by a policy file, which specifies which files or directories to monitor, and which attributes to monitor on them, such as hashes, file permissions, and ownership. When an expected change occurs, such as upgrading a package, the baseline database can be updated to the new known-good state. The policy can also be updated, for example to reduce noise or cover a newly installed package.<\/em>“<\/p>\n\n\n\n

Installing Tripwire Security Monitoring tool on CentOS 8<\/h2>\n\n\n\n

Ideally, Tripwire is installed on a freshly built OS, before the system is exposed to users or the network, so that the baseline reflects a known-good state. If you install it on a system that has already been in use, the baseline it creates on its first run simply captures whatever is on disk at that moment, including any modification that happened before Tripwire was installed; it can only tell you about changes made after that point.<\/p>\n\n\n\n

Follow through this guide to learn how to install and configure Tripwire on CentOS 8.<\/p>\n\n\n\n

Run system Update<\/h3>\n\n\n\n

Ensure that your system packages are up-to-date;<\/p>\n\n\n\n

dnf update<\/code><\/pre>\n\n\n\n

Install EPEL Repos on CentOS 8<\/a><\/h3>\n\n\n\n

Tripwire is not available on the default CentOS 8 repos. It is however provided by the EPEL repos which can be installed on CentOS 8 by executing the command below;<\/p>\n\n\n\n

dnf install epel-release<\/code><\/pre>\n\n\n\n

Check whether Tripwire is actually provided by the EPEL repos;<\/p>\n\n\n\n

yum provides tripwire<\/code><\/pre>\n\n\n\n
tripwire-2.4.3.7-5.el8.x86_64 : IDS (Intrusion Detection System)\nRepo        : epel\nMatched from:\nProvide    : tripwire = 2.4.3.7-5.el8<\/code><\/pre>\n\n\n\n

You are now all set to proceed with the installation.<\/p>\n\n\n\n

Install Tripwire on CentOS 8<\/a><\/h3>\n\n\n\n
dnf install tripwire<\/code><\/pre>\n\n\n\n

Configure Tripwire Security Monitoring tool on CentOS 8<\/a><\/h3>\n\n\n\n

When Tripwire is initially set up, it creates a database that records selected properties of each monitored file. Each time it is run afterwards, it compares the designated set of files and directories against the information stored in the database. Any file that is added or deleted is flagged and reported, as is any file whose recorded properties have changed.<\/p>\n\n\n\n

When Tripwire is run against the system files on a regular basis, every change since the last accepted baseline shows up in the report, giving system administrators an early signal that damage control is needed if critical files have been altered.<\/p>\n\n\n\n

Generate Tripwire Encryption Keys<\/a><\/h4>\n\n\n\n

To begin with, you need to generate the Tripwire site<\/code><\/strong> and local<\/strong><\/code> keys. The site key signs the configuration and policy files, while the local key signs the database and reports. Both are passphrase-protected signing key pairs; the difference is scope: the local key is unique to each system, whereas the site key can be shared by all systems at a site so that one signed policy and configuration can be distributed to all of them. Keep the passphrases off the monitored host; anyone who obtains them can re-sign a tampered database or policy and silence Tripwire.<\/p>\n\n\n\n

The keys are generated with the Tripwire administrative and utility tool, twadmin<\/strong><\/code>. This tool allows encoding, decoding, signing and verification of Tripwire files, and provides a means to generate and change local and site keys.<\/p>\n\n\n\n

When generating the local key, it is recommended that you include the system hostname in the key file name: the default LOCALKEYFILE<\/code> setting in twcfg.txt<\/code> and the Tripwire Data Files<\/code> rule in the stock policy refer to it as $(HOSTNAME)-local.key<\/code>.<\/p>\n\n\n\n

On CentOS 8 and similar derivatives, you can set the hostname with the hostnamectl<\/strong><\/code> command as shown below.<\/p>\n\n\n\n

hostnamectl set-hostname centos8.kifarunix-demo.com<\/code><\/pre>\n\n\n\n

Next, proceed to generate the keys.<\/p>\n\n\n\n

Generate Tripwire local keys;<\/p>\n\n\n\n

twadmin -m G -L \/etc\/tripwire\/`hostname`-local.key<\/code><\/pre>\n\n\n\n
(When selecting a passphrase, keep in mind that good passphrases typically\nhave upper and lower case letters, digits and punctuation marks, and are\nat least 8 characters in length.)\n\nEnter the local keyfile passphrase: ENTER_YOUR_PASSPHRASE<\/strong>\nVerify the local keyfile passphrase: RE-ENTER_YOUR_PASSPHRASE<\/strong>\nGenerating key (this may take several minutes)...Key generation complete.<\/code><\/pre>\n\n\n\n

Generate the Tripwire site keys;<\/p>\n\n\n\n

twadmin -m G -S \/etc\/tripwire\/site.key<\/code><\/pre>\n\n\n\n

This generates the keys and stores them under the \/etc\/tripwire<\/code> directory.<\/p>\n\n\n\n

ls \/etc\/tripwire\/<\/code><\/pre>\n\n\n\n
centos8.kifarunix-demo.com-local.key<\/strong> site.key<\/strong> twcfg.txt twpol.txt<\/code><\/pre>\n\n\n\n

Create Tripwire Configuration file<\/a><\/h4>\n\n\n\n

The Tripwire configuration file stores system-specific information, including the location of Tripwire data files and the settings used to send email notifications. The defaults are generated during installation and can be modified by the system admin. \/etc\/tripwire\/twcfg.txt<\/strong><\/code> is the plain text version of the signed Tripwire configuration file \/etc\/tripwire\/tw.cfg<\/strong><\/code>, which is what tripwire<\/code> actually reads.<\/p>\n\n\n\n

You can edit the \/etc\/tripwire\/twcfg.txt<\/code><\/strong> to update the defined parameters before generating the signed version of it.<\/p>\n\n\n\n

To generate the signed configuration you need the site key, and you will be asked for the site key passphrase every time you re-sign the configuration after editing the text version.<\/p>\n\n\n\n

Run the command below to generate the Tripwire configuration.<\/p>\n\n\n\n

twadmin -m F -S \/etc\/tripwire\/site.key \/etc\/tripwire\/twcfg.txt<\/code><\/pre>\n\n\n\n

You are prompted to enter the site key passphrase.<\/p>\n\n\n\n

This command generates the signed binary version of twcfg.txt<\/code>, \/etc\/tripwire\/tw.cfg<\/code>. When tripwire<\/code> loads tw.cfg<\/code> or tw.pol<\/code> it verifies the signature against the site key, so a tampered or replaced file is rejected rather than silently used.<\/p>\n\n\n\n

To read more about Tripwire configuration, refer to man twconfig<\/strong><\/code>.<\/p>\n\n\n\n

Create Tripwire Policy file<\/a><\/h4>\n\n\n\n

The Tripwire policy file describes which system objects to monitor and which properties of each object should be collected and stored in the database file. Each object in the policy file is associated with a property mask, which describes which changes to the file or directory Tripwire should monitor and which can safely be ignored.<\/p>\n\n\n\n

A plain text version of Tripwire policy,\/etc\/tripwire\/twpol.txt<\/strong><\/code>, is generated during installation.<\/p>\n\n\n\n

Within the Tripwire policy file are a number of policy rules that are applied against various parts of the system.<\/p>\n\n\n\n

See the sample section of the twpol.txt<\/code><\/strong>, comment lines removed.<\/p>\n\n\n\n

less \/etc\/tripwire\/twpol.txt<\/code><\/pre>\n\n\n\n
@@section GLOBAL\nTWROOT=\/usr\/sbin;\nTWBIN=\/usr\/sbin;\nTWPOL=\"\/etc\/tripwire\";\nTWDB=\"\/var\/lib\/tripwire\";\nTWSKEY=\"\/etc\/tripwire\";\nTWLKEY=\"\/etc\/tripwire\";\nTWREPORT=\"\/var\/lib\/tripwire\/report\";\nHOSTNAME=centos8.example.com;\n\n@@section FS\nSEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change\nSEC_SUID      = $(IgnoreNone)-SHa ;  # Binaries with the SUID or SGID flags set\nSEC_BIN       = $(ReadOnly) ;        # Binaries that should not change\nSEC_CONFIG    = $(Dynamic) ;         # Config files that are changed infrequently but accessed often\nSEC_LOG       = $(Growing) ;         # Files that grow, but that should never change ownership\nSEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership\nSIG_LOW       = 33 ;                 # Non-critical files that are of minimal security impact\nSIG_MED       = 66 ;                 # Non-critical files that are of significant security impact\nSIG_HI        = 100 ;                # Critical files that are significant points of vulnerability\n...\n...\n(\n  rulename = \"Invariant Directories\",\n  severity = $(SIG_MED)\n)\n{\n  \/                                    -> $(SEC_INVARIANT) (recurse = 0) ;\n  \/home                                -> $(SEC_INVARIANT) (recurse = 0) ;\n  \/etc                                 -> $(SEC_INVARIANT) (recurse = 0) ;\n}\n\n(\n  rulename = \"File System and Disk Administraton Programs\",\n  severity = $(SIG_HI)\n)\n{\n  \/sbin\/accton                         -> $(SEC_CRIT) ;\n  \/sbin\/badblocks                      -> $(SEC_CRIT) ;\n  \/sbin\/busybox                        -> $(SEC_CRIT) ;\n...\n...<\/code><\/pre>\n\n\n\n

The policy begins by defining variables for the Tripwire paths and the hostname, followed by the variables that define the property masks (the controls) applied to specific files, directories and binaries, and the severity levels used to rank rules.<\/p>\n\n\n\n

For example, the rule named rulename = \"Invariant Directories\"<\/code> is assigned medium severity. Under this rule, \/<\/code>, \/home<\/code> and \/etc<\/code> are monitored with the controls defined by the variable SEC_INVARIANT<\/code> (+tpug<\/code>: file type, permissions, owner and group), with recurse = 0<\/code> so that only the directory entry itself, not its contents, is checked.<\/p>\n\n\n\n

You can further modify the policy file as you wish, including removing entries for files and directories that don’t exist on the system (each of them otherwise produces a file system error on every run) and adding ones that are not covered yet, and then sign it.<\/strong><\/p>\n\n\n\n

For example, for the purposes of demoing how this works, let us assume we have a critical file called classified<\/code> under the \/etc\/<\/code> directory that should not change and whose modification we want reported. Add this file under the Tripwire Data Files<\/code><\/strong> rule section.<\/p>\n\n\n\n

vim \/etc\/tripwire\/twpol.txt<\/code><\/pre>\n\n\n\n
...\n# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases\n\n(\n  rulename = \"Tripwire Data Files\",\n  severity = $(SIG_HI)\n)\n{\n...\n...\n  $(TWSKEY)\/site.key                   -> $(SEC_BIN) ;\n  \/etc\/classified                      -> $(SEC_CRIT) ; # Custom demo file\n<\/strong>\n  #don't scan the individual reports\n  $(TWREPORT)                          -> $(SEC_CONFIG) (recurse=0) ;\n}\n...<\/code><\/pre>\n\n\n\n

Also note that I have updated the file and removed all the files\/directories that don't exist on my system, as well as removing a number of those that exist, to make it easy to demo.<\/p>\n\n\n\n
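The stock twpol.txt<\/code> references many paths that do not exist on a minimal CentOS 8 install, and every one of them produces a no-such-file warning at database initialization and in each report. The script below is an added example, not code from this page or from the Tripwire project: it comments out such entries instead of deleting them, so they can be restored later if the package providing the object is installed. It only touches lines that begin with a literal absolute path followed by the -><\/code> property-mask arrow and leaves entries that use $(VAR)<\/code> paths untouched. It assumes a POSIX shell and sed; the input and output file names are arguments.<\/p>\n\n\n\n

```shell
#!/bin/sh
# Added example: disable twpol.txt entries whose object does not exist on this host.
# Only lines of the form "  /absolute/path  -> $(MASK) ... ;" are considered.
# Missing objects are commented out (prefixed with "#"), not removed, so the
# entry can be restored later if the package that provides it is installed.
# A dangling symlink is kept: Tripwire monitors the link itself.

# prune_missing_policy_objects IN OUT
# Writes the filtered policy to OUT and prints the number of disabled entries.
prune_missing_policy_objects() {
    src=$1
    dst=$2
    disabled=0
    : > "$dst"
    while IFS= read -r line || [ -n "$line" ]; do
        # Extract the path only when the line starts with "/" and carries "->".
        path=$(printf '%s\n' "$line" |
            sed -n 's|^[[:space:]]*\(/[^[:space:]]*\)[[:space:]][[:space:]]*->.*|\1|p')
        if [ -n "$path" ] && [ ! -e "$path" ] && [ ! -L "$path" ]; then
            printf '#%s\n' "$line" >> "$dst"
            disabled=$((disabled + 1))
        else
            printf '%s\n' "$line" >> "$dst"
        fi
    done < "$src"
    echo "$disabled"
}

# Usage on a real host (as root), then sign the pruned copy as usual:
#   prune_missing_policy_objects /etc/tripwire/twpol.txt /etc/tripwire/twpol.pruned.txt
#   twadmin -m P -S /etc/tripwire/site.key /etc/tripwire/twpol.pruned.txt
if [ "$#" -ge 2 ]; then
    prune_missing_policy_objects "$1" "$2"
fi
```

The script spawns one sed<\/code> per policy line, which is fine for the few thousand lines of the stock policy. Review the commented-out entries before signing: an object that is missing because it was deleted by an intruder is exactly the kind of thing you do not want to stop watching.<\/p>\n\n\n\n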

Sign policy once you are done updating it.<\/p>\n\n\n\n

twadmin -m P -S \/etc\/tripwire\/site.key \/etc\/tripwire\/twpol.txt<\/code><\/pre>\n\n\n\n

Enter the passphrase to sign the policy. You should now have the signed policy file, \/etc\/tripwire\/tw.pol<\/strong><\/code>.<\/p>\n\n\n\n

Create a System Security Baseline<\/a><\/h4>\n\n\n\n

Once you have updated your policies, you need to set the starting point for Tripwire by creating the database that records the current state of the monitored files and directories. You are prompted for the local key passphrase, since the database is signed with the local key. To initialize the Tripwire database;<\/p>\n\n\n\n

tripwire -m i<\/code><\/pre>\n\n\n\n
...\n### Continuing...\nWrote database file: \/var\/lib\/tripwire\/centos8.kifarunix-demo.com.twd\nThe database was successfully generated.<\/code><\/pre>\n\n\n\n

The baseline is now set.<\/p>\n\n\n\n

You can always update your policy file and re-initialize the database. Bear in mind that re-initializing replaces the baseline wholesale, so the new database trusts whatever is on disk at that moment; do it only on a system you have just verified. For routine policy changes, Tripwire also has a policy update mode (tripwire -m p<\/code>, see man tripwire<\/code>) that re-checks the existing baseline against the new policy instead of discarding it.<\/p>\n\n\n\n

To print the database, use the command, twprint -m d -d <path\/to\/*.twd><\/strong><\/code>.<\/p>\n\n\n\n

twprint -m d -d \/var\/lib\/tripwire\/centos8.kifarunix-demo.com.twd<\/code><\/pre>\n\n\n\n

Run System Integrity Check<\/a><\/h4>\n\n\n\n

After building the Tripwire database, the next step is typically to run tripwire in Integrity Checking mode. This mode scans the system for violations, as specified in the policy file.<\/p>\n\n\n\n

So before we can run an integrity check, let us edit the file we made above.<\/p>\n\n\n\n

echo \"test\" > \/etc\/classified<\/code><\/pre>\n\n\n\n

Next, run the integrity check.<\/p>\n\n\n\n

tripwire -m c<\/code><\/pre>\n\n\n\n

An integrity checking report is printed to stdout and is saved in the location specified by the REPORTFILE setting in the Tripwire configuration file. In my setup, the report is saved as, \/var\/lib\/tripwire\/report\/centos8.kifarunix-demo.com-20200811-233448.twr<\/strong><\/code>.<\/p>\n\n\n\n

Open Source Tripwire(R) 2.4.3.7 Integrity Check Report\n\nReport generated by:          root\nReport created on:            Tue 11 Aug 2020 11:34:48 PM EAT\nDatabase last updated on:     Never\n\n===============================================================================\nReport Summary:\n===============================================================================\n\nHost name:                    centos8.kifarunix-demo.com\nHost IP address:              10.0.2.15\nHost ID:                      None\nPolicy file used:             \/etc\/tripwire\/tw.pol\nConfiguration file used:      \/etc\/tripwire\/tw.cfg\nDatabase file used:           \/var\/lib\/tripwire\/centos8.kifarunix-demo.com.twd\nCommand line used:            tripwire -m c \n\n===============================================================================\nRule Summary: \n===============================================================================\n\n-------------------------------------------------------------------------------\n  Section: Unix File System\n-------------------------------------------------------------------------------\n\n  Rule Name                       Severity Level    Added    Removed  Modified \n  ---------                       --------------    -----    -------  -------- \n  Tripwire Binaries               100               0        0        0        \n  Libraries                       66                0        0        0        \n* Tripwire Data Files             100               0        0        1        \n<\/strong>  System boot changes             100               0        0        0        \n  OS executables and libraries    100               0        0        0        \n  Security Control                100               0        0        0        \n  Login Scripts                   100               0        0        0        \n  Critical configuration files    100               0        0        0        \n  Critical system boot files      100               0        0        0        \n  (\/boot)\n  Invariant Directories           66                0        0        0        \n\nTotal objects scanned:  37883\nTotal violations found:  1\n\n===============================================================================\nObject Summary: \n===============================================================================\n\n-------------------------------------------------------------------------------\n# Section: Unix File System\n-------------------------------------------------------------------------------\n\n-------------------------------------------------------------------------------\nRule Name: Tripwire Data Files (\/etc\/classified)\nSeverity Level: 100\n-------------------------------------------------------------------------------\n\nModified:\n\"\/etc\/classified\"<\/strong>\n\n===============================================================================\nError Report: \n===============================================================================\n\nNo Errors\n\n-------------------------------------------------------------------------------\n*** End of report ***<\/code><\/pre>\n\n\n\n

You can see the modified files from the report.<\/p>\n\n\n\n

If you want to print the report later, use the twprint -m r -t {0|1|2|3|4} -r <path\/to\/*.twr><\/strong><\/code> command.<\/p>\n\n\n\n

Where {0|1|2|3|4} is the report level, 0 being the least detailed and 4 the most. For example, to print the full detailed report to stdout;<\/p>\n\n\n\n

twprint -m r -t 4 -r \/var\/lib\/tripwire\/report\/centos8.kifarunix-demo.com-20200811-233448.twr<\/code><\/pre>\n\n\n\n

Below is a snippet of what attributes were changed on our file, \/etc\/classified<\/code>.<\/p>\n\n\n\n

...\nTotal objects scanned:  37883\nTotal violations found:  1\n\n===============================================================================\nObject Summary: \n===============================================================================\n\n-------------------------------------------------------------------------------\n# Section: Unix File System\n-------------------------------------------------------------------------------\n\n-------------------------------------------------------------------------------\nRule Name: Tripwire Data Files (\/etc\/classified)\nSeverity Level: 100\n-------------------------------------------------------------------------------\n  ----------------------------------------\n  Modified Objects: 1\n  ----------------------------------------\n\nModified object name:  \/etc\/classified\n\n  Property:            Expected                    Observed                    \n  -------------        -----------                 -----------                 \n  Object Type          Regular File                Regular File                \n  Device Number        64768                       64768                       \n  File Device Number   0                           0                           \n  Inode Number         4320652                     4320652                     \n  Mode                 -rw-r--r--                  -rw-r--r--                  \n  Num Links            1                           1                           \n  UID                  root (0)                    root (0)                    \n  GID                  root (0)                    root (0)                    \n* Size                 6                           5                           \n* Modify Time          Tue 11 Aug 2020 11:19:35 PM EAT\n                                                   Tue 11 Aug 2020 11:34:10 PM EAT\n* Change Time          Tue 11 Aug 2020 11:19:35 PM EAT\n                                                   Tue 11 Aug 2020 11:34:10 PM EAT\n  Blocks               8                           8                           \n* CRC32                CzvquR                      A3v0iv                      \n* MD5                  CxlGrJJJLSNHxiNbTSYRGE      DY6Pyi3A+Jb9fLTLADG6JJ\n...<\/code><\/pre>\n\n\n\n

Updating Tripwire Database<\/a><\/h4>\n\n\n\n

Once you have confirmed and validated the changes made on your system, you can update the database using the report. This reconciles the differences between the database and the current state of the system, so the same change does not show up again in future reports. If a reported change is unexpected and potentially malicious, do not accept it: restore the file from a trusted copy and treat the report as the start of an incident investigation. Only when there is a valid reason for the change should the database be updated to match the current files.<\/p>\n\n\n\n

To update the database with the current report;<\/p>\n\n\n\n

tripwire -m u -r \/var\/lib\/tripwire\/report\/centos8.kifarunix-demo.com-20200811-233448.twr<\/code><\/pre>\n\n\n\n

The command opens the report as text in your configured EDITOR. Every detected change has a check box next to it, [x]<\/strong>. Remove the “x” from the box to keep the previously recorded values for that object (the change stays a violation), or leave it to accept the new values into the database.<\/p>\n\n\n\n

...\nTotal objects scanned:  37883\nTotal violations found:  1\n\n===============================================================================\nObject Summary:\n===============================================================================\n\n-------------------------------------------------------------------------------\n# Section: Unix File System\n-------------------------------------------------------------------------------\n\n-------------------------------------------------------------------------------\nRule Name: Tripwire Data Files (\/etc\/classified)\nSeverity Level: 100\n-------------------------------------------------------------------------------\n\nRemove the \"x\" from the adjacent box to prevent updating the database\nwith the new values for this object.\n\nModified:\n[x] \"\/etc\/classified\"<\/strong>\n\n===============================================================================\nObject Detail:\n===============================================================================\n\n-------------------------------------------------------------------------------\n  Section: Unix File System\n-------------------------------------------------------------------------------\n...<\/code><\/pre>\n\n\n\n

Once you have made the changes, save and exit the report.<\/p>\n\n\n\n

You are then prompted for the local key passphrase, which is used to sign the updated database.<\/p>\n\n\n\n

Configure Tripwire to Send Report via Email<\/a><\/h3>\n\n\n\n

You can setup a cron job to run Tripwire checks at specific periods of time and deliver the reports to your mail inbox.<\/p>\n\n\n\n

The email program and report level settings (MAILMETHOD<\/code>, MAILPROGRAM<\/code>, EMAILREPORTLEVEL<\/code> and related parameters) are defined in \/etc\/tripwire\/twcfg.txt<\/strong><\/code>. By default Tripwire hands the report to a sendmail-compatible MTA; Postfix provides \/usr\/sbin\/sendmail<\/code>, so the setup below works without touching these settings.<\/p>\n\n\n\n

Deliver Mails via Postfix and Gmail SMTP Relay server<\/h4>\n\n\n\n

To be able to send email, install Postfix and configure it to relay through an SMTP server. In our setup, we use the Gmail SMTP server to relay our mail via Postfix.<\/p>\n\n\n\n

yum install postfix cyrus-sasl-plain mailx<\/code><\/pre>\n\n\n\n

Next, configure Postfix to use Gmail for mail relay on CentOS 8.<\/p>\n\n\n\n

Insert the following lines at the end of the Postfix main configuration file, \/etc\/postfix\/main.cf<\/code>. Replace the value of the myhostname<\/strong><\/code> parameter.<\/p>\n\n\n\n

myhostname = centos8.kifarunix-demo.com\nrelayhost = [smtp.gmail.com]:587\nsmtp_use_tls = yes\nsmtp_sasl_auth_enable = yes\nsmtp_sasl_password_maps = hash:\/etc\/postfix\/sasl_passwd\nsmtp_sasl_security_options = noanonymous\nsmtp_sasl_tls_security_options = noanonymous<\/code><\/pre>\n\n\n\n

You can append these settings to the Postfix config by executing the command below, after replacing the hostname value. Note that smtp_use_tls = yes<\/code> is the legacy spelling of smtp_tls_security_level = may<\/code>, which makes TLS opportunistic; on the Postfix 3.x shipped with CentOS 8, smtp_tls_security_level = encrypt<\/code> makes TLS mandatory, which is what you want when an account password is being sent to the relay.<\/p>\n\n\n\n

cat << 'EOL' >> \/etc\/postfix\/main.cf\nmyhostname = centos8.kifarunix-demo.com\nrelayhost = [smtp.gmail.com]:587\nsmtp_use_tls = yes\nsmtp_sasl_auth_enable = yes\nsmtp_sasl_password_maps = hash:\/etc\/postfix\/sasl_passwd\nsmtp_sasl_security_options = noanonymous\nsmtp_sasl_tls_security_options = noanonymous\nEOL<\/code><\/pre>\n\n\n\n

Add the Gmail relay account credentials to \/etc\/postfix\/sasl_passwd<\/strong><\/code>. Replace the Gmail account and its password accordingly; for a Gmail account, PASSWORD<\/code> must be an app password generated under 2-Step Verification, as Google no longer accepts the account password itself for SMTP authentication from third-party clients.<\/p>\n\n\n\n

echo \"[smtp.gmail.com]:587 USERNAME@gmail.com:PASSWORD\" > \/etc\/postfix\/sasl_passwd<\/code><\/pre>\n\n\n\n

Build the hashed lookup table from the password file and set restrictive ownership and permissions, so that only root and the postfix user can read the credentials.<\/p>\n\n\n\n

postmap \/etc\/postfix\/sasl_passwd<\/code><\/pre>\n\n\n\n
chown root:postfix \/etc\/postfix\/sasl_passwd*\nchmod 640 \/etc\/postfix\/sasl_passwd*<\/code><\/pre>\n\n\n\n

Start and enable postfix to run on system boot;<\/p>\n\n\n\n

systemctl enable --now postfix<\/code><\/pre>\n\n\n\n

Testing the email configuration using Tripwire;<\/p>\n\n\n\n

tripwire --test --email analyst@gmail.com<\/code><\/pre>\n\n\n\n

In \/var\/log\/maillog<\/code>, you should see a delivery line with status=sent (250 2.0.0 OK...<\/strong><\/code><\/p>\n\n\n\n

Also, check inbox, you should receive email with subject, Test email message from Tripwire<\/strong><\/code>. Otherwise, check your Postfix configs.<\/p>\n\n\n\n
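The relay settings above deliver mail, but two of them are weaker than they look: smtp_use_tls = yes<\/code> only uses TLS if the relay happens to offer STARTTLS, and smtp_sasl_security_options = noanonymous<\/code> still permits the PLAIN and LOGIN mechanisms on an unencrypted session. Together they mean the Gmail credentials could be sent in clear text to any host that answers as the relay without STARTTLS. The script below is an added example, not code from this page or from the Postfix project: it audits a main.cf<\/code> and sasl_passwd<\/code> for those conditions and for a world-readable credential file, and its comments show the corrected settings. The parameter names are real Postfix parameters; the file paths are arguments and the shell is assumed to be POSIX.<\/p>\n\n\n\n

```shell
#!/bin/sh
# Added example: audit a Postfix SMTP-relay configuration for the settings
# that allow SASL credentials to travel to the relay without TLS.

# postfix_param FILE NAME -> prints the last value assigned to NAME in FILE
# (Postfix uses the last assignment when a parameter appears more than once).
postfix_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" |
        tail -n 1
}

# audit_postfix_relay MAIN_CF SASL_PASSWD
# Prints one finding per line; returns 0 when there are none, 1 otherwise.
audit_postfix_relay() {
    main_cf=$1
    sasl_file=$2
    findings=0

    # Weak: smtp_use_tls = yes (alias of level "may") leaves TLS optional.
    # Corrected: smtp_tls_security_level = encrypt (or a stricter level).
    level=$(postfix_param "$main_cf" smtp_tls_security_level)
    case "$level" in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *)
            echo "smtp_tls_security_level is '${level:-unset}': TLS to the relay is optional, set it to encrypt"
            findings=$((findings + 1)) ;;
    esac

    # Weak: noanonymous alone still allows PLAIN/LOGIN on a cleartext session.
    # Corrected: smtp_sasl_security_options = noplaintext, noanonymous
    #            smtp_sasl_tls_security_options = noanonymous   (plaintext OK under TLS)
    opts=$(postfix_param "$main_cf" smtp_sasl_security_options)
    case "$opts" in
        *noplaintext*) ;;
        *)
            echo "smtp_sasl_security_options lacks noplaintext: PLAIN/LOGIN allowed without TLS"
            findings=$((findings + 1)) ;;
    esac

    # The credential file must not be readable by "other" (positions 8-10 of ls -l).
    if [ -f "$sasl_file" ]; then
        case "$(ls -ld "$sasl_file" | cut -c8-10)" in
            *r*)
                echo "$sasl_file is world-readable: chmod 640 (root:postfix) or 600"
                findings=$((findings + 1)) ;;
        esac
    else
        echo "$sasl_file not found"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Usage on a real host:
#   audit_postfix_relay /etc/postfix/main.cf /etc/postfix/sasl_passwd && echo OK
if [ "$#" -ge 2 ]; then
    audit_postfix_relay "$1" "$2"
fi
```

With the page's relay block as written, the audit reports the two TLS findings; appending smtp_tls_security_level = encrypt<\/code> and smtp_sasl_security_options = noplaintext, noanonymous<\/code> to main.cf<\/code> and reloading Postfix clears them. Gmail on port 587 always offers STARTTLS, so the change costs nothing in normal operation and only bites when something is pretending to be the relay.<\/p>\n\n\n\n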

Now, you need to explicitly specify which rules you want to receive email reports for. Email is configured per rule, so edit the policy file, \/etc\/tripwire\/twpol.txt<\/strong><\/code>.<\/p>\n\n\n\n

vim \/etc\/tripwire\/twpol.txt<\/code><\/pre>\n\n\n\n

Once you have identified the rule you want to be notified about, add an emailto<\/code>=<\/strong> line to its rule directive section, giving your email address as the value. See the example below: in our demo above, we added a custom file to the Tripwire Data Files<\/code><\/strong> rule, so this is where we add the address to be notified of any change to the \/etc\/classified<\/strong><\/code> file.<\/p>\n\n\n\n

(\n  rulename = \"Tripwire Data Files\",\n  severity = $(SIG_HI),\n  emailto  = analyst@gmail.com<\/strong>\n)\n{\n  $(TWDB)                              -> $(SEC_CONFIG) -i ;\n  $(TWPOL)\/tw.pol                      -> $(SEC_BIN) -i ;\n  $(TWPOL)\/tw.cfg                      -> $(SEC_BIN) -i ;\n  $(TWLKEY)\/$(HOSTNAME)-local.key      -> $(SEC_BIN) ;\n  $(TWSKEY)\/site.key                   -> $(SEC_BIN) ;\n  \/etc\/classified                      -> $(SEC_CRIT) ; # Custom demo file\n  $(TWREPORT)                          -> $(SEC_CONFIG) (recurse=0) ;\n}\n...<\/code><\/pre>\n\n\n\n

Re-sign the policy once you are done updating it.<\/p>\n\n\n\n

twadmin -m P -S \/etc\/tripwire\/site.key \/etc\/tripwire\/twpol.txt<\/code><\/pre>\n\n\n\n

For any change to a file under the Tripwire Data Files<\/code><\/strong> rule, you will be notified via email, provided the check is run with the -M<\/code> (email report) option.<\/p>\n\n\n\n

Let’s modify our file and run the checks;<\/p>\n\n\n\n

echo \"test\" >> \/etc\/classified<\/code><\/pre>\n\n\n\n

Run the checks and email the report;<\/p>\n\n\n\n

tripwire -m c -M<\/code><\/pre>\n\n\n\n

Below is a snippet of the sample email report.<\/p>\n\n\n\n

[Screenshot: sample Tripwire integrity check report as delivered by email]<\/figure>\n\n\n\n

Install a cronjob to automate this task;<\/p>\n\n\n\n

sudo crontab -e<\/code><\/pre>\n\n\n\n
0 18 * * * \/usr\/sbin\/tripwire -m c -M<\/code><\/pre>\n\n\n\n

The above cron job will run every day at 6 pm and send the report to your inbox.<\/p>\n\n\n\n
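Mailing the report is only half of the job: cron gives you no signal when the check itself fails (a database file that has been tampered with, a policy re-signed with the wrong key, a full \/var<\/code>), and whether a no-violations mail is sent at all depends on MAILNOVIOLATIONS<\/code> in twcfg.txt<\/code>. The wrapper below is an added example, not part of this page or of Tripwire: it runs the check, decodes the exit status that tripwire(8) documents for integrity checking mode (a bitmask: 1 files added, 2 files removed, 4 files changed, 8 an error occurred; confirm against the man page of your build) and writes a one-line summary to syslog, so that a log collector sees every run, including the silent ones. The tripwire path, the syslog tag and the script location in the cron line are assumptions.<\/p>\n\n\n\n

```shell
#!/bin/sh
# Added example: cron wrapper around "tripwire -m c -M" that turns the exit
# status into a syslog line, so failed or silent runs are visible off-box.
# Exit status bits for integrity checking per tripwire(8) (assumed here):
#   1 = files added, 2 = files removed, 4 = files changed, 8 = error occurred

TRIPWIRE=${TRIPWIRE:-/usr/sbin/tripwire}   # assumed install path (EPEL package)
LOG_TAG=${LOG_TAG:-tripwire-check}          # assumed syslog tag

# decode_tripwire_status CODE -> comma-separated list of set flags, "clean" if 0
decode_tripwire_status() {
    code=$1
    flags=""
    [ $((code & 1)) -ne 0 ] && flags="${flags}added,"
    [ $((code & 2)) -ne 0 ] && flags="${flags}removed,"
    [ $((code & 4)) -ne 0 ] && flags="${flags}changed,"
    [ $((code & 8)) -ne 0 ] && flags="${flags}error,"
    [ $((code & ~15)) -ne 0 ] && flags="${flags}unknown($code),"
    [ -z "$flags" ] && flags="clean,"
    printf '%s\n' "${flags%,}"
}

# severity_for_status CODE -> syslog priority for this result
severity_for_status() {
    code=$1
    if [ $((code & 8)) -ne 0 ]; then
        echo "auth.err"          # tripwire could not complete the check
    elif [ "$code" -ne 0 ]; then
        echo "auth.warning"      # violations found, report was mailed
    else
        echo "auth.info"         # clean run
    fi
}

# run_check -> run the integrity check, mail the report (-M), log a summary.
# stdout (the full report) is discarded; it is already saved under TWREPORT.
# The last stderr line is kept so a failure reason reaches the log.
run_check() {
    errfile=$(mktemp) || return 8
    "$TRIPWIRE" -m c -M > /dev/null 2> "$errfile"
    status=$?
    detail=$(tail -n 1 "$errfile")
    rm -f "$errfile"
    summary=$(decode_tripwire_status "$status")
    logger -t "$LOG_TAG" -p "$(severity_for_status "$status")" \
        "integrity check finished: status=$status result=$summary ${detail:+detail=$detail}"
    # Propagate the status so cron's own failure mail fires on problems too.
    return "$status"
}

# Save as /usr/local/sbin/tripwire-check.sh (assumed path) and schedule:
#   0 18 * * * /usr/local/sbin/tripwire-check.sh run
if [ "$1" = "run" ]; then
    run_check
fi
```

A detection rule on the collector is then simple: alert on any line from this tag with result=error<\/code> or result containing changed<\/code>, and, just as importantly, alert when a host has produced no line at all since its scheduled run time.<\/p>\n\n\n\n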

Reference<\/h3>\n\n\n\n