Contents
1. Tripwire
1.1 Installation, Configuration
① Add Repository
# zypper addrepo https://download.opensuse.org/repositories/security/16.0/security.repo
# zypper refresh
② Install
# zypper -n install tripwire
③ Creating a Local Key Passphrase
# twadmin --generate-keys -L /etc/tripwire/${HOSTNAME}-local.key

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.
④ Creating a Site Key Passphrase
# twadmin --generate-keys -S /etc/tripwire/site.key

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.
⑤ Configuration File Edit
# vi /etc/tripwire/twcfg.txt

(Add the following two lines at the end of the file)
LOOSEDIRECTORYCHECKING =true
REPORTLEVEL =4
⑥ Create the Tripwire configuration file (cryptographically signed version)
# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Please enter your site passphrase:    ← site passphrase
Wrote configuration file: /etc/tripwire/tw.cfg
Delete Tripwire configuration file (text version)
# rm -f /etc/tripwire/twcfg.txt
※ To restore the text version of the Tripwire configuration file later, print it from the signed copy:
# twadmin -m f -c /etc/tripwire/tw.cfg > /etc/tripwire/twcfg.txt
⑦ Policy File Text Version Creation
# vi /etc/tripwire/twpol.txt

@@section GLOBAL
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL=/etc/tripwire;
TWDB=/var/lib/tripwire;
TWSKEY=/etc/tripwire;
TWLKEY=/etc/tripwire;
TWREPORT=/var/lib/tripwire/report;
HOSTNAME=myhostname;

Device     = +pugsdr-intlbamcCMSH ;
Dynamic    = +pinugtd-srlbamcCMSH ;
Growing    = +pinugtdl-srbamcCMSH ;
IgnoreAll  = -pinugtsdrlbamcCMSH ;
IgnoreNone = +pinugtsdrbamcCMSH-l ;
ReadOnly   = +pinugtsdbmCM-rlacSH ;
Temporary  = +pugt ;

@@section FS

(
  rulename = "Tripwire Binaries",
)
{
  $(TWBIN)/siggen    -> $(ReadOnly) ;
  $(TWBIN)/tripwire  -> $(ReadOnly) ;
  $(TWBIN)/twadmin   -> $(ReadOnly) ;
  $(TWBIN)/twprint   -> $(ReadOnly) ;
}

(
  rulename = "Tripwire Data Files",
)
{
  $(TWDB)                          -> $(Dynamic) -i ;
  $(TWPOL)/tw.pol                  -> $(ReadOnly) -i ;
  $(TWPOL)/tw.cfg                  -> $(ReadOnly) -i ;
  $(TWLKEY)/$(HOSTNAME)-local.key  -> $(ReadOnly) ;
  $(TWSKEY)/site.key               -> $(ReadOnly) ;
  # don't scan the individual reports
  $(TWREPORT)                      -> $(Dynamic) (recurse=0) ;
}

(
  rulename = "Global Configuration Files",
)
{
  /etc  -> $(IgnoreNone) -SHa ;
}

(
  rulename = "OS Boot Files and Mount Points",
)
{
  /boot  -> $(ReadOnly) ;
}

(
  rulename = "OS Devices and Misc Directories",
)
{
  /opt  -> $(Dynamic) ;
}

(
  rulename = "OS Binaries and Libraries",
)
{
  /bin        -> $(ReadOnly) ;
  /lib        -> $(ReadOnly) ;
  /lib64      -> $(ReadOnly) ;
  /sbin       -> $(ReadOnly) ;
  /usr/bin    -> $(ReadOnly) ;
  /usr/lib    -> $(ReadOnly) ;
  /usr/lib64  -> $(ReadOnly) ;
  /usr/sbin   -> $(ReadOnly) ;
}

(
  rulename = "User Binaries and Libraries",
)
{
  /usr/local          -> $(ReadOnly) ;
  /usr/local/bin      -> $(ReadOnly) ;
  /usr/local/etc      -> $(ReadOnly) ;
  /usr/local/include  -> $(ReadOnly) ;
  /usr/local/lib      -> $(ReadOnly) ;
  /usr/local/sbin     -> $(ReadOnly) ;
  /usr/local/share    -> $(ReadOnly) ;
}

(
  rulename = "Root Directory and Files",
)
{
  /root  -> $(IgnoreNone) -SHa ;
}

(
  rulename = "Monitor Filesystems",
)
{
  /home  -> $(ReadOnly) ;  # Modify as needed
  /usr   -> $(ReadOnly) ;
  /var   -> $(ReadOnly) ;
}
⑧ Policy File Settings
# cd /etc/tripwire/
# vi twpolmake.pl
Contents of twpolmake.pl
#!/usr/bin/perl
#
# twpolmake.pl - adapt a Tripwire policy text file to this host:
#   * rewrites the HOSTNAME= line in @@section GLOBAL to the real host name
#   * inside rule blocks, comments out entries whose path does not exist
#     (or is empty) and uncomments entries whose path does exist
# Usage: perl twpolmake.pl twpol.txt > twpol.txt.new
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while (<POL>) {
    chomp;
    # "HOSTNAME=...;" : replace the value with the output of hostname(1) if it differs
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    # A rule body starts at a line beginning with "{" and ends at one beginning with "}"
    elsif ( /^\{/ ) {
        $INRULE=1 ;
    }
    elsif ( /^\}/ ) {
        $INRULE=0 ;
    }
    # Inside a rule body: "<optional #> /path -> property mask ;"
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        # $ret is the number of "#" removed from the prefix: 1 if the entry was
        # commented out, empty (false) otherwise
        $ret = ($sharp =~ s/\#//g) ;
        # legacy special case: keep the tune2fs part of the e2fsadm entry commented
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        if (! -s $tpath) {
            # path missing or empty: comment the entry out (unless it already was)
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            # path present: emit the entry uncommented
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;
⑨ Policy File Optimization
# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new
⑩ Create the policy file (cryptographically signed version) from the optimized policy file
# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new
Please enter your site passphrase:    ← Enter the site passphrase
Wrote policy file: /etc/tripwire/tw.pol
⑪ Create the database and check operation
# tripwire --init
Please enter your local passphrase:    ← [Enter "Local Passphrase"]
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
The object: "/boot/grub2/i386-pc" is on a different file system...ignoring.
The object: "/boot/grub2/x86_64-efi" is on a different file system...ignoring.
Wrote database file: /var/lib/tripwire/Lepard.twd
The database was successfully generated.
⑫ Create a test file
# echo test > /root/test.txt
⑬ Check Tripwire operation
# tripwire --check
If successful, the output looks like the following (the added test file and the modified log files show up as violations):
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
The object: "/boot/grub2/i386-pc" is on a different file system...ignoring.
The object: "/boot/grub2/x86_64-efi" is on a different file system...ignoring.
Wrote report file: /var/lib/tripwire/report/Lepard-20251020-164221.twr
Open Source Tripwire(R) 2.4.3.7 Integrity Check Report
Report generated by: root
Report created on: Mon Oct 20 16:42:21 2025
Database last updated on: Never
===============================================================================
Report Summary:
Host name: Lepard
Host IP address: Unknown IP
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/Lepard.twd
Command line used: tripwire --check
=========================================================================
Rule Summary:
Section: Unix File System
  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* Monitor Filesystems             0                 0        0        5
  OS Binaries and Libraries       0                 0        0        0
  Tripwire Binaries               0                 0        0        0
  User Binaries and Libraries     0                 0        0        0
  Tripwire Data Files             0                 0        0        0
  Global Configuration Files      0                 0        0        0
  (/etc)
  OS Boot Files and Mount Points  0                 0        0        0
  (/boot)
* Root Directory and Files        0                 1        0        0
  (/root)
Total objects scanned: 154125
Total violations found: 6
=========================================================================
Object Summary:
# Section: Unix File System
Rule Name: Monitor Filesystems (/var)
Severity Level: 0
Modified:
"/var/log/journal/406942affffa4233817de9dd68899f18/system.journal"
"/var/log/mail"
"/var/log/mail.info"
"/var/log/messages"
"/var/log/vmware-vmsvc-root.log"
Rule Name: Root Directory and Files (/root)
Severity Level: 0
Added:
"/root/test.txt"
=========================================================================
Error Report:
No Errors
*** End of report ***
Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
Delete the test file
# rm -f /root/test.txt
1.2 Schedule Tripwire to run regularly
① Creating an Automated Script for Tripwire Email Notifications
# cd /srv/www/system
# vi tripwire.sh
Contents of "tripwire.sh"
Replace the "xxxxx" placeholders for LOCALPASS and SITEPASS with the local passphrase and the site passphrase you set earlier, and put the notification address in MAIL.
#!/bin/bash

PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin

# Passphrase Setup
LOCALPASS=xxxxx   # Local passphrase
SITEPASS=xxxxx    # Site passphrase

# Specify notification email address
MAIL="mail address"

cd /etc/tripwire

# Tripwire Check Execution
tripwire -m c -s -c tw.cfg | mail -s "Tripwire(R) Integrity Check Report in `hostname`" $MAIL

# Policy File Update
twadmin --create-polfile -S /etc/tripwire/site.key -Q $SITEPASS /etc/tripwire/twpol.txt
rm -f twpol.txt* *.bak

# Database Update
rm -f /var/lib/tripwire/*.twd*
tripwire --init -P $LOCALPASS
Because the script holds both passphrases in clear text, make it readable and executable by root only:
# chmod 700 tripwire.sh
② Add Tripwire to cron so it runs regularly
# crontab -e
0 3 * * * /srv/www/system/tripwire.sh
Execute the following command and verify that a notification is delivered to the specified email address.
# /srv/www/system/tripwire.sh
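The cron script above mails the whole report on every run. A small filter that reads the report format shown in 1.1 and pulls out the violation count and the affected objects makes it possible to mail (or log) only when there is something to review. This is an added example, not part of the tutorial: the function names are hypothetical and the sample report is a constructed, abridged copy of the one shown above.

```shell
#!/bin/bash
# Added example: summarise a "tripwire --check" report in the format shown
# in section 1.1. Function names are hypothetical; the sample is constructed.

# Constructed sample: an abridged copy of the report shown above.
SAMPLE_REPORT='Rule Summary:
Total objects scanned: 154125
Total violations found: 6
Object Summary:
Rule Name: Monitor Filesystems (/var)
Severity Level: 0
Modified:
  "/var/log/messages"
  "/var/log/mail"
Rule Name: Root Directory and Files (/root)
Severity Level: 0
Added:
  "/root/test.txt"
Error Report:
No Errors'

# Total violations reported (0 when the line is absent), read from stdin.
violation_count() {
    awk -F': *' '/^[ \t]*Total violations found:/ { n = $2 } END { print n + 0 }'
}

# One "STATE<TAB>/path" line per object listed under Added:/Removed:/Modified:
# (read from stdin); the next Rule Name or the Error Report ends a list.
violated_objects() {
    awk '
        /^[ \t]*(Added|Removed|Modified):[ \t]*$/ { s = $1; sub(/:$/, "", s); state = s; next }
        /^[ \t]*(Rule Name|Error Report):/        { state = ""; next }
        state != "" && /^[ \t]*"\/.*"[ \t]*$/    { p = $0; gsub(/^[ \t]*"|"[ \t]*$/, "", p); print state "\t" p }
    '
}

# True when the report passed as $1 contains at least one violation, so a
# cron wrapper can mail only when there is something to review.
has_violations() {
    [ "$(printf '%s\n' "$1" | violation_count)" -gt 0 ]
}

if has_violations "$SAMPLE_REPORT"; then
    printf 'violations: %s\n' "$(printf '%s\n' "$SAMPLE_REPORT" | violation_count)"
    printf '%s\n' "$SAMPLE_REPORT" | violated_objects
fi
```

In tripwire.sh the same functions can be fed from `tripwire -m c -s -c tw.cfg` in place of the constructed sample.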
2. Logwatch
① Logwatch Installation
# zypper -n install logwatch
② Edit configuration file
Copy the default configuration file into the local configuration directory:
# cat /usr/share/logwatch/default.conf/logwatch.conf >> /etc/logwatch/conf/logwatch.conf
# vi /etc/logwatch/conf/logwatch.conf

# Line 77 : add
# Set the email address where you want to receive notifications
#MailTo = root
MailTo = <mail.address>

# Line 116 : add
# Set the level of detail for log notifications
#Detail = Low
Detail = High
③ Output a Logwatch report
# logwatch --output stdout

 ################### Logwatch 7.13 (07/22/25) ####################
        Processing Initiated: Mon Oct 20 16:59:01 2025
        Date Range Processed: yesterday
                              ( 2025-Oct-19 )
                              Period is day.
        Detail Level of Output: 10
        Type of Output/Format: stdout / text
        Logfiles for Host: Lepard
 ##################################################################

 --------------------- Disk Space Begin ------------------------

 Filesystem      Size  Used Avail Use% Mounted on
 /dev/sda2        18G  6.9G   11G  39% /
 /dev/sda2        18G  6.9G   11G  39% /boot/grub2/x86_64-efi
 /dev/sda2        18G  6.9G   11G  39% /opt
 /dev/sda2        18G  6.9G   11G  39% /srv
 /dev/sda2        18G  6.9G   11G  39% /boot/grub2/i386-pc
 /dev/sda2        18G  6.9G   11G  39% /home
 /dev/sda2        18G  6.9G   11G  39% /.snapshots
 /dev/sda2        18G  6.9G   11G  39% /root
 /dev/sda2        18G  6.9G   11G  39% /usr/local
 /dev/sda2        18G  6.9G   11G  39% /var

 ---------------------- Disk Space End -------------------------

 --------------------- lm_sensors output Begin ------------------------

 No sensors found!
 Make sure you loaded all the kernel drivers you need.
 Try sensors-detect to find out which these are.

 ---------------------- lm_sensors output End -------------------------

 ###################### Logwatch End #########################
④ Check that the report arrives at the address you set, i.e. that you receive a log report email like the one above.
If the following command prints warnings like the ones below, edit the Perl code on the lines they name.
# logwatch --output mail
Possible precedence problem between ! and string eq at /usr/lib/perl5/vendor_perl/5.42.0/Date/Manip/Date.pm line 2695.
Possible precedence problem between ! and string eq at /usr/lib/perl5/vendor_perl/5.42.0/Date/Manip/Delta.pm line 1117.
Rewrite as follows:
# vi /usr/lib/perl5/vendor_perl/5.42.0/Date/Manip/Date.pm
Line 2695:
if (! ref($date) eq 'Date::Manip::Date') {
→
if ($date ne 'Date::Manip::Date') {

# vi /usr/lib/perl5/vendor_perl/5.42.0/Date/Manip/Delta.pm
Line 1117:
if (! ref($delta) eq 'Date::Manip::Delta') {
→
if ($delta ne 'Date::Manip::Delta') {
The report will now be sent to the specified email address.