Tripwire
1.Install
# dnf -y install tripwire
Installed:
tripwire-2.4.3.7-16.el9.x86_64
Complete!
2.Passphrase setting
Set site passphrase and local passphrase
# tripwire-setup-keyfiles
------------------------------------------------
The Tripwire site and local passphrases are used to sign a variety of
files, such as the configuration, policy, and database files.
Passphrases should be at least 8 characters in length and contain both
letters and numbers.
See the Tripwire manual for more information.
------------------------------------------------
Creating key files…
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase: [site pass]
Verify the site keyfile passphrase: [site pass]
Generating key (this may take several minutes)…Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase: [local pass]
Verify the local keyfile passphrase: [local pass]
Generating key (this may take several minutes)…Key generation complete.
------------------------------------------------
Signing configuration file…
Please enter your site passphrase: [site pass]
Wrote configuration file: /etc/tripwire/tw.cfg
A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended that you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.
------------------------------------------------
Signing policy file…
Please enter your site passphrase: [site pass]
Wrote policy file: /etc/tripwire/tw.pol
A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
has been preserved for your inspection. This implements a minimal
policy, intended only to test essential Tripwire functionality. You
should edit the policy file to describe your system, and then use
twadmin to generate a new signed copy of the Tripwire policy.
Once you have a satisfactory Tripwire policy file, you should move the
clear-text version to a secure location and/or encrypt it in place
(using a tool such as GPG, for example).
Now run "tripwire --init" to enter Database Initialization Mode. This
reads the policy file, generates a database based on its contents, and
then cryptographically signs the resulting database. Options can be
entered on the command line to specify which policy, configuration, and
key files are used to create the database. The filename for the
database can be specified as well. If no options are specified, the
default values from the current configuration file are used.
3.Tripwire Configuration
①Configuration File Edit
# vi /etc/tripwire/twcfg.txt
Line 9 : change
LOOSEDIRECTORYCHECKING =true
Line 12 : change
Level 4 provides the most detailed report of the five levels from "0" to "4".
REPORTLEVEL =4
②Create a Tripwire configuration file (cryptographically signed version)
# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Please enter your site passphrase: ←site pass
Wrote configuration file: /etc/tripwire/tw.cfg
③Delete Tripwire configuration file (text version)
# rm -f /etc/tripwire/twcfg.txt
④Policy File Settings
# cd /etc/tripwire/
# vi twpolmake.pl
Contents of twpolmake.pl
#!/usr/bin/perl
#
$POLFILE=$ARGV[0];
open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;
while (<POL>) {
chomp;
if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
$myhost = `hostname` ; chomp($myhost) ;
if ($thost ne $myhost) {
$_="HOSTNAME=\"$myhost\";" ;
}
}
elsif ( /^{/ ) {
$INRULE=1 ;
}
elsif ( /^}/ ) {
$INRULE=0 ;
}
elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
$ret = ($sharp =~ s/\#//g) ;
if ($tpath eq '/sbin/e2fsadm' ) {
$cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
}
if (! -s $tpath) {
$_ = "$sharp#$tpath$cond" if ($ret == 0) ;
}
else {
$_ = "$sharp$tpath$cond" ;
}
}
print "$_\n" ;
}
close(POL) ;
⑤Policy File Optimizations
# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new
⑥Create policy file (cryptographically signed version) based on optimized policy file
# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new
Please enter your site passphrase: ←site pass
Wrote policy file: /etc/tripwire/tw.pol
⑦Create database and check operation
# tripwire -m i -s -c /etc/tripwire/tw.cfg
Please enter your local passphrase: ←local pass
Create test files
# echo test > /root/test.txt
Check Tripwire operation
# tripwire -m c -s -c /etc/tripwire/tw.cfg
If it displays as shown below, it's OK.
Open Source Tripwire(R) 2.4.3.7 Integrity Check Report
Report generated by: root
Report created on: Fri 03 Jul 2026 02:30:21 PM JST
Database last updated on: Never
===============================================================================
Report Summary:
===============================================================================
Host name: Lepard
Host IP address: 192.168.11.83
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/Lepard.twd
Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
User binaries 66 0 0 0
Tripwire Binaries 100 0 0 0
Libraries 66 0 0 0
Operating System Utilities 100 0 0 0
File System and Disk Administraton Programs
100 0 0 0
Kernel Administration Programs 100 0 0 0
Networking Programs 100 0 0 0
System Administration Programs 100 0 0 0
Hardware and Device Control Programs
100 0 0 0
System Information Programs 100 0 0 0
(/sbin/runlevel)
Application Information Programs
100 0 0 0
(/sbin/rtmon)
Critical Utility Sym-Links 100 0 0 0
Shell Binaries 100 0 0 0
Critical system boot files 100 0 0 0
* Tripwire Data Files 100 1 0 0
System boot changes 100 0 0 0
OS executables and libraries 100 0 0 0
Security Control 100 0 0 0
Login Scripts 100 0 0 0
Critical configuration files 100 0 0 0
* Root config files 100 1 0 0
Invariant Directories 66 0 0 0
Temporary directories 33 0 0 0
Critical devices 100 0 0 0
(/proc/kcore)
Total objects scanned: 47684
Total violations found: 2
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/var/lib/tripwire/Lepard.twd"
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/root/test.txt"
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Delete test files
# rm -f /root/test.txt
⑧Create a script for reporting results via email
# cd /var/www/system
# vi tripwire.sh
#!/bin/bash
PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin
#Passphrase Setup
LOCALPASS=xxxxx # local pass
SITEPASS=xxxxx # site pass
#Specify notification email address
MAIL="[your mail address] "
cd /etc/tripwire
#Tripwire Check Execution
tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" $MAIL
#Policy File Update
twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null
rm -f twpol.txt* *.bak
#Database Update
rm -f /usr/local/tripwire/lib/tripwire/*.twd*
tripwire -m i -s -c tw.cfg -P $LOCALPASS
# chmod 700 tripwire.sh
Add to cron
# crontab -e
0 3 * * * /var/www/system/tripwire.sh
Confirmation that the results of the tripwire execution are notified to the specified e-mail address
# /var/www/system/tripwire.sh
Chkrootkit
Install the rootkit detection tool chkrootkit to check whether a rootkit has been installed on the Linux server.
Since chkrootkit performs checks using the following command, it becomes ineffective if the command itself has been tampered with by a rootkit. Therefore, it is advisable to install it during the initial stages after Linux installation.
【Commands used by chkrootkit】
awk, cut, echo, egrep, find, head, id, ls, netstat, ps, strings, sed, uname
Note that chkrootkit can only detect known rootkits and cannot detect new rootkits.
①Download and install chkrootkit
# cd /usr/local/src
# wget https://launchpad.net/chkrootkit/main/0.55/+download/chkrootkit-0.55.tar.gz
# tar xvf chkrootkit-0.55.tar.gz
➁Create /root/bin directory and move chkrootkit command to that directory
# mkdir -p /root/bin
# mv chkrootkit-0.55/chkrootkit /root/bin
➂Check chkrootkit.
# chkrootkit | grep INFECTED
If nothing is displayed, there is no problem.
If the message "Checking `chsh'… INFECTED" appears, compare it with the information in the RPM database.
Check the RPM package for chsh
# rpm -qf $(which chsh)
util-linux-user-2.37.4-25.el9.x86_64
Check whether the specified package has been modified compared to when it was originally installed
# rpm -V util-linux-user
No output(If there are no differences, nothing will be output.)---Since no differences were found, this can be determined to be a false positive.
④Create chkrootkit periodic execution script and change permissions
# vi /etc/cron.daily/chkrootkit
Scheduled Script Contents
#!/bin/bash
PATH=/usr/bin:/bin:/root/bin
LOG=/tmp/$(basename ${0})
# Run chkrootkit
chkrootkit > $LOG 2>&1
# log output
cat $LOG | logger -t $(basename ${0})
# SMTPS bindshell false positive response
if [ ! -z "$(grep 465 $LOG)" ] && \
[ -z $(/usr/sbin/lsof -i:465|grep bindshell) ]; then
sed -i '/465/d' $LOG
fi
# Support for Suckit false positives when updating upstart package
if [ ! -z "$(grep Suckit $LOG)" ] && \
[ -z "$(rpm -V `rpm -qf /sbin/init`)" ]; then
sed -i '/Suckit/d' $LOG
fi
# Send mail to root only when rootkit is detected
[ ! -z "$(grep INFECTED $LOG)" ] && \
grep INFECTED $LOG | mail -s "chkrootkit report in `hostname`" root
Add execution permission to chkrootkit execution script
# chmod 700 /etc/cron.daily/chkrootkit
⑤Backup commands used by chkrootkit
If the commands used by chkrootkit are tampered with, rootkit will not be detected.
Back up these commands.
If necessary, run chkrootkit with the backed up command
# cd /root
# mkdir /root/chkrootkit_cmd
# cp `which --skip-alias awk cut echo egrep find head id ls netstat ps strings sed ssh uname` chkrootkit_cmd/
# ls -l /root/chkrootkit_cmd/
total 2668
-rwxr-xr-x 1 root root 714928 Jul 3 15:05 awk
-rwxr-xr-x 1 root root 44648 Jul 3 15:05 cut
-rwxr-xr-x 1 root root 27936 Jul 3 15:05 echo
-rwxr-xr-x 1 root root 32 Jul 3 15:05 egrep
-rwxr-xr-x 1 root root 291792 Jul 3 15:05 find
-rwxr-xr-x 1 root root 40552 Jul 3 15:05 head
-rwxr-xr-x 1 root root 40472 Jul 3 15:05 id
-rwxr-xr-x 1 root root 140744 Jul 3 15:05 ls
-rwxr-xr-x 1 root root 160616 Jul 3 15:05 netstat
-rwxr-xr-x 1 root root 144536 Jul 3 15:05 ps
-rwxr-xr-x 1 root root 115544 Jul 3 15:05 sed
-rwxr-xr-x 1 root root 917872 Jul 3 15:05 ssh
-rwxr-xr-x 1 root root 32504 Jul 3 15:05 strings
-rwxr-xr-x 1 root root 32232 Jul 3 15:05 uname
⑥Run chkrootkit on the copied command
# chkrootkit -p /root/chkrootkit_cmd | grep INFECTED
Checking `chsh'... INFECTED
Checking `chsh'… It says "INFECTED," but this is a false positive.
⑦Compresses backed up commands
# tar zcvf chkrootkit_cmd.tar.gz chkrootkit_cmd
chkrootkit_cmd/
chkrootkit_cmd/awk
chkrootkit_cmd/cut
chkrootkit_cmd/echo
chkrootkit_cmd/egrep
chkrootkit_cmd/find
chkrootkit_cmd/head
chkrootkit_cmd/id
chkrootkit_cmd/ls
chkrootkit_cmd/netstat
chkrootkit_cmd/ps
chkrootkit_cmd/strings
chkrootkit_cmd/sed
chkrootkit_cmd/ssh
chkrootkit_cmd/uname
# ls -l
total 7488
-rw-r--r-- 1 root root 2590063 Mar 25 23:57 4-5-12
-rw-------. 1 root root 1305 Jun 30 15:28 anaconda-ks.cfg
drwxr-xr-x 2 root root 24 Jul 3 14:47 bin
drwxr-xr-x 2 root root 172 Jul 3 15:05 chkrootkit_cmd
-rw-r--r-- 1 root root 1244819 Jul 3 15:07 chkrootkit_cmd.tar.gz
drwxrwxr-x 22 root root 4096 Jul 2 14:19 nagios-4.5.12
drwxr-xr-x 15 root root 4096 Jul 2 14:24 nagios-plugins-2.5
-rw-r--r-- 1 root root 2752957 Apr 1 00:47 nagios-plugins-2.5.tar.gz
drwxrwxr-x 10 root root 4096 Jul 2 14:45 nrpe-4.1.3
-rw-r--r-- 1 root root 526925 Dec 11 2024 nrpe-4.1.3.tar.gz
-rw-r--r-- 1 root root 526925 Dec 11 2024 nrpe-4.1.3.tar.gz.1
drwx------ 3 root root 21 Jul 2 08:47 snap
⑧Send chkrootkit use command (compressed version) to root by e-mail
# echo|mail -a chkrootkit_cmd.tar.gz -s chkrootkit_cmd.tar.gz root
⑨Download and save chkrootkit_cmd.tar.gz file to Windows
⑩Delete commands on the backed up server
# rm -f chkrootkit_cmd.tar.gz
