Tripwire
1. Install
# dnf -y install tripwire
Installed:
tripwire-2.4.3.7-20.el10_2.x86_64
Complete!
2. Passphrase Setup
Set the site passphrase and the local passphrase.
# tripwire-setup-keyfiles
------------------------------------------------
The Tripwire site and local passphrases are used to sign a variety of
files, such as the configuration, policy, and database files.
Passphrases should be at least 8 characters in length and contain both
letters and numbers.
See the Tripwire manual for more information.
------------------------------------------------
Creating key files…
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase: [site pass]
Verify the site keyfile passphrase: [site pass]
Generating key (this may take several minutes)…Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase: [local pass]
Verify the local keyfile passphrase: [local pass]
Generating key (this may take several minutes)…Key generation complete.
------------------------------------------------
Signing configuration file…
Please enter your site passphrase: [site pass]
Wrote configuration file: /etc/tripwire/tw.cfg
A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended that you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.
------------------------------------------------
Signing policy file…
Please enter your site passphrase: [site pass]
Wrote policy file: /etc/tripwire/tw.pol
A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
has been preserved for your inspection. This implements a minimal
policy, intended only to test essential Tripwire functionality. You
should edit the policy file to describe your system, and then use
twadmin to generate a new signed copy of the Tripwire policy.
Once you have a satisfactory Tripwire policy file, you should move the
clear-text version to a secure location and/or encrypt it in place
(using a tool such as GPG, for example).
Now run "tripwire --init" to enter Database Initialization Mode. This
reads the policy file, generates a database based on its contents, and
then cryptographically signs the resulting database. Options can be
entered on the command line to specify which policy, configuration, and
key files are used to create the database. The filename for the
database can be specified as well. If no options are specified, the
default values from the current configuration file are used.
3. Tripwire Configuration
①Configuration File Settings
# vi /etc/tripwire/twcfg.txt
Line 9: set LOOSEDIRECTORYCHECKING to true
LOOSEDIRECTORYCHECKING =true
Line 12: change as needed (maximum report level: 4)
REPORTLEVEL =4
②Create the signed (encrypted) configuration file
# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Please enter your site passphrase: [site pass]
Wrote configuration file: /etc/tripwire/tw.cfg
③Delete the clear-text configuration file
# rm -f /etc/tripwire/twcfg.txt
④Optimize the policy
# cd /etc/tripwire/
# vi twpolmake.pl
Contents of twpolmake.pl (it sets HOSTNAME to this machine's hostname and comments out policy entries for files that do not exist here)
#!/usr/bin/perl
#
# Reads a Tripwire policy file and prints an adjusted copy on stdout:
# - the HOSTNAME variable is replaced with the real hostname
# - inside rule blocks, entries for missing or empty files are commented out
$POLFILE=$ARGV[0];
open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;
while (<POL>) {
    chomp;
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        # Replace the HOSTNAME variable with this machine's hostname
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    elsif ( /^{/ ) {
        $INRULE=1 ;   # entering a rule block
    }
    elsif ( /^}/ ) {
        $INRULE=0 ;   # leaving a rule block
    }
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        # $ret is true when the entry was already commented out
        $ret = ($sharp =~ s/\#//g) ;
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        if (! -s $tpath) {
            # Path missing or empty: comment the entry out (unless it already was)
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;
⑤Policy File Optimization
# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new
⑥Create the signed (encrypted) policy file from the optimized policy
# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new
Please enter your site passphrase: [site pass]
Wrote policy file: /etc/tripwire/tw.pol
⑦Database Creation
# tripwire -m i -s -c /etc/tripwire/tw.cfg
Please enter your local passphrase: [local pass]
⑧Functionality Verification
Create a test file
# echo test > /root/test.txt
Run a Tripwire check
# tripwire -m c -s -c /etc/tripwire/tw.cfg
If it works, the report lists the new file:
-------------------------------------------------------------------------------
Added:
"/root/test.txt"
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Delete the test file.
# rm -f /root/test.txt
⑨Create a script (tripwire.sh) that mails the check results, and run it automatically.
# cd /var/www/system
# vi tripwire.sh
#!/bin/bash
PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin
# Passphrases (stored in clear text, hence chmod 700 on this script)
LOCALPASS=xxxxx # local pass
SITEPASS=xxxxx # site pass
# Notification email address
MAIL="[your mail address]"
cd /etc/tripwire || exit 1
# Run the Tripwire check and mail the report
tripwire -m c -s -c tw.cfg | mail -s "Tripwire(R) Integrity Check Report in $(hostname)" "$MAIL"
# Re-generate the policy file so that entries match the files present now
twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q "$SITEPASS" twpol.txt.new > /dev/null
rm -f twpol.txt* *.bak
# Rebuild the database from the new policy (adjust the path if your database directory differs)
rm -f /usr/local/tripwire/lib/tripwire/*.twd*
tripwire -m i -s -c tw.cfg -P "$LOCALPASS"
# chmod 700 tripwire.sh
Add to cron
# crontab -e
0 3 * * * /var/www/system/tripwire.sh
Execute the following and verify that the results are delivered to the specified email address.
# /var/www/system/tripwire.sh
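The script above mails every nightly report, even when nothing changed. As an added example (not one of the page's scripts), the Python below parses the object lists of a Tripwire check report in the format shown in the verification step, so a wrapper can mail only when something was added, modified or removed. The sample report is constructed; the Modified: and Removed: headings are the ones Tripwire prints alongside Added:.

```python
import re

# Constructed sample in the shape of the report shown above, extended with the
# Modified: and Removed: sections that Tripwire prints in the same style.
SAMPLE_REPORT = """\
-------------------------------------------------------------------------------
Added:
"/root/test.txt"
"/usr/local/bin/new-tool"

Modified:
"/etc/passwd"

Removed:
"/var/log/old.log"
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
"""

SECTION_RE = re.compile(r"^(Added|Modified|Removed):\s*$")
OBJECT_RE = re.compile(r'^"(.+)"\s*$')


def parse_report(text):
    """Return {"Added": [...], "Modified": [...], "Removed": [...]}."""
    changes = {"Added": [], "Modified": [], "Removed": []}
    section = None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        obj = OBJECT_RE.match(line)
        if section and obj:
            changes[section].append(obj.group(1))
        elif not line.strip() or line.startswith(("---", "===")):
            section = None  # a blank line or separator ends the object list
    return changes

def needs_alert(changes, ignore_prefixes=()):
    """True when any reported object lies outside the ignored path prefixes."""
    return any(not path.startswith(ignore_prefixes)
               for paths in changes.values() for path in paths)

def summary(changes):
    """One-line summary for a mail subject, e.g. 'added=2 modified=1 removed=1'."""
    return " ".join(f"{k.lower()}={len(v)}" for k, v in changes.items())
```

Feed it the output of tripwire -m c and send the mail only when needs_alert() is true, putting summary() in the subject.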
Logwatch
①Install
# dnf -y install logwatch
②Edit the configuration file
# cat /usr/share/logwatch/default.conf/logwatch.conf >> /etc/logwatch/conf/logwatch.conf
# vi /etc/logwatch/conf/logwatch.conf
Line 77 : Add the email address where you want to receive notifications
#MailTo = root
MailTo = [Email address]
Line 116 : Set the level of detail for log notifications
#Detail = Low
Detail = High
③Generate a Logwatch report
# logwatch --output stdout
The following message appears
################### Logwatch 7.11 (07/22/24) ####################
Processing Initiated: Fri Jun 5 09:02:50 2026
Date Range Processed: yesterday
( 2026-Jun-04 )
Period is day.
Detail Level of Output: 10
Type of Output/Format: stdout / text
Logfiles for Host: Lepard
##################################################################
--------------------- Kernel Audit Begin ------------------------
Number of audit daemon starts: 1
Number of audit initializations: 1
**Unmatched Entries**
auditd[1136]: audit dispatcher initialized with q_depth=2000 and 1 active plugins: 1 Time(s)
---------------------- Kernel Audit End -------------------------
~~~~~~~~~~~~~~(Omitted)~~~~~~~~~~~~~~~~~~~~
--------------------- lm_sensors output Begin ------------------------
No sensors found!
Make sure you loaded all the kernel drivers you need.
Try sensors-detect to find out which these are.
---------------------- lm_sensors output End -------------------------
###################### Logwatch End #########################
④Check that reports are delivered: run the daily job and confirm that a log report email like the one above arrives at the specified address.
# /etc/cron.daily/0logwatch
DNS Update
Whenever the internet connection drops or the router reboots and the global IP address changes, the dynamic DNS service must be told the new address.
Create a dedicated Python script and schedule it with cron.
This example uses the dynamic DNS service of Value Domain.
# cd /var/www/system
# vi ddnsset.py
Contents of ddnsset.py
# ddnsset.py
import requests
import ipaddress
from datetime import datetime
from pathlib import Path

# SETTING DATA
MY_DOMAIN = "example.jp"          # Self-hosted domain
MY_PASS = "xxxxxxxxxx"            # Password
MY_HOSTNAME = "xxxx"              # Host name
OUT_FILE = Path("/tmp/ipadress")  # IP address log file


def time_msg():
    now = datetime.now()
    return now.strftime("%Y/%m/%d %H:%M:%S")


def is_valid_ip(ip_str):
    try:
        ipaddress.ip_address(ip_str)
        return True
    except ValueError:
        return False


def main():
    # Check the current global IP address
    url_get_ip = "https://dyn.value-domain.com/cgi-bin/dyn.fcg?ip"
    try:
        response = requests.get(url_get_ip, timeout=10)
        response.raise_for_status()
        current_ip = response.text.strip()
    except requests.RequestException as e:
        print(f"{time_msg()} Failed to get IP: {e}")
        return
    # IP check
    mssg = time_msg()
    if not current_ip:
        print(f"{mssg} invalid IP NULL")
        return
    if not is_valid_ip(current_ip):
        print(f"{mssg} invalid IP={current_ip}")
        return
    # Read the previously recorded IP
    previous_ip = ""
    if OUT_FILE.exists():
        with open(OUT_FILE, "r") as f:
            previous_ip = f.read().strip()
    if current_ip == previous_ip:
        print(f"{time_msg()} no change IP={current_ip}")
        return
    else:
        print(f"{time_msg()} change IP from {previous_ip} to {current_ip}")
    # Update DDNS
    mssg = time_msg()
    print(f"{mssg} access to value-domain")
    url_set_ddns = (
        f"https://dyn.value-domain.com/cgi-bin/dyn.fcg?"
        f"d={MY_DOMAIN}&p={MY_PASS}&h={MY_HOSTNAME}"
    )
    try:
        response = requests.get(url_set_ddns, timeout=10)
        response.raise_for_status()
        result = ' '.join(response.text.strip().split())
    except requests.RequestException as e:
        print(f"{time_msg()} Failed to update DDNS: {e}")
        return
    mssg = time_msg()
    print(f"{mssg} {MY_HOSTNAME}.{MY_DOMAIN} {result} IP={current_ip}")
    # Save the IP address only if the DDNS update succeeded
    if "status=0" in result:
        with open(OUT_FILE, "w") as f:
            f.write(current_ip)
        print(f"{mssg} Successfully saved new IP: {current_ip}")
    else:
        print(f"{mssg} DDNS update failed, IP not saved")


if __name__ == "__main__":
    main()
Create the IP address log file
# touch /tmp/ipadress
Run periodically (the crontab line below runs the script every minute during the 00:00 hour; it exits early while the address is unchanged)
# crontab -e
* 00 * * * /usr/bin/python3 /var/www/system/ddnsset.py >> /var/log/ddns_updater.log 2>&1
Disk Usage Check Script
1. Script creation
# cd /var/www/system
# vi disk_capacity_check.sh
Contents of disk_capacity_check.sh
#!/bin/bash
# Notification email address
MAIL="<your mailaddress>"
# Usage percentage of the root filesystem (the Use% column of df)
DVAL=$(/bin/df -P / | /usr/bin/tail -1 | /bin/sed 's/^.* \([0-9]*\)%.*$/\1/')
if [ "$DVAL" -gt 80 ]; then
    echo "Disk usage alert: $DVAL %" | mail -s "Disk Space Alert in $(hostname)" "$MAIL"
fi
# chmod 700 disk_capacity_check.sh
2. Execution Confirmation
①Check the current usage rate
# df -h
It will be displayed as follows:
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/rl-root 25G 6.4G 19G 26% /
devtmpfs 1.8G 0 1.8G 0% /dev
tmpfs 1.8G 0 1.8G 0% /dev/shm
tmpfs 725M 9.4M 715M 2% /run
tmpfs 1.0M 0 1.0M 0% /run/credentials/systemd-journald.service
/dev/loop2 128K 128K 0 100% /var/lib/snapd/snap/hello-world/29
/dev/loop4 50M 50M 0 100% /var/lib/snapd/snap/snapd/26865
/dev/loop1 106M 106M 0 100% /var/lib/snapd/snap/core/17292
/dev/loop3 67M 67M 0 100% /var/lib/snapd/snap/core24/1643
/dev/loop0 74M 74M 0 100% /var/lib/snapd/snap/certbot/5603
/dev/nvme0n1p2 2.0G 437M 1.6G 23% /boot
tmpfs 1.0M 0 1.0M 0% /run/credentials/getty@tty1.service
tmpfs 363M 16K 363M 1% /run/user/1000
②Create dummy files to achieve a usage rate of 80% or higher (in this example, a file named dummyfile approximately 15GB in size).
# dd if=/dev/zero of=dummyfile bs=1M count=15000
③Confirm again
# df -h
Verify that the usage of / is now over 80%.
④Run the disk capacity check script
# /var/www/system/disk_capacity_check.sh
An email whose body reads "Disk usage alert: 85 %" (subject "Disk Space Alert in <hostname>") is sent to the specified email address.
⑤Delete the created "dummyfile"
# rm dummyfile
⑥Scheduled Execution Settings
# crontab -e
30 2 * * * /var/www/system/disk_capacity_check.sh
