Nowadays, I am trying to harden my servers. I use a benchmark tool named as lynis. After scanning my system, I try to follow lynis recommendations. One of them is using a integrity scan tool for watching file system changes.

Tripwire can be installed from epel with

yum install tripwire

After installation, you should configure several configuration files.

/etc/tripwire/twpol.txt
/etc/tripwire/twcfg.txt

The twpol.txt policy file provides files and directories to watch with severities. Also you can group them. And also for each group you can add email receiver. However only I want to receive emails, so, I edited twcfg.txt file and set GLOBALEMAIL. Do not forget to check files/directories if exists before finalizing configuration. I did some bash magic for preparing twpol.txt.

Then execute

tripwire-setup-keyfiles
tripwire --init

This command request two password, site, local, may be same, for securing configurations. Then you can delete “twpol.txt” and “twcfg.txt” for hiding configurations. However you can regenerate last configurations with

twadmin -m f > /etc/tripwire/twcfg.txt
twadmin -m p > /etc/tripwire/twpol.txt

If you edit your policy file, twpol.txt, and add/remove files/folders you should update tripwire with

twadmin -m P /etc/tripwire/twpol.txt

and also If you modify config file, twcfg.txt, then you should run

twadmin -m F /etc/tripwire/twcfg.txt

Now, it is time to check/scan the system. For an interactive scan (viewing result inside vim) and accepting/rejecting changes

tripwire -m c -I

The report is human readable and it is very easy to accept changes or reject. In here, the term rejecting is for manual process of finding modifications and revert them. And accepting is for updating policy for modifications.

For automated scans and emailing results, such for cron jobs, you can use

/usr/sbin/tripwire -m c -M -s -n

File integrity scanning is good for watching modifications of files. However It can not be a standalone security tool. Because after a modification, this tools can not revert modifications. However some scripts can be developed to automate replacing original files, such as configuration files. On the other hand, this reports can be helpful for managing user and selinux rights for further denials of modifications.