Nowadays, I am trying to harden my servers. I use a benchmark tool named as lynis. After scanning my system, I try to follow lynis recommendations. One of them is using a integrity scan tool for watching file system changes.
Tripwire can be installed from epel with
yum install tripwire
After installation, you should configure several configuration files.
The twpol.txt policy file provides files and directories to watch with severities. Also you can group them. And also for each group you can add email receiver. However only I want to receive emails, so, I edited twcfg.txt file and set GLOBALEMAIL. Do not forget to check files/directories if exists before finalizing configuration. I did some bash magic for preparing twpol.txt.
This command request two password, site, local, may be same, for securing configurations. Then you can delete “twpol.txt” and “twcfg.txt” for hiding configurations. However you can regenerate last configurations with
twadmin -m f > /etc/tripwire/twcfg.txt
twadmin -m p > /etc/tripwire/twpol.txt
If you edit your policy file, twpol.txt, and add/remove files/folders you should update tripwire with
twadmin -m P /etc/tripwire/twpol.txt
and also If you modify config file, twcfg.txt, then you should run
twadmin -m F /etc/tripwire/twcfg.txt
Now, it is time to check/scan the system. For an interactive scan (viewing result inside vim) and accepting/rejecting changes
tripwire -m c -I
The report is human readable and it is very easy to accept changes or reject. In here, the term rejecting is for manual process of finding modifications and revert them. And accepting is for updating policy for modifications.
For automated scans and emailing results, such for cron jobs, you can use
/usr/sbin/tripwire -m c -M -s -n
File integrity scanning is good for watching modifications of files. However It can not be a standalone security tool. Because after a modification, this tools can not revert modifications. However some scripts can be developed to automate replacing original files, such as configuration files. On the other hand, this reports can be helpful for managing user and selinux rights for further denials of modifications.