How to Install and Configure Tripwire on Ubuntu 18.04

Date: 2020-02-23 14:44:35  Source: igfitidea

In this article we look at how to install and configure Tripwire on Ubuntu 18.04.
Tripwire is an open-source host-based intrusion detection system.
Tripwire checks file integrity: it monitors files and directories and alerts on changes to them.

How Tripwire Works

A Tripwire check compares the current state of the file system against a known baseline state and alerts on any change it detects.
The baseline and the check behaviour are controlled by a policy file, which specifies which files or directories to monitor and which of their attributes to monitor, such as hashes, file permissions and ownership.

When an expected change occurs, such as a package upgrade, the baseline database can be updated to the new known state.
The policy can also be updated, for example to reduce noise or to cover a newly installed package.

Install Tripwire on Ubuntu 18.04

The Tripwire package for Ubuntu 18.04 is available from the APT repository.
Install it by running:

$ sudo apt-get install tripwire

The installation is an interactive process and will ask you several questions.

We are now prompted for a passphrase (the site passphrase); enter a passphrase of our choice.

Re-enter the passphrase typed above to confirm it.

We also need to set the local passphrase:

Re-enter the passphrase to confirm and press <Ok>.

On a successful installation we get a success message like the following:

Create Tripwire keys and initialize the database

Now that the installation has succeeded, we need to generate the keys and initialize the database so that Tripwire can start working.

$ sudo su
# cd /etc/tripwire/
# ls -1
server-01-local.key
site.key
tw.cfg
tw.pol
twcfg.txt
twpol.txt

We will modify the twcfg.txt file, setting REPORTLEVEL to 4, which is the maximum value. The file then looks like this:

ROOT          =/usr/sbin
POLFILE       =/etc/tripwire/tw.pol
DBFILE        =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE    =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE   =/etc/tripwire/site.key
LOCALKEYFILE  =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR        =/usr/bin/editor
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL   =4
SYSLOGREPORTING =true
MAILMETHOD    =SMTP
SMTPHOST      =localhost
SMTPPORT      =25
TEMPDIRECTORY =/tmp

After the change, generate the signed configuration file from it:

# twadmin -m F -c tw.cfg -S site.key twcfg.txt
Please enter your site passphrase: <Enter-your-passphrase>
Wrote configuration file: /etc/tripwire/tw.cfg

Optimize the Tripwire policy file

Create a twpolmake.pl file with the following content:

# vim twpolmake.pl

Add:

#!/usr/bin/perl
# Tripwire Policy File customize tool
# ---------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ---------------------------------------------------------------
# Usage:
#     perl twpolmake.pl {Pol file}
# ---------------------------------------------------------------
#
# Reads a twpol.txt, sets HOSTNAME to this machine's hostname, and comments
# out every rule line whose path does not exist here, so the first check does
# not report a long list of missing files.
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while (<POL>) {
    chomp;
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        # Replace the HOSTNAME setting with the real hostname of this machine
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    elsif ( /^{/) {
        $INRULE=1 ;   # entering a rule block
    }
    elsif ( /^}/) {
        $INRULE=0 ;   # leaving a rule block
    }
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        # $sharp: leading whitespace and optional '#', $tpath: the path, $cond: "-> rule;"
        $ret = ($sharp =~ s/\#//g) ;   # strip an existing '#' and remember whether there was one
        if ($tpath eq '/sbin/e2fsadm' ) {
            # special case: drop the trailing tune2fs remark on the e2fsadm line
            $cond =~ s/;\s+(tune2fs.*)$/; \#/;
        }
        if (! -s $tpath) {
            # path missing or empty on this host: comment the line out unless it already was
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;

Generate the signed policy file from the rewritten text policy:

# perl twpolmake.pl twpol.txt > twpol.txt.new 
# twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new 
Please enter your site passphrase: 
Wrote policy file: /etc/tripwire/tw.pol

Create the Tripwire database (on a first initialization the warning below about a missing .twd file is expected, since no database exists yet):

# tripwire -m i -s -c tw.cfg
Please enter your local passphrase: 
### Warning: File system error.
### Filename: /var/lib/tripwire/server-01.twd
### No such file or directory
### Continuing...

We can print the database with the command:

# twprint -m d -d /path/to/database.twd
e.g.
# twprint -m d -d /var/lib/tripwire/server-01.twd

Update the database

The simplest form of update writes all the changes listed in the report file into the database:

# tripwire --update --accept-all

Test Tripwire by running a check manually:

# tripwire -m c -s -c /etc/tripwire/tw.cfg 
Open Source Tripwire(R) 2.4.3.1 Integrity Check Report

Report generated by:          root
Report created on:            Sat Jun  9 07:32:25 2016
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    server-01
Host IP address:              127.0.1.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/server-01.twd
Command line used:            tripwire -m c -s -c /etc/tripwire/tw.cfg 

===============================================================================
Rule Summary: 
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Other binaries                  66                0        0        0        
  Tripwire Binaries               100               0        0        0        
  Other libraries                 66                0        0        0        
  Root file-system executables    100               0        0        0        
* Tripwire Data Files             100               1        0        0        
  System boot changes             100               0        0        0        
  Root file-system libraries      100               0        0        0        
  (/lib)
  Critical system boot files      100               0        0        0        
  Other configuration files       66                0        0        0        
  (/etc)
  Boot Scripts                    100               0        0        0        
  Security Control                66                0        0        0        
  Root config files               100               0        0        0        
  Devices & Kernel information    100               0        0        0        
  (/dev)
  Invariant Directories           66                0        0        0        

Total objects scanned:  14492
Total violations found:  1

===============================================================================
Object Summary: 
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire/server-01.twd)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/lib/tripwire/server-01.twd"

===============================================================================
Error Report: 
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.

If no errors were encountered, the Tripwire data file is at /var/lib/tripwire/<servername>.twd and the scan result is saved under the /var/lib/tripwire/report/ directory:

# ls /var/lib/tripwire/report/
server-01-20160609-073225.twr

To print this report, use the syntax:

# twprint -m r -t [0-4] -r /path/to/reportfile.twr

The -t argument specifies the report detail level, where 0 is a one-line summary of the report contents and 4 shows all collected attributes of every changed object.
The report level defaults to 3 if it is not specified on the command line or through the REPORTLEVEL config file option. Example:

# twprint -m r -t 4 -r /var/lib/tripwire/report/server-01-20160609-073225.twr

Also note that we can update the database from this report manually:

# tripwire -m u -a -s -c /etc/tripwire/tw.cfg -r /var/lib/tripwire/report/server-01-20160609-073225.twr 
Please enter your local passphrase:
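The check-and-report cycle above (run a check, find the newest .twr under the report directory, print it, decide whether anyone needs to look) is what a cron job would automate. The script below is an added example, not code from the original article or from the Tripwire project; REPORT_DIR and the tw.cfg path are assumptions taken from twcfg.txt above, and SAMPLE_REPORT is a constructed excerpt in the report layout shown above.

```shell
#!/bin/sh
# Added example (not from the original article or Tripwire): parse a Tripwire report
# in the layout shown above so a cron job can alert; REPORT_DIR/TW_CFG are assumptions.

REPORT_DIR="${REPORT_DIR:-/var/lib/tripwire/report}"
TW_CFG="${TW_CFG:-/etc/tripwire/tw.cfg}"

# Constructed excerpt of a "tripwire -m c" report, same layout as the one above.
SAMPLE_REPORT='Report Summary:
Host name:                    server-01
  Rule Name                       Severity Level    Added    Removed  Modified
  Other binaries                  66                0        0        0
* Tripwire Data Files             100               1        0        0
* Root config files               100               0        0        2
Total objects scanned:  14492
Total violations found:  3'

# Print the violation count from a report read on stdin ("0" if the line is absent).
tw_violation_count() {
    n=$(sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# Print the names of rules flagged with "*" in the Rule Summary, one per line,
# by stripping the four numeric columns (severity, added, removed, modified).
tw_flagged_rules() {
    awk '/^\* / { sub(/^\* /, ""); sub(/[ \t]+[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+[ \t]*$/, ""); print }'
}

# Path of the newest .twr report in REPORT_DIR (empty if none).
tw_latest_report() {
    ls -t "$REPORT_DIR"/*.twr 2>/dev/null | head -n 1
}

# Run an integrity check, then summarise the report it wrote. Returns non-zero
# when violations were found, so a cron or monitoring wrapper can alert on it.
tw_check() {
    # tripwire exits non-zero when it finds violations; that is not a failure here.
    tripwire -m c -s -c "$TW_CFG" >/dev/null || true
    report=$(tw_latest_report)
    [ -n "$report" ] || { echo "no report found in $REPORT_DIR" >&2; return 2; }
    text=$(twprint -m r -t 3 -r "$report")
    count=$(printf '%s\n' "$text" | tw_violation_count)
    echo "report: $report  violations: $count"
    printf '%s\n' "$text" | tw_flagged_rules | sed 's/^/  flagged rule: /'
    [ "$count" -eq 0 ]
}

if [ "${1:-}" = "run" ]; then tw_check; fi   # usage: sh tw-check.sh run
```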

Update the policy

Policy update mode modifies the current Tripwire policy without losing the existing baseline.

# tripwire --update-policy updated-policy.txt

This runs a check against the new policy as part of the update process.
If that check detects changes, the default behaviour is to display the changes and exit without updating the policy or the database.
To accept the changes and continue with the policy update, use the -Z low / --secure-mode low command-line option.

Test the email configuration

To test the email configuration:

# tripwire --test --email Hyman@theitroad

This sends a test email to the specified address using the email settings from the configuration file.