Linux Intrusion Detection With Tripwire On Ubuntu and Debian: Part 3
Previously we looked at installing and configuring Tripwire to catch intruders that may be making changes to your system. Today we’ll be concluding the tutorial by showing you how to set Tripwire to regularly scan your system and send notifications to you in the event of changes.
Mailutils
We will be using the mail command, which came with the mailutils package we installed earlier, to send the results of the Tripwire check. mail reads the message body from standard input, so we can pipe the output of another command straight into it. Let's look at this in an example:
sudo tripwire --check | mail -s "Tripwire test email" address@example.com
So let's look over what we are doing here. To start with, we are running the Tripwire check that we have seen before; it needs sudo because the database and report directory under /var/lib/tripwire are only readable by root. The output of this command is then piped to the mail command. The -s flag specifies that the following string should be used as the email's subject. The line then ends with the email address to which the email is to be sent. You can customize the subject to fit your requirements, and change the email address to one you want to receive the reports from Tripwire. Note that the check still writes its report file under /var/lib/tripwire/report/ on the server; the email is a copy of the same output, not a replacement for it.
Once you have made the changes and executed the command, you will need to check your mailbox for the email. The email may be sent to your spam folder, so it’s worth checking there for the email if you don’t see it in your inbox. If the email doesn’t make it to you then you’ll need to start debugging with the /var/log/mail.log file, or checking root’s email on the server for bounce messages.
With the email received successfully you can now configure a cron task to run the checks for you. Depending on how paranoid or concerned you are, you can run the check as often as you want. For this example, we’ll be configuring Tripwire to perform a check every night at 1am. First we need to edit the cron table:
sudo crontab -e
With the file open, add the following line to the end with the adjustments to the tripwire command that you made earlier:
0 1 * * * /usr/sbin/tripwire --check | /usr/bin/mail -s "Tripwire test email" address@example.com
Note that we don't need the sudo command now: `sudo crontab -e` edits root's crontab, so the job already runs as root. We also give the full path to each command, because cron jobs run with a minimal PATH. With the line in place you can save and exit; cron picks the change up immediately and will run the check every night. You should be able to check the email every morning for changes, and you should expect an email every morning, since the check produces a report whether or not anything changed. If a morning goes by without one, treat it as something to investigate rather than ignore: it may be a mail delivery problem, but it may also mean the cron entry, the tripwire binary or its database has been removed or altered by someone who obtained root. For that reason the cron table and Tripwire's own binaries, policy and database should themselves be covered by your policy, so that tampering with them shows up in the report.
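The cron line above always sends the same subject, so a report containing violations looks identical in your inbox to a clean one. The script below is an added example, not code from the original article: it wraps the nightly check so that the subject states whether the run was clean, how many violations were found, or that the report could not be parsed. The lines it reads (Host name:, Total violations found:, and rules flagged with a leading "*" in the Rule Summary) are taken from Open Source Tripwire's `tripwire --check` output; the two reports embedded at the bottom are constructed excerpts rather than real runs, the host name web01, the tw_* function names and the install path /usr/local/sbin/tripwire-mail.sh are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the original article: a wrapper for the
# nightly cron job that gives the mail a subject saying whether the check
# was clean, so a report with violations is not buried among identical
# "Tripwire test email" subjects. The lines it parses (Host name:,
# Total violations found:, rules flagged with "*" in the Rule Summary)
# are from Open Source Tripwire's "tripwire --check" output; the two
# reports at the bottom are constructed excerpts, not real runs.

# Number after "Total violations found:", or "unknown" when the line is
# absent (tripwire aborted early or the output was truncated).
tw_violations() {
    printf '%s\n' "$1" | awk -F: '
        /^Total violations found:/ { gsub(/[ \t]/, "", $2); print $2; found = 1 }
        END { if (!found) print "unknown" }'
}

# Host name recorded in the Report Summary (empty if not present).
tw_host() {
    printf '%s\n' "$1" | awk -F: '/^Host name:/ { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# Names of the rules that fired, one per line: the Rule Summary marks
# them with a leading "*" followed by four counter columns.
tw_violated_rules() {
    printf '%s\n' "$1" | awk '
        /^\* / {
            sub(/^\* +/, "")
            sub(/[ \t]+[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+[ \t]*$/, "")
            print
        }'
}

# Subject line: OK, a violation count, or a warning that the report could
# not be parsed (which deserves attention in its own right).
tw_subject() {
    n=$(tw_violations "$1")
    h=$(tw_host "$1")
    [ -n "$h" ] || h=$(hostname)
    case "$n" in
        0)       printf '[tripwire] %s: OK\n' "$h" ;;
        unknown) printf '[tripwire] %s: report incomplete, check manually\n' "$h" ;;
        *)       printf '[tripwire] %s: %s violation(s)\n' "$h" "$n" ;;
    esac
}

# What the cron entry calls instead of the bare pipeline. stderr is folded
# into the mail so a failing run is reported rather than silently lost.
# Assumed install path for this script: /usr/local/sbin/tripwire-mail.sh
#   0 1 * * * /usr/local/sbin/tripwire-mail.sh --mail address@example.com
tw_check_and_mail() {
    report=$(/usr/sbin/tripwire --check 2>&1)
    printf '%s\n' "$report" | /usr/bin/mail -s "$(tw_subject "$report")" "$1"
}

# Constructed excerpt of a report with one violation.
SAMPLE_REPORT=$(cat <<'EOF'
Open Source Tripwire(R) Integrity Check Report

Report Summary:
Host name:                    web01
Policy file used:             /etc/tripwire/tw.pol

Rule Summary:
  Rule Name                       Severity Level    Added    Removed  Modified
  Invariant Directories           66                0        0        0
* Tripwire Data Files             100               1        0        0
  Other binaries                  66                0        0        0

Total objects scanned:  26150
Total violations found:  1
EOF
)

# Constructed excerpt of a clean run.
CLEAN_REPORT=$(cat <<'EOF'
Host name:                    web01
Total violations found:  0
EOF
)

# Usage: tripwire-mail.sh --mail address@example.com   (the cron job)
#        tripwire-mail.sh                              (demo on the samples)
if [ "${1:-}" = "--mail" ] && [ -n "${2:-}" ]; then
    tw_check_and_mail "$2"
else
    tw_subject "$SAMPLE_REPORT"
    tw_violated_rules "$SAMPLE_REPORT"
    tw_subject "$CLEAN_REPORT"
fi
```

With this in place you can filter on the subject in your mail client, and a subject of "report incomplete" is itself a signal that tripwire did not finish, which with the bare pipeline would arrive as an ordinary-looking email. Keep in mind that if an attacker with root replaces the tripwire binary, any wrapper around it is just as blind, which is why the binary, policy and database belong in the policy themselves.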
One final thing to note is what to do in the event that you change something that triggers Tripwire. In this case you can run the Tripwire check with the --interactive flag:
sudo tripwire --check --interactive
This runs the check and then opens the resulting report in a text editor, with some additional lines added. For each rule that fired, the files that were added, modified and deleted are listed, and each is prefixed with an x in square brackets, "[x]". Saving and exiting the file tells Tripwire that every file still marked with an x is a change you intended to make, and it will update its database so those files are no longer reported. You therefore need to go through every file it lists and decide whether you are happy to accept the change; accepting a change whose cause you do not know is the one way to make Tripwire silently bless an intruder's modifications, so the safe default is to reject anything you cannot account for. To reject a file, remove the x, leaving an empty box "[ ]". When you save and exit, the files that were not marked with an x are left out of the database update and will be flagged again on the next check. You will be prompted for your local passphrase so that Tripwire can write the accepted changes to its database.
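The safe default described above, rejecting every change you cannot account for, is easy to get wrong by hand when a package upgrade lists hundreds of files. The script below is an added example, not code from the original article: given the text of an interactive report and an explicit list of paths you expected to change, it clears the "[x]" box on every path that is not on the list, so only known changes are written to the database. The "[x] \"path\"" line format is the one Tripwire writes into the editor; the report excerpt, the rule names in it, the tw_* function names and the APPROVED list are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original article: clear the pre-ticked
# "[x]" box on every path in a "tripwire --check --interactive" report
# unless that path is on an explicit allow list, so the database update
# only covers changes you already knew about. INTERACTIVE_SAMPLE and
# APPROVED below are constructed for the example.

# $1: interactive report text; $2: approved paths, one per line.
# Prints the report with every unapproved "[x]" turned into "[ ]".
# (awk -v interprets backslash escapes, so paths containing backslashes
# would need escaping first; Unix paths normally have none.)
tw_accept_only() {
    printf '%s\n' "$1" | awk -v ok="$2" '
        BEGIN {
            n = split(ok, a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") approved[a[i]] = 1
        }
        /^\[x\] "/ {
            path = $0
            sub(/^\[x\] "/, "", path); sub(/"$/, "", path)
            if (!(path in approved)) sub(/^\[x\]/, "[ ]")
        }
        { print }'
}

# Number of boxes still ticked, so you can see at a glance how many
# changes a save would accept.
tw_count_ticked() {
    printf '%s\n' "$1" | awk '/^\[x\] / { c++ } END { print c + 0 }'
}

# Constructed excerpt of an interactive report: the report file Tripwire
# wrote itself, plus two changes under /root that nobody planned.
INTERACTIVE_SAMPLE=$(cat <<'EOF'
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
Added:
[x] "/var/lib/tripwire/report/web01-20200101-010000.twr"

Rule Name: Root config files (/root)
Severity Level: 100
Modified:
[x] "/root/.bashrc"
[x] "/root/.ssh/authorized_keys"
EOF
)

# Only the report Tripwire wrote is expected. Anything else keeps being
# reported on every nightly check until it is investigated.
APPROVED='/var/lib/tripwire/report/web01-20200101-010000.twr'

# Stand-alone demo on the constructed report.
FILTERED=$(tw_accept_only "$INTERACTIVE_SAMPLE" "$APPROVED")
printf '%s\n' "$FILTERED"
printf 'boxes left ticked: %s\n' "$(tw_count_ticked "$FILTERED")"
```

To use it with a real report rather than the sample, run the filter over the file Tripwire opens for you and save the result before leaving the editor. Tripwire launches the program named by the EDITOR setting in its configuration with the report file as its argument, so the filter can also be run from a small editor wrapper script pointed at by that setting; treat that as an assumption to verify against your tw.cfg. A change that was rejected this way is not forgotten: it comes back in the next nightly mail, which is exactly what you want until you know what caused it.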
At this point Tripwire is set up, and should now let you know if anything is changed on your server. Note here that this only covers the settings defined in the basic policy configuration we looked at earlier. To ensure that you are protecting all the elements of your server that need protecting (for example websites), you’ll need to create your own policy rules to monitor those for you.