Tripwire is a file and directory integrity checker: a utility that compares a designated set of files and directories against information stored in a previously generated database. Any differences are flagged
and logged, including added or deleted entries. When run against system files on a regular basis, any change to a critical system file will be spotted -- and appropriate damage control measures can be taken
immediately. With Tripwire, system administrators can conclude with a high degree of certainty that a given set of files remains free of unauthorized modifications when Tripwire reports no changes.
These installation instructions assume:
Commands are Unix-compatible.
The source path is /var/tmp; other paths are possible.
Installations were tested on Red Hat Linux 6.1 and 6.2.
All steps in the installation will happen in super-user account root.
Tripwire version number is 1.3.1-1
These are the package(s) required and the Tripwire homepage:
You must be sure to download: Tripwire-1.3.1-1.tar.gz
You need to decompress the tarball. It is a good idea to make a list of files on the system before you install it, and one afterwards, and then compare them using diff to find out which file it placed where. Simply
run find /* > Tripwire1 before and find /* > Tripwire2 after you install the tarball, and use diff Tripwire1 Tripwire2 > Tripwire-Installed
to get a list of what changed.
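The find-before/find-after comparison above only tells you which paths appeared or disappeared. The following is an added example, not part of the original Tripwire instructions, that carries the same idea through to what Tripwire itself does: it records a SHA-256 digest for every regular file under a root directory, then reports files that were added, removed or changed since that baseline. The root and baseline paths are the caller's choice; the names take_snapshot, compare_snapshot and verify_tree are this example's own. It needs sha256sum, awk, find and sort, and does not handle paths containing spaces or newlines.

```shell
#!/bin/sh
# Added example, not the original page's or Tripwire's own code.

# Write "<sha256>  <relative path>" for every regular file under $1 into $2,
# sorted so that two snapshots of the same tree compare byte for byte.
take_snapshot() {
    root=$1; out=$2
    (
        cd "$root" || exit 1
        find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
            sha256sum "$f"
        done
    ) > "$out"
}

# Print one line per difference between the baseline $2 and the tree $1 now.
# The baseline is loaded into an awk array keyed by path; every entry of the
# current snapshot is looked up there, and whatever is left in the array
# afterwards no longer exists on disk.
compare_snapshot() {
    root=$1; baseline=$2
    current=$(mktemp)
    take_snapshot "$root" "$current"
    awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: baseline
        !($2 in base)      { print "ADDED   " $2; next }
        base[$2] != $1     { print "CHANGED " $2 }
                           { delete base[$2] }
        END { for (p in base) print "REMOVED " p }
    ' "$baseline" "$current" | LC_ALL=C sort
    rm -f "$current"
}

# Exit status 0 when the tree matches its baseline, 1 when anything differs.
verify_tree() {
    [ -z "$(compare_snapshot "$1" "$2")" ]
}

# Usage (paths are examples): take_snapshot /etc /var/spool/etc-baseline.txt
# right after installation, then compare_snapshot /etc /var/spool/etc-baseline.txt
# from a scheduled job; a non-empty report is what Tripwire would flag.
```

The baseline file is only as trustworthy as its storage: keep it, as Tripwire does with its database, somewhere the system being checked cannot silently rewrite it (read-only media or a separate host), otherwise an attacker who changes a file can regenerate the baseline to match.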
[root@deep] /# cp Tripwire-version.tar.gz /var/tmp
[root@deep] /# cd /var/tmp
[root@deep ]/tmp# tar xzpf Tripwire-version.tar.gz
Move into the new Tripwire directory and edit the utils.c file (vi +462 src/utils.c), changing the line:
else if (iscntrl(*pcin)) {
To read:
else if (!(*pcin & 0x80) && iscntrl(*pcin)) {
This keeps bytes with the high bit set away from iscntrl(), whose argument must be representable as an unsigned char (or be EOF); where char is signed, such a byte would otherwise be passed as a negative value.
Edit the config.parse.c file, vi +356 src/config.parse.c and change the line:
To read:
Edit the config.h file, vi +106 include/config.h, and change the lines:
#define CONFIG_PATH "/usr/local/bin/tw"
#define DATABASE_PATH "/var/tripwire"
To read:
#define CONFIG_PATH "/etc"
#define DATABASE_PATH "/var/spool/tripwire"
Edit the config.h file, vi +165 include/config.h, and change the line:
#define TEMPFILE_TEMPLATE "/tmp/twzXXXXXX"
To read:
#define TEMPFILE_TEMPLATE "/var/tmp/.twzXXXXXX"
Edit the config.pre.y file, vi +66 src/config.pre.y, and change the line:
To read:
Edit the Makefile, vi +13 Makefile, and change the line:
DESTDIR = /usr/local/bin/tw
To read:
To read:
DATADIR = /var/spool/tripwire
To read:
To read:
To read:
CFLAGS = -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions
[root@deep ]/tw_ASR_1.3.1_src# make
[root@deep ]/tw_ASR_1.3.1_src# make install
[root@deep ]/tw_ASR_1.3.1_src# chmod 700 /var/spool/tripwire/
[root@deep ]/tw_ASR_1.3.1_src# chmod 500 /usr/sbin/tripwire
[root@deep ]/tw_ASR_1.3.1_src# chmod 500 /usr/sbin/siggen
[root@deep ]/tw_ASR_1.3.1_src# rm -f /usr/sbin/tw.config
The make and make install commands above configure the software to ensure your system has the necessary functionality and libraries to successfully compile the package, compile all source files into
executable binaries, and then install the binaries and any supporting files into the appropriate locations.
The chmod commands change the default mode of the tripwire directory to 700 (drwx------), readable, writable, and executable only by the super-user root; make
the binary /usr/sbin/tripwire readable and executable only by the super-user root (-r-x------); and finally make the siggen program under the /usr/sbin directory readable
and executable only by root.
The rm command as used above removes the file tw.config under /usr/sbin. We don't need this file, since we will create a new one under the /etc
directory later.
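Because the chmod steps above are what keep the Tripwire binaries and its database out of reach of ordinary users, it is worth re-checking them after installation and from time to time afterwards. The following is an added example, not part of the original instructions; the function names check_mode and audit_modes are its own, and the paths in the usage comment are the ones this page installs to. It relies on find's -perm with a plain octal mode, which matches the permission bits exactly (unlike -mode, which matches any file with at least those bits).

```shell
#!/bin/sh
# Added example, not the original page's or Tripwire's own code.

# Return 0 when $1 has exactly the octal mode $2, 1 otherwise.
# -prune stops find from descending into $1 when it is a directory, so only
# $1 itself is tested; -perm MODE without a leading - or / is an exact match.
check_mode() {
    path=$1; want=$2
    [ -n "$(find "$path" -prune -perm "$want" -print 2>/dev/null)" ]
}

# Read "path mode" pairs on stdin, print one line per path that is missing or
# whose mode differs from the expected one, and return 1 if anything was wrong.
audit_modes() {
    bad=0
    while read -r p m; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; bad=1
        elif ! check_mode "$p" "$m"; then
            echo "WRONG   $p (expected $m)"; bad=1
        fi
    done
    return $bad
}

# Usage, with the locations from the installation above:
#   printf '/var/spool/tripwire 700\n/usr/sbin/tripwire 500\n/usr/sbin/siggen 500\n' | audit_modes
# A silent run with exit status 0 means all three still carry the intended modes.
```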
Do Cleanup later:
[root@deep] /# cd /var/tmp
[root@deep ]/tmp# rm -rf tw_ASR_version/ Tripwire-version.tar.gz
The rm command as used above removes all the source files we have used to compile and install Tripwire. It also removes the Tripwire compressed archive from the
/var/tmp directory.