[CentOS] Tripwire on CentOS: Installation/Config Step-by-Step

Thu Jun 15 00:33:48 UTC 2006
karl at klxsystems.net <karl at klxsystems.net>

Thanks to everyone who responded earlier with locations of the RPM bits. 
In thanks, here's a step-by-step of how I got things working.  6 minute
response by two separate people shows this is a thriving community.  rad.

This how-to covers my current method for installing Tripwire 2.3 on our
CentOS servers.  It's working great; feel free to clarify/comment on the
steps if you see something mis-stated.

1.	Get the RPM, done from the /tmp directory:
	wget http://centos.karan.org/el4/extras/stable/i386/RPMS/tripwire-2.3.1-21.i386.rpm
(would be nice to have an MD5 checksum to verify this package is secure)

2.	Install the Tripwire RPM:
	rpm -ivh tripwire-2.3.1-21.i386.rpm

3.	Configure your two tw files:

cd /etc/tripwire

vi twcfg.txt
MAILMETHOD             =SMTP
SMTPHOST                =yourhost

(fqdn wasn't required in mine, but might be for you)

This basically sets up delivery of mail reports for you; it works in
concert with twpol.txt's per-item alert entries.  Your needs may be
different, but I have a central host that manages mail for this kind of
thing.

vi twpol.txt
enter your email address where required, it usually looks like this:

  rulename = "Tripwire Binaries",
  severity = $(SIG_HI),
  emailto = yourname@yourdomain.com

Beware, if there's a line _immediately_ below it, put a comma at the end of
your email address or you'll get syntax errors.  Most of these chunks
don't, but line 990 does.  There are a million entries, so use
search/replace or sed if you want to save time.

4.	Create the Site Key for this box.
	/usr/sbin/tripwire-setup-keyfiles
	(Enter a pass phrase).

5.	Make a config file that will work with this specific key:
	twadmin --create-cfgfile --site-keyfile /etc/tripwire/site.key twcfg.txt

6.	Edit the Tripwire Policy file for any last changes, just a re-check of
what you did, maybe lessen the severity for example of something you know
isn't a big deal.

7.	Invoke the policy file to work on this instance of Tripwire:
	twadmin --create-polfile twpol.txt

8.	Initialize the Tripwire Database:
	tripwire --init
	(If you see errors that mention files not found, comment them out of the
twpol.txt file and rerun step 7 command, and the above tripwire --init).

9.	Testing it out at the command line:
	tripwire --check --interactive

Rad, it works.

10.  Go and check out your /etc/cron.daily for a file called
tripwire-check, should be dated April 27, 2005, I think TW puts it there. 
I think this just runs by default, will know tomorrow.

Basically this is a jump in the right direction, good luck, feel free to
comment, and thanks to the list for the help on locating the tool, as well
as the recommendations on the other similar tools.

-karlski
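
For the clean-up described in step 8, an added example that is not part of the original post: a shell sketch that reads captured `tripwire --init` output and comments out only the policy lines whose path exactly matches a reported missing file. The warning layout, the sample policy lines and the file names (`init.log`, `missing.txt`, `/usr/sbin/fixrmtab.real`) are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): comment out twpol.txt entries
# that `tripwire --init` reported as missing, matching whole paths only.

# Print each path whose "### Filename:" warning is followed by
# "### No such file or directory" in captured `tripwire --init` output ($1).
missing_paths() {
    awk '/^### Filename: / { path = substr($0, 15); next }
         /^### No such file or directory/ && path != "" { print path }
         { path = "" }' "$1" | sort -u
}

# Write policy file $2 to stdout with every rule line whose first field
# exactly equals a path listed in $1 commented out.
comment_missing() {
    awk -v list="$1" '
        BEGIN { while ((getline line < list) > 0) gone[line] = 1 }
        ($1 in gone) { print "#" $0; next }
        { print }' "$2"
}

# Constructed sample input (assumed layout of the warnings and policy lines).
make_sample() {
    cat > "$1/init.log" <<'EOF'
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /sbin/busybox
### No such file or directory
### Continuing...
EOF
    cat > "$1/twpol.txt" <<'EOF'
  /usr/sbin/fixrmtab        -> $(SEC_CRIT) ;
  /usr/sbin/fixrmtab.real   -> $(SEC_CRIT) ;
  /sbin/busybox             -> $(SEC_CRIT) ;
  /sbin/e2fsck              -> $(SEC_CRIT) ;
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
missing_paths "$demo_dir/init.log" > "$demo_dir/missing.txt"
comment_missing "$demo_dir/missing.txt" "$demo_dir/twpol.txt"
rm -rf "$demo_dir"
```

Diff the rewritten policy against the original before rerunning step 7 and `tripwire --init`, so every path dropped from monitoring is one you meant to drop.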