Tripwire Monitoring your WordPress Install

Sure! Here’s a step-by-step guide on how to install and configure Tripwire on Ubuntu 22.04:

Prerequisites

• A Ubuntu 22.04 server
• A user account with sudo privileges

Step 1: Install Tripwire

1. Open a terminal window on your Ubuntu server.
2. Install the Tripwire package by running the following command:

sudo apt-get update && sudo apt-get install tripwire

Step 2: Generate Tripwire Configuration Files

1. Initialize the Tripwire database by running the following command:

sudo tripwire --init

2. During the initialization process, you will be prompted to set a passphrase. Choose a strong passphrase and keep it safe, as you will need it later to update the Tripwire database and to generate reports.
3. After the initialization process completes, Tripwire will create two policy files: /etc/tripwire/twpol.txt and /etc/tripwire/twpol.txt.vdb.

Step 3: Configure Tripwire

1. Open the Tripwire policy file

   /etc/tripwire/twpol.txt

   in a text editor:

sudo nano /etc/tripwire/twpol.txt

2. Scroll down to the section SITE CONFIGURATION SPECIFICATION, and edit the following parameters:

SITE_PASSPHRASE = <your-passphrase>
SITE_KEYFILE = /etc/tripwire/site.key

Replace <your-passphrase> with the passphrase you set during the initialization process.

3. Scroll down to the section FILESYSTEM OBJECTS SPECIFICATION, and add the directories and files that you want to monitor. For example, to monitor the entire /var/www directory, add the following lines:

(
  rulename = "var_www",
  severity = $(SIG_HI),
  )
  /var/www -> $(SEC_CRIT) ;

4. Save and close the file.

Step 4: Update Tripwire Database

1. After configuring Tripwire, update the database by running the following command:

sudo tripwire --update

Step 5: Test Tripwire

1. Test Tripwire by running the following command:

sudo tripwire --check

2. If Tripwire detects any changes, it will display a report detailing the differences between the current and expected states of the monitored files and directories.

Step 6: Schedule Automatic Reports

1. To receive automatic Tripwire reports via email, you can configure a cron job to generate and send a report on a regular basis. Open the crontab file by running the following command:

sudo crontab -e

2. Add the following line to the file to generate and send a report every day at 4:00 AM, replacing <your-email> with your email address:

0 4 * * * /usr/sbin/tripwire --check | /usr/bin/mail -s "Tripwire Report" <your-email>

3. Save and close the file.

That’s it! You have successfully installed and configured Tripwire on your Ubuntu 22.04 server. Remember to keep your Tripwire passphrase safe and up-to-date, and to regularly review the Tripwire reports to ensure the integrity and security of your system.

Here’s an example Tripwire install configuration that watches a WordPress installation:

# This is a Tripwire configuration file that watches a WordPress installation.

# Initialization
INIT_LOW = /var/lib/tripwire/wordpress/init_low.txt
INIT_MED = /var/lib/tripwire/wordpress/init_med.txt
INIT_HIGH = /var/lib/tripwire/wordpress/init_high.txt

# Policy
POLFILE = /etc/tripwire/twpol.txt

# Database
DBFILE = /var/lib/tripwire/wordpress/twdatabase.txt
REPORTFILE = /var/lib/tripwire/wordpress/twreport.txt

# Directories and Files to Monitor
(
  rulename = "wordpress_files",
  severity = $(SIG_HI),
  )
  /var/www/html/wordpress/wp-admin -> $(SEC_CRIT) ;
  /var/www/html/wordpress/wp-content -> $(SEC_CRIT) ;
  /var/www/html/wordpress/wp-includes -> $(SEC_CRIT) ;
  /var/www/html/wordpress/index.php -> $(SEC_CRIT) ;
  /var/www/html/wordpress/wp-config.php -> $(SEC_CRIT) ;
  /var/www/html/wordpress/.htaccess -> $(SEC_CRIT) ;
)

# Ignore directories and files
IGNORE_ALL_CHANGES = /var/www/html/wordpress/wp-content/cache
IGNORE_ALL_CHANGES = /var/www/html/wordpress/wp-content/uploads
IGNORE_ALL_CHANGES = /var/www/html/wordpress/wp-content/plugins/hello.php
IGNORE_ALL_CHANGES = /var/www/html/wordpress/wp-content/themes/twentytwenty/

# Email Notifications
MAILMETHOD = SENDMAIL
MAILPROGRAM = /usr/sbin/sendmail
MAILTO = yo********@*****le.com

This configuration file monitors the WordPress installation directory /var/www/html/wordpress, and specifies that any changes to the monitored files and directories will trigger a critical security alert. The IGNORE_ALL_CHANGES statements exclude directories and files from being monitored.

This configuration file also specifies the email address to which the Tripwire notifications will be sent using the MAILTO parameter.

Note: This configuration is just an example, and you may need to modify it depending on your specific needs and configuration.