Tripwire is a file and directory integrity checker, a utility that compares a designated set of files and directories against information stored in a previously generated database. Any differences are flagged and logged, including added or deleted entries. When run against system files on a regular basis, any changes in critical system files will be spotted -- and appropriate damage control measures can be taken immediately. With Tripwire, system administrators can conclude with a high degree of certainty that a given set of files remain free of unauthorized modifications if Tripwire reports no changes.
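To make the baseline-and-compare idea concrete, here is a small integrity checker in Python that records a SHA-256 digest, the permission bits and the size of every regular file under a directory, then reports added, deleted and changed entries against a saved baseline, the same classes of change Tripwire flags. This is an added example written for this page, not Tripwire's own code; the function names and the scratch-tree scenario in demo() are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

# Added example: a minimal Tripwire-style checker (hypothetical code, not Tripwire's).
# A baseline maps a relative path to (sha256 hex digest, permission bits, size in bytes).


def _digest(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large files are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Walk `root` and fingerprint every regular file beneath it."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are skipped in this toy version
            rel = os.path.relpath(full, root)
            baseline[rel] = (_digest(full), stat.S_IMODE(st.st_mode), st.st_size)
    return baseline


def compare(old, new):
    """Report added, deleted and changed entries between two baselines."""
    report = {"added": [], "deleted": [], "changed": {}}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report["added"].append(path)
        elif path not in new:
            report["deleted"].append(path)
        elif old[path] != new[path]:
            reasons = []
            if old[path][0] != new[path][0]:
                reasons.append("contents")
            if old[path][1] != new[path][1]:
                reasons.append("mode %04o->%04o" % (old[path][1], new[path][1]))
            if old[path][2] != new[path][2]:
                reasons.append("size %d->%d" % (old[path][2], new[path][2]))
            report["changed"][path] = reasons
    return report


def demo():
    """Constructed scenario: snapshot a scratch tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "sbin"))
        files = {
            "sbin/tripwire": b"binary-1",
            "sbin/siggen": b"binary-2",
            "tw.config": b"/etc  R\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        tw = os.path.join(root, "sbin", "tripwire")
        sg = os.path.join(root, "sbin", "siggen")
        os.chmod(tw, 0o500)          # -r-x------ as in the installation steps
        os.chmod(sg, 0o500)
        os.chmod(os.path.join(root, "tw.config"), 0o600)
        before = build_baseline(root)

        # Tamper: replace a binary, loosen a mode, drop a file, plant a new one.
        os.chmod(tw, 0o700)          # make it writable, then restore the mode
        with open(tw, "wb") as f:
            f.write(b"binary-1-trojaned")   # contents and size change, mode does not
        os.chmod(tw, 0o500)
        os.chmod(sg, 0o555)          # now readable and executable by everyone
        os.remove(os.path.join(root, "tw.config"))
        with open(os.path.join(root, "sbin", "rootkit"), "wb") as f:
            f.write(b"x")
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

Run it as a script to see the report for the constructed scenario: one planted file, one removed file, one binary whose contents changed and one whose mode was loosened. The baseline itself is the trust anchor, which is why the installation below keeps the database directory /var/spool/tripwire at mode 700 and the tripwire and siggen binaries at mode 500.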
These installation instructions assume:
Commands are Unix-compatible.
The source path is /var/tmp (other paths are possible).
Installations were tested on Red Hat Linux 6.1 and 6.2.
All steps in the installation will happen in the super-user account root.
Tripwire version number is 1.3.1-1.
These are the package(s) required and the Tripwire homepage:
http://www.tripwiresecurity.com/
You must be sure to download: Tripwire-1.3.1-1.tar.gz
You need to decompress the tarball. It is a good idea to make a list of the files on the system before you install it, and one afterwards, and then compare them using diff to find out which file it placed where. Simply run:
find /* > Tripwire1
before, and:
find /* > Tripwire2
after you install the tarball, then use:
diff Tripwire1 Tripwire2 > Tripwire-Installed
to get a list of what changed.
[root@deep] /# cp Tripwire-version.tar.gz /var/tmp
[root@deep] /# cd /var/tmp
[root@deep ]/tmp# tar xzpf Tripwire-version.tar.gz
Move into the new Tripwire directory and edit the utils.c file (vi +462 src/utils.c) and change the line:
else if (iscntrl(*pcin)) {
To read:
else if (!(*pcin & 0x80) && iscntrl(*pcin)) {
Edit the config.parse.c file (vi +356 src/config.parse.c) and change the line:
rewind(fpout);
To read:
else { rewind(fpin); }
Edit the config.h file (vi +106 include/config.h) and change the lines:
#define CONFIG_PATH "/usr/local/bin/tw"
#define DATABASE_PATH "/var/tripwire"
To read:
#define CONFIG_PATH "/etc"
#define DATABASE_PATH "/var/spool/tripwire"
Edit the config.h file (vi +165 include/config.h) and change the line:
#define TEMPFILE_TEMPLATE "/tmp/twzXXXXXX"
To read:
#define TEMPFILE_TEMPLATE "/var/tmp/.twzXXXXXX"
Edit the config.pre.y file (vi +66 src/config.pre.y) and change the line:
#ifdef TW_LINUX
To read:
#ifdef TW_LINUX_UNDEF
Edit the Makefile (vi +13 Makefile) and change the line:
DESTDIR = /usr/local/bin/tw
To read:
DESTDIR = /usr/sbin
Change the line:
DATADIR = /var/tripwire
To read:
DATADIR = /var/spool/tripwire
Change the line:
LEX = lex
To read:
LEX = flex
Change the line:
CC=gcc
To read:
CC=egcs
Change the line:
CFLAGS = -O
To read:
CFLAGS = -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions
[root@deep ]/tw_ASR_1.3.1_src# make
[root@deep ]/tw_ASR_1.3.1_src# make install
[root@deep ]/tw_ASR_1.3.1_src# chmod 700 /var/spool/tripwire/
[root@deep ]/tw_ASR_1.3.1_src# chmod 500 /usr/sbin/tripwire
[root@deep ]/tw_ASR_1.3.1_src# chmod 500 /usr/sbin/siggen
[root@deep ]/tw_ASR_1.3.1_src# rm -f /usr/sbin/tw.config
The above commands, make and make install, will configure the software to ensure your system has the necessary functionality and libraries to successfully compile the package, compile all source files into executable binaries, and then install the binaries and any supporting files into the appropriate locations.
The chmod commands will change the default mode of the /var/spool/tripwire directory to be 700 (drwx------), only readable, writable, and executable by the super-user root. They will make the binary /usr/sbin/tripwire only readable and executable by the super-user root (-r-x------), and finally make the siggen program under the /usr/sbin directory only readable and executable by root.
The rm command as used above will remove the file tw.config under /usr/sbin. We don't need this file since we will create a new one under the /etc directory later.
Do cleanup later:
[root@deep] /# cd /var/tmp
[root@deep ]/tmp# rm -rf tw_ASR_version/ Tripwire-version.tar.gz
The rm command as used above will remove all the source files we have used to compile and install Tripwire. It will also remove the Tripwire compressed archive from the /var/tmp directory.