A Simple Puppet Recipe for Tripwire
Since I failed to find a good description of how to do this on the web, I thought I'd share my recipe for using puppet to manage tripwire. This method takes care of running the initialization on the first puppetd run on a new machine, and updates the policy file if it has changed. It also has puppet managing your site.key, twcfg.txt, twpol.txt, and the daily cron job that runs the checks. It's an extremely simple setup, but it gets the job done.
I'll start with the tripwire.pp file for puppet. In this file you define your tripwire class and its associated files, packages, and execs:
class tripwire {
  package { "tripwire":
    ensure => "installed",
  }

  # Helper Makefile used for the one-time initialization on a new host.
  file { "/etc/tripwire/Makefile":
    owner   => root,
    group   => root,
    mode    => "0440",
    source  => "puppet:///etc/tripwire/Makefile",
    require => Package["tripwire"],
  }
  file { "/etc/tripwire/site.key":
    owner   => root,
    group   => root,
    mode    => "0440",
    source  => "puppet:///etc/tripwire/site.key",
    require => Package["tripwire"],
  }
  file { "/etc/tripwire/twcfg.txt":
    owner   => root,
    group   => root,
    mode    => "0440",
    source  => "puppet:///etc/tripwire/twcfg.txt",
    require => Package["tripwire"],
  }
  file { "/etc/tripwire/twpol.txt":
    owner   => root,
    group   => root,
    mode    => "0440",
    source  => "puppet:///etc/tripwire/twpol.txt",
    require => Package["tripwire"],
  }
  file { "/etc/cron.daily/tripwire-check":
    owner   => root,
    group   => root,
    mode    => "0755",
    source  => "puppet:///etc/cron.daily/tripwire-check",
    require => Package["tripwire"],
  }
  # The database is created by the make run below; only ownership and
  # permissions are managed here.
  file { "/var/lib/tripwire/tripwire.twd":
    owner   => root,
    group   => root,
    mode    => "0440",
    require => Exec["make -C /etc/tripwire"],
  }

  # First run on a new machine: build tw.cfg, tw.pol, local.key and the
  # database. "creates" keeps this from running again once the database exists.
  exec { "make -C /etc/tripwire":
    cwd     => "/etc/tripwire",
    path    => ["/bin", "/usr/bin"],
    creates => "/var/lib/tripwire/tripwire.twd",
    timeout => 10000,
    require => File["/etc/tripwire/Makefile", "/etc/tripwire/site.key",
                    "/etc/tripwire/twcfg.txt", "/etc/tripwire/twpol.txt"],
  }

  # Re-sign the policy whenever puppet ships a changed twpol.txt.
  exec { "tripwire --update-policy -Z low --local-passphrase '' --site-passphrase '' --quiet /etc/tripwire/twpol.txt":
    cwd         => "/etc/tripwire",
    path        => ["/sbin", "/usr/sbin"],
    timeout     => 10000,
    refreshonly => true,
    subscribe   => File["/etc/tripwire/twpol.txt"],
    require     => Exec["make -C /etc/tripwire"],
  }
}
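The manifest above ships /etc/cron.daily/tripwire-check but the post does not show its contents. The script below is an added example of what that job can look like; it is not the author's script. It assumes tripwire lives in /usr/sbin, that --check accepts --quiet and --email-report (the mail settings then come from tw.cfg), and that the exit status of an integrity check is the bitmask documented in tripwire(8): 1 added, 2 removed, 4 changed, 8 error. The status decoding is kept in its own function so the summary logic can be exercised without a live database.

```shell
#!/bin/sh
# /etc/cron.daily/tripwire-check (added example, assumed layout).
# Runs the daily integrity check, mails the report using the MAIL* settings
# from tw.cfg, and writes a one-line summary to syslog so a central collector
# sees violations even when mail is lost.

TRIPWIRE=/usr/sbin/tripwire   # assumed install path
TAG=tripwire-check

# classify_status STATUS
# Decode tripwire's exit status (assumed bitmask: 1 added, 2 removed,
# 4 changed, 8 error) into a space-separated list, or "clean" for 0.
classify_status() {
    status=$1
    out=""
    [ $((status & 1)) -ne 0 ] && out="$out added"
    [ $((status & 2)) -ne 0 ] && out="$out removed"
    [ $((status & 4)) -ne 0 ] && out="$out changed"
    [ $((status & 8)) -ne 0 ] && out="$out error"
    # Anything outside the documented bits is surfaced, not hidden.
    [ "$status" -ge 16 ] && out="$out unknown($status)"
    out=${out# }
    printf '%s\n' "${out:-clean}"
}

# syslog_priority SUMMARY
# A clean run is informational; any violation is a warning; an error (for
# example a missing or unreadable database) is logged at err level.
syslog_priority() {
    case "$1" in
        clean)             echo daemon.info ;;
        *error*|*unknown*) echo daemon.err ;;
        *)                 echo daemon.warning ;;
    esac
}

run_check() {
    # --quiet keeps cron from mailing the full report a second time;
    # --email-report sends it to GLOBALEMAIL via MAILMETHOD from tw.cfg.
    "$TRIPWIRE" --check --quiet --email-report
    rc=$?
    summary=$(classify_status "$rc")
    logger -t "$TAG" -p "$(syslog_priority "$summary")" \
        "integrity check finished: $summary (exit $rc)"
    # Keep the non-zero status so run-parts records the job as failed.
    return "$rc"
}

# Only run the check when invoked as the cron job itself, so the helper
# functions can be sourced or tested without touching the live database.
case "$0" in
    tripwire-check|*/tripwire-check) run_check ;;
esac
```

Deploy it through the `/etc/cron.daily/tripwire-check` file resource in the class above; with `MAILNOVIOLATIONS = false` in twcfg.txt a clean run produces no mail, so the syslog line is the only daily evidence that the check actually ran.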
You'll notice there is a Makefile defined. This makes remote management much simpler: it contains some simple housekeeping targets, although I do not use all of them within my puppet implementation:
# Build everything a fresh host needs: config, policy and the initial database.
all: tw.cfg tw.pol /var/lib/tripwire/tripwire.twd

# Throw away the generated files so "init" starts from scratch.
clean:
	/bin/rm -f /etc/tripwire/local.key /etc/tripwire/tw.cfg /etc/tripwire/tw.pol /var/lib/tripwire/tripwire.twd

init: clean /var/lib/tripwire/tripwire.twd

local.key:
	/usr/sbin/twadmin --generate-keys --local-keyfile local.key --local-passphrase ''

tw.cfg: site.key twcfg.txt
	/usr/sbin/twadmin --create-cfgfile --site-keyfile site.key --site-passphrase '' twcfg.txt

# Update the policy in place when a database already exists, otherwise sign a new one.
tw.pol: tw.cfg twpol.txt
	if [ -f tw.pol -a -f /var/lib/tripwire/tripwire.twd ]; \
	then /usr/sbin/tripwire --update-policy --local-passphrase '' --quiet --secure-mode low --site-passphrase '' twpol.txt; \
	else /usr/sbin/twadmin --create-polfile --site-passphrase '' twpol.txt; \
	fi

/var/lib/tripwire/tripwire.twd: local.key site.key
	/usr/sbin/tripwire --init --local-passphrase ''
My twcfg.txt is very simple:
# required
DBFILE = /var/lib/tripwire/tripwire.twd
LOCALKEYFILE = /etc/tripwire/local.key
POLFILE = /etc/tripwire/tw.pol
REPORTFILE = /var/lib/tripwire/report/$(DATE).twr
SITEKEYFILE = /etc/tripwire/site.key

# e-mail notification
EMAILREPORTLEVEL = 3
GLOBALEMAIL = email@domain.tld
MAILMETHOD = SENDMAIL
MAILNOVIOLATIONS = false
MAILPROGRAM = /usr/sbin/sendmail -oi -t

# other
EDITOR = /usr/bin/vim
LATEPROMPTING = false
LOOSEDIRECTORYCHECKING = false
REPORTLEVEL = 4
SYSLOGREPORTING = true
TEMPDIRECTORY = /var/tmp
Other than including the tripwire class within your site.pp file, that's about it.
Credit: The makefile was created by Steve Coile.