Introduction

If you use tripwire, you may have to review and accept changes on a daily basis. Logging into multiple servers to accept the changes is troublesome. Enter CentralWire: a web-based centralized console to review and accept changes detected by tripwire.

Note that Tripwire is a registered trademark of Tripwire, Inc. and that the CentralWire project is NOT associated with Tripwire, Inc.

Features

  • It lists all your servers and their statuses (has changes, no changes or no report) on a single web page.
  • You can review the changes.
  • You can accept the changes for one server or for all the servers listed in one step.
  • It integrates with LDAP for authentication.

Requirements

  • CentralWire is a standard Java web application and should run on all web containers supporting the Servlet specification v2.4 and JRE 5 or later. It has been tested with Tomcat 6 and Jetty 6.
  • It needs a database that supports character large objects (CLOB). It has been tested with PostgreSQL 8.2.

Installation

Get the war file

Get the latest file from https://sourceforge.net/projects/centralwire/files/. Suppose that it is centralwire-1.0.0.war. Put it into a directory, say, /usr/share/webapps.

Set up the database and database user

CentralWire logs in as this user to access the database. Taking PostgreSQL as an example, issue the following commands on the database server host as root:

su postgres
createuser -S -D -R -P centralwire
  Enter password for new role: 123  <-- Use a better password!
  Enter it again: 123
createdb -E Unicode centralwire
psql template1
  grant all on database centralwire to centralwire;

To test that it works, connect to the database server host (say db.foo.com) from the web container host (say web.foo.com):

psql -h db.foo.com -p 5432 -U centralwire centralwire
  Password for user centralwire: 123

Make sure that you can connect successfully before proceeding. If the connection is refused, check listen_addresses in postgresql.conf and the client rules in pg_hba.conf on the database server.

Install the JDBC driver into your web container

Taking Tomcat and PostgreSQL as an example, obtain the PostgreSQL JDBC driver jar file from http://jdbc.postgresql.org/download.html and put it into the tomcat/lib directory. Restart Tomcat for it to take effect.

Register the .war file with your web container

For example, if you're using Tomcat, create a centralwire.xml file in the tomcat/conf/Catalina/localhost/ directory with content like the following:

<Context docBase="/usr/share/webapps/centralwire-1.0.0.war">
        <Resource name="jdbc/centralwire" auth="Container" type="javax.sql.DataSource"
                driverClassName="org.postgresql.Driver" url="jdbc:postgresql://db.foo.com:5432/centralwire"
                username="centralwire" password="123" maxActive="5" maxIdle="10"
                maxWait="-1" />
        <Parameter name="ldap.server.url" value="ldap://ldap.foo.com/dc=foo,dc=com" />
        <Parameter name="ldap.user.filter" value="(uid={0})" />
        <Parameter name="ldap.user.base" value="ou=people" />
        <Parameter name="ldap.group.filter" value="(uniqueMember={0})" />
        <Parameter name="ldap.group.base" value="ou=groups" />
        <Parameter name="role.admin" value="admin" />
</Context>

The file above makes the following assumptions, most of which you will want to change:

  • It assumes your database server is running on db.foo.com.
  • It assumes that the password of the centralwire database user is "123". Use a much stronger password, and because it is stored in clear text in this file, make the file readable only by the user Tomcat runs as (for example, chmod 600 centralwire.xml).
  • If you aren't using PostgreSQL, the driverClassName and the url for the resource should be changed. For example, for MySQL, the driverClassName should be com.mysql.jdbc.Driver and the url should be jdbc:mysql://db.foo.com/centralwire.
  • It assumes you have an LDAP server on ldap.foo.com and that user accounts are stored under ou=people,dc=foo,dc=com, such as uid=kent,ou=people,dc=foo,dc=com. It also assumes that there is a group (a groupOfUniqueNames, in LDAP terms) named "admin" in ou=groups,dc=foo,dc=com and that only its members can access the CentralWire application.
  • If you're using Active Directory, you may try (untested):
    <Context>
            <Resource .../>
            <Parameter name="ldap.server.url" value="ldap://ad.foo.com/dc=foo,dc=com" />
            <Parameter name="ldap.user.filter" value="(sAMAccountName={0})" />
            <Parameter name="ldap.user.base" value="ou=accounts" />
            <Parameter name="ldap.group.filter" value="(member={0})" />
            <Parameter name="ldap.group.base" value="ou=groups" />
            <Parameter name="role.admin" value="admin" />
    </Context>
  • If you aren't using Tomcat, consult the documentation of your web container to see how to deploy a war file, how to specify context parameters and how to provide a data source to it.

To see if it is working, start Tomcat and try going to http://web.foo.com:8080/centralwire/app (assuming that Tomcat is running on host web.foo.com). You should see a login screen. If not, check the end of tomcat/logs/catalina.out for error messages.
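Before trying to log in, it is worth checking the ldap.* parameters against the directory with ldapsearch, since a wrong base or filter shows up only as a failed login. The script below is an added example, not part of CentralWire. It assumes (the page does not say) that {0} in ldap.user.filter is replaced with the login name typed at the login screen and {0} in ldap.group.filter with the DN of the user entry that search returned, which is what the (uid={0}) / (uniqueMember={0}) pair implies, and that role.admin names the group's cn. The filter value is escaped as RFC 4515 requires, which is also the check you want CentralWire itself to be doing: without it a login name such as "*" turns (uid={0}) into (uid=*).

```shell
#!/bin/sh
# Added example (not part of CentralWire): check the ldap.* parameters from the
# <Context> above against the directory with ldapsearch, before trying to log in.
#
# Assumptions, since the page does not state them: {0} in ldap.user.filter is
# replaced with the login name, {0} in ldap.group.filter with the DN of the user
# entry found by the first search, and role.admin is the cn of the group.
# Anonymous bind is assumed; add -D/-w to ldapsearch if your directory needs it.

LDAP_URL=${LDAP_URL:-ldap://ldap.foo.com}
BASE_DN=${BASE_DN:-dc=foo,dc=com}
USER_BASE=${USER_BASE:-ou=people}
GROUP_BASE=${GROUP_BASE:-ou=groups}
USER_FILTER=${USER_FILTER:-'(uid={0})'}
GROUP_FILTER=${GROUP_FILTER:-'(uniqueMember={0})'}
ADMIN_GROUP=${ADMIN_GROUP:-admin}

# Escape a value for use inside a search filter (RFC 4515, section 3):
# "\" "*" "(" ")" become \5c \2a \28 \29 (a NUL byte would become \00, but a
# shell string cannot carry one).  Backslash goes first so the escapes added
# by the later substitutions are not escaped again.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                            -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# Substitute the escaped value for {0} in a filter template; a template
# without {0} is returned unchanged.
ldap_filter() {
    template=$1
    case "$template" in
        *'{0}'*) ;;
        *) printf '%s' "$template"; return ;;
    esac
    value=$(ldap_escape "$2")
    prefix=${template%%\{0\}*}
    suffix=${template#*\{0\}}
    printf '%s%s%s' "$prefix" "$value" "$suffix"
}

# Resolve a login name to the DN of its entry; prints nothing when not found.
find_user_dn() {
    ldapsearch -x -LLL -H "$LDAP_URL" -b "$USER_BASE,$BASE_DN" \
        "$(ldap_filter "$USER_FILTER" "$1")" dn | sed -n 's/^dn: //p'
}

# Exit status 0 when the admin group lists the given DN as a member.
is_admin() {
    ldapsearch -x -LLL -H "$LDAP_URL" -b "$GROUP_BASE,$BASE_DN" \
        "(&(cn=$(ldap_escape "$ADMIN_GROUP"))$(ldap_filter "$GROUP_FILTER" "$1"))" dn |
        grep -q '^dn: '
}

# Usage: sh check-ldap.sh LOGINNAME   (the name you intend to log in with)
if [ $# -ge 1 ]; then
    dn=$(find_user_dn "$1")
    if [ -z "$dn" ]; then
        echo "no entry for '$1' under $USER_BASE,$BASE_DN with $USER_FILTER" >&2; exit 1
    fi
    if is_admin "$dn"; then
        echo "$dn is a member of $ADMIN_GROUP: login should work"
    else
        echo "$dn is not a member of $ADMIN_GROUP: CentralWire will refuse the login" >&2; exit 1
    fi
fi
```

For the Active Directory variant, run it with USER_FILTER='(sAMAccountName={0})', GROUP_FILTER='(member={0})', USER_BASE=ou=accounts and LDAP_URL=ldap://ad.foo.com; AD normally refuses anonymous searches, so add -D and -w to the two ldapsearch calls.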

Set up the SSH shell accounts

To fetch the tripwire reports and accept changes, CentralWire logs into each managed server over SSH with a dedicated user account. So, on each server to be managed by CentralWire, create a shell user account. The best way is to create it in LDAP. If you'd rather create it as a local user account:

useradd centralwire
passwd centralwire
Enter new UNIX password: 456  <-- Use a better password!
Retype new UNIX password: 456

Run visudo and add the following lines to the sudoers file so that this account can run tripwire and twprint as root without a password. Note that sudo matches the command arguments as a single string, so the trailing * admits any further options to tripwire and twprint, not just a report file name; protect this account's credentials accordingly:

centralwire ALL=NOPASSWD: /usr/sbin/tripwire -m u *
centralwire ALL=NOPASSWD: /usr/sbin/twprint -m r *
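The wildcard in those two rules deserves a closer look. sudoers(5) compares the requested arguments with the rule as one concatenated string, so "*" matches across word boundaries: anything may follow "-m u", including -c (config file), -p (policy file) or -V (editor to run), not only the -r report argument. The script below is an added example, not CentralWire's code: it emulates that matching to show what the rule accepts, and then shows the allow-list check a wrapper script would use instead of a wildcard. The wrapper is a suggestion with two labelled assumptions: that "accept the changes" amounts to "tripwire -m u -a -r REPORT", and that CentralWire can be told to call the wrapper instead of /usr/sbin/tripwire, which this page does not say.

```shell
#!/bin/sh
# Added example (not part of CentralWire): what the sudoers rules above really
# permit, and an allow-list check that does not depend on a sudoers wildcard.

# Emulate sudoers argument matching.  RULE_ARGS is the argument part of a
# sudoers line, ARGS the argument string actually requested.  Returns 0 when
# sudo would allow it.  Like sudo, the glob is applied to the whole string, so
# "*" also matches spaces and therefore additional options.
sudoers_args_allow() {
    rule_args=$1
    args=$2
    # $rule_args must stay unquoted so that it is used as a glob pattern.
    case "$args" in
        $rule_args) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print the verdict for one command line without aborting under "set -e".
show() {
    if sudoers_args_allow "$1" "$2"; then v=allowed; else v=denied; fi
    printf '%-8s sudo tripwire %s\n' "$v" "$2"
}

# Allow-list check for a wrapper that takes a single report file name instead
# of free-form tripwire arguments: exactly one argument, no directory part,
# nothing starting with a dot (covers ".."), only [A-Za-z0-9._-], .twr suffix.
check_report_name() {
    [ $# -eq 1 ] || return 1
    case "$1" in
        ''|*/*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *.twr)                        return 0 ;;
        *)                            return 1 ;;
    esac
}

# Body of such a wrapper.  Install it root-owned, mode 0755, e.g. as
# /usr/local/sbin/cw-tripwire-update, and grant it in sudoers with no wildcard:
#   centralwire ALL=NOPASSWD: /usr/local/sbin/cw-tripwire-update
# Assumption: accepting a report means "tripwire -m u -a -r REPORT"; the exact
# arguments CentralWire sends are not documented on this page.
REPORT_DIR=${REPORT_DIR:-/var/lib/tripwire/report}
tripwire_accept_report() {
    check_report_name "$@" || { echo "usage: $0 REPORT.twr" >&2; return 2; }
    [ -f "$REPORT_DIR/$1" ] || { echo "no such report: $1" >&2; return 2; }
    exec /usr/sbin/tripwire -m u -a -r "$REPORT_DIR/$1"
}

RULE='-m u *'
show "$RULE" '-m u -r /var/lib/tripwire/report/web.foo.com-20100101-010203.twr'   # intended use
show "$RULE" '-m u -c /tmp/evil.cfg -p /tmp/evil.pol -r /tmp/evil.twr'              # also allowed
show "$RULE" '-m u -V /bin/sh -r /var/lib/tripwire/report/web.foo.com-20100101-010203.twr'  # also allowed
show "$RULE" '-m i'                                                                  # denied
```

The same reasoning applies to the twprint rule: "-m r *" lets the account print any report with any options, which is less of a concern because twprint only reads, but a wrapper with a fixed report directory keeps the two rules symmetrical.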

Configure the CentralWire web application

Go to http://web.foo.com:8080/centralwire/app/config to configure the CentralWire web application. At a minimum, enter the shell user name ("centralwire" in this example) and its password ("456" in this example).

Use CentralWire

Now you are ready to use it. However, the installation as described so far is NOT secure: the database password sits in clear text in the context file, and CentralWire logs into every managed server with a stored password. Please follow this page to secure it, then follow this page to use it.