HOWTO Setup Tripwire
Latest revision as of 22:51, 4 January 2018
Setting Up a Tripwire Installation
hostname ~ # emerge tripwire mktwpol
hostname ~ # cd /etc/tripwire
hostname ~ # emacs -nw /etc/tripwire/twpol-GENERIC.txt     (change HOSTNAME= to the proper hostname; no domain/no FQDN)
hostname ~ # emacs -nw /etc/tripwire/twcfg.txt     (change /bin/nano to /usr/bin/vi for use during updating, for example)
Create the keys, and sign the policy and configuration files:
hostname ~ # cd /etc/tripwire ; /bin/bash twsetup.sh (supply site- and local-key multiple times to setup, site-key another couple of times to sign tw.pol and tw.cfg)
Now initialize everything (creates the database file /var/lib/tripwire/$hostname.twd)
hostname ~ # tripwire --init
Create the list of files we want to fingerprint and monitor:
hostname ~ # /usr/local/bin/mktwpol.sh > /etc/tripwire/twpol.txt
(If you don't have this on your system, grab it HERE, name it /usr/local/bin/mktwpol.sh, and make it executable with chmod u+x /usr/local/bin/mktwpol.sh.)
Generate a Report
hostname ~ # tripwire --check
The first time you do this, there may be a few files not found. Go through these one by one and either find the proper location of the file or comment the entry out in twpol.txt. Sometimes files have been relocated from where the original twpol.txt expects them, e.g. a binary moved from /bin/ to /usr/bin/ or from /sbin/ to /usr/sbin/.
File System Error Messages
To get rid of "File system error." messages where the file or folder does not exist, first check whether the file has been relocated (fairly common when updating packages), or comment the culprits out of /etc/tripwire/twpol.txt if they have truly disappeared.
hostname ~ # emacs -nw /etc/tripwire/twpol.txt
A BETTER WAY:
hostname ~ # /usr/sbin/mktwpol.sh /etc/tripwire/mktwpol-default.rules > /etc/tripwire/twpol.txt
Check the resulting /etc/tripwire/twpol.txt file for sanity: for example, if the ruleset was incorrect or unspecified when mktwpol.sh was invoked, you may see a very short twpol.txt that only references the tripwire files themselves :-(
Then, update the policy file, delete and re-init the db:
hostname ~ # twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
hostname ~ # rm /var/lib/tripwire/$hostname.twd*
hostname ~ # tripwire --init
Now, run a check, followed by an update. This shifts files around (mainly it creates /var/lib/tripwire/$hostname.twd.bak), which will be flagged as "changed" on the next run, so re-run the check/update:
hostname ~ # tripwire --check
hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/<hostname_date_time>.twr
hostname ~ # tripwire --check
hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/<hostname_date_time>.twr
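The "files not found" and sanity-check steps above (finding relocated binaries, commenting out vanished paths, spotting a too-short twpol.txt from mktwpol.sh) can be pre-flighted with this added script before running tripwire --init. It is not part of the wiki page or of Tripwire/mktwpol, and the policy fragment it checks is constructed here; only literal absolute paths are inspected.

```bash
#!/bin/bash
# Added example, not from the wiki: pre-flight a Tripwire policy file.
# Lists literal paths the policy references that are absent on this host (the
# "files not found" / "File system error." entries), counts active rules to
# catch a suspiciously short twpol.txt from mktwpol.sh, and writes a copy with
# the missing entries commented out. $(TWBIN)-style variable entries are skipped.

# Print each literal path in a rule line ("/path -> $(RULE) ;" or "!/path ;")
# that does not exist on this host.
twpol_missing() {
    grep -E '^[[:space:]]*!?/[^[:space:]]+[[:space:]]*(->|;)' "$1" \
      | sed -E 's/^[[:space:]]*!?(\/[^[:space:]]+).*/\1/' \
      | while IFS= read -r path; do
            [ -e "$path" ] || printf '%s\n' "$path"
        done
}

# Count active (non-comment) rule lines.
twpol_rule_count() {
    grep -Ec '^[[:space:]]*!?/[^[:space:]]+[[:space:]]*(->|;)' "$1"
}

# Copy policy $1 to $2 with every rule for a missing path commented out
# (the edit the wiki otherwise makes by hand in emacs).
twpol_comment_missing() {
    list=$(mktemp)
    twpol_missing "$1" > "$list"
    awk -v listfile="$list" '
        BEGIN { while ((getline l < listfile) > 0) missing[l] = 1 }
        { p = $0; sub(/^[ \t]*!?/, "", p); sub(/[ \t].*$/, "", p)
          if (p in missing) print "# " $0; else print $0 }' "$1" > "$2"
    rm -f "$list"
}

# Constructed sample policy fragment; on a real host use /etc/tripwire/twpol.txt.
make_sample_policy() {
    cat > "$1" <<'EOF'
# constructed twpol.txt fragment, not a real Gentoo policy
( rulename = "Constructed rules", severity = $(SIG_HI) )
{
  /bin/sh                 -> $(SEC_BIN) ;
  /etc/passwd             -> $(SEC_CONFIG) ;
  /bin/no-such-binary-xyz -> $(SEC_BIN) ;
  !/tmp ;
}
EOF
}

tmp=$(mktemp -d); make_sample_policy "$tmp/twpol.txt"
echo "active rules: $(twpol_rule_count "$tmp/twpol.txt")"; echo "missing paths:"
twpol_missing "$tmp/twpol.txt"
twpol_comment_missing "$tmp/twpol.txt" "$tmp/twpol.fixed.txt"
```

Review the commented-out copy before installing it as twpol.txt; a path that is merely relocated should be corrected rather than dropped from monitoring.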
After System Changes
After you emerge packages or change config files:
hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/<a_previous_integrity_report>.twr
Tidying Up
After a while, the /var/lib/tripwire/report/ directory becomes quite large. At some point, these historical reports are of no value, so they can be deleted. One guideline might be to blow away anything more than 6 months old.
Troubleshooting
An error of: Fatal Exception st9exception indicates that the tripwire database has become corrupted. Re-initialize (tripwire --init) and follow the steps under File System Error Messages.