HOWTO Setup Tripwire: Difference between revisions
Revision as of 18:13, 8 December 2006
Setting Up a Tripwire Installation
hostname ~ # emerge tripwire
hostname ~ # cd /etc/tripwire
hostname ~ # sh ./twinstall.sh   # supply site- and local-key 4 times to set up, site-key a fifth time to sign tw.pol
hostname ~ # tripwire --init
hostname ~ # twadmin --create-polfile twpol.txt
hostname ~ # twadmin --create-polfile -S hostname-local.key twpol.txt
Generate a Report
hostname ~ # tripwire --check
File System Error Messages
To get rid of "File system error." messages for files or directories that do not exist, comment out the offending entries in /etc/tripwire/twpol.txt.
Then, update the policy file, delete and re-init the db:
hostname ~ # twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
hostname ~ # rm /var/lib/tripwire/$hostname.twd
hostname ~ # tripwire --init
Now, run a check, followed by an update. This shifts files around, which will be flagged as "changed" on the next run, so re-run the check/update:
hostname ~ # tripwire --check
hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/hostname_date_time.twr
hostname ~ # tripwire --check
hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/hostname_date_time.twr
After System Changes
After you emerge packages or change config files:
hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/a_previous_integrity_report.twr
Tidying Up
After a while, the /var/log/tripwire/report/ directory becomes quite large. At some point, these historical reports are of no value, so they can be deleted. One guideline might be to blow away anything more than 6 months old.
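The check/update cycle above and the "older than 6 months" tidy-up guideline, as an added helper script that is not part of the original HOWTO: it picks the newest .twr report for --update instead of retyping the timestamped filename, and prunes reports older than N days. It assumes Gentoo's default report directory /var/lib/tripwire/report (override with REPORT_DIR) and that report files carry the .twr suffix.

```shell
#!/bin/sh
# Added example, not the HOWTO's own commands. Assumes reports live in
# /var/lib/tripwire/report and end in .twr; REPORT_DIR overrides the path.
set -e

REPORT_DIR="${REPORT_DIR:-/var/lib/tripwire/report}"

# Print the newest .twr report in a directory; return 1 if there is none.
latest_report() {
    dir="$1"
    newest=""
    for f in "$dir"/*.twr; do
        [ -f "$f" ] || continue            # unmatched glob stays literal, skip it
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest="$f"
        fi
    done
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# Delete reports whose mtime is older than N days (180 ~ the 6-month guideline).
# Prints how many files were removed so the caller can log it.
prune_reports() {
    dir="$1"
    days="$2"
    find "$dir" -maxdepth 1 -type f -name '*.twr' -mtime +"$days" -print -delete \
        | wc -l | tr -d ' '
}

# The HOWTO's cycle: run a check, then feed the report it just wrote to --update.
# tripwire --check exits non-zero when it finds violations, which is expected here.
check_and_update() {
    tripwire --check || true
    report=$(latest_report "$REPORT_DIR")
    tripwire --update --twrfile "$report"
}

# Only touch the real system when invoked as: sh script.sh run
if [ "${1:-}" = "run" ]; then
    check_and_update
    echo "pruned $(prune_reports "$REPORT_DIR" 180) old report(s)"
fi
```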
Troubleshooting
An error of "Fatal Exception st9exception" indicates that the tripwire database has become corrupted. Re-initialize it (tripwire --init) and follow the steps above.