HOWTO Setup Tripwire
Revision as of 17:55, 23 May 2007
Setting Up a Tripwire Installation
hostname ~ # emerge tripwire
hostname ~ # cd /etc/tripwire
hostname ~ # emacs -nw /etc/tripwire/twpol.txt
<check that HOSTNAME= is sane (around line 64 - 70 depending on distribution)>
hostname ~ # sh ./twinstall.sh    # supply the site- and local-key passphrases 4 times to set up, the site-key passphrase a fifth time to sign tw.pol
hostname ~ # twadmin --create-polfile -S /etc/tripwire/site.key twpol.txt
Change the editor used by logwatch during updating:
hostname ~ # emacs -nw /etc/tripwire/twcfg.txt    (change nano to vi)
hostname ~ # twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt    (creates the signed configuration file /etc/tripwire/tw.cfg)
Now initialize everything (creates the database file /var/lib/tripwire/$hostname.twd)
hostname ~ # tripwire --init
Generate a Report
hostname ~ # tripwire --check
The first time you do this, there will be a massive number of files not found. Go through these, one by one, and either find the proper location of the file, or comment them out in twpol.txt. Many files seem to be relocated from what's in the original twpol.txt - like a binary moved from /bin/ to /usr/bin/, or from /sbin/ to /usr/sbin/. This first pass through is a huge pain in the butt, often with several hundred files needing review. You can jump-start this by copying over a similar config from another machine, but this runs the risk of incomplete coverage, and isn't recommended.
File System Error Messages
To get rid of "File system error." messages where the file or folder does not exist, comment out the culprits in /etc/tripwire/twpol.txt:
hostname ~ # emacs -nw /etc/tripwire/twpol.txt
Then, update the policy file, delete and re-init the db:
hostname ~ # twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
hostname ~ # rm /var/lib/tripwire/$hostname.twd
hostname ~ # tripwire --init
Now, run a check, followed by an update. This shifts files around, which will be flagged as "changed" on the next run, so re-run the check/update:
hostname ~ # tripwire --check
hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/<hostname_date_time>.twr
hostname ~ # tripwire --check
hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/<hostname_date_time>.twr
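As an added example (not part of this HOWTO), a small POSIX shell script that automates the commenting-out step described above: it reads a saved copy of the tripwire --check output, collects the paths reported under "File system error.", and writes a copy of twpol.txt with those rules commented out so the change can be reviewed before re-creating the policy file. The report block layout (### Warning / ### Filename lines) and the sample policy are assumptions constructed here, not taken from the page.

```shell
# Added example: bulk-comment twpol.txt rules for paths that "tripwire --check"
# reported as "File system error." (file not present on this system).
set -eu

# Pull the missing paths out of a saved check report. The block format
# (### Warning / ### Filename / ### No such file) is assumed here.
missing_paths() {            # $1: saved report text
    awk '/^### Warning: File system error\./ { want = 1; next }
         want && /^### Filename:/ { sub(/^### Filename: */, ""); print; want = 0; next }
         { want = 0 }' "$1"
}

# Write a copy of the policy with the matching rules commented out. Only lines
# whose first token is exactly a missing path are touched; twpol.txt is not modified.
comment_out_missing() {      # $1: twpol.txt  $2: report  $3: output file
    missing_paths "$2" | sort -u > "$3.missing"
    awk -v listfile="$3.missing" '
        BEGIN { while ((getline p < listfile) > 0) missing[p] = 1 }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, tok, /[ \t]+/)
            # rule lines look like:   /sbin/ifconfig   -> $(SEC_BIN) ;
            if ((tok[1] in missing) && line !~ /^#/) { print "#" $0; next }
            print
        }' "$1" > "$3"
    rm -f "$3.missing"
}

# Constructed sample data: three rules, one of which points at a path that
# (as the HOWTO describes) has moved to /usr/sbin on this system.
make_samples() {             # $1: scratch directory
    cat > "$1/twpol.txt" <<'EOF'
{
  /bin/login        -> $(SEC_BIN) ;
  /sbin/ifconfig    -> $(SEC_BIN) ;
  /usr/bin/chage    -> $(SEC_BIN) ;
}
EOF
    cat > "$1/check.log" <<'EOF'
### Warning: File system error.
### Filename: /sbin/ifconfig
### No such file or directory
EOF
}

workdir=$(mktemp -d)
make_samples "$workdir"
comment_out_missing "$workdir/twpol.txt" "$workdir/check.log" "$workdir/twpol.new"
diff "$workdir/twpol.txt" "$workdir/twpol.new" || true   # review what changed
```

On a real box, save the check output (tripwire --check > check.log) and run comment_out_missing against /etc/tripwire/twpol.txt, then feed the reviewed copy to twadmin --create-polfile as in the steps above.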
After System Changes
After you emerge packages or change config files:
hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/<a_previous_integrity_report>.twr
Tidying Up
After a while, the /var/log/tripwire/report/ directory becomes quite large. At some point, these historical reports are of no value, so they can be deleted. One guideline might be to blow away anything more than 6 months old.
Troubleshooting
An error of "Fatal Exception st9exception" indicates that the tripwire database has become corrupted. Re-initialize (tripwire --init) and follow the steps under File System Error Messages.