HOWTO Setup Tripwire

From Research

Setting Up a Tripwire Installation

hostname ~ # emerge tripwire
hostname ~ # cd /etc/tripwire
hostname ~ # emacs -nw /etc/tripwire/twpol.txt
     <check that HOSTNAME= is sane (around line 64 - 70 depending on distribution)>
hostname ~ # sh ./twinstall.sh   # supply the site and local key passphrases four times during setup, and the site key a fifth time to sign tw.pol
hostname ~ # twadmin --create-polfile -S /etc/tripwire/site.key twpol.txt

Change the editor used by logwatch during updating:

hostname ~ # emacs -nw /etc/tripwire/twcfg.txt     (change nano to vi)
hostname ~ # twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt     (creates /etc/tripwire/tw.cfg signed configuration file)

Now initialize everything (creates the database file /var/lib/tripwire/$hostname.twd)

hostname ~ # tripwire --init

Generate a Report

hostname ~ # tripwire --check

The first time you do this, there will be a massive number of files not found. Go through these one by one and either find the proper location of the file, or comment it out in twpol.txt. Many files have been relocated since the original twpol.txt was written, typically a binary that moved from /bin/ to /usr/bin/ or from /sbin/ to /usr/sbin/. This first pass is a huge pain in the butt, often with several hundred files needing review. You can jump-start it by copying over a similar config from another machine, but that runs the risk of incomplete coverage and isn't recommended.

File System Error Messages

To get rid of "File system error." messages where the file or folder does not exist, first check whether the file has been relocated (fairly common when updating packages), or comment the culprit out of /etc/tripwire/twpol.txt if it has truly disappeared.

hostname ~ # emacs -nw /etc/tripwire/twpol.txt

Then, update the policy file, delete and re-init the db:

hostname ~ # twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
hostname ~ # rm /var/lib/tripwire/$hostname.twd
hostname ~ # tripwire --init

Now, run a check, followed by an update. This shifts files around, which will be flagged as "changed" on the next run, so re-run the check/update:

hostname ~ # tripwire --check
hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/<hostname_date_time>.twr
hostname ~ # tripwire --check
hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/<hostname_date_time>.twr
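The review of "File system error." entries described above is tedious by hand. The script below is an added example (not from the original page and not part of Tripwire) that automates the first pass: it pulls the missing paths out of a saved `tripwire --check` report, looks for each basename under the usual relocation targets (/usr/bin, /usr/sbin and so on), rewrites the policy rule to the new path when one is found, and comments the rule out otherwise. The report format it parses (`### Warning: File system error.` followed by `### Filename: ...`) and the sample report, policy and fake file tree it builds under a temp directory are all constructed for the demo; the optional root-prefix argument exists only so the relocation check can be exercised against that fake tree instead of the live filesystem.

```shell
#!/bin/sh
# Added example: triage "File system error." entries from a tripwire --check
# report and patch a copy of twpol.txt accordingly. Not Tripwire's own tooling.
set -eu

# Print the unique paths reported as missing. Assumed (constructed) report
# layout: a "### Warning: File system error." line followed by "### Filename: X".
missing_files() {
    awk '/^### Warning: File system error\.$/ { want = 1; next }
         want && /^### Filename: / { sub(/^### Filename: /, ""); print; want = 0 }' "$1" \
        | sort -u
}

# Look for the basename of a missing path under the common relocation targets.
# Prints the new path and returns 0, or returns 1 if nothing is found.
# $2 is an optional root prefix (used here to test against a fake tree).
find_relocated() {
    path=$1; root=${2:-}
    base=$(basename "$path")
    for dir in /usr/bin /usr/sbin /bin /sbin /usr/lib; do
        [ "$dir/$base" = "$path" ] && continue      # skip the original location
        if [ -e "$root$dir/$base" ]; then
            echo "$dir/$base"
            return 0
        fi
    done
    return 1
}

# For every missing path in the report, rewrite the matching policy rule to the
# relocated path, or comment the rule out. Policy rules are assumed to look like
# "  /bin/ps  -> $(SEC_BIN) ;" (path first, then whitespace). Paths are assumed
# to contain no sed metacharacters other than "/" and ".".
patch_policy() {
    policy=$1; report=$2; root=${3:-}
    missing_files "$report" | while IFS= read -r old; do
        if new=$(find_relocated "$old" "$root"); then
            sed "s|^\([[:space:]]*\)$old\([[:space:]]\)|\1$new\2|" "$policy" > "$policy.tmp"
        else
            sed "s|^\([[:space:]]*$old[[:space:]]\)|#\1|" "$policy" > "$policy.tmp"
        fi
        mv "$policy.tmp" "$policy"
    done
}

# Build a constructed sample (report, policy, fake tree) in a temp dir, patch the
# policy, and print the temp dir so the caller can inspect the result.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/root/usr/bin"
    : > "$work/root/usr/bin/ps"      # constructed: ps now lives in /usr/bin, not /bin
    cat > "$work/report.txt" <<'EOF'
Open Source Tripwire(R) Integrity Check Report (constructed sample)
### Warning: File system error.
### Filename: /bin/ps
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### No such file or directory
### Continuing...
EOF
    cat > "$work/twpol.txt" <<'EOF'
  /bin/ps            -> $(SEC_BIN) ;
  /usr/sbin/fixrmtab -> $(SEC_BIN) ;
  /bin/ls            -> $(SEC_BIN) ;
EOF
    patch_policy "$work/twpol.txt" "$work/report.txt" "$work/root"
    echo "$work"
}

work=$(demo)
cat "$work/twpol.txt"    # /bin/ps rewritten to /usr/bin/ps, fixrmtab commented out, ls untouched
```

Run it against a real report with `patch_policy /etc/tripwire/twpol.txt /var/lib/tripwire/report/<hostname_date_time>.twr` after `twprint -m r` has turned the binary report into text, and with a backup of twpol.txt in place; then regenerate tw.pol and re-init the database as the page describes.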

After System Changes

After you emerge packages or change config files:

hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/<a_previous_integrity_report>.twr

Tidying Up

After a while, the /var/log/tripwire/report/ directory becomes quite large. At some point these historical reports are of no value, so they can be deleted. One guideline is to blow away anything more than 6 months old.
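The two housekeeping steps above (updating against the most recent integrity report, and pruning old reports) are easy to get wrong by hand, so here is an added example, not from the original page, of two small helpers for them. `latest_report` picks the newest `.twr` in a report directory so it can be fed to `tripwire --update --twrfile`, and `prune_reports` lists (or, with a second argument of `delete`, removes) reports older than a given number of days. The sample report files it creates in a temp directory are constructed for the demo; the directory and the 180-day cutoff are parameters, not Tripwire defaults.

```shell
#!/bin/sh
# Added example: helpers for "tripwire --update" against the newest report and
# for pruning old reports. Not part of Tripwire.
set -eu

# Print the path of the newest *.twr in the given report directory.
# Uses modification time, which is what tripwire sets when it writes the report.
latest_report() {
    dir=$1
    # ls -t sorts newest first; head -n 1 takes it. Fails if there are no reports.
    newest=$(ls -t "$dir"/*.twr 2>/dev/null | head -n 1)
    [ -n "$newest" ] || return 1
    echo "$newest"
}

# List reports older than $2 days in $1; pass "delete" as $3 to remove them.
prune_reports() {
    dir=$1; days=$2; mode=${3:-list}
    if [ "$mode" = delete ]; then
        find "$dir" -name '*.twr' -type f -mtime "+$days" -print -exec rm -f {} \;
    else
        find "$dir" -name '*.twr' -type f -mtime "+$days" -print
    fi
}

# Build a constructed report directory: one stale report from 2020 and one fresh.
demo() {
    work=$(mktemp -d)
    : > "$work/host-20200101-000000.twr"
    touch -t 202001010000 "$work/host-20200101-000000.twr"   # constructed old timestamp
    sleep 1                                                   # make mtimes distinct
    : > "$work/host-fresh.twr"
    echo "$work"
}

work=$(demo)
echo "update against: $(latest_report "$work")"
echo "stale reports (>180 days):"
prune_reports "$work" 180
```

On a live system the update step becomes `tripwire --update --twrfile "$(latest_report /var/lib/tripwire/report)"`, and a cron job can run `prune_reports /var/lib/tripwire/report 180 delete` once the listing output looks right.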

Troubleshooting

An error of "Fatal Exception st9exception" indicates that the tripwire database has become corrupted. Re-initialize (tripwire --init) and follow the steps under File System Error Messages.