.:An Endless Journey:.
open source and me

Tripwire Quick Refresher

File integrity checking tools.

Different Species of Tripwire

Tripwire comes in several flavours:

  • Open Source Tripwire
  • Tripwire for Servers (commercial, from www.tripware.com)
  • Tripwire for Enterprise (commercial, from www.tripware.com)

These notes apply only to Open Source Tripwire.

At the time of writing, the current Open Source Tripwire version is 2.4.0.2.

Documentation

While there is no official manual for Tripwire, the tripwire package comes with a set of man pages.

Installing Open Source Tripwire on Fedora Core 6

Installation is easy:

$ yum install tripwire

Initial Setup

Initialization consists of compiling the config and policy files, creating the key files (used for encryption and signing), running the initial scan and writing the baseline database.

Adjust the initial policy (optional; you can skip this now and re-tune it later):

$ vim /etc/tripwire/twpol.txt

Create the local and site keys, which are used to encrypt and sign the config and policy files. You will be prompted for a passphrase for each key. In a testing environment you can simply use '<EMPTY STRING>':

$ tripwire-setup-keyfiles

Initialize the baseline database:

$ tripwire --init

Settings for Email Notification

Set the following in twcfg.txt:

EMAILREPORTLEVEL =3
MAILMETHOD       =SMTP
GLOBALEMAIL      =tester@127.0.0.1
SMTPHOST         =127.0.0.1

Adjusting the Command Line in Crontab

Tripwire runs daily from cron; you can change the command-line options it is run with:

$ vim /etc/cron.daily/tripwire-check

# Change '/usr/sbin/tripwire --check' to
$ /usr/sbin/tripwire --check -M -t 4

Executing the Check Manually

You can invoke Tripwire manually. This is handy while you are tuning the configuration:

$ tripwire -m c

The Verbosity of Report

Tripwire can print reports at various verbosity levels. You pass this parameter to both the twprint command and the tripwire -m c command.

The twprint command allows you to print out a report at any time:

twprint -m r -t [0|1|2|3|4] -r [path/to/report]

  -m r    print a report (the alternative, 'b', dumps the baseline database)
  -t      verbosity level (0 to 4)
  -r      path to the report file

The verbosity value ranges from 0 to 4, with the following meanings:

====== ==============
Value  Meaning
====== ==============
0      SINGLE_LINE
1      PARSEABLE
2      SUMMARY_ONLY
3      CONCISE_REPORT
4      FULL_REPORT
====== ==============

Commands Commonly Used

You can fine-tune the baseline database using these commands:

# Examine the result of a check
$ twprint -m r -r /var/lib/tripwire/report/my.full.hostname-date-time.twr

# Update the baseline database from a report (-a accepts all reported changes, -Z low selects low security mode)
$ tripwire -m u -r /var/lib/tripwire/report/my.full.hostname-date-time.twr -a -Z low

# Ad hoc check
$ tripwire -m c

Routine Admin

Update the config file:

$ twadmin --print-cfgfile > /etc/tripwire/twcfg.txt
$ vim /etc/tripwire/twcfg.txt
$ twadmin --create-cfgfile -e /etc/tripwire/twcfg.txt

Update the policy:

$ twadmin --print-polfile > /etc/tripwire/twpol.txt
$ vim /etc/tripwire/twpol.txt
$ tripwire -m p -Z low /etc/tripwire/twpol.txt

Configuration for Notification

GLOBALEMAIL::

List of email addresses separated by either a comma "," or a semicolon ";".

If a report would normally have been sent out, it will also be sent to this list of recipients.

Initial value: none

MAILMETHOD::

Specifies the protocol to be used by Tripwire for email notification.

Accepted values: SMTP or SENDMAIL

Initial value: SENDMAIL

SMTPHOST::

Specifies the domain name or IP address of the SMTP server used for email notification.

Ignored unless MAILMETHOD is set to SMTP.

Initial value: mail.domain.com

SMTPPORT::

Specifies the port number used with SMTP.

Ignored unless MAILMETHOD is set to SMTP.

Initial value: 25

MAILPROGRAM::

Specifies the program used for email reporting of rule violations if MAILMETHOD is set to SENDMAIL.

Initial value: /usr/lib/sendmail -oi -t

EMAILREPORTLEVEL::

Specifies the default level of the report produced by the tripwire --check mode email report. Valid values for this option are 0 to 4.

This option can be overridden with the command-line option (-t or --email-report-level).

Initial value: 3

MAILNOVIOLATIONS::

Controls the way that Tripwire sends email notification if no rule violations are found during an integrity check.

If MAILNOVIOLATIONS is set to false and no violations are found, Tripwire will not send a report. With any other value (or if the option is removed from the config file), Tripwire will send an email message stating that no violations were found.
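A silently misconfigured twcfg.txt means the daily report never reaches anyone, so it pays to lint the notification settings described above before relying on them. The checker below is an added example written for these notes, not part of Tripwire or its tools; it parses KEY = value lines, applies the initial values and rules listed above (SMTPHOST/SMTPPORT ignored unless MAILMETHOD is SMTP, EMAILREPORTLEVEL 0 to 4, GLOBALEMAIL split on "," or ";", MAILNOVIOLATIONS=false suppressing the clean-check mail) and reports what it finds. The sample config is constructed from the values shown on this page, and the case-insensitive comparison of "false" is an assumption.

```python
import re
# Constructed sample twcfg.txt fragment, mirroring the settings shown on this page.
SAMPLE_TWCFG = """\
EMAILREPORTLEVEL =3
MAILMETHOD       =SMTP
GLOBALEMAIL      =tester@127.0.0.1; ops@127.0.0.1
SMTPHOST         =127.0.0.1
"""

# Initial values as documented above; used when a key is absent from the file.
DEFAULTS = {"MAILMETHOD": "SENDMAIL", "SMTPHOST": "mail.domain.com",
            "SMTPPORT": "25", "EMAILREPORTLEVEL": "3"}

def parse_twcfg(text):
    """Parse KEY = value lines; '#' starts a comment, whitespace around '=' is ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip().upper()] = value.strip()
    return cfg

def recipients(cfg):
    """GLOBALEMAIL is a list of addresses separated by ',' or ';'."""
    return [r.strip() for r in re.split(r"[,;]", cfg.get("GLOBALEMAIL", "")) if r.strip()]

def check_notification(cfg):
    """Return the problems that would stop the daily report from reaching anyone."""
    get = lambda k: cfg.get(k, DEFAULTS.get(k, ""))
    problems = []
    method = get("MAILMETHOD").upper()
    if method not in ("SMTP", "SENDMAIL"):
        problems.append("MAILMETHOD must be SMTP or SENDMAIL, got %r" % method)
    elif method == "SMTP":
        if get("SMTPHOST") == DEFAULTS["SMTPHOST"]:
            problems.append("SMTPHOST is still the placeholder mail.domain.com")
        if not get("SMTPPORT").isdigit():
            problems.append("SMTPPORT must be numeric, got %r" % get("SMTPPORT"))
    elif "SMTPHOST" in cfg or "SMTPPORT" in cfg:
        problems.append("SMTPHOST/SMTPPORT are ignored while MAILMETHOD is SENDMAIL")
    if get("EMAILREPORTLEVEL") not in ("0", "1", "2", "3", "4"):
        problems.append("EMAILREPORTLEVEL must be 0..4, got %r" % get("EMAILREPORTLEVEL"))
    if not recipients(cfg):
        problems.append("GLOBALEMAIL is empty: nobody receives the report")
    return problems

def mails_on_clean_check(cfg):
    """Only the value 'false' (compared case-insensitively here, an assumption) suppresses the 'no violations' mail."""
    return cfg.get("MAILNOVIOLATIONS", "").lower() != "false"
```

Run it against the real /etc/tripwire/twcfg.txt (or the output of twadmin --print-cfgfile) before enabling the cron job.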

TechNotes/SysAdmin/Tripware (last edited 2008-03-15 01:40:39 by )