HOWTO Setup Tripwire: Difference between revisions

Setting Up a Tripwire Installation

# emerge tripwire
# cd /etc/tripwire
# tripwire --init
# twadmin --create-polfile twpol.txt
# twadmin --create-polfile -S hostname-local.key twpol.txt

Generate a Report

 hostname ~ # tripwire --check

File System Error Messages

To get rid of "File system error." messages where the file or folder does not exist, comment out the culprits from /etc/tripwire/twpol.txt
Then, update the policy file, delete and re-init the db:

 hostname ~ # twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
 hostname ~ # rm /var/lib/tripwire/$hostname.twd
 hostname ~ # tripwire --init

Now, run a check, followed by an update. This shifts files around, which will be flagged as "changed" on the next run, so re-run the check/update:

 hostname ~ # tripwire --check
 hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/hostname_date_time.twr
 hostname ~ # tripwire --check
 hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/hostname_date_time.twr

After System Changes

After you emerge packages or change config files:

 hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/a_previous_integrity_report.twr

Tidying Up

After a while, the /var/log/tripwire/report/ directory becomes quite large. At some point, these historical reports are of no value, so they can be deleted. One guideline might be to blow away anything more than 6 months old.