HOWTO Setup Tripwire: Difference between revisions

Revision as of 18:13, 8 December 2006

Setting Up a Tripwire Installation

hostname ~ # emerge tripwire
hostname ~ # cd /etc/tripwire
hostname ~ # sh ./twinstall.sh   #supply site- and local-key 4 times to setup, site-key a fifth time to sign tw.pol
hostname ~ # tripwire --init
hostname ~ # twadmin --create-polfile twpol.txt
hostname ~ # twadmin --create-polfile -S hostname-local.key twpol.txt

Generate a Report

hostname ~ # tripwire --check

File System Error Messages

To get rid of "File system error." messages where the file or folder does not exist, comment out the culprits in /etc/tripwire/twpol.txt.
Then, update the policy file, delete and re-init the db:

hostname ~ # twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
hostname ~ # rm /var/lib/tripwire/$hostname.twd
hostname ~ # tripwire --init
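The step above is manual: every "File system error." line has to be matched back to a rule in twpol.txt by hand. The script below is an added example (not part of this HOWTO and not a Tripwire tool) that does the same job mechanically: it copies a policy file and comments out each rule line whose object is absent on this host. The policy fragment it writes is constructed for the demonstration; directives, variable definitions and stop points are passed through unchanged.

```shell
#!/bin/sh
# Write a small constructed policy fragment in twpol.txt syntax to $1.
# "/no/such/path" is deliberately absent so the cleanup has something to do.
make_sample_policy() {
  cat > "$1" <<'EOF'
(
  rulename = "Sample rules",
  severity = $(SIG_HI)
)
{
  /etc            -> $(SEC_CRIT) ;
  /no/such/path   -> $(SEC_CRIT) ;
  /tmp            -> $(SEC_INVARIANT) (recurse = 0) ;
}
EOF
}

# Copy policy $1 to $2, commenting out every rule line whose object does not
# exist on this host. A rule line is one that starts with an absolute path and
# contains "->"; everything else (directives, variables, stop points, comments)
# is copied verbatim. Prints the number of rule lines disabled.
disable_missing_paths() {
  policy="$1"; out="$2"; disabled=0
  : > "$out"
  while IFS= read -r line || [ -n "$line" ]; do
    trimmed=${line#"${line%%[![:space:]]*}"}   # strip leading whitespace
    case "$trimmed" in
      /*"->"*)
        obj=${trimmed%%[[:space:]]*}            # first token is the object path
        # Tripwire tracks symlinks as objects in their own right, so a dangling
        # symlink is still a valid rule target: test with -L as well as -e.
        if [ -e "$obj" ] || [ -L "$obj" ]; then
          printf '%s\n' "$line" >> "$out"
        else
          printf '# %s\n' "$line" >> "$out"
          disabled=$((disabled + 1))
        fi ;;
      *) printf '%s\n' "$line" >> "$out" ;;
    esac
  done < "$policy"
  echo "$disabled"
}

# Usage on a real host (review the diff before signing the new policy):
#   disable_missing_paths /etc/tripwire/twpol.txt /etc/tripwire/twpol.txt.new
#   diff /etc/tripwire/twpol.txt /etc/tripwire/twpol.txt.new
```

After reviewing the diff, replace twpol.txt with the new file and continue with the twadmin --create-polfile, rm and tripwire --init steps shown above.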

Now, run a check, followed by an update. This shifts files around, which will be flagged as "changed" on the next run, so re-run the check/update:

hostname ~ # tripwire --check
hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/hostname_date_time.twr
hostname ~ # tripwire --check
hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/hostname_date_time.twr

After System Changes

After you emerge packages or change config files:

hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/a_previous_integrity_report.twr

Tidying Up

After a while, the /var/log/tripwire/report/ directory becomes quite large. At some point, these historical reports are of no value, so they can be deleted. One guideline might be to blow away anything more than 6 months old.
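The update command in the previous section needs the name of a concrete report file, and this section's 6-month guideline needs a way to find old ones. The two helpers below are an added example (not part of this HOWTO): one prints the newest .twr file in a report directory, the other lists or, with --delete, removes reports older than a given number of days. The directory and the 180-day threshold are arguments; the test uses constructed files in a temporary directory rather than a live report directory.

```shell
#!/bin/sh
# Print the path of the newest .twr report in directory $1, for use as the
# argument of `tripwire --update --twrfile`. Prints nothing if there is none.
latest_report() {
  ls -t "$1"/*.twr 2>/dev/null | head -n 1
}

# List (default) or delete (third argument "--delete") reports in $1 that are
# older than $2 days. find's -mtime +N matches files modified more than N*24h
# ago, so 180 approximates the 6-month guideline. Run without --delete first
# and read the list before removing anything.
prune_old_reports() {
  dir="$1"; days="$2"; mode="${3:-list}"
  if [ "$mode" = "--delete" ]; then
    find "$dir" -maxdepth 1 -type f -name '*.twr' -mtime +"$days" -exec rm -f {} +
  else
    find "$dir" -maxdepth 1 -type f -name '*.twr' -mtime +"$days"
  fi
}

# Usage on a real host:
#   tripwire --update --twrfile "$(latest_report /var/lib/tripwire/report)"
#   prune_old_reports /var/lib/tripwire/report 180            # dry run
#   prune_old_reports /var/lib/tripwire/report 180 --delete
```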

Troubleshooting

An error of "Fatal Exception st9exception" indicates that the tripwire database has become corrupted. Re-initialize it (tripwire --init) and follow the steps above.