HOWTO Setup Tripwire
Revision as of 21:45, 14 June 2011

Setting Up a Tripwire Installation

hostname ~ # emerge tripwire
hostname ~ # cd /etc/tripwire
hostname ~ # emacs -nw /etc/tripwire/twpol.txt     (change HOSTNAME= to the proper hostname)
hostname ~ # emacs -nw /etc/tripwire/twcfg.txt     (change /bin/nano to /usr/bin/vi for use during updating, for example)

Create the list of files we want to fingerprint and monitor:

hostname ~ # /usr/local/bin/mktwpol.sh > /etc/tripwire/twpol.txt

(If you don't have this on your system, grab it HERE (the wiki's mktwpol.sh page), name it /usr/local/bin/mktwpol.sh, and make it executable with chmod u+x /usr/local/bin/mktwpol.sh.)

Create the keys, and sign the policy and configuration files:

hostname ~ # sh ./twinstall.sh   (supply site- and local-key multiple times to setup, site-key another couple of times to sign tw.pol and tw.cfg)

Now initialize everything (this creates the database file /var/lib/tripwire/$hostname.twd):

hostname ~ # tripwire --init

Generate a Report

hostname ~ # tripwire --check

The first time you do this there will be a massive number of files not found. Go through these one by one and either find the file's proper location or comment it out in twpol.txt. Many files have been relocated relative to what the original twpol.txt lists, e.g. a binary moved from /bin/ to /usr/bin/, or from /sbin/ to /usr/sbin/. This first pass is a huge pain in the butt, often with several hundred files needing review. You can jump-start it by copying over a similar config from another machine, but that runs the risk of incomplete coverage and isn't recommended.
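The relocation check above (a "not found" file often just moved from /bin to /usr/bin or /sbin to /usr/sbin) is the part most helper scripts get wrong. The following is an added example, not code from the wiki or from mktwpol.sh: it looks for each candidate path under its /usr-prefixed (and un-prefixed) alternative before declaring it missing, and writes the result as a Tripwire rule block with missing files kept as comments so a reviewer can see what lost coverage. The rule name, the severity value and the property mask +pinugtsdbmCM-rlacSH (the stock policy's ReadOnly mask) are assumptions; the ROOT argument only exists so the functions can be run against a scratch tree.

```shell
#!/bin/sh
# Added example, not code from the wiki or from mktwpol.sh: build a Tripwire
# policy stanza from a list of candidate paths, checking the /bin -> /usr/bin
# and /sbin -> /usr/sbin relocations the HOWTO describes before giving up on
# a file. ROOT lets the functions run against a scratch tree instead of "/".

# relocate_path ROOT PATH
# Prints the location under ROOT where PATH currently exists, trying the
# /usr-prefixed form and the reverse (for files that moved out of /usr).
# Returns 1 and prints nothing if the file is not found anywhere.
relocate_path() {
    rp_root=$1
    rp_path=$2
    for rp_cand in "$rp_path" "/usr$rp_path" "${rp_path#/usr}"; do
        if [ -e "$rp_root$rp_cand" ]; then
            printf '%s\n' "$rp_cand"
            return 0
        fi
    done
    return 1
}

# emit_policy ROOT RULENAME MASK < candidate_list
# Reads one path per line and writes one Tripwire rule block. Files that
# exist (after relocation) get a rule line, a relocation is recorded in a
# comment, and missing files are emitted as comments rather than dropped.
# The property mask is passed in; the stock twpol.txt defines variables such
# as $(SEC_BIN) for the same purpose (assumption: the ReadOnly mask below).
emit_policy() {
    ep_root=$1
    ep_rule=$2
    ep_mask=$3
    printf '(\n  rulename = "%s",\n  severity = 100\n)\n{\n' "$ep_rule"
    while IFS= read -r ep_path; do
        [ -n "$ep_path" ] || continue
        if ep_found=$(relocate_path "$ep_root" "$ep_path"); then
            if [ "$ep_found" != "$ep_path" ]; then
                printf '  # %s relocated to %s\n' "$ep_path" "$ep_found"
            fi
            printf '  %s -> %s;\n' "$ep_found" "$ep_mask"
        else
            printf '  # not found: %s\n' "$ep_path"
        fi
    done
    printf '}\n'
}

# Stand-alone use against the real filesystem (constructed candidate list):
#   sh ./this_script.sh --run > /tmp/stanza.txt   (hypothetical file name)
if [ "${1:-}" = "--run" ]; then
    printf '/bin/ls\n/bin/sh\n/sbin/ifconfig\n' |
        emit_policy "" "Added example" '+pinugtsdbmCM-rlacSH'
fi
```

The emitted block can be pasted into twpol.txt; the commented "not found" lines are the list to review by hand, which is the step the HOWTO says cannot safely be skipped.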


File System Error Messages

To get rid of "File system error." messages where the file or folder does not exist, first check whether the file has been relocated (fairly common when updating packages), and comment the culprit out of /etc/tripwire/twpol.txt only if it has truly disappeared.

hostname ~ # emacs -nw /etc/tripwire/twpol.txt

Then update the policy file, delete the database, and re-initialize it:

hostname ~ # twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
hostname ~ # rm /var/lib/tripwire/$hostname.twd*
hostname ~ # tripwire --init

Now run a check followed by an update. This shifts files around (mainly it creates /var/lib/tripwire/$hostname.twd.bak), which will be flagged as "changed" on the next run, so re-run the check/update pair:

hostname ~ # tripwire --check
hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/<hostname_date_time>.twr
hostname ~ # tripwire --check
hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/<hostname_date_time>.twr

After System Changes

After you emerge packages or change config files:

hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/<a_previous_integrity_report>.twr

Tidying Up

After a while the /var/lib/tripwire/report/ directory becomes quite large. At some point these historical reports are of no value, so they can be deleted. One guideline is to blow away anything more than 6 months old.
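The check/update cycle above always wants the report the check just wrote, and the tidying step wants only old reports removed without touching the database or keys next to them. The following is an added example, not code from the wiki: a helper that picks the newest .twr in the report directory, a pruning function, and the two-step cycle built on them. The report path is the one the HOWTO uses; the 180-day retention stands in for its "6 months" guideline; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki: helpers around the report directory that
# the HOWTO's check/update cycle fills. REPORT_DIR matches the HOWTO's path;
# the 180-day retention is an assumed reading of "more than 6 months old".
REPORT_DIR=/var/lib/tripwire/report

# latest_report DIR
# Prints the newest *.twr file in DIR (by mtime), which is the report that
# "tripwire --update --twrfile" should normally be given. Returns 1 if there
# is none, so a caller never passes an empty --twrfile argument.
latest_report() {
    lr_dir=$1
    lr_newest=
    for lr_f in "$lr_dir"/*.twr; do
        [ -f "$lr_f" ] || continue
        if [ -z "$lr_newest" ] || [ "$lr_f" -nt "$lr_newest" ]; then
            lr_newest=$lr_f
        fi
    done
    [ -n "$lr_newest" ] || return 1
    printf '%s\n' "$lr_newest"
}

# prune_reports DIR DAYS
# Deletes *.twr reports older than DAYS. Only regular files with the report
# suffix are matched, so a database or key file in the same tree is left alone.
prune_reports() {
    find "$1" -name '*.twr' -type f -mtime "+$2" -exec rm -f {} +
}

# check_then_update
# The HOWTO's two-step cycle: run a check, then fold the result into the
# database using the report that check just wrote. tripwire --check exits
# non-zero when it finds violations, so its status is deliberately ignored.
# Needs root and a working Tripwire install, so it is not exercised here.
check_then_update() {
    tripwire --check || true
    cu_report=$(latest_report "$REPORT_DIR") || {
        echo "no report found in $REPORT_DIR" >&2
        return 1
    }
    tripwire --update --twrfile "$cu_report"
}

# Stand-alone use:  sh ./this_script.sh --prune   (hypothetical file name)
if [ "${1:-}" = "--prune" ]; then
    prune_reports "$REPORT_DIR" 180
fi
```

Running the prune from cron keeps the report directory bounded; keep at least the most recent report, since the "After System Changes" step needs a previous integrity report to update against.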

Troubleshooting

An error of "Fatal Exception st9exception" indicates that the tripwire database has become corrupted. Re-initialize it (tripwire --init) and follow the steps under File System Error Messages.