HOWTO Setup Tripwire

From Research
Jump to navigation Jump to search

Setting Up a Tripwire Installation

hostname ~ # emerge tripwire
hostname ~ # cd /etc/tripwire

Perform Customizations

Check that HOSTNAME= is sane (around line 64 - 70 depending on distribution

hostname ~ # emacs -nw /etc/tripwire/twpol.txt

Change the editor used by logwatch during updating:

hostname ~ # emacs -nw /etc/tripwire/twcfg.txt     (change /bin/nano to /usr/bin/vi for example)

Create the keys, and sign the policy and configuration files:

hostname ~ # sh ./twinstall.sh   (supply site- and local-key multiple times to setup, site-key another couple of times to sign tw.pol and tw.cfg)

Now initialize everything (creates the database file /var/lib/tripwire/$hostname.twd)

hostname ~ # tripwire --init

Generate a Report

hostname ~ # tripwire --check

The first time you do this, there will be a massive number of files not found. Go through these, one by one, and either find the proper location of the file, or comment them out in the twpol.txt. Many files seem to be re-located from what's in the original twpol.txt - like, a binary moved from /bin/ to /usr/bin/ or maybe from /sbin/ to /usr/sbin/. This first pass through is a huge pain in the butt, often with several hundred files needing review. You can jump-start this by copying over a similar config from another machine, but this runs the risk of incomplete coverage, and isn't recommended.

There are scripts out there (on the 'Net) which try to assist you in performing this first setup. Watch out: some merely comment-out the not-found files, without considering if the file has been re-located. This will result in incomplete coverage :-(

File System Error Messages

To get rid of "File system error." messages where the file or folder does not exist, first check to see if the file has been re-located (somewhat common when updating packages), or comment out the culprits from /etc/tripwire/twpol.txt if it's truly disappeared.

hostname ~ # emacs -nw /etc/tripwire/twpol.txt

Then, update the policy file, delete and re-init the db:

hostname ~ # twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
hostname ~ # rm /var/lib/tripwire/$hostname.twd
hostname ~ # tripwire --init

Now, run a check, followed by an update. This shifts files around, which will be flagged as "changed" on the next run, so re-run the check/update:

hostname ~ # tripwire --check
hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/<hostname_date_time>.twr
hostname ~ # tripwire --check
hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/<hostname_date_time>.twr

After System Changes

After you emerge packages or change config files:

hostname ~ # tripwire --update --twrfile /var/lib/tripwire/report/<a_previous_integrity_report>.twr

Tidying Up

After a while, the /var/log/tripwire/report/ directory becomes quite large. At some point, these historical reports are of no value, so they can be deleted. One guideline might be to blow away anything more than 6 months old.

Troubleshooting

An error of: Fatal Exception st9exception indicates that the tripwire database has become corrupted. Re-initialize (tripwire --init) and follow the steps under File System Error Messages.