Computing/Linux/Tripwire

File locations

 * Config directory: /etc/tripwire
 * Policy files (text and binary): /etc/tripwire/twpol.txt, /etc/tripwire/tw.pol
 * Config files (text and binary): /etc/tripwire/twcfg.txt, /etc/tripwire/tw.cfg
 * Database file: /var/lib/tripwire/model.mit.edu.twd
 * Report file: /var/lib/tripwire/report/model.mit.edu-20050608-155600.twr

Setup

 * How To Linux - Tripwire
 * Red Hat Linux 9: Red Hat Linux Reference Guide
 * Maintaining Integrity with Tripwire

Setting up tripwire is a multi-step process (the long and short command forms are equivalent):

 * Essential Preparation for First Run (choose the site and local passphrases, edit the text configuration file)
 * Initial Installation (generate the site and local keys, sign the text config and policy into their binary forms): /etc/tripwire/twinstall.sh
 * Database Initialization (snapshot the file system as described by the policy; this baseline is what later checks are compared against): /usr/sbin/tripwire --init, same as tripwire -m i
 * Generate a List of Errors (run a first check; every path the sample policy names but your system lacks shows up as a file system error): /usr/sbin/tripwire --check, same as tripwire -m c
 * Edit Policy File (manually adjust the policy file to correctly reflect the layout of files on your computer; remove or comment out the paths from the error list) - change HOSTNAME
 * Update Policies (signs the edited text policy into the binary file tripwire uses and rebuilds the database): /usr/sbin/tripwire --update-policy -Z low /etc/tripwire/twpol.txt, same as /usr/sbin/tripwire -m p -Z low /etc/tripwire/twpol.txt. -Z low selects low security mode, so the update is not refused because files have changed since the database was built
 * Additions, Modifications, Customization (tweak policy and configuration files to your special needs)
 * and possibly, to confirm that emailed reports are delivered: /usr/sbin/tripwire --test --email user@domain.com, same as /usr/sbin/tripwire -m t -e user@domain.com

Database Update mode reconciles differences between the database and the current system, so an accepted change no longer shows up as a violation in future reports. In Database Update mode the plain-text report is opened in an editor program; each violation has a "ballot box" next to it, and the entries still marked with an "x" when you leave the editor are the ones written into the database (delete the x to keep the old database entry). After the user exits the editor and provides the correct local passphrase, tripwire updates the database: /usr/sbin/tripwire --update. You may need to point it at the correct report file with --twrfile or -r: /usr/sbin/tripwire --update --twrfile /var/lib/tripwire/report/ .twr is usually

Tripwire will display the report file using the default text editor specified on the EDITOR line of the Tripwire configuration file. This gives you an opportunity to deselect files you do not wish to update in the Tripwire database.

To reconcile the changes between a specific report and the baseline, run /usr/sbin/tripwire -m u -r /path/to/encrypted/report.twr This gives you a rundown of the differences and allows you to individually add them to the baseline. You can use -a to automatically accept all changes, but should do so with caution.
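The setup steps and the Database Update step above, wrapped in one script. This is an added example, not the page's own commands or anything shipped with Tripwire: the policy parser and report lookup run on any host, while the tripwire_* functions need tripwire installed and prompt for the passphrases. TWPOL and TWREPORTDIR default to the file locations listed at the top of the page; the function names, the verbs and the sample policy used in the test are assumptions.

```shell
#!/bin/sh
# Added example, not from this page or the Tripwire project: a small wrapper
# around the setup steps. The parsing functions run anywhere; the tripwire_*
# functions need tripwire installed and prompt for the site/local passphrases.
# TWPOL and TWREPORTDIR default to the file locations listed on the page;
# the function names and verbs below are assumptions.

TWPOL="${TWPOL:-/etc/tripwire/twpol.txt}"
TWREPORTDIR="${TWREPORTDIR:-/var/lib/tripwire/report}"

# Print every filesystem object named in a text policy file, one per line.
# Rule lines look like "/etc/passwd -> $(SEC_CRIT) ;" and stop points like
# "!/var/log/cups ;"; comments, variables and attribute blocks are skipped.
policy_paths() {
    awk '
        # drop comments and leading whitespace
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }
        /^!?\// {
            p = $0
            # a stop point is still a path to check
            sub(/^!/, "", p)
            # cut the "-> $(SEC_...) ;" part, or a bare ";"
            sub(/[ \t]*(->|;).*$/, "", p)
            print p
        }' "$1"
}

# Paths the policy names but this host does not have. Each of these produces
# a file system error in the first check; remove or comment them out in
# twpol.txt before running --update-policy. A dangling symlink counts as present.
missing_policy_paths() {
    policy_paths "$1" | while IFS= read -r p; do
        [ -e "$p" ] || [ -L "$p" ] || printf '%s\n' "$p"
    done
}

# Newest report in the report directory (names are HOST-YYYYMMDD-HHMMSS.twr,
# so mtime order and name order agree); prints nothing if there is none.
latest_report() {
    ls -t "$TWREPORTDIR"/*.twr 2>/dev/null | head -n 1
}

# Initial Installation, Database Initialization, first check ("list of errors").
tripwire_setup() {
    sh /etc/tripwire/twinstall.sh
    /usr/sbin/tripwire --init            # same as -m i
    /usr/sbin/tripwire --check           # same as -m c
}

# Update Policies: after editing twpol.txt, re-sign it and rebuild the database.
# -Z low keeps the update from being refused because of outstanding changes.
tripwire_policy_update() {
    /usr/sbin/tripwire --update-policy -Z low "$TWPOL"
}

# Database Update mode against the most recent report (tripwire -m u -r ...).
tripwire_update_latest() {
    r=$(latest_report)
    [ -n "$r" ] || { echo "no .twr report under $TWREPORTDIR" >&2; return 1; }
    /usr/sbin/tripwire --update --twrfile "$r"
}

case "${1:-}" in
    preflight) missing_policy_paths "$TWPOL" ;;
    setup)     tripwire_setup ;;
    policy)    tripwire_policy_update ;;
    update)    tripwire_update_latest ;;
    *)         ;;   # no verb: only define the functions (e.g. when sourced)
esac
```

Run `sh tripwire-setup.sh preflight` after changing HOSTNAME and before `policy`; the paths it prints are the ones that would otherwise turn the first report into noise. The `update` verb picks the newest .twr by modification time, which is the same ordering as the timestamp in the file name, so it covers the "may need to specify the correct report file" case without typing the name.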

To exclude a subdirectory, add a stop point (a path prefixed with !) inside the same rule block as the directory it lives under: /var/log -> rule ; !/var/log/cups ; # this directory is excluded
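Where that stop point sits in a complete rule block, as an added example (a constructed twpol.txt fragment, not the page's own policy and not a copy of the Red Hat sample file). It assumes the $(SEC_CONFIG) and $(SIG_LOW) variables that the sample policy defines near the top of the file.

```text
# Constructed twpol.txt fragment. Assumes $(SEC_CONFIG) and $(SIG_LOW) are
# defined earlier in the policy, as they are in the sample file.
(
  rulename = "System logs",
  severity = $(SIG_LOW)
)
{
  /var/log          -> $(SEC_CONFIG) ;   # everything under /var/log ...
  !/var/log/cups ;                       # ... except this subtree (stop point)
  !/var/log/lastlog ;                    # a single file can be a stop point too
}
```

After editing, re-sign the policy with /usr/sbin/tripwire --update-policy -Z low /etc/tripwire/twpol.txt; the text file is never read by the checker directly, only the binary tw.pol built from it.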