Computing/Linux/Tripwire
File locations
- Config directory: /etc/tripwire
- Policy files (text and binary):
  - /etc/tripwire/twpol.txt
  - /etc/tripwire/tw.pol
- Config files (text and binary):
  - /etc/tripwire/twcfg.txt
  - /etc/tripwire/tw.cfg
- Database file (named <hostname>.twd): /var/lib/tripwire/model.mit.edu.twd
- Report file (named <hostname>-<date>-<time>.twr): /var/lib/tripwire/report/model.mit.edu-20050608-155600.twr
Setup
- How To Linux - Tripwire
- Red Hat Linux 9: Red Hat Linux Reference Guide
- Maintaining Integrity with Tripwire
Setting up tripwire is a multi-step process:
- Essential Preparation for First Run (choose the site and local passphrases, edit the configuration file)
- Initial Installation (generate the site and local keys, write the signed binary config and policy files)
    /etc/tripwire/twinstall.sh
- Database Initialization (take a baseline snapshot of your file system according to the sample policy)
    /usr/sbin/tripwire --init
  same as
    tripwire -m i
- Generate a List of Errors (check the current file system against the baseline; every mismatch is reported as a violation)
    /usr/sbin/tripwire --check
  same as
    tripwire -m c
- Edit Policy File (manually adjust the policy file to correctly reflect the layout of the files on your computer) - change HOSTNAME
- Update Policies (creates the binary policy file used by tripwire from the text policy file)
    /usr/sbin/tripwire --update-policy -Z low /etc/tripwire/twpol.txt
  same as
    /usr/sbin/tripwire -m p -Z low /etc/tripwire/twpol.txt
- Additions, Modifications, Customization (tweak policy and configuration files to your special needs, then regenerate the binary policy)
    /usr/sbin/tripwire --update-policy -Z low /etc/tripwire/twpol.txt
  same as
    /usr/sbin/tripwire -m p -Z low /etc/tripwire/twpol.txt
  and possibly, to test that report mail is delivered:
    /usr/sbin/tripwire --test --email user@domain.com
  same as
    /usr/sbin/tripwire -m t -e user@domain.com
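The check step above is the one you end up running from cron. The following wrapper is an added example, not part of this page or of the Tripwire project: it refuses to run without a baseline database, runs tripwire --check, pulls the violation count out of the text report that the check prints, mails the report when anything changed, and exits non-zero so a monitoring job can notice. It assumes the Red Hat paths used on this page, a working mail command, and that the report summary contains the line "Total violations found:  N" (Tripwire 2.x text reports do); MAILTO and the "run" argument are conventions of this script.

```shell
#!/bin/sh
# Added example wrapper around `tripwire --check` (not Tripwire's own code).
# Assumes the /etc/tripwire and /var/lib/tripwire layout shown on this page.
set -u

TW=/usr/sbin/tripwire
TW_DB_DIR=/var/lib/tripwire
TW_REPORT_DIR=$TW_DB_DIR/report
MAILTO=${MAILTO:-root}          # assumed: where reports go

# Default database name: <hostname>.twd inside the database directory.
tw_db_path() {
    printf '%s/%s.twd\n' "$TW_DB_DIR" "$1"
}

# Newest report for a host. Names are <hostname>-<YYYYMMDD>-<HHMMSS>.twr,
# so a plain sort puts the most recent one last.
tw_latest_report() {
    ls "$TW_REPORT_DIR"/"$1"-*.twr 2>/dev/null | sort | tail -n 1
}

# Extract N from the "Total violations found:  N" summary line read on stdin.
# Prints -1 if the line is missing, so a failed or truncated run is never
# mistaken for a clean one.
tw_violation_count() {
    awk -F: '
        /^Total violations found:/ { gsub(/[ \t]/, "", $2); print $2; found = 1 }
        END { if (!found) print -1 }'
}

# Run the check. Return codes: 0 clean, 1 violations found, 2 no baseline
# or unreadable report.
tw_check_and_mail() {
    host=$(hostname)
    db=$(tw_db_path "$host")
    if [ ! -f "$db" ]; then
        echo "$db missing: run '$TW --init' first" >&2
        return 2
    fi
    # --check writes the signed .twr report and prints the text version.
    report_text=$("$TW" --check 2>&1)
    n=$(printf '%s\n' "$report_text" | tw_violation_count)
    latest=$(tw_latest_report "$host")
    case "$n" in
        0)
            logger -t tripwire "integrity check clean on $host"
            return 0 ;;
        -1)
            printf '%s\n' "$report_text" | mail -s "tripwire: check FAILED on $host" "$MAILTO"
            return 2 ;;
        *)
            logger -t tripwire "$n violation(s) on $host, report $latest"
            printf '%s\n' "$report_text" | mail -s "tripwire: $n violation(s) on $host" "$MAILTO"
            # Reconcile afterwards with: $TW --update --twrfile "$latest"
            return 1 ;;
    esac
}

# Only run when invoked with "run" (e.g. from cron), so the file can also be
# sourced for its helper functions.
if [ "${1:-}" = run ]; then
    tw_check_and_mail
    exit $?
fi
```

Schedule it as e.g. "0 3 * * * /usr/local/sbin/tripwire-check run" in root's crontab; the returned status (0/1/2) is what a monitoring job should key on rather than the mail, since mail delivery can fail silently.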
Database Update mode reconciles differences between the database and the current system, so a reported violation does not show up again in future reports. In Database Update mode, the items to be changed are marked in a "ballot box" in the plain text report, which is opened in an editor program. Each entry to be updated is selected by leaving the "x" next to that policy violation (remove the "x" to keep the old baseline entry). After the user exits the editor and provides the correct local passphrase, tripwire updates the database.
    /usr/sbin/tripwire --update
You may need to name the correct report file with --twrfile or -r:
    /usr/sbin/tripwire --update --twrfile /var/lib/tripwire/report/<name>.twr
<name> is usually <hostname>-<YYYYMMDD>-<HHMMSS>, as in the report file listed above.
Tripwire displays the report file using the text editor named on the EDITOR line of the Tripwire configuration file. This gives you an opportunity to deselect files you do not wish to update in the Tripwire database.
To reconcile the changes between a specific report and the baseline, run
    /usr/sbin/tripwire -m u -r /path/to/encrypted/report.twr
This gives you a rundown of the differences and lets you add them to the baseline individually. You can use -a (--accept-all) to accept every change without opening the editor, but should do so with caution, since it also accepts changes you did not make.
To exclude a subdirectory, add a stop point (a path prefixed with "!") inside the rule that covers its parent:
    /var/log -> rule ;
    !/var/log/cups ;   # this directory is excluded
(here "rule" stands for the property mask, e.g. $(SEC_CONFIG))
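A complete rule block from a twpol.txt, as an added example rather than text from this page, shows where the stop points sit relative to the rule attributes. It assumes the property-mask and severity variables defined near the top of the stock Red Hat twpol.txt (SEC_CONFIG, SEC_LOG, SIG_LOW) and an assumed address for emailto.

```text
# Added example rule block (not the stock policy). Variables SEC_CONFIG,
# SEC_LOG and SIG_LOW are assumed to be defined earlier in twpol.txt.
(
  rulename = "System logs",
  severity = $(SIG_LOW),
  emailto  = admin@example.com
)
{
  /var/log           -> $(SEC_CONFIG) ;   # directory and everything below: owner, perms, inode, not contents
  /var/log/messages  -> $(SEC_LOG) ;      # growing file: reports if it shrinks or changes owner/perms
  !/var/log/cups ;                        # stop point: nothing under here is scanned
  !/var/log/lastlog ;                     # rewritten at every login, would report constantly
}
```

The more specific entry wins for an object, so /var/log/messages is checked with the growing-file mask while the rest of /var/log keeps SEC_CONFIG; after editing, regenerate the binary policy with /usr/sbin/tripwire --update-policy -Z low /etc/tripwire/twpol.txt as shown above.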