Using Tripwire


Subject: Using Tripwire
From: Mike Barsalou (mbarsalou@aidea.org)
Date: Wed Jan 08 2003 - 13:08:02 AKST


I just recently installed tripwire on a test box and have been playing with
it for a little while. Although I think the information that is provided
with the application is good, it has a few shortcomings. This will be a
quick reference to using Tripwire, and should allow you to set it up and use
it.

The first thing to note is after you install the rpm, you need to go to the
/usr/share/doc/tripwire....directory and look at the quickstart document.
This is a good overview of how it works but it fails to tell you EXACTLY how
to do it. For example, when you update the policy file you must issue this
command:

tripwire --update-policy <policy.txt>

whereas the quickstart.txt guide just says:

tripwire --update-policy

The same is true for using the --update switch. Below are the steps that I
got from the quickstart.txt guide and put Tripwire into production for me
using all default values:

 rpm -ivh tripwire-2.3.1.i386.rpm
 cd /etc/tripwire/
 ./twinstall.sh (it will then ask you for passphrases for site and local
keys)

At this point, tripwire is installed. To test it, type:

tripwire --check

On my machine it produced a bunch of file not found errors because the
default policy file was pointing to files that did not exist. I modified
the policy file (not the encrypted one) and re-ran tripwire like this:

tripwire --update-policy /etc/tripwire/twpol.txt (enter appropriate
passphrases when asked)
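The "file not found" errors come from rules in twpol.txt that name paths the box does not have. Here is an added helper (my own example, not something from Mike's post or the Tripwire package) that lists those rule paths so you can trim them before running --update-policy. It assumes the stock rule form "/path -> $(MASK) ;" on one line; the optional second argument is a prefix used only to test against a constructed tree.

```shell
#!/bin/sh
# Added example (not from Mike's post): find rules in a Tripwire policy
# text file whose path does not exist on this box, so they can be trimmed
# before running `tripwire --update-policy`. Only the stock
# "/path -> $(MASK) ;" rule lines are inspected; variable definitions,
# "!/path ;" stop points and the rule headers are skipped. The optional
# second argument prefixes every path (used here to test against a
# constructed tree instead of the real filesystem).
missing_policy_paths() {
    polfile="$1"
    root="${2:-}"
    # Keep lines whose first non-blank token is an absolute path followed
    # by "->", and print just that path.
    sed -n 's/^[[:space:]]*\(\/[^[:space:];]*\)[[:space:]]*->.*/\1/p' "$polfile" |
    while IFS= read -r p; do
        [ -e "$root$p" ] || printf '%s\n' "$p"
    done
}

# Usage on a real box (prints nothing when every rule path exists):
#   missing_policy_paths /etc/tripwire/twpol.txt
```

Run it once against /etc/tripwire/twpol.txt, comment out or delete the rules it prints, then do the --update-policy step; a clean run prints nothing.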

After that I discovered that some files had been added between the
time I ran the initial database and when I ran the check. This caused me to
want to update the database. I did that by typing:

tripwire --update -r /var/lib/tripwire/<tripwire-report-file>.twr (enter
appropriate passphrases when asked)

This report file is date time stamped, so you will have to look at the
report directory to determine the name of the file. It then brings up vi
and I browse the file and ensure that all files that I would like added to
the tripwire database have an X next to them... you really have to do this
once to understand it fully.
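Since the report name carries the date and time, you can let the shell pick the newest one instead of reading the directory by eye. This is an added example of mine, not from Mike's post or the Tripwire package; it assumes the stock report naming <host>-YYYYMMDD-HHMMSS.twr (so a plain sort orders the names by time) and defaults to /var/lib/tripwire/report, which the RPM uses; pass a different directory as the first argument if your reports live straight under /var/lib/tripwire.

```shell
#!/bin/sh
# Added example (not from Mike's post): pick the newest Tripwire report
# and hand it to `tripwire --update`, instead of reading the report
# directory by eye. Assumes the stock report naming
# <host>-YYYYMMDD-HHMMSS.twr, so a plain sort of the file names orders
# them by time. The report directory is assumed to be
# /var/lib/tripwire/report (the RPM default); override it with the
# first argument to update_from_newest.

# Print the path of the newest *.twr file in the directory given as $1,
# or nothing if there are none.
newest_report() {
    dir="$1"
    ls "$dir"/*.twr 2>/dev/null | sort | tail -n 1
}

# Run the interactive update against the newest report in $1.
# When $2 is "dry-run", only print the tripwire command that would run.
update_from_newest() {
    dir="${1:-/var/lib/tripwire/report}"
    mode="${2:-}"
    rep=$(newest_report "$dir")
    if [ -z "$rep" ]; then
        echo "no .twr reports found in $dir" >&2
        return 1
    fi
    if [ "$mode" = "dry-run" ]; then
        printf 'tripwire --update -r %s\n' "$rep"
        return 0
    fi
    tripwire --update -r "$rep"
}

# Usage on a real box: update_from_newest
# (or: update_from_newest /var/lib/tripwire dry-run   to see what it would run)
```

It still drops you into vi on the chosen report, exactly as the manual command does; the dry-run mode just shows which report it picked so you can check the timestamp before committing the update.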

After quitting vi like this:

:wq (That's colon dubya cue)

Tripwire continues on and updates the database. To verify it updated the
database properly, I immediately ran:

tripwire --check

At this point, you will be getting tripwire reports in your e-mail box every
night. The good thing is that each report is saved using a date time stamp
so you can pick and choose which files you want to update, etc. Also, it
could possibly be used as a way to track changes you have made to your
configuration. (CVS is another great way).

Have fun!
Mike




This archive was generated by hypermail 2a23 : Wed Jan 08 2003 - 13:08:44 AKST