The Tripwire package contains programs used to verify the integrity of the files on a given system.
Download (HTTP): http://downloads.sourceforge.net/tripwire/tripwire-2.4.0.1-src.tar.bz2?download
Download MD5 sum: b371f79ac23cacc9ad40b1da76b4a0c4
Download size: 1.2 MB
Estimated disk space required: 37 MB
Estimated build time: 1.6 SBU
An MTA
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/tripwire
Compile Tripwire by running the following commands:
ln -s contrib install && patch -Np1 -i ../tripwire-2.4.0.1-gcc4_build_fixes-1.patch && sed -i -e 's@TWDB="${prefix}@TWDB="/var@' install/install.cfg && ./configure --prefix=/usr --sysconfdir=/etc/tripwire && make
The default configuration is to use a local MTA. If you don't have an MTA installed and have no wish to install one, modify install/install.cfg to use an SMTP server instead. Otherwise the install will fail.
Now, as the root user:
make install && cp -v policy/*.txt /usr/share/doc/tripwire
ln -s contrib install: This command creates a symbolic link in the build directory needed for installation.
sed -i -e 's@TWDB="${prefix}@TWDB="/var@' install/install.cfg: This command tells the package to install the program database and reports in /var/lib/tripwire.
make install: This command creates the Tripwire security keys as well as installing the binaries. There are two keys: a site key and a local key which are stored in /etc/tripwire/.
cp -v policy/*.txt /usr/share/doc/tripwire: This command installs the documentation.
Tripwire uses a policy file to determine which files are integrity checked. The default policy file (/etc/tripwire/twpol.txt) is for a default Redhat installation and will need to be updated for your system.
Policy files should be tailored to each individual distribution and/or installation. Some custom policy files can be found below:
http://home.iprimus.com.au/glombowski/blfs/twpol-all.txt
Checks integrity of all files
http://home.iprimus.com.au/glombowski/blfs/twpol-lfs.txt
Custom policy file for Base LFS 3.0 system
http://home.iprimus.com.au/glombowski/blfs/twpol-suse7.2.txt
Custom policy file for SuSE 7.2 system
Download the custom policy file you'd like to try, copy it into /etc/tripwire/, and use it instead of twpol.txt. It is, however, recommended that you make your own policy file. Get ideas from the examples above and read /usr/share/doc/tripwire/policyguide.txt for additional information. twpol.txt is a good policy file for beginners as it will note any changes to the file system and can even be used as an annoying way of keeping track of changes for uninstallation of software.
After your policy file has been transferred to /etc/tripwire/ you may begin the configuration steps (perform as the root):
twadmin --create-polfile --site-keyfile /etc/tripwire/site.key \ /etc/tripwire/twpol.txt && tripwire --init
To use Tripwire after creating a policy file to run a report, use the following command:
tripwire --check > /etc/tripwire/report.txt
View the output to check the integrity of your files. An automatic integrity report can be produced by using a cron facility to schedule the runs.
Please note that after you run an integrity check, you must examine the report (or email) and then modify the Tripwire database to reflect the changed files on your system. This is so that Tripwire will not continually notify you that files you intentionally changed are a security violation. To do this you must first ls -l /var/lib/tripwire/report/ and note the name of the newest file which starts with linux- and ends in .twr. This encrypted file was created during the last report creation and is needed to update the Tripwire database of your system. Then, as the root user, type in the following command making the appropriate substitutions for <?>:
tripwire --update -twrfile \ /var/lib/tripwire/report/linux-<???????>-<??????>.twr
You will be placed into vim with a copy of the report in front of you. If all the changes were good, then just type :x and after entering your local key, the database will be updated. If there are files which you still want to be warned about, remove the 'x' before the filename in the report and type :x.
A good summary of tripwire operations can be found at http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-tripwire.html.
Last updated on 2007-01-15 17:25:53 -0600