Configuration Information
Tripwire uses a policy file to
determine which files are integrity checked. The default policy
file (/etc/tripwire/twpol.txt
) is
for a default installation and will need to be updated for your
system.
Policy files should be tailored to each individual distribution
and/or installation. Some example policy files can be found in
/usr/doc/tripwire/
(Note that
/usr/doc/
is a symbolic link on LFS
systems to /usr/share/doc/
).
If desired, copy the policy file you'd like to try into
/etc/tripwire/
instead of using the
default policy file, twpol.txt
. It
is, however, recommended that you edit your policy file. Get
ideas from the examples above and read /usr/doc/tripwire/policyguide.txt
for
additional information. twpol.txt
is a good policy file for learning about Tripwire as it will note any changes to the
file system and can even be used as an annoying way of keeping
track of changes for uninstallation of software.
After your policy file has been edited to your satisfaction you
may begin the configuration steps (perform as the root
) user:
twadmin --create-polfile --site-keyfile /etc/tripwire/site.key \
/etc/tripwire/twpol.txt &&
tripwire --init
Depending on your system and the contents of the policy file, the
initialization phase above can take a relatively long time.
Usage Information
Tripwire will identify file
changes in the critical system files specified in the policy
file. Using Tripwire while
making frequent changes to these directories will flag all these
changes. It is most useful after a system has reached a
configuration that the user considers stable.
To use Tripwire after creating a
policy file to run a report, use the following command:
tripwire --check > /etc/tripwire/report.txt
View the output to check the integrity of your files. An
automatic integrity report can be produced by using a cron
facility to schedule the runs.
Reports are stored in binary and, if desired, encrypted. View
reports, as the root
user, with:
twprint --print-report -r /var/lib/tripwire/report/<report-name.twr>
After you run an integrity check, you should examine the report
(or email) and then modify the Tripwire database to reflect the changed
files on your system. This is so that Tripwire will not continually notify you
that files you intentionally changed are a security violation. To
do this you must first ls -l
/var/lib/tripwire/report/ and note the name of
the newest file which starts with your system name as presented
by the command uname
-n
and ends in .twr
. These files were created during report
creation and the most current one is needed to update the
Tripwire database of your
system. As the root
user, type in
the following command making the appropriate report name:
tripwire --update --twrfile /var/lib/tripwire/report/<report-name.twr>
You will be placed into Vim with
a copy of the report in front of you. If all the changes were
good, then just type :wq and after entering your
local key, the database will be updated. If there are files which
you still want to be warned about, remove the 'x' before the
filename in the report and type :wq.
A good summary of tripwire operations can be found at
http://va-holladays.no-ip.info:2200/tools/security-docs/tripwire-v1.0.pdf.
Changing the Policy File
If you are unhappy with your policy file and would like to modify
it or use a new one, modify the policy file and then execute the
following commands as the root
user:
twadmin --create-polfile /etc/tripwire/twpol.txt &&
tripwire --init