Created 1/1/2005
Note: This document has sections that are still in the old non-markup form
Tripwire configuration parameters. This file sets global tripwire(1) options such as mail notification, where the signing keys are kept, and so on.
Todo: Add a preamble for this section and include other sub-sections as well as the mailmethod (1.A)
If this value is SMTP, the variables SMTPUSER and SMTPPORT are used. If this value is SENDMAIL, the value of MAILPROGRAM is used. Note that the mail message generated by tripwire contains a "To:" header listing the recipients; mailers typically parse this header line to establish who should receive the mail.
After the initial tripwire installation, the site key, local key, policy file and configuration file must be generated. The initial key, configuration and policy creation uses the template files in /etc/tripwire (twpol.txt and twcfg.txt). Optionally edit these to suit the current environment and then run:
bash # /usr/sbin/tripwire-setup-keyfiles
This process also creates generic versions of the policy and configuration files delivered in /etc/tripwire (as twpol.txt and twcfg.txt). These can be modified with tasks #3 (Tripwire configuration) and #4 (Policy file) below. After the initial configuration, the tripwire(1) database should be created as described in #5 (Tripwire DB).
To create the actual tripwire configuration, use the twadmin command. This requires the tripwire configuration text file to be specified along with the keys generated in the initial setup (see #2 Initial setup, above):
bash # twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Tripwire requires a policy file, which it uses to determine allowed activities and trip events. The policy is created using the twadmin command with the policy option (-m P), which requires the pathname of the Tripwire policy text file (twpol.txt):
bash # twadmin -m P /etc/tripwire/twpol.txt
The Tripwire database is created using the tripwire command with the --init option, or the -m option with the argument i (for init):
bash # tripwire -m i # running tripwire --init also creates the initial db
Tripwire generates activity reports via the integrity check option. A tripwire report is created with the -m c option. Reports both inform the sysadmin of changes to the system and serve as the basis for updating the tripwire db.
An integrity check report is printed to stdout and saved in the location specified by the REPORTFILE setting in the Tripwire configuration file, which is /var/lib/tripwire/report by default. See #3 (Tripwire configuration) for more information on configuration. The following example shows how a report is generated. Note that the -m c option is the same as --check:
bash # tripwire -m c # or tripwire --check
Before updating the database, generate a report in check mode (-m c). The latest report can then be fed into update mode (-m u), which is the command used to update the Tripwire DB with the new policy and allowable activities.
When updating the database, the user can either accept all changes with -a or enter an interactive mode in which changes are applied selectively. The selective approach marks each change (add/delete/modify) with an [x] (e.g., [x] /var/foo), meaning "this change will be incorporated into the Tripwire DB". Be sure to clear the box if the change is to be ignored, e.g., [ ] /var/foo.
To update the Tripwire DB interactively, run update mode (-m u) and specify the -V option, which requires an editor such as vim. Tripwire event changes are effected by either clearing or checking the tick boxes against the listed updates in the report. Typically the updates default to ticked, so change [x] to [ ] to skip particular updates. Update mode requires a Tripwire report to operate on, specified with the -r report option, where report is an integrity check report generated in check mode (-m c, see #6 Tripwire reports):
bash # tripwire -m u -V vim -r /var/lib/tripwire/report/joslyn-20050531-201644.twr
To update the Tripwire database accepting all modifications, use -m u (update mode) with the accept-all option (-a). The report used to update the Tripwire database is specified with the report option (-r), which requires the full pathname of a tripwire report generated in check mode (-m c, see #6 Tripwire reports):
bash # tripwire -m u -a -r /var/lib/tripwire/report/joslyn-20050531-201644.twr
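The check-then-update steps above hard-code the report filename, which changes on every run. The following script is an added example (not part of these notes) that runs check mode and then feeds the newest .twr report in the report directory into update mode, either interactively or with -a. It assumes REPORT_DIR matches the REPORTFILE directory in twcfg.txt and that the tripwire binary is in PATH; the latest_report helper and its report-naming assumptions are this example's own.

```shell
#!/bin/sh
# Added example: run a Tripwire integrity check, then update the database
# from the newest report instead of a hard-coded report path.
# Assumption: REPORT_DIR is the directory part of REPORTFILE in twcfg.txt.
REPORT_DIR="${REPORT_DIR:-/var/lib/tripwire/report}"

# latest_report DIR: print the path of the newest *.twr file in DIR.
# Returns 1 (and prints nothing) when DIR holds no reports.
latest_report() {
    dir="$1"
    newest=""
    for f in "$dir"/*.twr; do
        [ -f "$f" ] || continue          # unmatched glob stays literal; skip it
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest="$f"                  # keep the most recently modified report
        fi
    done
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# check_then_update [--accept-all]: mode check (-m c) followed by mode
# update (-m u) on the report that check just wrote. Without --accept-all
# the report is opened in $EDITOR (vim by default) so that [x] boxes can be
# cleared for changes that must not enter the database.
check_then_update() {
    tripwire -m c >/dev/null            # non-zero exit is expected when violations were found
    report=$(latest_report "$REPORT_DIR") || {
        echo "no report found in $REPORT_DIR" >&2
        return 1
    }
    if [ "$1" = "--accept-all" ]; then
        tripwire -m u -a -r "$report"
    else
        tripwire -m u -V "${EDITOR:-vim}" -r "$report"
    fi
}

# Only touch the live database when invoked as:  ./tw-update.sh run [--accept-all]
case "${1-}" in
    run) check_then_update "${2-}" ;;
esac
```

The interactive path is the safer default: a report written after an unexplained change should be inspected before -m u folds it into the baseline, otherwise the database silently accepts whatever the check found.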
To test mail notifications, use the tripwire command in test mode (-m t) with the -e option naming the recipient address:
bash # tripwire -m t -e user@addr
Stuart Moorfoot © 2005 foo@bund.com.au