205.228.74.13: /* Policy file */

2008-06-12T11:30:56Z

‎Policy file

Admin: 2 revision(s)

2007-11-03T18:03:07Z

2 revision(s)

205.228.74.12: /* Policy file */

2007-02-05T10:53:29Z

‎Policy file

192.168.1.64 at 14:06, 3 February 2007

2007-02-03T14:06:16Z

New page

== Checking for changes ==
This looks at all the files specified in the policyfile, and compares their fingerprints with those in the tripwire database. It also saves a copy of the report in /var/lib/tripwire/reports
<pre>
tripwire --check [--email-report]
</pre>

== Updating after known changes (eg. '''apt-get upgrade''') ==
To use a recently generated report as the basis for the files to update (you can choose to update or not update
fingerprints for any of the files marked as changed on the recent report):
<pre>
tripwire --update --twrfile /var/lib/tripwire/report/recent-report.twr
</pre>

Or to generate a report and then identify desired or undesired changes (this is equivalent to both of the commands in the sections above):
<pre>
tripwire --check --interactive
</pre>

== Changing tripwire configuration ==

=== Policy file ===
This file details the files to be watched for changes, and so is the most common configuration change.
* Create a plaintext version of the policy file
<pre>
twadmin --print-polfile > mypol.txt
</pre>
* Edit '''mypol.txt'''

* Encrypt the policyfile, and update the database to reflect the new policy
<pre>
tripwire --update-policy [-Z low] mypol.txt
rm mypol.txt
</pre>

==== Policy Options ====
<pre>
- Ignore the following properties
+ Record and check the following properties
a Access timestamp
b Number of blocks allocated
c Inode timestamp (create/modify)
d ID of device on which inode resides
g File owner's group ID
i Inode number
l File is increasing in size (a "growing file")
m Modification timestamp
n Number of links (inode reference count)
p Permissions and file mode bits
r ID of device pointed to by inode (valid only for device objects)
s File size
t File type
u File owner's user ID
C CRC-32 hash value
H Haval hash value
M MD5 hash value
S SHA hash value
</pre>

==== Builtin variables ====
;ReadOnly
:ReadOnly is good for files that are widely available but are intended to be read-only. Value: '''+pinugtsdbmCM-rlacSH'''
;Dynamic
:Dynamic is good for monitoring user directories and files that tend to be dynamic in behavior. Value: '''+pinugtd-srlbamcCMSH'''
;Growing
:The Growing variable is intended for files that should only get larger. Value: '''+pinugtdl-srbamcCMSH'''
;Device
:Device is good for devices or other files that Tripwire should not attempt to open. Value: '''+pugsdr-intlbamcCMSH'''
;IgnoreAll
:IgnoreAll tracks a file's presence or absence, but doesn't check any other properties. Value: '''-pinugtsdrlbamcCMSH'''
;IgnoreNone
:IgnoreNone turns on all properties and provides a convenient starting point for defining your own property masks (for example, mymask = $(IgnoreNone) -ar;). Value: '''+pinugtsdrbamcCMSH-l'''

=== Configuration file ===
This file only stores basic settings about the site keys, the location of the various tripwire files etc,
and so shouldn't often need changing.
<pre>
twadmin --print-cfgfile > mycfg.txt
</pre>
Edit '''mycfg.txt'''
<pre>
twadmin --create-polfile mycfg.txt
rm mypol.txt
</pre>

==== Common Options ====
;EMAILNOVIOLATIONS
:Send a report email even if no files were reported changed

;LOOSEDIRECTORYCHECKING
:Only report changes to files, not to contents of directories

== References ==
Intrustion Detection for the Masses: http://www.linuxjournal.com/article/4718
HOWTO - Setting up tripwire: http://www.alwanza.com/howto/linux/tripwire.html

@@ Line 29: / Line 29: @@
 * Encrypt the policyfile, and update the database to reflect the new policy
 <pre>
-tripwire --update-policy [-Z low] mypol.txt
+tripwire --update-policy [--secure-mode low] mypol.txt
 </pre>
 Then, tidy up temporary and backup files, and rerun an update to pick up changed files (as above).

← Older revision	Revision as of 18:03, 3 November 2007
(No difference)

@@ Line 30: / Line 30: @@
 <pre>
 tripwire --update-policy [-Z low] mypol.txt
 </pre>
 ==== Policy Options ====

Tripwire - Revision history

205.228.74.13: /* Policy file */

Admin: 2 revision(s)

205.228.74.12: /* Policy file */

192.168.1.64 at 14:06, 3 February 2007