source: postlfs/security/tripwire.xml

trunk
Last change on this file was 5461893, checked in by Bruce Dubbs <bdubbs@…>, 2 months ago

Tag security chapter and qemu

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY tripwire-download-http "https://github.com/Tripwire/tripwire-open-source/releases/download/&tripwire-version;/tripwire-open-source-&tripwire-version;.tar.gz">
  <!ENTITY tripwire-download-ftp " ">
  <!ENTITY tripwire-md5sum "a5cf1bc2f235f5d8ca458f00548db6ee">
  <!ENTITY tripwire-size "980 KB">
  <!ENTITY tripwire-buildsize "29 MB">
  <!ENTITY tripwire-time "1.6 SBU (scripting install)">
]>

<sect1 id="tripwire" xreflabel="Tripwire-&tripwire-version;">
  <?dbhtml filename="tripwire.html"?>

  <title>Tripwire-&tripwire-version;</title>

  <indexterm zone="tripwire">
    <primary sortas="a-Tripwire">Tripwire</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Tripwire</title>

    <para>
      The <application>Tripwire</application> package contains programs
      used to verify the integrity of the files on a given system.
    </para>

    &lfs121_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&tripwire-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&tripwire-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &tripwire-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &tripwire-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &tripwire-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &tripwire-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Tripwire Dependencies</bridgehead>
<!--
    <bridgehead renderas="sect4">Recommended</bridgehead>
    <para role="recommended">
      <xref linkend="openssl"/>
    </para>
-->

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      An <xref linkend="server-mail"/>
    </para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of Tripwire</title>

    <para>
      Compile <application>Tripwire</application> by running the following
      commands:
    </para>

<screen><userinput>sed -e '/^CLOBBER/s/false/true/' \
    -e 's|TWDB="${prefix}|TWDB="/var|' \
    -e '/TWMAN/ s|${prefix}|/usr/share|' \
    -e '/TWDOCS/s|${prefix}/doc/tripwire|/usr/share/doc/tripwire-&tripwire-version;|' \
    -i installer/install.cfg &amp;&amp;

find . -name Makefile.am | xargs \
    sed -i 's/^[[:alpha:]_]*_HEADERS.*=/noinst_HEADERS =/' &amp;&amp;

sed '/dist/d' -i man/man?/Makefile.am &amp;&amp;
autoreconf -fi &amp;&amp;

./configure --prefix=/usr --sysconfdir=/etc/tripwire &amp;&amp;
make CPPFLAGS=-std=c++11</userinput></screen>

    <note>
      <para>
        The default configuration is to use a local MTA. If you don't have
        an MTA installed and have no wish to install one, modify
        <filename>installer/install.cfg</filename> to use an SMTP server
        instead. Otherwise the install will fail.
      </para>
    </note>

    <para>
      This package does not come with a test suite.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
cp -v policy/*.txt /usr/share/doc/tripwire-&tripwire-version;</userinput></screen>

    <note>
      <para>
        During <command>make install</command>, several questions
        are asked, including passwords. If you want to make a script, you have
        to apply a <application>sed</application> before running
        <command>make install</command>:
      </para>

<screen><userinput>sed -i -e 's@installer/install.sh@&amp; -n -s <replaceable>&lt;site-password&gt;</replaceable> -l <replaceable>&lt;local-password&gt;</replaceable>@' Makefile</userinput></screen>

      <para>
        Of course, you should do this with dummy passwords and change them
        later.
      </para>

      <para>
        Another issue when scripting is that the installer exits when the
        standard input is not a terminal. You may disable this behavior
        with the following sed:
      </para>

<screen><userinput>sed '/-t 0/,+3d' -i installer/install.sh</userinput></screen>

    </note>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <command>sed ... installer/install.cfg</command>: This command tells
      the package to install the program database and reports in
      <filename class="directory">/var/lib/tripwire</filename> and sets the
      proper location for man pages and documentation.
    </para>

    <para>
      <command>find ...</command>, <command>sed ...</command>, and
      <command>autoreconf -fi</command>: The build system is unusable as is, and
      has to be modified for the build to succeed.
    </para>

    <para>
      <parameter>CPPFLAGS=-std=c++11</parameter>: Setting the C++ preprocessor
      flags to select the C++11 standard is necessary to prevent a conflict
      with the default standard, which is C++17 in recent versions of gcc.
    </para>

    <para>
      <command>make install</command>: This command creates the
      <application>Tripwire</application> security keys as well as installing
      the binaries. There are two keys: a site key and a local key which are
      stored in <filename class="directory">/etc/tripwire/</filename>.
    </para>

    <para>
      <command>cp -v policy/*.txt /usr/share/doc/tripwire-&tripwire-version;</command>:
      This command installs the <application>tripwire</application> sample
      policy files with the other <application>tripwire</application>
      documentation.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring Tripwire</title>

    <sect3 id="tripwire-config">
      <title>Config Files</title>

      <para>
        <filename>/etc/tripwire/*</filename>
      </para>

      <indexterm zone="tripwire tripwire-config">
        <primary sortas="e-etc-tripwire">/etc/tripwire/*</primary>
      </indexterm>

    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        <application>Tripwire</application> uses a policy file to
        determine which files are integrity checked. The default policy
        file (<filename>/etc/tripwire/twpol.txt</filename>) is for a
        default installation and will need to be updated for your
        system.
      </para>

      <para>
        Policy files should be tailored to each individual distribution and/or
        installation. Some example policy files can be found in <filename
        class="directory">/usr/share/doc/tripwire-&tripwire-version;/</filename>.
      </para>

      <para>
        If desired, copy the policy file you'd like to try into <filename
        class="directory">/etc/tripwire/</filename> instead of using the
        default policy file, <filename>twpol.txt</filename>. It is, however,
        recommended that you edit your policy file. Get ideas from the
        examples above and read
        <filename>/usr/share/doc/tripwire-&tripwire-version;/policyguide.txt</filename>
        for additional information. <filename>twpol.txt</filename> is a good
        policy file for learning about <application>Tripwire</application>,
        as it will note any changes to the file system and can even be used
        as an (admittedly noisy) way of keeping track of the files a software
        installation adds, for later uninstallation.
      </para>
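      <para>
        As an added illustration (it is not part of this page or of the
        Tripwire sources), the following fragment shows the syntax a tailored
        <filename>twpol.txt</filename> uses: GLOBAL variables, property masks,
        and rules binding paths to masks. The paths follow the layout installed
        above; the rule names and severities are arbitrary choices.
      </para>

```text
# Added example policy fragment (not from the BLFS page or Tripwire itself).
# Paths match this page's build: binaries in /usr/sbin, config in
# /etc/tripwire, database and reports under /var/lib/tripwire.

@@section GLOBAL
TWBIN = /usr/sbin;
TWETC = /etc/tripwire;
TWVAR = /var/lib/tripwire;

@@section FS
# Property masks decide which attribute changes are reported.
# $(ReadOnly) covers permissions, owner, inode, size, mtime and hashes;
# $(Growing) tolerates a growing size and changing mtime (log files);
# $(Dynamic) ignores size, mtime and hashes but still watches permissions
# and ownership.
SEC_BIN  = $(ReadOnly) ;
SEC_LOG  = $(Growing) ;
SEC_CONF = $(Dynamic) ;

(
  rulename = "Tripwire Binaries",
  severity = 100
)
{
  $(TWBIN)/siggen   -> $(SEC_BIN) ;
  $(TWBIN)/tripwire -> $(SEC_BIN) ;
  $(TWBIN)/twadmin  -> $(SEC_BIN) ;
  $(TWBIN)/twprint  -> $(SEC_BIN) ;
}

(
  rulename = "Tripwire Data Files",
  severity = 100
)
{
  # The database, keys and signed policy are the root of trust for later checks.
  $(TWVAR)/database  -> $(SEC_CONF) ;
  $(TWVAR)/report    -> $(SEC_CONF) (recurse = 0) ;
  $(TWETC)/site.key  -> $(SEC_BIN) ;
  $(TWETC)/local.key -> $(SEC_BIN) ;
  $(TWETC)/tw.cfg    -> $(SEC_BIN) ;
  $(TWETC)/tw.pol    -> $(SEC_BIN) ;
}

(
  rulename = "System Logs",
  severity = 50
)
{
  /var/log -> $(SEC_LOG) ;
}
```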

      <para>
        After your policy file has been edited to your satisfaction, you may
        begin the configuration steps (perform them as the <systemitem
        class='username'>root</systemitem> user):
      </para>

<screen role="root"><userinput>twadmin --create-polfile --site-keyfile /etc/tripwire/site.key \
    /etc/tripwire/twpol.txt &amp;&amp;
tripwire --init</userinput></screen>

      <para>
        Depending on your system and the contents of the policy file, the
        initialization phase above can take a relatively long time.
      </para>

    </sect3>

    <sect3>
      <title>Usage Information</title>

      <para>
        <application>Tripwire</application> will identify file changes in
        the critical system files specified in the policy file. Using
        <application>Tripwire</application> while making frequent changes to
        these directories will flag all these changes. It is most useful
        after a system has reached a configuration that the user considers
        stable.
      </para>

      <para>
        After creating a policy file, run <application>Tripwire</application>
        to produce an integrity report with the following command:
      </para>

<screen role="root"><userinput>tripwire --check &gt; /etc/tripwire/report.txt</userinput></screen>

      <para>
        View the output to check the integrity of your files. An automatic
        integrity report can be produced by using a cron facility to schedule
        the runs.
      </para>

      <para>
        Reports are stored in binary and, if desired, encrypted. View reports,
        as the <systemitem class="username">root</systemitem> user, with:
      </para>

<screen role="nodump"><userinput>twprint --print-report -r /var/lib/tripwire/report/<replaceable>&lt;report-name.twr&gt;</replaceable></userinput></screen>

      <para>
        After you run an integrity check, you should examine the report (or
        email) and then modify the <application>Tripwire</application> database
        to reflect the changed files on your system. This is so that
        <application>Tripwire</application> will not continually notify you
        that files you intentionally changed are a security violation. To do
        this you must first <command>ls -l /var/lib/tripwire/report/</command>
        and note the name of the newest file which starts with your system
        name as presented by the command <userinput>uname -n</userinput> and
        ends in <filename>.twr</filename>. These files were created during
        report creation, and the most current one is needed to update the
        <application>Tripwire</application> database of your system. As the
        <systemitem class='username'>root</systemitem> user, type in the
        following command, substituting the appropriate report name:
      </para>

<screen role="nodump"><userinput>tripwire --update --twrfile /var/lib/tripwire/report/<replaceable>&lt;report-name.twr&gt;</replaceable></userinput></screen>

      <para>
        You will be placed into <application>Vim</application> with a copy
        of the report in front of you. If all the changes were good, then just
        type <command>:wq</command> and after entering your local key, the
        database will be updated. If there are files which you still want to
        be warned about, remove the 'x' before the filename in the report and
        type <command>:wq</command>.
      </para>
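      <para>
        The check, locate-newest-report, print and update steps described in
        this section can be scripted. The following shell script is an added
        example, not part of this page or of Tripwire; it assumes the layout
        used above (reports in /var/lib/tripwire/report, named after the output
        of uname -n with a .twr suffix), and the function names newest_report,
        run_check and accept_changes are this example's own.
      </para>

```shell
#!/bin/sh
# Added example (not from the BLFS page): automate the report workflow the
# page describes. REPORT_DIR may be overridden from the environment.
REPORT_DIR=${REPORT_DIR:-/var/lib/tripwire/report}

# newest_report DIR HOST: print the most recently modified report in DIR
# whose name starts with HOST and ends in .twr; print nothing if none.
newest_report() {
    _newest=
    for _f in "$1"/"$2"*.twr; do
        [ -f "$_f" ] || continue
        if [ -z "$_newest" ] || [ "$_f" -nt "$_newest" ]; then
            _newest=$_f
        fi
    done
    printf '%s\n' "$_newest"
}

# run_check: perform an integrity check, then print this host's newest
# report in clear text. tripwire exits non-zero when it finds violations
# (or fails), so the status is kept and returned rather than aborting.
run_check() {
    tripwire --check
    _status=$?
    _report=$(newest_report "$REPORT_DIR" "$(uname -n)")
    if [ -z "$_report" ]; then
        echo "no report for $(uname -n) found in $REPORT_DIR"
        return 1
    fi
    echo "tripwire --check exited with status $_status; report: $_report"
    twprint --print-report -r "$_report"
    return "$_status"
}

# accept_changes: open the newest report for a database update, which is
# the tripwire --update step (Vim review, then the local key prompt).
accept_changes() {
    _report=$(newest_report "$REPORT_DIR" "$(uname -n)")
    [ -n "$_report" ] || { echo "no report to update from"; return 1; }
    tripwire --update --twrfile "$_report"
}

case "${1:-}" in
    check)  run_check ;;
    update) accept_changes ;;
esac
```

      <para>
        Running the script with the argument check from cron gives the
        scheduled report mentioned above; run it with update after reviewing
        the report.
      </para>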

    </sect3>

    <sect3>
      <title>Changing the Policy File</title>

      <para>
        If you are unhappy with your policy file and would like to modify it
        or use a new one, modify the policy file and then execute the following
        commands as the <systemitem class='username'>root</systemitem> user:
      </para>

<screen role="nodump"><userinput>twadmin --create-polfile /etc/tripwire/twpol.txt &amp;&amp;
tripwire --init</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>siggen, tripwire, twadmin, and twprint</seg>
        <seg>None</seg>
        <seg>/etc/tripwire, /var/lib/tripwire,
        and /usr/share/doc/tripwire-&tripwire-version;</seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="siggen">
        <term><command>siggen</command></term>
        <listitem>
          <para>
            is a signature gathering utility that displays
            the hash function values for the specified files
          </para>
          <indexterm zone="tripwire siggen">
            <primary sortas="b-siggen">siggen</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="tripwire-program">
        <term><command>tripwire</command></term>
        <listitem>
          <para>
            is the main file integrity checking program
          </para>
          <indexterm zone="tripwire tripwire-program">
            <primary sortas="b-tripwire">tripwire</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="twadmin">
        <term><command>twadmin</command></term>
        <listitem>
          <para>
            is an administrative and utility tool used to perform
            certain administrative functions related to
            <application>Tripwire</application> files and configuration
            options
          </para>
          <indexterm zone="tripwire twadmin">
            <primary sortas="b-twadmin">twadmin</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="twprint">
        <term><command>twprint</command></term>
        <listitem>
          <para>
            prints <application>Tripwire</application>
            database and report files in clear text format
          </para>
          <indexterm zone="tripwire twprint">
            <primary sortas="b-twprint">twprint</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>