source: postlfs/security/tripwire.xml@ 2f00f964

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
   "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY tripwire-download-http "http://prdownloads.sourceforge.net/tripwire/tripwire-&tripwire-version;-src.tar.bz2?download">
  <!ENTITY tripwire-download-ftp  " ">
  <!ENTITY tripwire-md5sum        "b371f79ac23cacc9ad40b1da76b4a0c4">
  <!ENTITY tripwire-size          "1.2 MB">
  <!ENTITY tripwire-buildsize     "37 MB">
  <!ENTITY tripwire-time          "1.6 SBU">
]>

<sect1 id="tripwire" xreflabel="Tripwire-&tripwire-version;">
  <?dbhtml filename="tripwire.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
    <keywordset>
      <keyword role="package">tripwire-&tripwire-version;.tar</keyword>
      <keyword role="ftpdir">tripwire</keyword>
    </keywordset>
  </sect1info>

  <title>Tripwire-&tripwire-version;</title>

  <indexterm zone="tripwire">
    <primary sortas="a-Tripwire">Tripwire</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Tripwire</title>

    <para>The <application>Tripwire</application> package contains programs
    used to verify the integrity of the files on a given system.</para>

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>Download (HTTP): <ulink url="&tripwire-download-http;"/></para>
      </listitem>
      <listitem>
        <para>Download (FTP): <ulink url="&tripwire-download-ftp;"/></para>
      </listitem>
      <listitem>
        <para>Download MD5 sum: &tripwire-md5sum;</para>
      </listitem>
      <listitem>
        <para>Download size: &tripwire-size;</para>
      </listitem>
      <listitem>
        <para>Estimated disk space required: &tripwire-buildsize;</para>
      </listitem>
      <listitem>
        <para>Estimated build time: &tripwire-time;</para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>Required patch:
          <ulink url="&patch-root;/tripwire-&tripwire-version;-gcc4_build_fixes-1.patch"/>
        </para>
      </listitem>
    </itemizedlist>
                                                       
    <bridgehead renderas="sect3">Tripwire Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required"><xref linkend="openssl"/></para>
        

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">MTA (See <xref linkend="server-mail"/>)</para>

    <para condition="html" role="usernotes">User Notes:
    <ulink url="&blfs-wiki;/tripwire"/></para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of Tripwire</title>

    <para>Compile <application>Tripwire</application> by running the following
    commands:</para>

<screen><userinput>ln -s contrib install &amp;&amp;
patch -Np1 -i ../tripwire-&tripwire-version;-gcc4_build_fixes-1.patch &amp;&amp;
sed -i -e 's@TWDB="${prefix}@TWDB="/var@' install/install.cfg &amp;&amp;
./configure --prefix=/usr --sysconfdir=/etc/tripwire &amp;&amp;
make</userinput></screen>

    <warning><para>The default configuration is to use a local MTA. If
    you don't have an MTA installed and have no wish to install
    one, modify <filename>install/install.cfg</filename> to use an SMTP
    server instead.  Otherwise the install will fail.</para></warning>
 
    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>

<screen role="root"><userinput>make install &amp;&amp;
cp -v policy/*.txt /usr/share/doc/tripwire</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para><command>ln -s contrib install</command>: This command creates 
    a symbolic link in the build directory needed for installation.</para>

    <para><command>sed -i -e 's@TWDB="${prefix}@TWDB="/var@'
    install/install.cfg</command>: This command tells the package to install
    the program database and reports in
    <filename class="directory">/var/lib/tripwire</filename>.</para>

    <para><command>make install</command>: This command creates the
    <application>Tripwire</application> security keys as well as installing
    the binaries. There are two keys: a site key and a local key which are
    stored in <filename class="directory">/etc/tripwire/</filename>.</para>

    <para><command>cp -v policy/*.txt /usr/share/doc/tripwire</command>: This
    command installs the documentation.</para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring Tripwire</title>

    <sect3 id="tripwire-config">
      <title>Config Files</title>

      <para><filename>/etc/tripwire/*</filename></para>

      <indexterm zone="tripwire tripwire-config">
        <primary sortas="e-etc-tripwire">/etc/tripwire/*</primary>
      </indexterm>

    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para><application>Tripwire</application> uses a policy file to
      determine which files are integrity checked. The default policy
      file (<filename>/etc/tripwire/twpol.txt</filename>) is for a
      default Redhat installation and will need to be updated for your
      system.</para>

      <para>Policy files should be tailored to each individual distribution
      and/or installation. Some custom policy files can be found below:</para>

<literallayout><ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-all.txt"/>
Checks integrity of all files
<ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-lfs.txt"/>
Custom policy file for Base LFS 3.0 system
<ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-suse7.2.txt"/>
Custom policy file for SuSE 7.2 system</literallayout>

      <para>Download the custom policy file you'd like to try, copy it into
      <filename class="directory">/etc/tripwire/</filename>, and use it instead
      of <filename>twpol.txt</filename>. It is, however, recommended that you
      make your own policy file. Get ideas from the examples above and read
      <filename>/usr/share/doc/tripwire/policyguide.txt</filename> for
      additional information. <filename>twpol.txt</filename> is a good policy
      file for beginners as it will note any changes to the file system and can
      even be used as an annoying way of keeping track of changes for
      uninstallation of software.</para>

      <para>After your policy file has been transferred to
      <filename class="directory">/etc/tripwire/</filename> you may begin
      the configuration steps (perform as the
      <systemitem class='username'>root</systemitem>):</para>

<screen role="root"><userinput>twadmin --create-polfile --site-keyfile /etc/tripwire/site.key \
    /etc/tripwire/twpol.txt &amp;&amp;
tripwire --init</userinput></screen>

    </sect3>

    <sect3>
      <title>Usage Information</title>

      <para>To use <application>Tripwire</application> after creating a policy
      file to run a report, use the following command:</para>

<screen role="root"><userinput>tripwire --check &gt; /etc/tripwire/report.txt</userinput></screen>

      <para>View the output to check the integrity of your files. An automatic
      integrity report can be produced by using a cron facility to schedule
      the runs.</para>

      <para>Please note that after you run an integrity check, you must
      examine the report (or email) and then modify the
      <application>Tripwire</application> database to reflect the changed
      files on your system. This is so that <application>Tripwire</application>
      will not continually notify you that files you intentionally changed are
      a security violation. To do this you must first <command>ls -l
      /var/lib/tripwire/report/</command> and note the name of the newest file
      which starts with <filename>linux-</filename> and ends in
      <filename>.twr</filename>. This encrypted file was created during the
      last report creation and is needed to update the
      <application>Tripwire</application> database of your system. Then, as the
      <systemitem class='username'>root</systemitem> user, type
      in the following command making the appropriate substitutions for
      <replaceable>&lt;?&gt;</replaceable>:</para>

<screen role="root"><userinput>tripwire --update -twrfile \
    /var/lib/tripwire/report/linux-<replaceable>&lt;???????&gt;</replaceable>-<replaceable>&lt;??????&gt;</replaceable>.twr</userinput></screen>

      <para>You will be placed into <application>vim</application> with a copy
      of the report in front of you. If all the changes were good, then just
      type <command>:x</command> and after entering your local key, the database
      will be updated. If there are files which you still want to be warned
      about, remove the 'x' before the filename in the report and type
      <command>:x</command>.</para>

      
      <para>A good summary of tripwire operations can be found at       
      <ulink url="http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-tripwire.html"/>.</para>

    </sect3>

    <sect3>
      <title>Changing the Policy File</title>

      <para>If you are unhappy with your policy file and would like to modify
      it or use a new one, modify the policy file and then execute the following
      commands as the <systemitem class='username'>root</systemitem> user:</para>

<screen role="root"><userinput>twadmin --create-polfile /etc/tripwire/twpol.txt &amp;&amp;
tripwire --init</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>siggen, tripwire, twadmin, and twprint.</seg>
        <seg>None</seg>
        <seg>/etc/tripwire, /usr/share/doc/tripwire, and /var/lib/tripwire</seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="siggen">
        <term><command>siggen</command></term>
        <listitem>
          <para>is a signature gathering utility that displays
          the hash function values for the specified files.</para>
          <indexterm zone="tripwire siggen">
            <primary sortas="b-siggen">siggen</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id='tripwire-program'>
        <term><command>tripwire</command></term>
        <listitem>
          <para>is the main file integrity checking program.</para>
          <indexterm zone="tripwire tripwire">
            <primary sortas="b-tripwire">tripwire</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id='twadmin'>
        <term><command>twadmin</command></term>
        <listitem>
          <para>administrative and utility tool used to perform
          certain administrative functions related to
          <application>Tripwire</application> files and configuration
          options.</para>
          <indexterm zone="tripwire twadmin">
            <primary sortas="b-twadmin">twadmin</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id='twprint'>
        <term><command>twprint</command></term>
        <listitem>
          <para>prints <application>Tripwire</application>
          database and report files in clear text format.</para>
          <indexterm zone="tripwire twprint">
            <primary sortas="b-twprint">twprint</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>