1 | <sect2>
|
---|
2 | <title>Configuring <application>tripwire</application></title>
|
---|
3 |
|
---|
4 | <sect3><title>Config files</title>
|
---|
5 | <para><filename>/etc/tripwire</filename></para>
|
---|
6 | </sect3>
|
---|
7 |
|
---|
8 | <sect3><title>Configuration Information</title>
|
---|
9 |
|
---|
10 | <para><application>Tripwire</application> uses a policy file to determine which
|
---|
11 | files integrity are checked. The default policy file (<filename>twpol.txt
|
---|
12 | </filename> found in <filename>/etc/tripwire/</filename>) is for a default
|
---|
13 | installation of Redhat 7.0 and is woefully outdated.</para>
|
---|
14 |
|
---|
15 | <para>Policy files are also a custom thing and should be tailored to each
|
---|
16 | individual distribution and/or installation. Some custom policy files can be
|
---|
17 | found below: </para>
|
---|
18 | <screen><ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-all.txt"/>
|
---|
19 | Checks integrity of all files
|
---|
20 | <ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-lfs.txt"/>
|
---|
21 | Custom policy file for Base LFS 3.0 system
|
---|
22 | <ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-suse7.2.txt"/>
|
---|
23 | Custom policy file for SuSE 7.2 system</screen>
|
---|
24 |
|
---|
25 | <para>Download the custom policy file you'd like to try, copy it into <filename>
|
---|
26 | /etc/tripwire/</filename>, and use it instead of <filename>twpol.txt
|
---|
27 | </filename>. It is, however, recommended that you make your own policy file.
|
---|
28 | Get ideas from the examples above and read <filename>
|
---|
29 | /usr/share/doc/tripwire/policyguide.txt</filename>. <filename>twpol.txt
|
---|
30 | </filename> is a good policy file for beginners as it will note any changes to
|
---|
31 | the filesystem and can even be used as an annoying way of keeping track of
|
---|
32 | changes for uninstallation of software.</para>
|
---|
33 |
|
---|
34 | <para>After your policy file has been transferred to <filename>/etc/tripwire/
|
---|
35 | </filename> you may begin the configuration steps:</para>
|
---|
36 |
|
---|
37 | <screen><userinput><command>twadmin -m P /etc/tripwire/twpol.txt &&
|
---|
38 | tripwire -m i</command></userinput></screen>
|
---|
39 |
|
---|
40 | <para>During configuration tripwire will create 2 keys: a site key and
|
---|
41 | a local key which will be stored in <filename class="directory">/etc/tripwire/
|
---|
42 | </filename>.</para>
|
---|
43 |
|
---|
44 | </sect3>
|
---|
45 |
|
---|
46 | <sect3><title>Usage Information</title>
|
---|
47 | <para>To use tripwire after this and run a report, use the following command:
|
---|
48 |
|
---|
49 | <screen><userinput><command>tripwire -m c > /etc/tripwire/report.txt
|
---|
50 | </command></userinput></screen></para>
|
---|
51 |
|
---|
52 | <para>View the output to check the integrity of your files. An automatic
|
---|
53 | integrity report can be produced by using a cron facility to schedule
|
---|
54 | the runs. </para>
|
---|
55 |
|
---|
56 | <para>Please note that after you run an integrity check, you must check
|
---|
57 | the report or email and then modify the tripwire database of the files
|
---|
58 | on your system so that tripwire will not continually notify you that
|
---|
59 | files you intentionally changed are a security violation. To do this you
|
---|
60 | must first <command>ls /var/lib/tripwire/report/</command> and note
|
---|
61 | the name of the newest file which starts with <filename>linux-</filename> and
|
---|
62 | ends in <filename>.twr</filename>. This encrypted file was created during the
|
---|
63 | last report creation and is needed to update the tripwire database of your
|
---|
64 | system. Then, type in the following command making the appropriate
|
---|
65 | substitutions for '?':
|
---|
66 | <screen><userinput><command>tripwire -m u -r /var/lib/tripwire/report/linux-???????-??????.twr </command></userinput></screen></para>
|
---|
67 |
|
---|
68 | <para>You will be placed into vim with a copy of the report in front of you. If
|
---|
69 | all the changes were good, then just type <command>:x</command> and after
|
---|
70 | entering your local key, the database will be updated. If there are files which
|
---|
71 | you still want to be warned about, please remove the x before the filename in
|
---|
72 | the report and type <command>:x</command>. </para>
|
---|
73 |
|
---|
74 | </sect3>
|
---|
75 |
|
---|
76 | <sect3><title>Changing the Policy File</title>
|
---|
77 |
|
---|
78 | <para>If you are unhappy with your policy file and would like to modify it or
|
---|
79 | use a new one, modify the policy file and then execute the following commands:
|
---|
80 | <screen><userinput><command>twadmin -m P /etc/tripwire/twpol.txt &&
|
---|
81 | tripwire -m i</command></userinput></screen></para>
|
---|
82 |
|
---|
83 | </sect3>
|
---|
84 |
|
---|
85 | </sect2>
|
---|
86 |
|
---|