glfs/postlfs/security/tripwire.xml
Randy McMurchy 2744e40186 renamed Tripwire patch and added filename to libxml2 FTP download location
git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2370 af4574ff-66df-0310-9fd7-8a98e5e911e0
2004-06-23 21:21:42 +00:00

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
<!ENTITY tripwire-download-http "http://prdownloads.sourceforge.net/tripwire/tripwire-&tripwire-version;.tar.gz">
<!ENTITY tripwire-download-ftp "ftp://ftp.fu-berlin.de/unix/security/tripwire/tripwire-&tripwire-version;.tar.gz">
<!ENTITY tripwire-size "1.4 MB">
<!ENTITY tripwire-buildsize "63 MB">
<!ENTITY tripwire-time "2.35 SBU">
]>
<sect1 id="tripwire" xreflabel="Tripwire-&tripwire-version;">
<?dbhtml filename="tripwire.html"?>
<title>Tripwire-&tripwire-version;</title>
<sect2>
<title>Introduction to <application>Tripwire</application></title>
<para>The <application>Tripwire</application> package contains the programs
used by <application>Tripwire</application> to verify the integrity of the
files on a given system.</para>
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink
url="&tripwire-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink
url="&tripwire-download-ftp;"/></para></listitem>
<listitem><para>Download size: &tripwire-size;</para></listitem>
<listitem><para>Estimated Disk space required:
&tripwire-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&tripwire-time;</para></listitem></itemizedlist>
</sect3>
<sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Required patch to fix multiple build issues (see patch for more information):
<ulink url="&patch-root;/tripwire-&tripwire-version;-gcc3_build_fixes-1.patch"/></para></listitem>
</itemizedlist>
</sect3>
<sect3><title><application>Tripwire</application> dependencies</title>
<sect4><title>Optional</title>
<para>MTA (See <xref linkend="server-mail"/>)</para></sect4>
</sect3>
</sect2>
<sect2>
<title>Installation of <application>Tripwire</application></title>
<para>Compile <application>Tripwire</application> by running the following
commands:</para>
<screen><userinput><command>patch -Np1 -i ../tripwire-&tripwire-version;-gcc3_build_fixes-1.patch &amp;&amp;
make -C src release &amp;&amp;
cp install/install.{sh,cfg} .</command></userinput></screen>
<para>The default configuration is to use a local MTA. If you don't have
an MTA installed and have no wish to install one, modify
<filename>install.cfg</filename> to use an SMTP server instead.
Install <application>Tripwire</application> by running the following
commands:</para>
<screen><userinput><command>./install.sh &amp;&amp;
cp /etc/tripwire/tw.cfg /usr/sbin &amp;&amp;
cp policy/*.txt /usr/share/doc/tripwire</command></userinput></screen>
</sect2>
<sect2>
<title>Command explanations</title>
<para><command>make -C src release</command>: This command builds the
<application>Tripwire</application> binaries.</para>
<para><command>cp install/install.{sh,cfg} .</command>: These files are copied
to the main <application>Tripwire</application> directory so that the script
can be used to install the package.</para>
<para><command>cp policy/*.txt /usr/share/doc/tripwire</command>: This command
installs the documentation.</para>
</sect2>
<sect2>
<title>Configuring <application>Tripwire</application></title>
<sect3><title>Config files</title>
<para><filename class="directory">/etc/tripwire</filename></para>
</sect3>
<sect3><title>Configuration Information</title>
<para><application>Tripwire</application> uses a policy file to determine which
files are integrity checked. The default policy file
(<filename>twpol.txt</filename> found in
<filename class="directory">/etc/tripwire/</filename>) is for a default
installation of Red Hat 7.0 and is woefully outdated.</para>
<para>Policy files are site-specific and should be tailored to each
individual distribution and/or installation. Some custom policy files can be
found below:</para>
<screen><ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-all.txt">http://home.iprimus.com.au/glombowski/blfs/twpol-all.txt</ulink>
Checks integrity of all files
<ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-lfs.txt">http://home.iprimus.com.au/glombowski/blfs/twpol-lfs.txt</ulink>
Custom policy file for Base LFS 3.0 system
<ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-suse7.2.txt">http://home.iprimus.com.au/glombowski/blfs/twpol-suse7.2.txt</ulink>
Custom policy file for SuSE 7.2 system</screen>
<para>Download the custom policy file you'd like to try, copy it into
<filename class="directory">/etc/tripwire/</filename>, and use it instead of
<filename>twpol.txt</filename>. It is, however, recommended that you make
your own policy file. Get ideas from the examples above and read
<filename>/usr/share/doc/tripwire/policyguide.txt</filename>.
<filename>twpol.txt</filename> is a good policy file for beginners as it
will note any changes to the file system and can even be used as an annoying
way of keeping track of changes for uninstallation of software.</para>
<para>After your policy file has been transferred to <filename
class="directory">/etc/tripwire/</filename> you may begin the configuration
steps:</para>
<screen><userinput><command>twadmin -m P /etc/tripwire/twpol.txt &amp;&amp;
tripwire -m i</command></userinput></screen>
<para>During installation <application>Tripwire</application> will create two
(2) keys: a site key and a local key which will be stored in <filename
class="directory">/etc/tripwire/</filename>.</para>
</sect3>
<sect3><title>Usage Information</title>
<para>Once the database has been initialized, run an integrity check with
<application>Tripwire</application> and save the report using the following
command:</para>
<screen><userinput><command>tripwire -m c &gt; /etc/tripwire/report.txt</command></userinput></screen>
<para>View the output to check the integrity of your files. Integrity
reports can be produced automatically by using a cron facility to schedule
the runs.</para>
<para>Please note that after you run an integrity check, you must examine
the report (or email) and then modify the <application>Tripwire</application>
database to reflect the changed files on your system. This is so that
<application>Tripwire</application> will not continually notify you that
files you intentionally changed are a security violation. To do this,
first run <command>ls -l /var/lib/tripwire/report/</command> and note
the name of the newest file which starts with <filename>linux-</filename> and
ends in <filename>.twr</filename>. This encrypted file was created during the
last report creation and is needed to update the
<application>Tripwire</application> database of your
system. Then, type in the following command, making the appropriate
substitutions for '?':</para>
<screen><userinput><command>tripwire -m u -r /var/lib/tripwire/report/linux-???????-??????.twr</command></userinput></screen>
<para>You will be placed into vim with a copy of the report in front of you. If
all the changes were good, then just type <command>:x</command> and, after
you enter your local key, the database will be updated. If there are files
which you still want to be warned about, remove the 'x' before the filename in
the report and then type <command>:x</command>.</para>
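<para>The report-selection step described above, as an added shell example
(not part of the original page or of the <application>Tripwire</application>
package): it picks the newest <filename>.twr</filename> report by modification
time and prints the matching update command. The function names
<command>newest_twr</command> and <command>update_command</command> and the
sample file names are assumptions constructed for illustration.</para>

```shell
#!/bin/sh
# Added example: choose the report to pass to "tripwire -m u -r".
# The "linux-" prefix and ".twr" suffix are the ones shown on this page;
# newest_twr and update_command are hypothetical helper names.

# Print the most recently modified regular file matching PREFIX*.twr in DIR.
# Returns 1 when no report exists (for example, no check has been run yet).
newest_twr() {
    dir=$1
    prefix=${2:-linux-}
    newest=
    for f in "$dir"/"$prefix"*.twr; do
        # An unmatched glob stays literal, and symlinks are skipped so the
        # update only ever reads a real file inside the report directory.
        if [ ! -f "$f" ] || [ -L "$f" ]; then
            continue
        fi
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest=$f
        fi
    done
    if [ -z "$newest" ]; then
        return 1
    fi
    printf '%s\n' "$newest"
}

# Build the database-update command line for the newest report in DIR.
update_command() {
    report=$(newest_twr "$1" "$2") || return 1
    printf 'tripwire -m u -r %s\n' "$report"
}

# Demonstration on constructed, empty stand-in files (not real reports).
demo_dir=$(mktemp -d)
touch -t 200406200300 "$demo_dir/linux-0000001-030000.twr"
touch -t 200406220300 "$demo_dir/linux-0000003-030000.twr"
touch -t 200406210300 "$demo_dir/linux-0000002-030000.twr"
update_command "$demo_dir"
rm -rf "$demo_dir"
```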
</sect3>
<sect3><title>Changing the Policy File</title>
<para>If you are unhappy with your policy file and would like to modify it or
use a new one, modify the policy file and then execute the following
commands:</para>
<screen><userinput><command>twadmin -m P /etc/tripwire/twpol.txt &amp;&amp;
tripwire -m i</command></userinput></screen>
</sect3>
</sect2>
<sect2>
<title>Contents</title>
<para>The <application>Tripwire</application> package contains
<command>siggen</command>, <command>tripwire</command>,
<command>twadmin</command> and <command>twprint</command>.</para>
</sect2>
</sect1>