Here is my version of a Tripwire Cheat Sheet. I originally wrote this about a year ago, but it is still pretty much the same. It will help you to get Tripwire up-and-going quickly, if only to learn how it all comes together. There are some additional caveats to run it in production, but hey – I can’t give it *all* away for free, can I? \ud83d\ude09<\/p>\n
Of course, many things in this document are taken for granted; like that the Tripwire binaries are in your path, and required config files are where they normally are, etc… If not, just use your brain and substitute where necessary.<\/p>\n
Just for reference, this was all done on a Opensuse 10 machine, which was before they called it “Opensuse” (but I can’t remember what they called it), and before they removed Tripwire from the standard distribution. Now isn’t that a kick in the pants. Now they include “AIDE”, which I will offer a Cheat Sheet for later… in the meantime, enjoy…<\/p>\n
INITIAL SETUP<\/em><\/p>\n Genetate new host key (optional):<\/p>\n To build the configuration file, find a sample of the plain-text configuration file and edit to taste. Then encode and sign the plain-text file and install it as the new configuration file:<\/p>\n To encode and install a policy file for your system, find a sample of the plain-text policy file and edit to taste, then create the policy with your changes:<\/p>\n Consider using a tool like this to create a policy file:<\/p>\n Tripwire Policy File Generator<\/span><\/a> [update: It looks like the link to the Generator tool is lost and I cannot find it on the ‘net anymore. So, I’m up-loading my versions — that I downloaded in 2006 — to this blog for your convenience. Note also, that these files appear to have been created in 2001. Just use the filename\/links below. Use at your own risk!]<\/p>\n (download the files, run the policy generator, then update policy as below)<\/p>\n To initialize the database file:<\/p>\n …examine results, tweak policy file to taste…<\/p>\n To tweak the policy file, open the plain-text policy file and edit to taste. Then update your existing policy file and database file with your changes:<\/p>\n Run an initial integrity check:<\/p>\n To configure email settings, add:<\/p>\n …to each section after the “rulename” line…<\/p>\n Testing E-mail Settings:<\/p>\n Update the Tripwire policy file with the edited text file:<\/p>\n Run another integrity check:<\/p>\n Update the Tripwire policy file with the edited text file:<\/p>\n Create cron job (for example):<\/p>\n …or…<\/p>\n To update the database file immediately after an integrity check:<\/p>\n …it is considered good security form to delete all leftover TXT files (leave the key, pol, and cfg files in place!) at this point. You may have to do another interactive check if you delete the TXT files and are tracking that directory. Congratulations, you should be finished!<\/p>\n ONGOING MAINTENANCE<\/em><\/p>\n To edit the configuration file, create a plain-text copy of the configuration file:<\/p>\n …edit and save… To edit the policy file, create a plain-text copy of the policy file:<\/p>\n …edit and save… Since the above changes are likely to be detected, you will need to update the database file:<\/p>\ntwadmin -m G -S \/etc\/tripwire\/site.key\r\ntwadmin -m G -L \/etc\/tripwire\/<hostname>-local.key<\/font><\/pre>\n
twadmin
--<\/code>create-cfgfile --<\/code>site-keyfile \/etc\/tripwire\/site.key twcfg.txt<\/font><\/pre>\ntwadmin
--<\/code>create-polfile twpol.txt<\/font><\/pre>\nmktrippol.pl<\/a> rockadm.pl<\/a> rockbasepolicy.txt<\/a> twinit.sh<\/a> twsite.pl<\/a><\/font><\/pre>\n
tripwire --<\/code>init<\/font><\/code><\/pre>\ntripwire
--<\/code>update-policy --<\/code>secure-mode low twpol.txt<\/font><\/pre>\ntripwire
--<\/code>check --<\/code>interactive<\/font><\/pre>\nemailto = \"root\",<\/font><\/pre>\n
tripwire
--<\/code>test --<\/code>email user@example.com<\/font><\/pre>\ntripwire
--<\/code>update-policy --<\/code>secure-mode low twpol.txt<\/font><\/pre>\ntripwire
--<\/code>check --<\/code>interactive<\/font><\/pre>\ntripwire
--<\/code>update-policy --<\/code>secure-mode low twpol.txt<\/font><\/pre>\n0 *\/1 * * * <TFS_root>\/bin\/tripwire
--<\/code>check -M<\/font><\/pre>\n0 *\/1 * * * <TFS_root>\/tripwire
--<\/code>check --<\/code>email-report --<\/code>email-report-level 1<\/font><\/pre>\ntripwire
--<\/code>check --<\/code>interactive<\/font><\/pre>\ntwadmin
--<\/code>print-cfgfile > twcfgupdate.txt<\/font><\/pre>\n
\nEncode and sign the plain-text file and install it as the new configuration file:<\/p>\ntwadmin
--<\/code>create-cfgfile --<\/code>site-keyfile \/etc\/tripwire\/site.key twcfgupdate.txt<\/font><\/pre>\ntwadmin
--<\/code>print-polfile > policy.txt<\/font><\/pre>\n
\nUpdate your existing policy file and database file with your changes:<\/p>\ntripwire
--<\/code>update-policy --<\/code>secure-mode low policy.txt<\/font><\/pre>\ntripwire
--<\/code>check --<\/code>interactive<\/font><\/pre>\n","protected":false},"excerpt":{"rendered":"