Download location (HTTP): http://telia.dl.sourceforge.net/sourceforge/tripwire/tripwire-2.3.1-2.tar.gz Download location (FTP): Version used: 2.3.1-2 Package size: 1.5 MB Estimated Disk space required: 63 MB |
The tripwire package contains the tripwire programs used by tripwire to verify the integrity of the files on a given system.
tripwire depends on: gcc-2.95.3 |
Download the patch for tripwire config from http://downloads.linuxfromscratch.org/blfs-patches.
Install tripwire by running the following commands:
export PATH_HOLD=$PATH &&
export PATH=/opt/gcc2/bin:$PATH &&
ln -s make /usr/bin/gmake &&
cd src &&
gmake release &&
cd .. &&
cp install/install.{sh,cfg} . &&
patch -Np0 -i ../tripwire-cfg.patch &&
./install.sh &&
cp /etc/tripwire/tw.cfg /usr/sbin &&
cp policy/*.txt /usr/share/doc/tripwire |
Reverse the modifications made above:
rm /usr/bin/gmake && export PATH=$PATH_HOLD |
ln -s make /usr/bin/gmake : The reason we create the gmake symlink is that tripwire will only install if the symlink is present. It may be safely removed after installation.
gmake release : This command creates the tripwire binaries.
cp install.{sh,cfg} . : These are copied to the main tripwire directory so that the script can be used to install the package.
cp policy/*.txt /usr/share/doc/tripwire : This command installs the documentation.
/etc/tripwire
Tripwire uses a policy file to determine which files integrity are checked. The default policy file (twpol.txt found in /etc/tripwire/) is for a default installation of Redhat 7.0 and is woefully outdated.
Policy files are also a custom thing and should be tailored to each individual distro and/or installation. Some custom policy files can be found below:
http://home.iprimus.com.au/glombowski/blfs/twpol-all.txt Checks integrity of all files http://home.iprimus.com.au/glombowski/blfs/twpol-lfs.txt Custom policy file for Base LFS 3.0 system http://home.iprimus.com.au/glombowski/blfs/twpol-suse7.2.txt Custom policy file for SuSE 7.2 system |
Download the custom policy file you'd like to try, copy it into /etc/tripwire/, and use it instead of twpol.txt. It is, however, recommended that you make your own policy file. Get ideas from the examples above and read /usr/share/doc/tripwire/policyguide.txt. twpol.txt is a good policy file for beginners as it will note any changes to the filesystem and can even be used as an annoying way of keeping track of changes for uninstallation of software.
After your policy file has been transferred to /etc/tripwire/ you may begin the configuration steps:
twadmin -m P /etc/tripwire/twpol.txt && tripwire -m i |
During configuration tripwire will create 2 keys: a site key and a local key which will be stored in /etc/tripwire/.
To use tripwire after this and run a report using the following command:
tripwire -m c > /etc/tripwire/report.txt |
View the output to check the integrity of your files. An automatic integrity report can be produced by using fcron.
Please note that after you run an integrity check, you must check the report or email and then modify the tripwire database of the files on your system so that tripwire will not continually notify you that files you intentionally changed are a security violation. To do this you must first ls /var/lib/tripwire/report/ and note the name of the newest file which starts with linux- and ends in .twr. This encrypted file was created during the last report creation and is needed to update the tripwire database of your system. Then, type in the following command making the appropriate substitutions for '?':
tripwire -m u -r /var/lib/tripwire/report/linux-???????-??????.twr |
You will be placed into vim with a copy of the report in front of you. If all the changes were good, then just type :x and after entering your local key, the database will be updated. If there are files which you still want to be warned about, please remove the x before the filename in the report and type :x.
If you are unhappy with your policy file and would like to modify it or use a new one, modify the policy file and then execute the following commands:
twadmin -m P /etc/tripwire/twpol.txt && tripwire -m i |
The tripwire package contains siggen, tripwire, twadmin and twprint.