Hello all,
Here is the third and final part of this tutorial. I would like to thank you all for your feedback, which motivated me to accomplish the work. All comments/suggestions are welcome.

So let's go to the tutorial:

***BOF ***

----- cut here -------------------------------------------------------------------------------------------


Copyright (C) 2003 Gigabite All rights reserved.

You may distribute this tutorial freely, as long as no changes are made to the document. The copyright, disclaimer and the signature MUST be included with the document.


Although I have taken every precaution in the preparation of this tutorial, I will assume no responsibility for errors or omissions. Neither is any liability assumed for the information contained herein.



NOTE: I assume that you have gone through the part 1 & part 2 of this tutorial.

Using Tripwire

-Once the configuration and policy files have been created, you can create the database of signatures for your monitored files and programs by invoking Tripwire with the --init option. You will initially be prompted to enter your local passphrase, which you specified when you ran twinstall.sh:

tripwire --init

The tripwire database is kept in /var/lib/tripwire and given the name of the host with the extension .twd.

-Now that your database is created, you can use Tripwire to periodically check the integrity of your system. You can do this manually with the --check option. You can also set up tripwire --check commands as cron jobs to run automatically at specified times. For example, a tripwire --check command placed in /etc/cron.daily will run Tripwire daily:

tripwire --check

-Tripwire will check all the files listed in your policy file and generate a report. Tripwire reports are placed in files which are named according to the hostname, date and time of the report, with the extension .twr. For example, the report generated on November 6, 2003 at 10:29:31 will have the name 20031106-102931.twr. These files are kept in the /var/lib/tripwire/report directory. The report will list any violations, noting the severity level and indicating whether files were added, removed or modified. To view reports, you use the twprint command with the --print-report option, and you have to specify the report file with the -r option as well. You can redirect the output to a file to save it, or pipe it to the more or less commands to view it screen by screen. For example:

twprint --print-report -r /var/lib/tripwire/report/20031106-102931.twr | more
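The daily cron job mentioned above, written out as a small wrapper script. This is an added example and not part of the original tutorial; it assumes the default /var/lib/tripwire/report directory used in this tutorial and that tripwire and twprint are in the PATH. The only helper of its own is latest_report, which relies on the date-time file naming described above.

```shell
#!/bin/sh
# Added example: cron wrapper around the tripwire --check / twprint commands
# from this tutorial (not part of the original post).
# Assumption: the default Red Hat report directory shown in the tutorial.
REPORT_DIR="${REPORT_DIR:-/var/lib/tripwire/report}"

# Report files are named by date and time (e.g. 20031106-102931.twr), and the
# fields are zero-padded, so a plain lexical sort puts the newest report last.
# Prints the path of the newest report, or nothing if the directory is empty.
latest_report() {
    dir="$1"
    ls "$dir"/*.twr 2>/dev/null | sort | tail -n 1
}

# Run the integrity check, then print the newest report in full so that the
# cron mail contains the list of added/removed/modified files. The function
# returns tripwire's own exit status, so a non-zero status from this script
# means the check failed or reported violations.
run_check() {
    tripwire --check
    status=$?
    report=$(latest_report "$REPORT_DIR")
    if [ -n "$report" ]; then
        twprint --print-report -r "$report"
    fi
    return $status
}

# Only run the check when this file is executed directly as the cron script
# (e.g. installed as /etc/cron.daily/tripwire-check.sh), not when sourced.
if [ "${0##*/}" = "tripwire-check.sh" ]; then
    run_check
fi
```

Install the script as /etc/cron.daily/tripwire-check.sh (a hypothetical name) and make it executable; cron will mail the report and the exit status to root each day.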

-You can also use twprint to query the database for information about particular files. Use the --print-dbfile option followed by the file name, as follows:

twprint --print-dbfile /etc/passwd

As your system changes and files are modified, your Tripwire database can become outdated. You can update the Tripwire database to incorporate reported violations as correct entries by using the --update option. You have to specify the particular report file that holds the violations you want to accept as valid data:

tripwire --update -r /var/lib/tripwire/report/20031106-102931.twr

-Tripwire will first open the report in an editor, with the violations selected as updates to be incorporated having an [x] in front of their entries. Unselected violations have an empty []. If you notice any genuine violations that are marked for update, you can deselect them by removing the preceding x. When you are finished, save and quit the file. You are then prompted to enter the local passphrase for your local key.

Changing Policies

-As your system changes over time, you may want to add or remove files that you want Tripwire to monitor. The situation becomes aggravated as you install and remove software, adding files not covered by Tripwire and removing files that no longer exist; as we know, Tripwire will report any removed files as violations. As I mentioned earlier, you do not edit the Tripwire policy file directly. Instead you edit the text version, /etc/tripwire/twpol.txt.

-Once you have made your changes you issue the following command to generate a new signed tw.pol policy file that Tripwire will actually use. Be sure to specify the text version you are using:

twadmin --create-polfile /etc/tripwire/twpol.txt

You will then be prompted to enter the passphrase for your site key. A new tw.pol file is then generated. You will also have to generate a new version of the Tripwire database. First remove the old one, then initialize a new one:

rm /var/lib/tripwire/me.gigabite.com.twd
tripwire --init

Alternatively, you can combine the process by using the tripwire command with the --update-policy option to create your policy and update your database:

tripwire --update-policy /etc/tripwire/twpol.txt


----- cut here -------------------------------------------------------------------------------------------


Hope that the tutorial was helpful and you all enjoyed reading it.