
Configuring Tripwire

Author:      Elastic Reality
Submitted:      28-Apr-2007 19:41:02
Imported From:      The CyberArmy University (original author: Elastic Reality)

Tripwire is a file integrity checker for *NIX systems. On its first run it creates a database of file states, and it then periodically checks those files for modifications. The file attributes used for the check include modification timestamps, file size, permissions, MD5 hash values, etc.

Most popular Linux distributions, such as Mandrake, Fedora Core and SuSE, include the Tripwire package on their installation CDs. However, if for some reason you are not able to find it, you can download it from http://sourceforge.net/projects/tripwire/.

In the directory /etc/tripwire you will find two files named tw.cfg and tw.pol, which are the configuration file and the policy file respectively. You will also find a plain-text version of tw.cfg called twcfg.txt, which should have contents similar to the following:

POLFILE = /etc/tripwire/tw.pol
DBFILE = /var/lib/tripwire/$HOSTNAME.twd
REPORTFILE = /var/lib/tripwire/report/$HOSTNAME-$DATE.twr
SITEKEYFILE = /etc/tripwire/site.key
LOCALKEYFILE = /etc/tripwire/$HOSTNAME-local.key
EDITOR = /bin/vi
MAILNOVIOLATIONS = true
EMAILREPORTLEVEL = 3
REPORTLEVEL = 3
MAILMETHOD = SENDMAIL
MAILPROGRAM = /usr/sbin/sendmail

The value substituted for $HOSTNAME must match the value of HOSTNAME set in twpol.txt, the plain-text version of the policy file. The settings mean the following:

- POLFILE: location of the policy file.
- DBFILE: location of the database file.
- REPORTFILE: location of the report file (generated whenever Tripwire does an integrity check).
- SITEKEYFILE: key used for signing files that are shared across multiple systems, for example policy files.
- LOCALKEYFILE: key used for signing system-specific files, for example database files.
- EDITOR: location of the default editor, for example vi or emacs.
- MAILNOVIOLATIONS: whenever a violation occurs, this variable can be set to automatically send a mail to the system administrator.
- EMAILREPORTLEVEL, REPORTLEVEL: values range from 0 to 4, with a default of 3; they set the amount of detail included in the reports.
- MAILMETHOD, MAILPROGRAM: specify the mailing method (SMTP, SENDMAIL, etc.) and the mail program to use.

A policy file is a set of rules, each associated with files, that Tripwire uses to verify whether a violation has occurred. To configure the rules, read the plain-text version of the policy file (twpol.txt) and comment out the rules that do not apply to your system or that you consider useless.
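
As an added example (not code from the article or from the Tripwire project), the following Python script parses a twcfg.txt like the one shown above, checks that EMAILREPORTLEVEL and REPORTLEVEL lie within 0-4, resolves the $HOSTNAME and $DATE placeholders in the path settings, and verifies that the HOSTNAME declared in the GLOBAL section of twpol.txt matches the host the files are meant for. The twcfg.txt and twpol.txt contents are constructed excerpts and the hostname webserver01 is made up.

```python
# Added example, not the article's or Tripwire's own code: check a twcfg.txt
# against the HOSTNAME in twpol.txt. Inputs are constructed; host name is made up.
import re

TWCFG = """\
DBFILE = /var/lib/tripwire/$HOSTNAME.twd
REPORTFILE = /var/lib/tripwire/report/$HOSTNAME-$DATE.twr
LOCALKEYFILE = /etc/tripwire/$HOSTNAME-local.key
EDITOR =/bin/vi
EMAILREPORTLEVEL =3
REPORTLEVEL =3
"""

TWPOL = """\
@@section GLOBAL
HOSTNAME=webserver01;
@@section FS
"""

def parse_cfg(text):
    """Parse 'KEY = value' lines into a dict, skipping blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def policy_hostname(text):
    """Return the HOSTNAME set in the policy's GLOBAL section, or None if absent."""
    m = re.search(r"^\s*HOSTNAME\s*=\s*([^;\s]+)\s*;", text, re.M)
    return m.group(1) if m else None

def expand(value, hostname, date):
    """Resolve the $HOSTNAME and $DATE placeholders used in the path settings."""
    return value.replace("$HOSTNAME", hostname).replace("$DATE", date)

def check_config(cfg_text, pol_text, running_host):
    """Return a list of problems; an empty list means the files agree with this host."""
    cfg, problems = parse_cfg(cfg_text), []
    for key in ("EMAILREPORTLEVEL", "REPORTLEVEL"):  # valid range is 0-4
        val = cfg.get(key, "")
        if not (val.isdigit() and 0 <= int(val) <= 4):
            problems.append(f"{key} must be 0-4, got {val!r}")
    pol_host = policy_hostname(pol_text)
    if pol_host != running_host:  # $HOSTNAME paths would not match the policy
        problems.append(f"twpol.txt HOSTNAME {pol_host!r} != this host {running_host!r}")
    return problems
```

Run check_config against the real /etc/tripwire/twcfg.txt and twpol.txt with the output of hostname to catch a mismatch before generating the signed tw.cfg and tw.pol.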

I hope this article has provided you with a good overview of Tripwire configuration. As always, for more information refer to the manual pages (using the 'man' command). I will cover 'Using Tripwire' in my next article.

Written by Elastic Reality (23 November 2004)

Former member of CAU Knowledge-Bank Tutorial Writers

On 23 November 2004, one of our cherished members, Elastic Reality, passed away in a successful effort to save the life of his ex-girlfriend. Though CAU is greatly pained by the loss, we are proud of the work he accomplished here and the life he appears to have lived. Rest in peace Elastic Reality, and our heartfelt condolences to your family and friends. For more information, please visit this related post by his brother.

This article was originally published by CyberArmy.net in the CyberArmy Library.
