Tripwire is Security, Intrusion Detection, Damage Assessment, Recovery and Forensics software which creates a cryptographically-secured database of files and their characteristics based on the specifications of your configurable policy file.
PREREQUISITES: gcc version 2.95.2 or better. gcc3+ requires a tripwire patch.
The installation commands can be run from a Putty window in a "cut-and-paste" style layout or copied to a script. Notes on Putty best practices can be found here.
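cd /usr/src/
wget http://belnet.dl.sourceforge.net/sourceforge/tripwire/tripwire-2.3.1-2.tar.gz
wget http://www.linuxfromscratch.org/patches/blfs/5.0/tripwire-2.3.1-2-gcc3-build-fixes.patch
# mirror copies of the same two files:
# wget http://www.hostinghacks.net/dist/tripwire-2.3.1-2.tar.gz
# wget http://www.hostinghacks.net/dist/tripwire-2.3.1-2-gcc3-build-fixes.patch
# Both downloads are plain HTTP from mirrors, with nothing confirming that the
# archive is the one the project released. Compare it with the checksum (or
# signature) published upstream before building an integrity checker from it:
#   echo '<UPSTREAM_SHA256>  tripwire-2.3.1-2.tar.gz' | sha256sum -c -
# Extract, enter the tree, patch and build are chained so that a failed
# extract or cd cannot leave patch/make running against the wrong directory.
tar -zxf tripwire-2.3.1-2.tar.gz \
  && cd /usr/src/tripwire-2.3.1-2 \
  && patch -Np1 -i ../tripwire-2.3.1-2-gcc3-build-fixes.patch \
  && make -C src release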
copy the binaries:
# Install the four tools built under bin/i686-pc-linux_r into /usr/sbin
# (siggen, tripwire, twadmin, twprint).
cp /usr/src/tripwire-2.3.1-2/bin/i686-pc-linux_r/{siggen,tripwire,twadmin,twprint} /usr/sbin
prepare the tripwire policy:
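# Directories for the policy/keys and for the database and reports.
mkdir -p /etc/tripwire /var/lib/tripwire /var/lib/tripwire/report
chmod 755 /etc/tripwire /var/lib/tripwire /var/lib/tripwire/report
# Generate the site and local signing keys. The passphrases are deliberately
# NOT given with --site-passphrase / --local-passphrase: command-line
# arguments are visible to every local user in ps output and are kept in the
# shell history, so twadmin is left to prompt for them interactively.
twadmin --generate-keys --site-keyfile /etc/tripwire/site.key
chmod 640 /etc/tripwire/site.key
twadmin --generate-keys --local-keyfile /etc/tripwire/local.key
chmod 640 /etc/tripwire/local.key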
create and sign the configuration file:
# this will write a signed binary configuration file to: /etc/tripwire/tw.cfg
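# The delimiter is quoted so $(DATE) reaches the file unexpanded; tripwire
# substitutes it when it names a report.
cat > /etc/tripwire/twcfg.txt << "EOF"
ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/devel.twd
REPORTFILE =/var/lib/tripwire/report/serv1-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/local.key
EDITOR =/usr/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =true
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =3
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -t
EOF
# Sign the text config into the binary /etc/tripwire/tw.cfg. The site
# passphrase is not passed with --site-passphrase: arguments are visible to
# every local user in ps output and end up in the shell history, so twadmin
# is left to prompt for it.
twadmin --create-cfgfile --cfgfile /etc/tripwire/tw.cfg --site-keyfile /etc/tripwire/site.key \
  /etc/tripwire/twcfg.txt
chmod 640 /etc/tripwire/tw.cfg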
create the policy file:
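# Written with a quoted delimiter so the $(...) policy variables are copied
# literally instead of being expanded by the shell.
cat > /etc/tripwire/twpol.txt << "EOF"
# best run with LOOSEDIRECTORYCHECKING=TRUE
@@section GLOBAL
TWDOCS="/usr/doc/tripwire";
TWBIN="/usr/sbin";
TWPOL="/etc/tripwire";
TWDB="/var/lib/tripwire";
TWSKEY="/etc/tripwire";
TWLKEY="/etc/tripwire";
TWREPORT="/var/lib/tripwire/report";
HOSTNAME=serv1.fatpenguinhosting.com;
@@section FS
# Property masks. "-SHa" drops the SHA and Haval hashes and the access time,
# so the content of SEC_CRIT/SEC_SUID objects is verified with CRC-32 and MD5
# only; $(ReadOnly) likewise carries CRC-32 and MD5 but no SHA.
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(ReadOnly) ; # Binaries that should not change
# $(Dynamic) checks permissions, inode, link count, owner, group, type and
# device only - no size, mtime or hash - so a rewritten file passes unnoticed.
# Use it for device nodes and lock/state files, not for files whose content
# matters.
SEC_CONFIG = $(Dynamic) ; # Config files that change infrequently but accessed often
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ; # should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files of significant security impact
SIG_HI = 100 ; # Critical files that are points of vulnerability
(
rulename = "Tripwire Binaries",
severity = $(SIG_HI)
)
{
$(TWBIN)/siggen -> $(SEC_BIN) ;
$(TWBIN)/tripwire -> $(SEC_BIN) ;
$(TWBIN)/twadmin -> $(SEC_BIN) ;
$(TWBIN)/twprint -> $(SEC_BIN) ;
}
(
rulename = "Tripwire Data Files",
severity = $(SIG_HI)
)
{
$(TWDB) -> $(SEC_CONFIG) -i ;
$(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
$(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
$(TWLKEY)/local.key -> $(SEC_BIN) ;
$(TWSKEY)/site.key -> $(SEC_BIN) ;
$(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
}
(
rulename = "Invariant Directories",
severity = $(SIG_MED)
)
{
/ -> $(SEC_INVARIANT) (recurse = 0) ;
/home -> $(SEC_INVARIANT) (recurse = 0) ;
/etc -> $(SEC_INVARIANT) (recurse = 0) ;
}
(
rulename = "File System and Disk Administraton Programs",
severity = $(SIG_HI)
)
{
/sbin/badblocks -> $(SEC_CRIT) ;
/sbin/dosfsck -> $(SEC_CRIT) ;
/sbin/e2fsck -> $(SEC_CRIT) ;
/sbin/debugfs -> $(SEC_CRIT) ;
/sbin/dumpe2fs -> $(SEC_CRIT) ;
/sbin/e2label -> $(SEC_CRIT) ;
/sbin/fdisk -> $(SEC_CRIT) ;
/sbin/fsck -> $(SEC_CRIT) ;
/sbin/fsck.umsdos -> $(SEC_CRIT) ;
/sbin/fsck.ext2 -> $(SEC_CRIT) ;
/sbin/fsck.ext3 -> $(SEC_CRIT) ;
/sbin/fsck.minix -> $(SEC_CRIT) ;
/sbin/fsck.msdos -> $(SEC_CRIT) ;
/sbin/fsck.hpfs -> $(SEC_CRIT) ;
/sbin/fsck.reiserfs -> $(SEC_CRIT) ;
/usr/sbin/hdparm -> $(SEC_CRIT) ;
/sbin/mkdosfs -> $(SEC_CRIT) ;
/sbin/mke2fs -> $(SEC_CRIT) ;
/sbin/mkfs -> $(SEC_CRIT) ;
/sbin/mkfs.ext2 -> $(SEC_CRIT) ;
/sbin/mkfs.minix -> $(SEC_CRIT) ;
/sbin/mkfs.msdos -> $(SEC_CRIT) ;
/sbin/mkswap -> $(SEC_CRIT) ;
/sbin/resize2fs -> $(SEC_CRIT) ;
/usr/sbin/sfdisk -> $(SEC_CRIT) ;
/sbin/tune2fs -> $(SEC_CRIT) ;
/sbin/update -> $(SEC_CRIT) ;
/bin/mount -> $(SEC_CRIT) ;
/bin/umount -> $(SEC_CRIT) ;
/bin/touch -> $(SEC_CRIT) ;
/bin/mkdir -> $(SEC_CRIT) ;
/bin/mknod -> $(SEC_CRIT) ;
/usr/bin/mktemp -> $(SEC_CRIT) ;
/bin/rm -> $(SEC_CRIT) ;
/bin/rmdir -> $(SEC_CRIT) ;
/bin/chgrp -> $(SEC_CRIT) ;
/bin/chmod -> $(SEC_CRIT) ;
/bin/chown -> $(SEC_CRIT) ;
/bin/cp -> $(SEC_CRIT) ;
}
(
rulename = "Kernel Administration Programs",
severity = $(SIG_HI)
)
{
/sbin/depmod -> $(SEC_CRIT) ;
/usr/sbin/ctrlaltdel -> $(SEC_CRIT) ;
/sbin/insmod -> $(SEC_CRIT) ;
/sbin/insmod_ksymoops_clean -> $(SEC_CRIT) ;
/usr/sbin/klogd -> $(SEC_CRIT) ;
/sbin/ldconfig -> $(SEC_CRIT) ;
/sbin/modinfo -> $(SEC_CRIT) ;
}
(
rulename = "Networking Programs",
severity = $(SIG_HI)
)
{
/sbin/arp -> $(SEC_CRIT) ;
/sbin/ifconfig -> $(SEC_CRIT) ;
/sbin/ipmaddr -> $(SEC_CRIT) ;
/sbin/iptunnel -> $(SEC_CRIT) ;
/sbin/plipconfig -> $(SEC_CRIT) ;
/sbin/rpc.portmap -> $(SEC_CRIT) ;
/sbin/rarp -> $(SEC_CRIT) ;
/sbin/route -> $(SEC_CRIT) ;
/usr/sbin/slattach -> $(SEC_CRIT) ;
/bin/ping -> $(SEC_CRIT) ;
}
(
rulename = "System Administration Programs",
severity = $(SIG_HI)
)
{
/usr/sbin/atd -> $(SEC_CRIT) ;
/usr/sbin/crond -> $(SEC_CRIT) ;
/usr/bin/crontab -> $(SEC_CRIT) ;
/usr/bin/fuser -> $(SEC_CRIT) ;
/sbin/halt -> $(SEC_CRIT) ;
/sbin/init -> $(SEC_CRIT) ;
/bin/killall -> $(SEC_CRIT) ;
/sbin/killall5 -> $(SEC_CRIT) ;
/sbin/rmt -> $(SEC_CRIT) ;
/sbin/shutdown -> $(SEC_CRIT) ;
/bin/sulogin -> $(SEC_CRIT) ;
/sbin/sulogin -> $(SEC_CRIT) ;
/sbin/swapon -> $(SEC_CRIT) ;
/usr/sbin/syslogd -> $(SEC_CRIT) ;
/bin/pwd -> $(SEC_CRIT) ;
/usr/bin/pwd -> $(SEC_CRIT) ;
/bin/uname -> $(SEC_CRIT) ;
/usr/bin/uname -> $(SEC_CRIT) ;
}
(
rulename = "Hardware and Device Control Programs",
severity = $(SIG_HI)
)
{
/sbin/hwclock -> $(SEC_CRIT) ;
/sbin/losetup -> $(SEC_CRIT) ;
}
(
rulename = "System Information Programs",
severity = $(SIG_HI)
)
{
/sbin/kernelversion -> $(SEC_CRIT) ;
/sbin/runlevel -> $(SEC_CRIT) ;
}
(
rulename = "Application Information Programs",
severity = $(SIG_HI)
)
{
/sbin/genksyms -> $(SEC_CRIT) ;
/bin/sln -> $(SEC_CRIT) ;
}
(
rulename = "Operating System Utilities",
severity = $(SIG_HI)
)
{
/bin/cat -> $(SEC_CRIT) ;
/bin/date -> $(SEC_CRIT) ;
/bin/dd -> $(SEC_CRIT) ;
/bin/df -> $(SEC_CRIT) ;
/bin/echo -> $(SEC_CRIT) ;
/bin/egrep -> $(SEC_CRIT) ;
/usr/bin/elvis -> $(SEC_CRIT) ;
/usr/bin/egrep -> $(SEC_CRIT) ;
/bin/false -> $(SEC_CRIT) ;
/usr/bin/false -> $(SEC_CRIT) ;
/bin/fgrep -> $(SEC_CRIT) ;
/usr/bin/fgrep -> $(SEC_CRIT) ;
/usr/bin/gawk -> $(SEC_CRIT) ;
/usr/bin/igawk -> $(SEC_CRIT) ;
/bin/grep -> $(SEC_CRIT) ;
/usr/bin/grep -> $(SEC_CRIT) ;
/bin/true -> $(SEC_CRIT) ;
/usr/bin/true -> $(SEC_CRIT) ;
/bin/arch -> $(SEC_CRIT) ;
/usr/bin/basename -> $(SEC_CRIT) ;
/bin/dmesg -> $(SEC_CRIT) ;
/bin/ed -> $(SEC_CRIT) ;
/bin/gunzip -> $(SEC_CRIT) ;
/usr/bin/gunzip -> $(SEC_CRIT) ;
/bin/gzip -> $(SEC_CRIT) ;
/bin/hostname -> $(SEC_CRIT) ;
/bin/kill -> $(SEC_CRIT) ;
/bin/ln -> $(SEC_CRIT) ;
/bin/login -> $(SEC_CRIT) ;
/bin/ls -> $(SEC_CRIT) ;
/bin/more -> $(SEC_CRIT) ;
/usr/bin/more -> $(SEC_CRIT) ;
/bin/mv -> $(SEC_CRIT) ;
/bin/netstat -> $(SEC_CRIT) ;
/usr/bin/nice -> $(SEC_CRIT) ;
/bin/ps -> $(SEC_CRIT) ;
/usr/bin/sed -> $(SEC_CRIT) ;
/sbin/setserial -> $(SEC_CRIT) ;
/bin/sleep -> $(SEC_CRIT) ;
/usr/bin/sleep -> $(SEC_CRIT) ;
/usr/bin/sort -> $(SEC_CRIT) ;
/usr/bin/tsort -> $(SEC_CRIT) ;
/bin/stty -> $(SEC_CRIT) ;
/usr/bin/stty -> $(SEC_CRIT) ;
/bin/su -> $(SEC_CRIT) ;
/bin/sync -> $(SEC_CRIT) ;
/bin/tar -> $(SEC_CRIT) ;
/usr/bin/vi -> $(SEC_CRIT) ;
/bin/zcat -> $(SEC_CRIT) ;
/usr/bin/zcat -> $(SEC_CRIT) ;
}
(
rulename = "Critical Utility Sym-Links",
severity = $(SIG_HI)
)
{
/sbin/clock -> $(SEC_CRIT) ;
/sbin/kallsyms -> $(SEC_CRIT) ;
/sbin/ksyms -> $(SEC_CRIT) ;
/sbin/lsmod -> $(SEC_CRIT) ;
/sbin/modprobe -> $(SEC_CRIT) ;
/sbin/netconfig -> $(SEC_CRIT) ;
/sbin/pidof -> $(SEC_CRIT) ;
/sbin/poweroff -> $(SEC_CRIT) ;
/sbin/swapoff -> $(SEC_CRIT) ;
/sbin/reboot -> $(SEC_CRIT) ;
/sbin/rmmod -> $(SEC_CRIT) ;
/sbin/telinit -> $(SEC_CRIT) ;
/usr/bin/awk -> $(SEC_CRIT) ;
/bin/dnsdomainname -> $(SEC_CRIT) ;
/bin/domainname -> $(SEC_CRIT) ;
/usr/bin/ex -> $(SEC_CRIT) ;
/bin/nisdomainname -> $(SEC_CRIT) ;
/bin/red -> $(SEC_CRIT) ;
/bin/ypdomainname -> $(SEC_CRIT) ;
}
(
rulename = "Temporary directories",
recurse = false,
severity = $(SIG_LOW)
)
{
/usr/tmp -> $(SEC_INVARIANT) ;
/var/tmp -> $(SEC_INVARIANT) ;
/tmp -> $(SEC_INVARIANT) ;
}
(
rulename = "User binaries",
severity = $(SIG_MED)
)
{
/sbin -> $(SEC_BIN) (recurse = 1) ;
/usr/sbin -> $(SEC_BIN) (recurse = 1) ;
/usr/bin -> $(SEC_BIN) (recurse = 1) ;
}
(
rulename = "Shell Binaries",
severity = $(SIG_HI)
)
{
/bin/sh -> $(SEC_BIN) ;
/bin/bash -> $(SEC_BIN) ;
/usr/bin/bash -> $(SEC_BIN) ;
}
(
rulename = "Security Control",
severity = $(SIG_HI)
)
{
/etc/group -> $(SEC_CRIT) ;
/etc/shadow -> $(SEC_CRIT) ; # password hashes; previously not covered by any rule
}
(
rulename = "Boot Scripts",
severity = $(SIG_HI)
)
{
# $(SEC_BIN) rather than $(SEC_CONFIG): these scripts run as root at boot,
# so an edited script must be reported, which $(Dynamic) would not do. This
# also matches the recursive /etc/rc.d rule below instead of weakening it.
/etc/rc.d/rc.6 -> $(SEC_BIN) ;
/etc/rc.d/rc.K -> $(SEC_BIN) ;
/etc/rc.d/rc.modules -> $(SEC_BIN) ;
/etc/rc.d/rc.M -> $(SEC_BIN) ;
/etc/rc.d/rc.S -> $(SEC_BIN) ;
/etc/rc.d/rc.4 -> $(SEC_BIN) ;
/etc/rc.d/rc.0 -> $(SEC_BIN) ;
/etc/rc.d/rc.sshd -> $(SEC_BIN) ;
/etc/rc.d/rc.inet1 -> $(SEC_BIN) ;
/etc/rc.d/rc.inet2 -> $(SEC_BIN) ;
}
(
rulename = "Login Scripts",
severity = $(SIG_HI)
)
{
/etc/profile -> $(SEC_BIN) ; # sourced by every login shell; content must be checked
}
(
rulename = "Libraries",
severity = $(SIG_MED)
)
{
/usr/lib -> $(SEC_BIN) ;
/usr/local/lib -> $(SEC_BIN) ;
}
(
rulename = "Critical system boot files",
severity = $(SIG_HI)
)
{
/boot -> $(SEC_CRIT) ;
/sbin/lilo -> $(SEC_CRIT) ;
!/boot/System.map ;
!/boot/module-info ;
}
(
rulename = "System boot changes",
severity = $(SIG_HI)
)
{
!/var/run/ftp.pids-all ; # Comes and goes on reboot.
!/root/.enlightenment ;
/dev/log -> $(SEC_CONFIG) ;
/dev/cua0 -> $(SEC_CONFIG) ;
/dev/console -> $(SEC_CONFIG) -u ; #ID may change .
/dev/tty2 -> $(SEC_CONFIG) ; # tty devices
/dev/tty3 -> $(SEC_CONFIG) ; # are extremely
/dev/tty4 -> $(SEC_CONFIG) ; # variable
/dev/tty5 -> $(SEC_CONFIG) ;
/dev/tty6 -> $(SEC_CONFIG) ;
/dev/random -> $(SEC_CONFIG) ;
/dev/urandom -> $(SEC_CONFIG) ;
/dev/initctl -> $(SEC_CONFIG) ;
# /var/lock/syslog -> $(SEC_CONFIG) ;
# /var/lock/subsys/inet -> $(SEC_CONFIG) ; #Uncomment when this file exists
# /var/lock/subsys/named -> $(SEC_CONFIG) ; #Uncomment when this file exists
# /var/run -> $(SEC_CONFIG) ; # daemon PIDs
# /var/log -> $(SEC_CONFIG) ;
#/var/run -> $(SEC_INVARIANT) ; # daemon PIDs
#/var/log -> $(SEC_INVARIANT) ; # Log rotating changes inodes for a given filename
/etc/issue.net -> $(SEC_CONFIG) -i ; # Inode number changes
/etc/ioctl.save -> $(SEC_CONFIG) ;
/etc/issue -> $(SEC_CONFIG) ;
/etc/.pwd.lock -> $(SEC_CONFIG) ;
/etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on mount/unmount
/lib/modules -> $(SEC_BIN) ; # kernel modules: a replaced module must be reported, expect hits on kernel upgrades
}
(
rulename = "Root config files",
severity = 100
)
{
/root -> $(SEC_CRIT) ; # Catch all additions to /root
}
(
rulename = "Critical configuration files",
severity = $(SIG_HI)
)
{
/var/spool/cron/crontabs -> $(SEC_BIN) ;
/etc/cron.hourly -> $(SEC_BIN) ;
/etc/cron.daily -> $(SEC_BIN) ;
/etc/cron.weekly -> $(SEC_BIN) ;
/etc/cron.monthly -> $(SEC_BIN) ;
/etc/default -> $(SEC_BIN) ;
/etc/fstab -> $(SEC_BIN) ;
/etc/group- -> $(SEC_BIN) ; # changes should be infrequent
/etc/host.conf -> $(SEC_BIN) ;
/etc/hosts.allow -> $(SEC_BIN) ;
/etc/hosts.deny -> $(SEC_BIN) ;
/etc/protocols -> $(SEC_BIN) ;
/etc/services -> $(SEC_BIN) ;
/etc/rc.d -> $(SEC_BIN) ;
/etc/motd -> $(SEC_BIN) ;
# Account files get the full SEC_CRIT mask: with $(SEC_CONFIG) an added
# account or changed uid would not be reported.
/etc/passwd -> $(SEC_CRIT) ;
/etc/passwd- -> $(SEC_CRIT) ;
/etc/profile.d -> $(SEC_BIN) ;
/etc/rpc -> $(SEC_BIN) ;
/etc/gettydefs -> $(SEC_BIN) ;
/etc/nsswitch.conf -> $(SEC_BIN) ;
# Name resolution, inetd, init and syslog configuration are content-checked
# with $(SEC_BIN); $(SEC_CONFIG) only notices ownership/permission changes.
/etc/hosts -> $(SEC_BIN) ;
/etc/inetd.conf -> $(SEC_BIN) ;
/etc/inittab -> $(SEC_BIN) ;
/etc/resolv.conf -> $(SEC_BIN) ;
/etc/syslog.conf -> $(SEC_BIN) ;
}
(
rulename = "Critical devices",
severity = $(SIG_HI),
recurse = false
)
{
/dev/kmem -> $(Device) ;
/dev/mem -> $(Device) ;
/dev/null -> $(Device) ;
/dev/zero -> $(Device) ;
/proc/devices -> $(Device) ;
/proc/net -> $(Device) ;
/proc/sys -> $(Device) ;
/proc/cpuinfo -> $(Device) ;
/proc/modules -> $(Device) ;
/proc/mounts -> $(Device) ;
/proc/dma -> $(Device) ;
/proc/filesystems -> $(Device) ;
/proc/pci -> $(Device) ;
/proc/interrupts -> $(Device) ;
/proc/ioports -> $(Device) ;
/proc/kcore -> $(Device) ;
/proc/self -> $(Device) ;
/proc/kmsg -> $(Device) ;
/proc/stat -> $(Device) ;
/proc/ksyms -> $(Device) ;
/proc/loadavg -> $(Device) ;
/proc/uptime -> $(Device) ;
/proc/locks -> $(Device) ;
/proc/version -> $(Device) ;
/proc/mdstat -> $(Device) ;
/proc/meminfo -> $(Device) ;
/proc/cmdline -> $(Device) ;
/proc/misc -> $(Device) ;
}
(
rulename = "OS executables and libraries",
severity = $(SIG_HI)
)
{
/bin -> $(SEC_BIN) ;
/lib -> $(SEC_BIN) ;
}
EOF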
sign the policy file to /etc/tripwire/tw.pol:
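# Sign the text policy with the site key. The site passphrase is not passed
# with --site-passphrase: arguments are visible to every local user in ps
# output and end up in the shell history, so twadmin is left to prompt for it.
twadmin --create-polfile --cfgfile /etc/tripwire/tw.cfg --site-keyfile /etc/tripwire/site.key \
  /etc/tripwire/twpol.txt
chmod 0640 /etc/tripwire/tw.pol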
initialize the database:
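# Build the baseline database from the signed policy. The local passphrase is
# not passed with --local-passphrase (it would be visible in ps output and
# shell history); tripwire prompts for it.
tripwire -m i -c /etc/tripwire/tw.cfg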
perform an integrity check:
# Integrity check (-m c) against the database named in tw.cfg, long-option form.
tripwire --check --cfgfile /etc/tripwire/tw.cfg
Leave /etc/tripwire/twpol.txt in place and continue building your server
until you finish installing all of the necessary software. Then return to update
/etc/tripwire/twpol.txt
and apply changes to the tripwire database with:
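# Policy update mode (-m p) is what picks up an edited twpol.txt: it re-signs
# it as tw.pol and rebuilds the database against it, prompting for the site
# and local passphrases. Database update mode (-m u) does not read
# twpol.txt; it accepts the changes recorded in an integrity-check report
# for files the policy already covers, so run it after a check, not after a
# policy edit.
tripwire -m p -c /etc/tripwire/tw.cfg /etc/tripwire/twpol.txt
tripwire -m u -c /etc/tripwire/tw.cfg -d /var/lib/tripwire/devel.twd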
twpol.txt
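and twcfg.txt laying around. Consider removing them as a safety precaution.
# Daily integrity check from cron. stderr is merged into the mail so a check
# that could not run at all (missing database, unreadable config) is reported
# instead of silently producing no violations; the signed report is still
# written to the TWREPORT directory.
cat > /etc/cron.daily/watch.tripwire << "EOF"
#!/bin/sh
/usr/sbin/tripwire --check --cfgfile /etc/tripwire/tw.cfg 2>&1 \
  | mail -s "serv1 tripwire check" servadmin@localhost
EOF
chmod +x /etc/cron.daily/watch.tripwire
/etc/cron.daily/watch.tripwire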
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set SEC_BIN = $(ReadOnly) ; # Binaries that should not change SEC_CONFIG = $(Dynamic) ; # Config files that change infrequently but accessed often SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership SEC_INVARIANT = +tpug ;
| CHR | Attribute to check | CHR | Attribute to check |
|-----|--------------------|-----|--------------------|
| a | Access timestamp | p | Permissions and file mode bits |
| b | Number of blocks allocated | r | ID of device pointed to by inode (valid only for device objects) |
| c | Inode timestamp (create/modify) | s | File size |
| d | ID of device on which inode resides | t | File type |
| g | File owner's group ID | u | File owner's user ID |
| i | Inode number | C | CRC-32 hash value |
| l | File is increasing in size (a "growing file") | H | Haval hash value |
| m | Modification timestamp | M | MD5 hash value |
| n | Number of links (inode reference count) | S | SHA hash value |
| Variable | Property Mask | Description |
|----------|---------------|-------------|
| $(ReadOnly) | +pinugtsdbmCM-rlacSH | ReadOnly is good for files that are widely available but are intended to be read-only. |
| $(Dynamic) | +pinugtd-srlbamcCMSH | Dynamic is good for monitoring user directories and files that tend to be dynamic in behavior. |
| $(Growing) | +pinugtdl-srbamcCMSH | The Growing variable is intended for files that should only get larger. |
| $(Device) | +pugsdr-intlbamcCMSH | Device is good for devices or other files that Tripwire should not attempt to open. |
| $(IgnoreAll) | -pinugtsdrlbamcCMS | IgnoreAll tracks a file's presence or absence, but doesn't check any other properties. |
| $(IgnoreNone) | +pinugtsdrbamcCMSH-l | IgnoreNone turns on all properties and provides a convenient starting point for defining your own property masks. (For example, mymask = $(IgnoreNone) -ar;). Note that the l property (growing file) is not tracked by $(IgnoreNone). |
| Directive | Purpose |
|-----------|---------|
| @@section | Designates a section of the policy file. |
| @@ifhost | Allow conditional interpretation. |
| @@else | @@ifhost alternative evaluation. |
| @@endif | Ends an @@ifhost. |
| @@print | Print a message to standard output. |
| @@error | Print a message to standard output and then exit. |
| @@end | Marks the logical end-of-file. |
# Page through the signed policy as text (-m p is the short form of --print-polfile).
twadmin -m p | less
# Dump the signed policy as text into a scratch file (-m p = --print-polfile).
twadmin -m p > mypolicy.txt
twpol.txt
and twcfg.txt use:
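# twadmin -m P is --create-polfile (it signs a text policy and expects one as
# input), so redirecting it to twpol.txt does not recreate the file. The mode
# that prints the signed policy back as text is -m p / --print-polfile; the
# configuration has the matching --print-cfgfile.
twadmin --print-polfile > /etc/tripwire/twpol.txt
twadmin --print-cfgfile > /etc/tripwire/twcfg.txt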
# Print a saved report as text (long-option form of twprint -m r -r ... -c ...).
twprint --print-report --twrfile /var/lib/tripwire/report/reportname --cfgfile /etc/tripwire/tw.cfg
Adding programs to the tripwire database: first generate the policy in human readable format:
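# -m P is --create-polfile, which needs a text policy as input and writes the
# signed tw.pol; printing the signed policy back as text is --print-polfile.
twadmin --print-polfile > /etc/tripwire/twpol.txt
Then add the programs that should be protected by tripwire: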
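# Single quotes are required: inside double quotes the shell would run
# $(SEC-BIN) as a command substitution before echo ever saw it. The policy
# syntax is   object -> property-mask (attributes) ;   the variable defined in
# the FS section is SEC_BIN (underscore) and the arrow is ->. A path may
# appear only once in a policy, and /bin/ls and /etc are already listed in
# the one above, so treat these as templates for paths not yet covered.
echo '/bin/ls -> $(SEC_BIN) ;' >> /etc/tripwire/twpol.txt
echo '/etc -> $(SEC_BIN) ;' >> /etc/tripwire/twpol.txt
# recurse limits how deep a directory is scanned (0 = the directory entry
# itself); pick one form per directory:
echo '/etc -> $(SEC_BIN) (recurse = 0) ;' >> /etc/tripwire/twpol.txt
echo '/etc -> $(SEC_BIN) (recurse = 1) ;' >> /etc/tripwire/twpol.txt
echo '/etc -> $(SEC_BIN) (recurse = 2) ;' >> /etc/tripwire/twpol.txt
SEC_BIN is a predefined global variable designating a binary file that should not be changed.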
# Reference manuals shipped with tripwire, one at a time.
man twintro
man twadmin
man twprint
man siggen
man twconfig
man twpolicy
man twfiles