Tripwire

This guide assumes that you plan to secure the configuration, policy, and database files by putting them on a floppy disk and, once tripwire is up and running, flipping the read-only switch to prevent tampering. The same can be achieved with a CD-R, a USB drive or a remote backup location (somewhere with another shell account?).

Edit twcfg.txt

 * This file houses the main parameters: basically all of the runtime switches.
 * For the read-only floppy method described above, modify the config file as follows:


 * You may need to customise this to your needs (e.g. different Mail Transfer Agent [MTA])
 * The EDITOR line modification isn't strictly necessary, but you'll be happier if you follow suit.
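An example twcfg.txt for the floppy layout, added here as an illustration; it is not the configuration from the original page. The keys and the $(HOSTNAME)/$(DATE) variables are Tripwire's own; the mount point /mnt/floppy and the choice of which files live there are this example's assumptions.

```ini
# Added example twcfg.txt: runtime paths pointed at read-only media.
# Assumes the floppy is mounted at /mnt/floppy (an example path, not from the page).
ROOT                   =/usr/sbin
POLFILE                =/mnt/floppy/tw.pol
DBFILE                 =/mnt/floppy/$(HOSTNAME).twd
# Reports are written on every check, so they must stay on writable storage.
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/mnt/floppy/site.key
LOCALKEYFILE           =/mnt/floppy/$(HOSTNAME)-local.key
# Any editor you prefer; an interactive tripwire --update opens the report in it.
EDITOR                 =/bin/vi
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS       =true
EMAILREPORTLEVEL       =3
REPORTLEVEL            =3
# MAILMETHOD and MAILPROGRAM depend on your MTA (SMTP is the other supported method).
MAILMETHOD             =SENDMAIL
SYSLOGREPORTING        =false
MAILPROGRAM            =/usr/sbin/sendmail -oi -t
```

Only POLFILE, DBFILE and the two key files move to the floppy: REPORTFILE is written on every check and has to remain on writable storage. Whenever you regenerate or update the database, the write-protect switch has to be flipped back for the duration of that step.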

Edit /etc/tripwire/twpol.txt

 * This is the meat and potatoes of integrity checking: a list of files/directories, and the consequences if they are found to be modified.

The version of twpol.txt that ships with the tripwire package is adapted from a Red Hat system. A Gentoo-oriented twpol.txt file can be found at http://bugs.gentoo.org/34662

A bash script that creates a tripwire policy text file is posted there, and updated versions of the script can be found in a later bug report: http://bugs.gentoo.org/344577

Because the policy generator checks for file presence as it writes the policy file, tripwire will not report any "File Not Found" errors for the resulting twpol.txt (or other named text policy file) once it has been compiled into the signed tw.pol. When the policy generator is used, there is no need for later pruning of the policy text file: no `perl -pi -e` action and no "~/stufftoprune" or "~/filestoprune" files.

Generate keys
The most efficient way to prune bad entries out of twpol.txt is to run an initialization and redirect the "File not found" output messages to a file for a later perl -pi -e pass. So, on to key generation:


 * 1) run /etc/tripwire/twinstall.sh
 * 2) Input strong passphrases for the following keyfiles:
   * site keyfile: with multiple hosts, used on the server actually performing the analysis
   * local keyfile: with multiple hosts, unique keyfile per host
 * 3) Sign the initial tw.cfg and tw.pol files

Initial database generation
After these steps have been completed, a first database initialization may proceed:

Code: run tripwire init command

Prune initial twpol.txt file
The following is the command I used to trim the output of the stufftoprune file redirected from the database initialization step above:

Code: get file list

Execute the following command, which should comment out the policy entries for files not present on your system:

Code: comment out policy file entries

Look at the diff to make sure there aren't any problems, and copy it back into wherever you are working.

Regenerate signed tw.pol file

The signed file needs to be reconstituted before your changes will be recognized.

Code: sign policy manually

Note: Be mindful of where your files are; if you have already moved them away from the default locations (e.g., the site key file), you may need to pass their paths explicitly.

Re-run database initialization
Since the first initialization was merely executed to grab the errors, this next initialization will be what is used for checking, until the next update.

Code: rerun database initialization
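The pruning procedure above (first init, collect the "File not found" list, comment those entries out, review the diff, re-sign, re-init), carried through as an added shell example; this is not the page's own command set nor part of the Tripwire project. It assumes the init output was saved to ~/stufftoprune and that missing files are reported in the open-source Tripwire 2.x form `### Filename: /path`; the log and policy fragment embedded below are constructed sample data. It uses awk instead of perl -pi -e so that the original twpol.txt stays intact for the diff.

```shell
#!/bin/sh
# Added example (not from the original page or the Tripwire project): prune the
# twpol.txt entries that a first "tripwire --init" reported as missing, so the
# second initialisation runs clean.
#
# Assumptions (this example's, not the page's): the init output was saved with
#     tripwire --init 2>&1 | tee ~/stufftoprune
# and missing files are reported in the open-source Tripwire 2.x format:
#     ### Warning: File system error.
#     ### Filename: /usr/sbin/fixrmtab
#     ### No such file or directory
# The log and the policy fragment below are constructed sample data.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_LOG=$WORK/stufftoprune
SAMPLE_POL=$WORK/twpol.txt

cat >"$SAMPLE_LOG" <<'EOF'
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /etc/rc.d/rc.local
### No such file or directory
### Continuing...
Wrote database file: /var/lib/tripwire/host.twd
EOF

cat >"$SAMPLE_POL" <<'EOF'
# Constructed policy fragment in twpol.txt syntax
(
  rulename = "Critical system boot files",
  severity = $(SIG_HI)
)
{
  /sbin/init           -> $(SEC_CRIT) ;
  /usr/sbin/fixrmtab   -> $(SEC_BIN) ;
  /etc/rc.d/rc.local   -> $(SEC_CONFIG) ;
  /etc/tripwire        -> $(SEC_BIN) (recurse = 0) ;
}
EOF

# Step "get file list": the path of every missing file, de-duplicated.
missing_files() {
    sed -n 's/^### Filename: *//p' "$1" | sort -u
}

# Step "comment out policy file entries": emit a copy of the policy in which
# every rule whose object path was reported missing is prefixed with '#'.
# The original file is untouched so the result can be reviewed with diff.
prune_policy() {
    log=$1; pol=$2
    list=$(mktemp)
    missing_files "$log" >"$list"
    awk -v listfile="$list" '
        BEGIN { while ((getline p < listfile) > 0) missing[p] = 1; close(listfile) }
        # $1 is the first whitespace-delimited token: the object name of the rule.
        ($1 in missing) && !/^[[:space:]]*#/ { print "#" $0; next }
        { print }
    ' "$pol"
    rm -f "$list"
}

# Number of rules the pruning commented out; compare it with the number of
# missing files in the log before you sign anything.
pruned_count() {
    prune_policy "$1" "$2" | grep -c '^#[[:space:]]*/'
}

# Demonstration on the constructed data: prints the pruned policy.
prune_policy "$SAMPLE_LOG" "$SAMPLE_POL"

# The remaining steps are run by hand once the diff looks right:
#   prune_policy ~/stufftoprune /etc/tripwire/twpol.txt > ~/twpol.new
#   diff -u /etc/tripwire/twpol.txt ~/twpol.new
#   cp ~/twpol.new /etc/tripwire/twpol.txt
#   twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
#   tripwire --init
```

On the constructed input the two rules for /usr/sbin/fixrmtab and /etc/rc.d/rc.local come out commented while /sbin/init and /etc/tripwire are left as they were; the pruned_count check should equal the number of distinct paths in the log, and a mismatch means a rule is written in a form the first-token match does not recognise and wants a look by hand.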

Move files to floppy
If you really want your system to remain secure, you should offload all the files we've been dealing with to some kind of read-only media. I choose a floppy because it has a physical read-only switch, but can be updated indefinitely (for some value of indefinitely). Any time you update your system you will have to run a database regeneration, so this last characteristic is valuable.

Similar results are achieved with a removable USB drive (flash drive/thumb stick), or another location over a network (although this is not the most secure option).