Chapter 11. Tripwire
an initial integrity check. This check should be done prior to connecting the computer to the network,
and putting it into production. For instructions on doing this see Section 11.5.
Once Tripwire is configured to your satisfaction, you are free to place the system into production.
11.5. Running an Integrity Check
By default the Tripwire RPM adds a shell script called tripwire-check to the /etc/cron.daily/
directory. This will automatically run an integrity check once per day.
You can, however, run a Tripwire integrity check at any time by typing the following command:
/usr/sbin/tripwire --check
During an integrity check, Tripwire compares the current state of file system objects with the
properties recorded in its database. Violations are printed to the screen and an encrypted copy of
the report is created in /var/lib/tripwire/report/. You can view the report using the twprint
command as outlined in Section 11.6.1.
If you would like to receive an email when certain types of integrity violations occur, you can
configure this in the policy file. See Section 11.8.1 for instructions on how to set up and test
this feature.
11.6. Examining Tripwire Reports
The /usr/sbin/twprint command is used to view encrypted Tripwire reports and databases.
11.6.1. Viewing Tripwire Reports
The twprint -m r command will display the contents of a Tripwire report in clear text. You must,
however, tell twprint which report file to display.
A twprint command for printing Tripwire reports looks similar to the following:
/usr/sbin/twprint -m r --twrfile /var/lib/tripwire/report/<name>.twr
The -m r option in the command directs twprint to decode a Tripwire report. The --twrfile option
directs twprint to use a specific Tripwire report file.
The name of the Tripwire report that you want to see includes the name of the host that Tripwire
checked to generate the report, plus the creation date and time. You can review previously saved
reports at any time. Simply type ls /var/lib/tripwire/report to see a list of Tripwire reports.
Tripwire reports can be rather lengthy, depending upon the number of violations found or errors
generated. A sample report starts off like this:
Tripwire(R) 2.3.0 Integrity Check Report
Report generated by:          root
Report created on:            Fri Jan 12 04:04:42 2001
Database last updated on:     Tue Jan  9 16:19:34 2001
=======================================================================
Report Summary:
=======================================================================
Host name:                    some.host.com
Host IP address:              10.0.0.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
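As an added example (not part of the original guide), the script below picks the newest report for a host from the report directory, decodes it with the twprint options described above, and warns if the "Policy file used" header line differs from the policy file you expect. The function names, the EXPECT_POL variable and the use of hostname to guess the report-name prefix are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the guide. The report directory and twprint options
# are those shown in the text; function names and EXPECT_POL are hypothetical.
REPORT_DIR=${REPORT_DIR:-/var/lib/tripwire/report}
EXPECT_POL=${EXPECT_POL:-/etc/tripwire/tw.pol}

# newest_report HOST [DIR]
# Print the most recently modified .twr file whose name starts with HOST.
newest_report() {
    host=$1; dir=${2:-$REPORT_DIR}; newest=
    for f in "$dir"/"$host"*.twr; do
        [ -f "$f" ] || continue              # an unmatched glob stays literal
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest=$f
        fi
    done
    [ -n "$newest" ] || return 1             # no report for this host
    printf '%s\n' "$newest"
}

# header_field LABEL
# Read a decoded report on stdin and print the value that follows "LABEL:".
header_field() {
    awk -v l="$1:" 'index($0, l) == 1 {
        v = substr($0, length(l) + 1)
        sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
        print v; exit
    }'
}

# Usage: sh thisscript --show [HOST]
# HOST defaults to the output of hostname (an assumption about the name prefix).
if [ "${1:-}" = "--show" ]; then
    report=$(newest_report "${2:-$(hostname)}") || {
        echo "no report found in $REPORT_DIR" >&2; exit 1; }
    text=$(/usr/sbin/twprint -m r --twrfile "$report") || exit 1
    printf '%s\n' "$text"
    pol=$(printf '%s\n' "$text" | header_field 'Policy file used')
    [ "$pol" = "$EXPECT_POL" ] ||
        echo "WARNING: report was generated with policy file '$pol'" >&2
fi
```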