Who's Got Root? Installing and Configuring Tripwire - Page 2

By Carla Schroder | Dec 31, 2002
Rulesets
At last we come to the heart of Tripwire: the rulesets that go in the policy file. twpol.txt and policyguide.txt are good models to study. The basic syntax is:

objectname -> property mask;

Objectname is a file or directory name. If a directory is specified, everything in the directory will be scanned and the property mask applied to everything. If it's a file, then the rule will apply only to that file. Tripwire provides rules and tools to create as many variations on these basic themes as needed. For a complete reference, download the User's Guide from the Tripwire Project page (see Resources); look for 2.3.0-docs-pdf, or 2.3.0-docs-src.

Here are some samples:

/usr/sbin -> $(ReadOnly) ;                 # everything in /usr/sbin is treated as read-only
!/usr/bin/dictd ;                          # do not scan this file
/var/log/tuxracer_scores -> $(Growing) ;   # this file should grow
/dev -> $(Device) ;                        # devices and other files whose attributes, not contents, should be scanned
/. -> $(IgnoreAll) ;                       # check only that this file exists

These canned property mask variables are supplied to handle common needs. Finer tuning can be done with more precise attributes, each preceded by + (to turn a property on) or - (to turn it off). The equivalent of ReadOnly is +pinugtsdbmCM-rlacSH. +pinug is commonly used; it means file permissions, inode number, inode reference count, user ID, and group ID.

Property masks can be user-defined:

mask1 = +pinug ; 
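As an added example (not code from the article or from the Tripwire project), here is a small Python parser for the rule syntax above: it expands $(variable) references, resolves a property mask such as +pinugtsdbmCM-rlacSH into the set of properties it turns on, and answers which rule covers a given path, honouring the directory recursion and ! stop points described earlier. The function names and the sample policy are constructed; ReadOnly's value is the one the article gives, and IgnoreAll is Tripwire's built-in all-properties-off mask, spelled out because the toy parser has no built-in variables.

```python
import re

def resolve_mask(mask):
    """Expand '+pinug-sl' into the set of enabled properties; the last sign wins."""
    enabled, on = set(), True
    for ch in mask.replace(" ", ""):
        if ch in "+-":
            on = ch == "+"
        elif ch in "pinugtsdrlbamcCMSH":            # the Tripwire 2.3 property letters
            enabled.add(ch) if on else enabled.discard(ch)
        else:
            raise ValueError(f"unknown property letter {ch!r}")
    return frozenset(enabled)

def parse_policy(text):
    """Parse '# comment', 'name = mask ;', 'object -> mask ;' and '!object' lines."""
    variables, rules, stops = {}, {}, set()
    expand = lambda s: re.sub(r"\$\((\w+)\)", lambda m: variables[m[1]], s)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if line.startswith("!"):                     # stop point: never scanned
            stops.add(line[1:].strip())
        elif "->" in line:                           # rule: object -> property mask
            obj, mask = (s.strip() for s in line.split("->", 1))
            rules[obj] = resolve_mask(expand(mask))
        elif "=" in line:                            # user-defined mask variable
            name, mask = (s.strip() for s in line.split("=", 1))
            variables[name] = expand(mask)
        elif line:
            raise ValueError(f"cannot parse policy line: {raw!r}")
    return rules, stops

def rule_for(path, rules, stops):
    """Nearest enclosing rule wins; a '!' stop point at or above the path gives None."""
    cur = path
    while cur not in stops:
        if cur in rules:
            return rules[cur]
        if cur == "/" or "/" not in cur:             # reached the root (or a relative path)
            break
        cur = cur.rsplit("/", 1)[0] or "/"
    return None

SAMPLE_POLICY = """# constructed sample (not from the article); IgnoreAll is Tripwire's built-in all-off mask
ReadOnly  = +pinugtsdbmCM-rlacSH ;
IgnoreAll = -pinugtsdrlbamcCMSH ;
/usr/sbin -> $(ReadOnly) ;   # covers everything under /usr/sbin
!/usr/bin/dictd ;            # stop point: never scan this file
/ -> $(IgnoreAll) ;          # only check that / exists
"""
```

Calling rule_for("/usr/sbin/useradd", *parse_policy(SAMPLE_POLICY)) returns the ReadOnly property set inherited from the /usr/sbin directory rule, while /usr/bin/dictd returns None because the stop point excludes it.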

What do you do if a scan reports violations? It undoubtedly will, most likely as the result of overstrict rules. There are several options for running an integrity check. This command runs a basic integrity check; the results are displayed on the screen, and a binary copy of the report is saved to the file location specified in tw.cfg:

# tripwire --check

Run an integrity check, and specify the report file destination:

# tripwire --check --twrfile /filename

Run an integrity check, and email reports to recipients as specified in tw.pol:

# tripwire --check --email-report

Tripwire's interactive mode does a live check: each violation is listed as it's found, with a checkbox next to it. All are checked by default. Uncheck the items you do not want future alarms for. When you're finished, close the file; Tripwire will ask for your password and automatically update the database. Use:

# tripwire --update --twrfile /var/lib/report/reportname.twr

to update the database from a report that has already been generated.

Conclusion
Give yourself a test machine and a couple of weeks to get up to speed. Tripwire is very flexible and powerful. It takes a little experimentation to get a handle on its abilities and to become familiar with the command options. It's an essential utility, the tool of choice to watch the watchers.

Resources
Tripwire, Inc.
Tripwire.org
Filesystem Hierarchy Standard
Tripwire project page


    Did you know it's possible to cut IT costs without impacting day-to-day IT operations? In fact, when you download this whitepaper from Riverbed on cost-savings through WAN optimization, you'll discover how businesses of all different sizes have realized a return on investment in just a few months through significant hard cost savings in areas such as bandwidth reduction and IT consolidation. It's called Extreme Savings and its only from Riverbed. Read >