Who's Got Root? Installing and Configuring Tripwire - Page 2
At last we come to the heart of Tripwire: the rulesets that go in the policy file. twpol.txt and policyguide.txt are good models to study. The basic syntax is:
objectname -> property mask;
Objectname is a file or directory name. If a directory is specified, everything in the directory is scanned and the property mask is applied to all of it. If it's a file, the rule applies only to that file. Tripwire provides rules and tools to create as many variations on these basic themes as needed. For a complete reference, download the User's Guide from the Tripwire Project page (see Resources); look for 2.3.0-docs-pdf or 2.3.0-docs-src.
Here are some samples:
!/usr/bin/dictd # do not scan this file
/var/log/tuxracer_scores -> $(Growing) # this file should grow
/dev -> $(Device) # devices and other files whose attributes, not contents, should be scanned
/. -> $(IgnoreAll) # check only if this file exists
These canned property mask variables are supplied to handle common needs. Finer tuning can be done with more precise attributes, each preceded by + (to turn a property on) or - (to turn it off). The equivalent of ReadOnly is +pinugtsdbmCM-rlacSH. The mask +pinug is commonly used; it checks file permissions, inode number, inode reference count, user ID and group ID.
Property masks can be user-defined:
mask1 = +pinug ;
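To make the mask arithmetic concrete, here is a small added example (my own code, not part of Tripwire or this article) that expands a property mask into the set of letters Tripwire will actually check and reads the three rule forms shown above. The only canned variable it knows is ReadOnly, whose value the article gives; the sample policy and the meanings of letters beyond p, i, n, u, g are assumptions taken from twpol.txt's own comments.

```python
import re

# Property letters from the Tripwire policy-file reference (the page itself
# spells out p, i, n, u, g; the rest are taken from twpol.txt's comments).
PROPERTIES = set("pinugtsdbmCMrlacSH")
# ReadOnly is the one canned variable whose value the page gives; copy
# Growing, Device, IgnoreAll etc. from your own twpol.txt if you need them.
BUILTIN = {"ReadOnly": "+pinugtsdbmCM-rlacSH"}

def expand_mask(mask, variables):
    """'+pinugtsdbmCM-rlacSH' or '$(ReadOnly)-s' -> set of letters checked.
    '+' switches letters on, '-' switches them off, applied left to right."""
    while "$(" in mask:  # resolve $(name) references, possibly nested
        mask = re.sub(r"\$\((\w+)\)", lambda m: variables[m.group(1)], mask)
    enabled, sign = set(), "+"
    for ch in mask.replace(" ", ""):
        if ch in "+-":
            sign = ch
        elif ch in PROPERTIES:
            enabled.add(ch) if sign == "+" else enabled.discard(ch)
        else:
            raise ValueError(f"unknown property letter {ch!r}")
    return enabled

def parse_policy(text, variables=None):
    """Read 'name = mask;', 'object -> mask;' and '!object' lines; return
    [(object, enabled letters)] with None for '!' (never scan) entries."""
    variables = dict(BUILTIN, **(variables or {}))
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        if line.startswith("!"):
            rules.append((line[1:].strip(), None))
        elif "->" in line:
            obj, mask = (s.strip() for s in line.split("->", 1))
            rules.append((obj, expand_mask(mask, variables)))
        elif "=" in line:
            name, mask = (s.strip() for s in line.split("=", 1))
            variables[name] = mask
        else:
            raise ValueError(f"cannot parse policy line {raw!r}")
    return rules

# Constructed sample in the page's rule forms (not a real twpol.txt)
SAMPLE_POLICY = """
mask1 = +pinug ;
!/usr/bin/dictd                    # do not scan this file
/etc/passwd -> $(ReadOnly) ;       # metadata and contents must not change
/var/log/messages -> $(mask1) ;    # metadata only; contents may change
/usr/sbin -> $(mask1)+sM ;         # metadata plus size and MD5
"""
```

Note that a letter switched off with - after it was switched on by a variable simply drops out of the set, which is exactly how twpol.txt builds masks such as a ReadOnly variant minus one attribute.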
What to do if a scan reports violations? It undoubtedly will, most likely as the result of overstrict rules. There are several options for running an integrity check. The basic command, tripwire --check, runs an integrity check: results are displayed on the screen, and a binary copy of the report is saved to the location specified in tw.cfg.
Run an integrity check, and specify the report file destination:
# tripwire --check --twrfile /filename
Run an integrity check, and email reports to recipients as specified in tw.pol:
# tripwire --check --email-report
Running the check interactively (tripwire --check --interactive) does a live check: each violation is listed as it's found, with a checkbox, and all are checked by default. Uncheck the items you do not want future alarms for. When you're finished, close the file; Tripwire will ask for your password and automatically update the database. Use:
# tripwire --update --twrfile /var/lib/report/reportname.twr
to use a report that has already been generated.
Give yourself a test machine and a couple of weeks to get up to speed. Tripwire is very flexible and powerful. It takes a little experimentation to get a handle on its abilities and to become familiar with the command options. It's an essential utility, the tool of choice to watch the watchers.