Securing Tripwire for Linux | All about OS


Category: Securing and Optimizing

Security Issue
It is important to make sure that the integrity of the system you are running has not already been compromised. For maximum confidence in your baseline database, generate the operating system and application files from a clean installation and original media.
It is also recommended that you delete the plain-text copy of the Tripwire configuration file, “twcfg.txt”, located under the “/usr/bin” directory, to hide the location of Tripwire’s files and prevent anyone from creating a second, or alternate, configuration file.
To delete the plain-text copy of the Tripwire configuration file, use the following command:
[root@deep /]# rm -f /usr/bin/twcfg.txt
Further documentation
For more details, there are several man pages you can read:
siggen(8)    - signature gathering routine for Tripwire
tripwire(8)    - a file integrity checker for UNIX systems
twadmin(8)    - Tripwire administrative and utility tool
twconfig(4)    - Tripwire configuration file reference
twfiles(5)    - overview of files used by Tripwire and file backup process
twintro(8)    - introduction to Tripwire software
twpolicy(4)    - Tripwire policy file reference
twprint(8)    - Tripwire database and report printer
Commands
The commands listed below are the ones we use most often, but many more exist. Check the man pages for more details.
Creating the database for the first time
Once your policy file has been installed, it is time to build and initialize your database of file system objects, based on the rules from your policy file. This database will serve as the baseline for later integrity checks.
The syntax for Database Initialization mode is:
[root@deep /]# tripwire {--init}
•    To initialize your database file, use the following command:
[root@deep /]# tripwire --init
Please enter your local passphrase:
Parsing policy file: /usr/TSS/policy/tw.pol
Generating the database…
*** Processing Unix File System ***
Wrote database file: /usr/TSS/db/deep.openna.com.twd
The database was successfully generated.
NOTE: Once this command has completed, the database is ready; you can now check system integrity and review the report file.
Running the Integrity or Interactive Check Mode
Tripwire has a feature called “Integrity Check Mode”. Now that our database has been built, we can run this feature to compare the current file system objects with their properties as recorded in the Tripwire database. All violations are printed to stdout; the generated report file is saved and can later be viewed with the twprint utility.
The syntax for Integrity Check mode is:
[root@deep /]# tripwire {--check}
•    To run the integrity check mode, use the command:
[root@deep /]# tripwire --check
Tripwire can also be run in “Interactive Check Mode”. In this mode you are prompted in the terminal to accept or reject each detected change, and the database is updated accordingly.
•    To run in interactive check mode, use the command:
[root@deep /]# tripwire --check --interactive
Tripwire also has an email option: with it, reports are emailed to the recipients designated in the policy file.
•    To run in integrity check mode and email the report to the recipients, use the command:
[root@deep /]# tripwire --check --email-report
Updating the database after an integrity check
If you have decided to use the “Integrity Check Mode” of Tripwire instead of the “Interactive Check Mode”, you must update the Tripwire database with the “Database Update Mode” feature. This update process allows you to save time by updating the database without having to regenerate it, and it also enables selective updating, which cannot be done through regeneration.
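The whole workflow above (initialize, run a non-interactive check, review the report with twprint, update the database from that report), together with the earlier security note about leaving no plain-text twcfg.txt behind, as an added POSIX shell example that is not part of the original page or of the Tripwire distribution. The directories /usr/TSS/bin and /usr/TSS/report, the twpol.txt file name, and the exit-status bitmask (1 added, 2 removed, 4 changed, 8 error, as documented in tripwire(8)) are assumptions taken from the Tripwire 2.x manual pages rather than from this page; adjust them to your installation.

```shell
#!/bin/sh
# Added example (not from the page or from Tripwire itself): a small wrapper
# around the Tripwire 2.x check/update workflow. Paths are assumptions; the
# page's own install uses /usr/TSS, so the defaults follow that layout.
TW_BIN="${TW_BIN:-/usr/TSS/bin}"                     # assumed: tripwire, twprint
TW_REPORT_DIR="${TW_REPORT_DIR:-/usr/TSS/report}"    # assumed: *.twr reports

# Decode the exit status of `tripwire --check`. tripwire(8) documents it as a
# bitmask: 1 = files added, 2 = files removed, 4 = files changed, 8 = error.
# Prints the set bits in that order, or "clean" when none are set.
decode_tw_status() {
    status=$1
    out=""
    [ $((status & 1)) -ne 0 ] && out="${out}added "
    [ $((status & 2)) -ne 0 ] && out="${out}removed "
    [ $((status & 4)) -ne 0 ] && out="${out}changed "
    [ $((status & 8)) -ne 0 ] && out="${out}error "
    [ -z "$out" ] && out="clean"
    printf '%s\n' "${out% }"
}

# The page's "Security Issue": a plain-text twcfg.txt (and the plain-text
# policy source, twpol.txt) reveals where Tripwire keeps its files. Returns 0
# when none of the given directories still contains one, 1 otherwise, and
# names each file found.
find_plaintext_leftovers() {
    found=0
    for dir in "$@"; do
        for name in twcfg.txt twpol.txt; do
            if [ -f "$dir/$name" ]; then
                echo "plain-text $name still present: $dir/$name"
                found=1
            fi
        done
    done
    return "$found"
}

# Integrity Check Mode, non-interactive, suitable for cron. --email-report
# sends the report to the recipients named in the policy file.
run_tw_check() {
    "$TW_BIN/tripwire" --check --email-report
    rc=$?
    echo "tripwire --check: $(decode_tw_status "$rc")"
    return "$rc"
}

# Newest report file (*.twr) in the report directory, or nothing if none.
latest_tw_report() {
    ls -t "$TW_REPORT_DIR"/*.twr 2>/dev/null | head -n 1
}

# Print the newest report at full detail with twprint, so the violations can
# be reviewed before anything is accepted into the database.
print_latest_report() {
    report=$(latest_tw_report)
    [ -n "$report" ] || { echo "no report found in $TW_REPORT_DIR" >&2; return 1; }
    "$TW_BIN/twprint" --print-report --report-level 4 --twrfile "$report"
}

# Database Update Mode from that report: tripwire opens the report in an
# editor so each violation can be accepted or rejected, then asks for the
# local passphrase. This is the selective update the page describes.
update_db_from_latest_report() {
    report=$(latest_tw_report)
    [ -n "$report" ] || { echo "no report found in $TW_REPORT_DIR" >&2; return 1; }
    "$TW_BIN/tripwire" --update --twrfile "$report"
}
```

Source this file and call find_plaintext_leftovers /usr/bin /usr/TSS/bin once after installation; run_tw_check is the piece to schedule from cron, and print_latest_report followed by update_db_from_latest_report is the review-first alternative to the interactive check mode.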

Pages: 1 2
