| field | value |
|---|---|
| author | José María Alonso <nimiux@gentoo.org>, 2013-09-25 08:45:54 +0000 |
| committer | José María Alonso <nimiux@gentoo.org>, 2013-09-25 08:45:54 +0000 |
| commit | ba1e2a75a681dd269a5114a5f07db25c80a6ee33 (patch) |
| tree | eebad5dcf2a437a81a2df469b1a58b58d8418ceb /app-admin/tripwire/files/tripwire.txt |
| parent | Version bump (diff) |
Revision bump
(Portage version: 2.2.1/cvs/Linux x86_64, signed Manifest commit with key D628E536)
Diffstat (limited to 'app-admin/tripwire/files/tripwire.txt')
-rw-r--r-- | app-admin/tripwire/files/tripwire.txt | 290 |
1 files changed, 240 insertions, 50 deletions
diff --git a/app-admin/tripwire/files/tripwire.txt b/app-admin/tripwire/files/tripwire.txt index b29aa7ec21d9..4f47f8bd8196 100644 --- a/app-admin/tripwire/files/tripwire.txt +++ b/app-admin/tripwire/files/tripwire.txt 
@@ -1,82 +1,272 @@ -Introduction -Tripwire v2.3 software ensures the integrity of critical system files and directories by identifying all changes made to specified system files and directories. Configure Tripwire software to monitor your system in the way that is best for you. +tripwire.txt v. 11 Sept 2013 -Tripwire software works by comparing files and directories against a baseline. It generates the baseline by taking a "snapshot" of specified files and directories in a known secure state. Tripwire software then compares the current system against the baseline and reports any modifications, additions, or deletions. Use Tripwire software for system security, intrusion detection, damage assessment, and recovery forensics. +Introduction to Tripwire, with Gentoo-specific installation information -To install Tripwire v2.3 -1. Locate the RPM directory on the CD. -2. Locate the Tripwire RPM. -3. Type rpm -i "name" -4. After installing the Tripwire binary RPM, follow these Post-Installation instructions. -5. We recommend you read the Release Notes and README file. +Tripwire software can monitor the integrity of critical system files and +directories by identifying specified changes made to selected system +files and directories. Configure Tripwire software to monitor your +system in the way that is best for you. -Post-Installation Instructions -The Tripwire binary RPM installs the basic program files needed to run the software. However, this installation does not complete custom configurations that Tripwire 2.3 needs to perform correctly. After you unpack the RPM, you must: -1. Run the configuration script: /etc/tripwire/twinstall.sh to sign these files. This script walks you through the processes of setting passphrases and signing the Tripwire policy and configuration files. -Note: Once encoded and signed, the configuration file should not be renamed or moved. -2. Initialize the Tripwire database file. (/usr/sbin/tripwire--init) -3. Run the first integrity check. 
(/usr/sbin/tripwire--check) -4. Edit the configuration file (twcfg.txt) with a text editor, if desired. -5. Edit the policy file (twpol.txt) with a text editor, if desired. +Tripwire software works by comparing files and directories against a +defined baseline, stored in a tripwire-created database. Tripwire +generates the baseline by taking a "snapshot" of specified files and +directories. Tripwire software then compares the current system against +the baseline and reports modifications, additions, or deletions. Use +Tripwire software for system security, intrusion detection, damage +assessment, and recovery forensics. -Note: If you plan to modify the policy file, we recommend you do so before running the configuration script. If you modify the policy file after running the configuration script, you must re-run the configuration file before initializing the database file. + +To set-up Tripwire Configuration + +The Tripwire tarball installs the basic program files needed to run the +software. However, this installation does not prepare the configuration +files that Tripwire needs to perform correctly. After you install the +tripwire executable files and example configuration, you must: + +1. Review and perhaps edit the plain-text tripwire configuration file + (/etc/tripwire/twcfg.txt) with a text editor, if desired. + +2. Either run a configuration script (twsetup.sh from Gentoo's mktwpol + package, or tripwire-setup-keyfiles from Red Hat, or deprecated + twinstall.sh, also from Red Hat), or run the program `twadmin` with + the correct command line switches to make key files and encrypt/sign + the tripwire configuration file. 
+ + Make site key file + ------------------ + `twadmin --generate-keys -S /etc/tripwire/site.key` + + Make local key file + ------------------- + `twadmin --generate-keys -L /etc/tripwire/$HOSTNAME-local.key` + + Make mandatory signed tripwire configuration file (tw.cfg) + ---------------------------------------------------------- + `twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt` + +Note: Once encrypted/signed, the configuration file, tw.cfg, must not be +renamed or moved. The plain-text tripwire configuration file (twcfg.txt) +should be deleted. It can be recreated with `twadmin --print-cfgfile` + +3. Make a plain-text policy file. The use of the name twpol.txt is + common, but the name of this file is not defined or used by Tripwire, + other than preparation of the encrypted/signed policy file. + + To make the plain-text policy file, either run a policy file generator + (for example, mktwpol.sh from Gentoo's mktwpol package), or edit the + plain-text policy file (twpol-GENERIC.txt, or twpol.txt, or similar) + with a text editor. The plain-text policy file should not refer to + any non-existent file or directory. + + If you edit twpol-GENERIC.txt to act as your plain-text policy file, + provide your system's HOSTNAME at line 61. If you don't provide + the correct HOSTNAME, a tripwire inspection of the target computer's + filesystem will fail to check the tripwire database file for changes. + + TWDB=/var/lib/tripwire/YOUR_HOSTNAME.twd; + +4. Convert the plain-text policy file into the encrypted/signed form + that tripwire will refer to as it examines the files on the target + computer's filesystem. The default filename for the encrypted/signed + policy file is defined in the tripwire configuration file (tw.cfg) + and is usually tw.pol. The encryption/signing of plain-text twpol.txt + is done with yet another `twadmin` command line. 
+ + Make mandatory encrypted/signed system inspection policy file + -------------------------------------------------------------- + `twadmin -m P -c /etc/tripwire/tw.cfg /etc/tripwire/twpol.txt` + +Note: If you modify the plain-text policy file after running the +configuration script, you must re-sign the plain-text policy file before +initializing the database file. Tripwire baseline database creation and +inspections refer to the encrypted/signed policy file, not to the +plain-text policy file. + +Note: The plain-text tripwire policy file (twpol.txt) should be deleted. +It can be recreated with `twadmin --print-polfile` + +5. Initialize the Tripwire database file. + + Record current file attributes in the tripwire database + ------------------------------------------------------- + `tripwire --init -c /etc/tripwire/tw.cfg` + +Note: Tripwire might issue some "Warning: File system error" errors, +and appear to hang. But as long as it follows with "### Continuing...", +it is still working. + +6. Run the first integrity check. + + `tripwire --check -c /etc/tripwire/tw.cfg` + +Note: The use of "-c /etc/tripwire/tw.cfg" is not required if Tripwire +uses the default tripwire configuration directory and file names. If +you defer to tripwire default filenames, then updating a text policy +file into a tripwire database, and running an integrity check, can be +done with these commands: + + `twadmin --create-polfile /etc/tripwire/twpol.txt` + `tripwire --init` + `tripwire --check` Modifying the Policy File -You can specify how Tripwire software checks your system in the Tripwire policy file (twpol.txt). A default policy file is included in the Tripwire software installation. We recommend you tailor this policy file to fit your particular system. Tailoring the policy file greatly increases Tripwire software's ability to ensure the integrity of your system. -Locate the default policy file at /etc/tripwire/twpol.txt. 
An example policy file (located at /usr/doc/tripwire-VER#-REL#/policyguide.txt) is included to help you learn the policy language. Read the sample policy file and the comments in the sample policy file to learn the policy language. +How Tripwire software checks your system is specified in the Tripwire +plain-text policy file (twpol.txt). A default policy file is included in +the Tripwire software installation. This policy file should be tailored +to fit your particular system. Tailoring the policy file is necessary +to take advantage of Tripwire software's ability to monitor changes on +your system. + +The plain-text policy file is usually located at /etc/tripwire/twpol.txt. +An example policy file (located at /etc/tripwire/twpol-GENERIC.txt, or +at /usr/share/doc/tripwire-VER#-REL#/policyguide.txt) is included to +help you learn the policy language. Read the sample policy files and +the comments in the sample policy file to learn the policy language. + +After you modify the plain-text policy file, don't forget! + + encrypt/sign using `twadmin --create-polfile /etc/tripwire/twpol.txt` -After you modify the policy file, follow the Post-Installation Instructions (run the configuration script). This script signs the modified policy file and renames it to tw.pol. This is the active policy file that runs as part of the Tripwire software. Selecting Passphrases -Tripwire files are signed or encrypted using site or local keys. These keys are protected by passphrases. When selecting passphrases, the following recommendations apply: -Use at least eight alphanumeric and symbolic characters for each passphrase. The maximum length of a passphrase is 1023 characters. Quotes should not be used as passphrase characters. -Assign a unique passphrase for the site key. The site key passphrase protects the site key, which is used to sign Tripwire software configuration and policy files. Assign a unique passphrase for the local key. The local key signs Tripwire database files. 
The local key may sign the Tripwire report files also. +Tripwire files are encrypted/signed using site or local keys. These keys +are protected by passphrases. When selecting passphrases, the following +recommendations apply: + +Use at least eight alphanumeric and symbolic characters for each +passphrase. The maximum length of a passphrase is 1023 characters. +Quotes should not be used as passphrase characters. -Store the passphrases in a secure location. There is no way to remove encryption from a signed file if you forget your passphrase. If you forget the passphrases, the files are unusable. In that case you must reinitialize the baseline database. +Assign a unique passphrase for the site key. The site key passphrase +protects the site key, which is used to sign Tripwire software +configuration and policy files. Assign a unique passphrase for the local +key. The local key signs the Tripwire baseline database file. The local +key may sign the Tripwire report files also. + +Store the passphrases in a secure location. There is no way to remove +encryption from a signed file if you forget your passphrase and lost the +key files. If you forget the passphrases, the files are unusable. In +that case you must create new key files and the baseline database. + + +Initializing the Database + +In Database Initialization mode, Tripwire software builds a database of +filesystem objects based on the rules in the policy file. This database +serves as the baseline for integrity checks. The syntax for Database +Initialization mode is: + + `tripwire --init -c /etc/tripwire/tw.cfg` -Initializing the Database -In Database Initialization mode, Tripwire software builds a database of filesystem objects based on the rules in the policy file. This database serves as the baseline for integrity checks. 
The syntax for Database Initialization mode is: -tripwire --init Running an Integrity Check -The Integrity Check mode compares the current file system objects with their properties recorded in the Tripwire database. Violations are printed to stdout. The report file is saved and can later be accessed by twprint. An email option enables you to send email. The syntax for Integrity Check mode is: -tripwire --check + +The Integrity Check mode compares the current file system objects with +their properties recorded in the Tripwire database. Violations are +printed to stdout. The report file is saved and can later be accessed by +twprint. An email option enables you to send email. The syntax for +Integrity Check mode is: + + `tripwire --check -c /etc/tripwire/tw.cfg` + Printing Reports - twprint Print Report Mode -The twprint --print-report mode prints the contents of a Tripwire report. If you do not specify a report with the --twrfile or -r command-line argument, the default report file specified by the configuration file REPORTFILE variable is used. -Example: On a machine named LIGHTHOUSE, the command would be: -./twprint -m r --twrfile LIGHTHOUSE-19990622-021212.twr + +The twprint --print-report mode prints the contents of a Tripwire +report. If you do not specify a report with the --twrfile or -r +command-line argument, the default report file specified by the +configuration file REPORTFILE variable is used. + +Example: On a machine named LIGHTHOUSE, the command could be: + + `twprint -m r --twrfile LIGHTHOUSE-19990622-021212.twr` + Updating the Database after an Integrity Check -Database Update mode enables you to update the Tripwire database after an integrity check if you determine that the violations discovered are valid. This update process saves time by enabling you to update the database without having to re-initialize it. It also enables selective updating, which cannot be done through re-initialization. 
The syntax for Database Update mode is: -tripwire --update + +Database Update mode enables you to update the Tripwire database after +an integrity check if you determine that the violations discovered are +valid. This update process saves time by enabling you to update the +database without having to re-initialize it. It also enables selective +updating, which cannot be done through re-initialization. The syntax for +Database Update mode is: + + `tripwire --update` + Updating the Policy File -Change the way that Tripwire software scans the system by changing the rules in the policy file. You can then update the database without a complete re-initialization. This saves a significant amount of time and preserves security by keeping the policy file synchronized with the database it uses. The syntax for Policy Update mode is: -tripwire --update-policy + +Change the way that Tripwire software scans the system by changing the +rules in the policy file. You can then update the database without a +complete re-initialization. This saves a significant amount of time and +preserves security by keeping the policy file synchronized with the +database it uses. The syntax for Policy Update mode is: + + `tripwire --update-policy` + Testing email functions -Test mode tests the software's email notification system, using the settings currently specified in the configuration file. The syntax for Email Test Reporting mode is: -tripwire --test + +Test mode tests the software's email notification system, using the +settings currently specified in the configuration file. The syntax for +Email Test Reporting mode is: + + `tripwire --test` + Tripwire Components -The policy file begins as a text file containing comments, rules, directives, and variables. These dictate the way Tripwire software checks your system. Each rule in the policy file specifies a system object to be monitored. Rules also describe which changes to the object to report, and which to ignore. 
-System objects are the files and directories you wish to monitor. Each object is identified by an object name. A property refers to a single characteristic of an object that Tripwire software can monitor. Directives control conditional processing of sets of rules in a policy file. During installation, the text policy file is encrypted and renamed, and becomes the active policy file. +The policy file begins as a text file containing comments, rules, +directives, and variables. These dictate the way Tripwire software +checks your system. Each rule in the policy file specifies a system +object to be monitored. Rules also describe which changes to the object +to report, and which to ignore. -The database file is an important component of Tripwire software. When first installed, Tripwire software uses the policy file rules to create the database file. The database file is a baseline "snapshot" of the system in a known secure state. Tripwire software compares this baseline against the current system to determine what changes have occurred. This is an integrity check. +System objects are the files and directories you wish to monitor. Each +object is identified by an object name. A property refers to a single +characteristic of an object that Tripwire software can monitor. +Directives control conditional processing of sets of rules in a policy +file. During installation, the text policy file is encrypted/signed and +renamed, and becomes the active policy file. -When you perform an integrity check, Tripwire software produces report files. Report files summarize any changes that violated the policy file rules during the integrity check. You can view the report file in a variety of formats, at varying levels of detail. +The database file is an important component of Tripwire software. When +first installed, Tripwire software uses the policy file rules to create +the database file. The database file is a baseline "snapshot" of the +system in a known secure state. 
Tripwire software compares this baseline +against the current system to determine what changes have occurred. This +is an integrity check. + +When you perform an integrity check, Tripwire software produces report +files. Report files summarize any changes that violated the policy file +rules during the integrity check. You can view the report file in a +variety of formats, at varying levels of detail. + +The Tripwire configuration file stores system-specific information, such +as the location of Tripwire data files. Tripwire software generates some +of the configuration file information during installation. The system +administrator can change parameters in the configuration file at any +time. The configuration file variables POLFILE, DBFILE, REPORTFILE, +SITEKEYFILE, and LOCALKEYFILE specify where the policy file, database +file, report files, and site and local key files reside. These variables +must be defined or the configuration file is invalid. If any of these +variables are undefined, an error occurs on execution of Tripwire +software and the program exits. -The Tripwire configuration file stores system-specific information, such as the location of Tripwire data files. Tripwire software generates some of the configuration file information during installation. The system administrator can change parameters in the configuration file at any time. The configuration file variables POLFILE, DBFILE, REPORTFILE, SITEKEYFILE, and LOCALKEYFILE specify where the policy file, database file, report files, and site and local key files reside. These variables must be defined or the configuration file is invalid. If any of these variables are undefined, an error occurs on execution of Tripwire software and the program exits. Tripwire Help -All Tripwire commands support the help arguments. Example: To get help with Create Configuration File mode, type: ./twadmin --help --create-cfgfile --? 
Display usage and version information ---help Display all command modes ---help all Display help for all command modes ---help [mode] Display help for current command mode ---version Display version information +All Tripwire commands support the help arguments. + +Example: To get help with Create Configuration File mode, type: + + `twadmin --help --create-cfgfile` + + -? Display usage and version information + --help Display all command modes + --help all Display help for all command modes + --help [mode] Display help for current command mode + --version Display version information + +We recommend you read the Tripwire Release Notes and README file. |
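Review bot: The quick-path note after step 6 ("If you defer to tripwire default filenames, then updating a text policy file into a tripwire database ... can be done with these commands: `twadmin --create-polfile ...`, `tripwire --init`, `tripwire --check`") describes a policy change followed by a full `--init`, which discards the existing baseline and accepts whatever state the filesystem is in at that moment; that contradicts the later "Updating the Policy File" section, which says policy changes should go through `tripwire --update-policy` precisely so the database is updated "without a complete re-initialization". Suggest either pointing that note at `--update-policy` for an already-initialized system, or saying explicitly that the three-command sequence is for first-time setup only. Two smaller points in the same hunk: step 3's "provide your system's HOSTNAME at line 61" will go stale the moment twpol-GENERIC.txt is edited, so refer to the `TWDB=/var/lib/tripwire/YOUR_HOSTNAME.twd;` line by its variable name instead of a line number; and step 2 generates the local key at `/etc/tripwire/$HOSTNAME-local.key` while step 1 only says to review twcfg.txt "if desired", yet the Components section states LOCALKEYFILE and SITEKEYFILE must name the actual key file locations or the program exits, so step 1 should say to set those two variables to the paths chosen in step 2 before step 3 signs twcfg.txt. Also, in the passphrase section, "if you forget your passphrase and lost the key files" should read "and lose the key files".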