Differences

This shows you the differences between two versions of the page.

--- tripwire:verify_the_tripwire_configuration [2016/11/27 17:09] – peter
+++ tripwire:verify_the_tripwire_configuration [2019/12/04 21:55] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== Tripwire - Verify the Tripwire Configuration ======
-Check to see what the tripwire report looks like and if there are truly no warnings:
-The basic syntax for a check is:
-<code bash>
-sudo tripwire --check
-</code>
-You should see a report output to your screen specifying that there were no errors or changes found on your system.
-shows
-<code>
-Parsing policy file: /etc/tripwire/tw.pol
-*** Processing Unix File System ***
-Performing integrity check...
-The object: "/dev/hugepages" is on a different file system...ignoring.
-The object: "/dev/mqueue" is on a different file system...ignoring.
-The object: "/dev/shm" is on a different file system...ignoring.
-The object: "/proc/sys/fs/binfmt_misc" is on a different file system...ignoring.
-Wrote report file: /var/lib/tripwire/report/server1.sharewiz.net-20161126-110710.twr
-Open Source Tripwire(R) 2.4.2.2 Integrity Check Report
-Report generated by:          root
-Report created on:            Sat 26 Nov 2016 11:07:10 GMT
-Database last updated on:     Never
-===============================================================================
-Report Summary:
-===============================================================================
-Host name:                    server1.sharewiz.net
-Host IP address:              192.168.1.2
-Host ID:                      None
-Policy file used:             /etc/tripwire/tw.pol
-Configuration file used:      /etc/tripwire/tw.cfg
-Database file used:           /var/lib/tripwire/server1.sharewiz.net.twd
-Command line used:            tripwire --check
-===============================================================================
-Rule Summary:
-===============================================================================
--------------------------------------------------------------------------------
-  Section: Unix File System
--------------------------------------------------------------------------------
-  Rule Name                       Severity Level    Added    Removed  Modified
-  ---------                       --------------    -----    -------  --------
-  Other binaries                  66                0        0        0
-  Tripwire Binaries               100               0        0        0
-  Other libraries                 66                0        0        0
-  Root file-system executables    100               0        0        0
-  Tripwire Data Files             100               0        0        0
-* System boot changes             100               16       0        3
-  (/var/log)
-  Root file-system libraries      100               0        0        0
-  (/lib)
-  Critical system boot files      100               0        0        0
-  Other configuration files       66                0        0        0
-  (/etc)
-  Boot Scripts                    100               0        0        0
-  Security Control                66                0        0        0
-  Root config files               100               0        0        0
-  Devices & Kernel information    100               0        0        0
-  Invariant Directories           66                0        0        0
-Total objects scanned:  121417
-Total violations found:  19
-===============================================================================
-Object Summary:
-===============================================================================
--------------------------------------------------------------------------------
-# Section: Unix File System
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
-Rule Name: System boot changes (/var/log)
-Severity Level: 100
--------------------------------------------------------------------------------
-Added:
-"/var/log/psad/59.27.80.177"
-"/var/log/psad/59.27.80.177/danger_level"
-"/var/log/psad/59.27.80.177/192.168.1.2_email_alert"
-"/var/log/psad/59.27.80.177/192.168.1.2_signatures"
-"/var/log/psad/59.27.80.177/192.168.1.2_start_time"
-"/var/log/psad/59.27.80.177/192.168.1.2_packet_ctr"
-"/var/log/psad/59.27.80.177/email_ctr"
-"/var/log/psad/59.27.80.177/59.27.80.177_whois"
-"/var/log/psad/220.164.163.75"
-"/var/log/psad/220.164.163.75/danger_level"
-"/var/log/psad/220.164.163.75/192.168.1.2_email_alert"
-"/var/log/psad/220.164.163.75/192.168.1.2_signatures"
-"/var/log/psad/220.164.163.75/192.168.1.2_start_time"
-"/var/log/psad/220.164.163.75/192.168.1.2_packet_ctr"
-"/var/log/psad/220.164.163.75/email_ctr"
-"/var/log/psad/220.164.163.75/220.164.163.75_whois"
-Modified:
-"/var/log/psad"
-"/var/log/psad/top_ports"
-"/var/log/psad/top_sigs"
-===============================================================================
-Error Report:
-===============================================================================
-No Errors
--------------------------------------------------------------------------------
-*** End of report ***
-Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
-trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
-for details use --version. This is free software which may be redistributed
-or modified only under certain conditions; see COPYING for details.
-All rights reserved.
-Integrity check complete.
-</code>
-Notice the following lines near the top of the report.  These indicate that tripwire is not monitoring these, so it would be best to update the Tripwire configuration by including these missing objects. See [[Tripwire:Configure Tripwire|Configure Tripwire]].
-<code>
-The object: "/dev/hugepages" is on a different file system...ignoring.
-The object: "/dev/mqueue" is on a different file system...ignoring.
-The object: "/dev/shm" is on a different file system...ignoring.
-The object: "/proc/sys/fs/binfmt_misc" is on a different file system...ignoring.
-</code>
-===== Do an interactive check =====
-<code bash>
-sudo tripwire --check --interactive
-</code>
-This will run the same tests as normal, but at the end, instead of outputting the report to the screen, it is copied into a text file and opened with the default editor.
-This report goes into quite a lot of detail about each file that changed. In fact, on my machine, the report generated was 2,275 lines long. This amount of information is extremely helpful in the event of a real security problem, but in our case, it's generally probably not too interesting for the most part.
-The important part is near the top.  After some introductory information, you should see some lines with check boxes for each of the added or modified files:
-<code>
-Rule Name: Other binaries (/usr/sbin)
-Severity Level: 66
--------------------------------------------------------------------------------
-Remove the "x" from the adjacent box to prevent updating the database
-with the new values for this object.
-Added:
-[x] "/usr/sbin/maidag"
-Modified:
-[x] "/usr/sbin"
-. . .
-</code>
-These check boxes indicate that you want to update the database to allow these changes.  You should search for every box that has an "x" in it and verify that those are changes that you made or are okay with.
-If you are not okay with a change, you can remove the "x" from the box and that file will not be updated in the database.  This will cause this file to still flag tripwire on the next run.
-After you have decided on which file changes are okay, you can save and close the file.
-At this point, it will ask for your local passphrase so that tripwire can update its database files.
-===== Do an interactive check =====
-<code bash>
-sudo tripwire --check --interactive
-</code>
-This will run the same tests as normal, but at the end, instead of outputting the report to the screen, it is copied into a text file and opened with the default editor.
-This report goes into quite a lot of detail about each file that changed. In fact, on my machine, the report generated was 2,275 lines long. This amount of information is extremely helpful in the event of a real security problem, but in our case, it's generally probably not too interesting for the most part.
-The important part is near the top.  After some introductory information, you should see some lines with check boxes for each of the added or modified files:
-Rule Name: Other binaries (/usr/sbin)
-Severity Level: 66
--------------------------------------------------------------------------------
-Remove the "x" from the adjacent box to prevent updating the database
-with the new values for this object.
-Added:
-[x] "/usr/sbin/maidag"
-Modified:
-[x] "/usr/sbin"
-. . .
-</code>
-These check boxes indicate that you want to update the database to allow these changes. You should search for every box that has an "x" in it and verify that those are changes that you made or are okay with.
-If you are not okay with a change, you can remove the "x" from the box and that file will not be updated in the database. This will cause this file to still flag tripwire on the next run.
-After you have decided on which file changes are okay, you can save and close the file.
-At this point, it will ask for your local passphrase so that tripwire can update its database files.
-If we accepted all of the changes, and if we re-run this command, the report should be much shorter now and list no changes.