Tripwire - Verify the Tripwire Configuration
Check what the Tripwire report looks like and confirm that there are truly no warnings.
The basic syntax for a check is:
sudo tripwire --check
A report is printed to your screen; ideally it states that no errors or changes were found on your system. The run below shows what the report looks like (this one reports no errors, but the "System boot changes" rule flagged 16 added and 3 modified objects under /var/log/psad):
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
The object: "/dev/hugepages" is on a different file system...ignoring.
The object: "/dev/mqueue" is on a different file system...ignoring.
The object: "/dev/shm" is on a different file system...ignoring.
The object: "/proc/sys/fs/binfmt_misc" is on a different file system...ignoring.
Wrote report file: /var/lib/tripwire/report/server1.sharewiz.net-20161126-110710.twr

Open Source Tripwire(R) 2.4.2.2 Integrity Check Report

Report generated by:          root
Report created on:            Sat 26 Nov 2016 11:07:10 GMT
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    server1.sharewiz.net
Host IP address:              192.168.1.2
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/server1.sharewiz.net.twd
Command line used:            tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Other binaries                  66                0        0        0
  Tripwire Binaries               100               0        0        0
  Other libraries                 66                0        0        0
  Root file-system executables    100               0        0        0
  Tripwire Data Files             100               0        0        0
* System boot changes             100               16       0        3
  (/var/log)
  Root file-system libraries      100               0        0        0
  (/lib)
  Critical system boot files      100               0        0        0
  Other configuration files       66                0        0        0
  (/etc)
  Boot Scripts                    100               0        0        0
  Security Control                66                0        0        0
  Root config files               100               0        0        0
  Devices & Kernel information    100               0        0        0
  Invariant Directories           66                0        0        0

Total objects scanned:  121417
Total violations found:  19

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/log)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/log/psad/59.27.80.177"
"/var/log/psad/59.27.80.177/danger_level"
"/var/log/psad/59.27.80.177/192.168.1.2_email_alert"
"/var/log/psad/59.27.80.177/192.168.1.2_signatures"
"/var/log/psad/59.27.80.177/192.168.1.2_start_time"
"/var/log/psad/59.27.80.177/192.168.1.2_packet_ctr"
"/var/log/psad/59.27.80.177/email_ctr"
"/var/log/psad/59.27.80.177/59.27.80.177_whois"
"/var/log/psad/220.164.163.75"
"/var/log/psad/220.164.163.75/danger_level"
"/var/log/psad/220.164.163.75/192.168.1.2_email_alert"
"/var/log/psad/220.164.163.75/192.168.1.2_signatures"
"/var/log/psad/220.164.163.75/192.168.1.2_start_time"
"/var/log/psad/220.164.163.75/192.168.1.2_packet_ctr"
"/var/log/psad/220.164.163.75/email_ctr"
"/var/log/psad/220.164.163.75/220.164.163.75_whois"

Modified:
"/var/log/psad"
"/var/log/psad/top_ports"
"/var/log/psad/top_sigs"

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a
registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO
WARRANTY; for details use --version. This is free software which may be
redistributed or modified only under certain conditions; see COPYING for
details. All rights reserved.
Integrity check complete.
Notice the following lines near the top of the report. They indicate that Tripwire is not monitoring these objects, because each of them lives on a different file system from the directory the rule covers, so it is best to update the Tripwire configuration (the policy) so that these missing objects are included explicitly:
The object: "/dev/hugepages" is on a different file system...ignoring.
The object: "/dev/mqueue" is on a different file system...ignoring.
The object: "/dev/shm" is on a different file system...ignoring.
The object: "/proc/sys/fs/binfmt_misc" is on a different file system...ignoring.
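Reading a long report by eye is error-prone, so the added helper below (example code, not part of the original wiki page) pulls out the three things this page tells you to look for: the objects Tripwire skipped as "on a different file system", the rules marked with "*" in the Rule Summary, and the total violation count. Each function reads a report on stdin, so it works on the output of `sudo tripwire --check`; the excerpt at the bottom is constructed from the report shown above, with columns shortened.

```shell
#!/bin/sh
# Added example, not from the wiki page or the Tripwire project: summarise a
# Tripwire integrity-check report fed on stdin, e.g.
#   sudo tripwire --check | tee /tmp/tw.txt; ignored_objects < /tmp/tw.txt

# Objects skipped because they sit on another file system; these are the
# candidates for explicit policy rules that the page recommends adding.
ignored_objects() {
    sed -n 's/^The object: "\([^"]*\)" is on a different file system\.\.\.ignoring\.$/\1/p'
}

# Rules flagged with a leading "*" in the Rule Summary (at least one object
# added, removed or modified), printed as name|severity|added|removed|modified.
changed_rules() {
    awk '/^\* / {
        name = $2
        for (i = 3; i <= NF - 4; i++) name = name " " $i
        printf "%s|severity=%s|added=%s|removed=%s|modified=%s\n",
               name, $(NF-3), $(NF-2), $(NF-1), $NF
    }'
}

# The grand total from the Report Summary (prints nothing if the line is absent).
violation_count() {
    sed -n 's/^Total violations found: *\([0-9][0-9]*\) *$/\1/p'
}

# Succeeds only for a clean run: a violation count that is present and zero.
# A missing count is treated as not clean, so a truncated report never passes.
report_is_clean() {
    count=$(violation_count)
    [ -n "$count" ] && [ "$count" -eq 0 ]
}

# Constructed excerpt of the report shown on this page (columns collapsed).
SAMPLE_REPORT='Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
The object: "/dev/hugepages" is on a different file system...ignoring.
The object: "/dev/shm" is on a different file system...ignoring.
  Rule Name                       Severity Level    Added    Removed  Modified
  Other binaries                  66                0        0        0
* System boot changes             100               16       0        3
  (/var/log)
Total objects scanned:  121417
Total violations found:  19
Error Report:
No Errors'

printf '%s\n' "$SAMPLE_REPORT" | ignored_objects
printf '%s\n' "$SAMPLE_REPORT" | changed_rules
```

Because `report_is_clean` returns a shell exit status, it can be the condition in a cron wrapper that only mails you when the check is not clean.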