Examining Tripwire Reports


The /usr/sbin/twprint command is used to view encrypted Tripwire reports and databases.

Viewing Tripwire Reports

The twprint -m r command will display the contents of a Tripwire report in clear text. You must, however, tell twprint which report file to display. A twprint command for printing Tripwire reports looks similar to the following:

/usr/sbin/twprint -m r --twrfile /var/lib/tripwire/report/name.twr

The -m r option in the command directs twprint to decode a Tripwire report. The --twrfile option directs twprint to use a specific Tripwire report file. The name of the Tripwire report that you want to see includes the name of the host that Tripwire checked to generate the report, plus the creation date and time. You can review previously saved reports at any time. Simply type ls /var/lib/tripwire/report to see a list of Tripwire reports. Tripwire reports can be rather lengthy, depending upon the number of violations found or errors generated. A sample report starts off like this:

Tripwire(R) 2.3.0 Integrity Check Report

Report generated by:            root
Report created on:              Fri Jan 12 04:04:42 2001
Database last updated on:       Tue Jan  9 16:19:34 2001

=============================================================
Report Summary:
=============================================================

Host name:                            some.host.com
Host IP address:                      10.0.0.1
Host ID:                              None
Policy file used:                     /etc/tripwire/tw.pol
Configuration file used:              /etc/tripwire/tw.cfg
Database file used:       /var/lib/tripwire/some.host.com.twd
Command line used:                 /usr/sbin/tripwire --check

=============================================================
Rule Summary:
=============================================================

-------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------

Rule Name            Severity Level  Added  Removed  Modified
---------            --------------  -----  -------  --------
Invariant Directories      69          0       0        0
Temporary directories      33          0       0        0
* Tripwire Data Files     100          1       0        0
Critical devices          100          0       0        0
User binaries              69          0       0        0
Tripwire Binaries         100          0       0        0
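The Rule Summary above is what an administrator scans for non-zero Added/Removed/Modified counts. The following script is an added example, not code from the guide or from Tripwire: it decodes the newest report with twprint (the path and report directory given above) and prints only the violated rules, so the check can run from cron and fail loudly. The embedded sample text is constructed in the Rule Summary layout shown above.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): list rules with violations in a
# decoded Tripwire report. REPORT_DIR and the twprint path are the ones the
# guide documents; the sample report text below is constructed.

REPORT_DIR=/var/lib/tripwire/report

SAMPLE_REPORT=$(cat <<'EOF'
Rule Summary:
=============================================================
Rule Name            Severity Level  Added  Removed  Modified
---------            --------------  -----  -------  --------
Invariant Directories      69          0       0        0
Temporary directories      33          0       0        0
* Tripwire Data Files     100          1       0        0
Critical devices          100          0       0        0
EOF
)

# Read decoded report text on stdin; print "rule|severity|added|removed|modified"
# for each Rule Summary row whose Added, Removed or Modified count is non-zero.
violated_rules() {
    awk '
        /^Rule Summary:/ { in_rules = 1; next }
        /^Object Summary:/ || /^Error Report:/ { in_rules = 0 }
        in_rules && NF >= 5 && $(NF-3) ~ /^[0-9]+$/ && $(NF-2) ~ /^[0-9]+$/ &&
            $(NF-1) ~ /^[0-9]+$/ && $NF ~ /^[0-9]+$/ {
            sev = $(NF-3); added = $(NF-2); removed = $(NF-1); modified = $NF
            if (added + removed + modified > 0) {
                name = $0
                sub(/^\* /, "", name)   # Tripwire marks violated rules with "* "
                sub(/[ \t]+[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+[ \t]*$/, "", name)
                print name "|" sev "|" added "|" removed "|" modified
            }
        }'
}

# Decode the most recent .twr file and check it: returns 0 when clean,
# 2 when violations are listed, 1 when no report exists.
check_latest_report() {
    latest=$(ls -t "$REPORT_DIR"/*.twr 2>/dev/null | head -n 1)
    [ -n "$latest" ] || { echo "no reports in $REPORT_DIR" >&2; return 1; }
    hits=$(/usr/sbin/twprint -m r --twrfile "$latest" | violated_rules)
    [ -n "$hits" ] || return 0
    echo "$hits"
    return 2
}
```

Call check_latest_report from a cron job on a host where Tripwire is installed; violated_rules can also be fed the output of twprint directly for an older report.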

Viewing Tripwire Databases

You can also use twprint to view the entire database or information about selected files in the Tripwire database. This is useful for seeing just how much information Tripwire is tracking on your system. To view the entire Tripwire database, type:

/usr/sbin/twprint -m d --print-dbfile | less

This command will generate a large amount of output, with the first few lines appearing similar to this:

Tripwire(R) 2.3.0 Database

Database generated by:                      root
Database generated on:                      Tue Jan  9 13:56:42 2001
Database last updated on:                   Tue Jan  9 16:19:34 2001

================================================================
Database Summary:
================================================================

Host name:                              some.host.com
Host IP address:                        10.0.0.1
Host ID:                                None
Policy file used:                       /etc/tripwire/tw.pol
Configuration file used:                /etc/tripwire/tw.cfg
Database file used:                     /var/lib/tripwire/some.host.com.twd
Command line used:                      /usr/sbin/tripwire --init

================================================================
Object Summary:
================================================================

----------------------------------------------------------------
# Section: Unix File System
----------------------------------------------------------------

                      Mode        UID      Size          Modify Time
                     ------     -------   ------      ---------------
 /                drwxr-xr-x    root (0)    XXX        XXXXXXXXXXXXXXXXX
 /bin             drwxr-xr-x    root (0)   4096    Mon Jan  8 08:20:45 2001
 /bin/arch        -rwxr-xr-x    root (0)   2844    Tue Dec 12 05:51:35 2000
 /bin/ash         -rwxr-xr-x    root (0)  64860    Thu Dec  7 22:35:05 2000
 /bin/ash.static  -rwxr-xr-x    root (0) 405576    Thu Dec  7 22:35:05 2000

To see information about a particular file that Tripwire is tracking, such as /etc/hosts, use the following command:

/usr/sbin/twprint -m d --print-dbfile /etc/hosts

The result will look similar to this:

Object name:      /etc/hosts

Property:                       Value:
-------------                   -----------
Object Type                     Regular File
Device Number                   773
Inode Number                    216991
Mode                            -rw-r--r--
Num Links                       1
UID                             root (0)
GID                             root (0)

See the twprint man page for more options.




Official Red Hat Linux Administrator's Guide
ISBN: 0764516957
Year: 2002
Pages: 278
Authors: Red Hat Inc
