Customizing Tripwire

Previous page
Table of content
Next page


After you have installed the Tripwire RPM, you need to complete the following steps to initialize the software.

Edit /etc/tripwire/twcfg.txt

Although you are not required to edit this sample Tripwire configuration file, you may find it necessary for your situation. For instance, you may want to alter the location of Tripwire files, customize email settings, or customize the level of detail for reports. Below is a list of required user-configurable variables in the /etc/tripwire/twcfg.txt file:

  • POLFILE — Specifies the location of the policy file; /etc/tripwire/tw.pol is the default value.

  • DBFILE — Specifies the location of the database file; /var/lib/tripwire/$(HOSTNAME).twd is the default value.

  • REPORTFILE — Specifies the location of the report files. By default this value is set to /var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr.

  • SITEKEYFILE — Specifies the location of the site key file; /etc/tripwire/site.key is the default value.

  • LOCALKEYFILE — Specifies the location of the local key file; /etc/tripwire/$(HOSTNAME)-local.key is the default value.

    Note

    If you edit the configuration file and leave any of the above variables undefined, the configuration file will be invalid. If this occurs, when you execute the tripwire command it will report an error and exit.

The rest of the configurable variables in the sample /etc/tripwire/twcfg.txt file are optional. These include the following:

  • EDITOR — Specifies the text editor called by Tripwire. The default value is /bin/vi.

  • LATEPROMPTING — If set to true, this variable configures Tripwire to wait as long as possible before prompting the user for a password, thereby minimizing the amount of time the password is in memory. The default value is false.

  • LOOSEDIRECTORYCHECKING — If set to true, this variable configures Tripwire to report if a file within a watched directory changes and not to report the change for the directory itself. That is, any changes to the directory file will not be reported, though changes to directory contents will be reported. This limits redundancy in Tripwire reports. The default value is false.

  • SYSLOGREPORTING — If set to true, this variable configures Tripwire to report information to the syslog daemon via the user facility. The log level is set to notice. See the syslogd man page for more information. The default value is false.

  • MAILNOVIOLATIONS — If set to true, this variable configures Tripwire to email a report at a regular interval regardless of whether or not any violations have occurred. The default value is true.

  • EMAILREPORTLEVEL — Specifies the level of detail for emailed reports. Valid values for this variable are 0 through 4. The default value is 3.

  • REPORTLEVEL — Specifies the level of detail for reports generated by the twprint command. This value can be overridden on the command line and is set to 3 by default.

  • MAILMETHOD — Specifies which mail protocol Tripwire should use. Valid values are SMTP and SENDMAIL. The default value is SENDMAIL.

  • MAILPROGRAM — Specifies which mail program Tripwire should use. The default value is /usr/sbin/sendmail -oi -t.

After editing the sample configuration file, you will need to configure the sample policy file.

Warning

For security purposes, you should either delete or store in a secure location any copies of the plaintext /etc/tripwire/twcfg.txt file after running the installation script or regenerating a signed configuration file. Alternatively, you can change the permissions so that it is not world-readable.

Edit /etc/tripwire/twpol.txt

Although it is not required, you should edit this heavily commented sample Tripwire policy file to take into account the specific applications, files, and directories on your system. Relying on the unaltered sample configuration from the RPM may not adequately protect your system. Modifying the policy file also increases the usefulness of Tripwire reports by minimizing false alerts for files and programs you are not using and by adding functionality, such as email notification.

Note

Notification via email is not configured by default. See the section “Tripwire and Email” for more on configuring this feature.

If you modify the sample policy file after running the configuration script, see the section “Updating the Tripwire Policy File” for instructions on regenerating a signed policy file.

Warning

For security purposes, you should either delete or store in a secure location any copies of the plaintext /etc/tripwire/twpol.txt file after running the installation script or regenerating a signed configuration file. Alternatively, you can change the permissions so that it is not world-readable.

Run the twinstall.sh Script

As the root user, type /etc/tripwire/twinstall.sh at the shell prompt to run the configuration script. The twinstall.sh script will ask you for site and local passwords. These passwords are used to generate cryptographic keys for protecting Tripwire files. The script then creates and signs these files. When selecting the site and local passwords, consider the following guidelines:

  • Use at least eight alphanumeric and symbolic characters, but for each password do not exceed 1,023.

  • Do not use quotes in a password.

  • Make the Tripwire passwords completely different from the root password or any other password for the system.

  • Use unique passwords for both the site key and the local key.

The site key password protects the Tripwire configuration and policy files. The local key password protects the Tripwire database and report files.

Warning

There is no way to decrypt a signed file if you forget your passwords. If you forget the passwords, the files are unusable and you will have to run the configuration script again.

By encrypting its configuration, policy, database, and report files, Tripwire protects them from being viewed by anyone who does not know the site and local passwords. This means that, even if intruders obtain root access to your system, they will not be able to alter the Tripwire files to hide their tracks. Once encrypted and signed, the configuration and policy files generated by running the twinstall.sh script should not be renamed or moved.


Previous page
Table of content
Next page
Official Red Hat Linux Administrator's Guide
Official Red Hat Linux Administrators Guide
ISBN: 0764516957
EAN: 2147483647
Year: 2002
Pages: 278
Authors: Red Hat Inc
BUY ON AMAZON
Documenting Software Architectures: Views and Beyond
Java for RPG Programmers, 2nd Edition
C++ GUI Programming with Qt 3
An Introduction to Design Patterns in C++ with Qt 4
After Effects and Photoshop: Animation and Production Effects for DV and Film, Second Edition
Java All-In-One Desk Reference For Dummies
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy