Intrusion Detection Systems: Part II - Installing Tripwire

After you modify the policy file, follow the post-installation instructions and run the configuration script. This script signs the modified policy file and writes it out as tw.pol, the active policy file that the Tripwire software uses.

Selecting Passphrases

Tripwire files are signed or encrypted using site or local keys. These keys are protected by passphrases. When selecting passphrases, the following recommendations apply:

1. Use at least eight alphanumeric and symbolic characters for each passphrase.

2. The maximum length of a passphrase is 1023 characters.

3. Quotes should not be used as passphrase characters.

4. Assign a unique passphrase for the site key. The site key passphrase protects the site key, which is used to sign Tripwire software configuration and policy files.

5. Assign a unique passphrase for the local key. The local key signs Tripwire database files. The local key may sign the Tripwire report files also.

Store the passphrases in a secure location. There is no way to remove encryption from a signed file if you forget your passphrase. If you forget the passphrases, the files are unusable. In that case, you must reinitialize the baseline database.
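The recommendations above can be checked before the configuration script ever prompts for a passphrase. The following POSIX shell functions are an added example, not part of the article or of the Tripwire distribution; rule 1 ("alphanumeric and symbolic characters") is interpreted here, as an assumption, as requiring at least one letter, one digit and one non-alphanumeric character.

```shell
#!/bin/sh
# Added example: check candidate Tripwire passphrases against the
# recommendations in this section. Not part of Tripwire itself.
#
# Usage:  check_passphrase "<candidate>"
#         check_passphrase_pair "<site passphrase>" "<local passphrase>"
# Each prints one line per violated rule and returns 0 only if all rules hold.

check_passphrase() {
    pass=$1
    ok=0
    len=${#pass}

    # Rule 1: at least eight characters.
    if [ "$len" -lt 8 ]; then
        echo "too short: $len characters (minimum 8)"; ok=1
    fi
    # Rule 2: Tripwire accepts at most 1023 characters.
    if [ "$len" -gt 1023 ]; then
        echo "too long: $len characters (maximum 1023)"; ok=1
    fi
    # Rule 3: no single or double quote characters.
    case $pass in
        *\'*|*\"*) echo "contains a quote character"; ok=1 ;;
    esac
    # Rule 1, mix of character classes (assumed interpretation):
    # at least one letter, one digit and one symbol.
    case $pass in *[A-Za-z]*) ;; *) echo "no letter"; ok=1 ;; esac
    case $pass in *[0-9]*)    ;; *) echo "no digit"; ok=1 ;; esac
    case $pass in *[!A-Za-z0-9]*) ;; *) echo "no symbol character"; ok=1 ;; esac
    return $ok
}

# Rules 4 and 5: the site key and the local key get different passphrases,
# and each one must pass the per-passphrase rules.
check_passphrase_pair() {
    if [ "$1" = "$2" ]; then
        echo "site and local passphrases must differ"
        return 1
    fi
    check_passphrase "$1" && check_passphrase "$2"
}
```

Run the pair check on both passphrases before starting the configuration script; if either fails, pick a new one rather than discovering later that a weak or shared passphrase protects both keys.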

Initializing the database

In Database Initialization mode, Tripwire software builds a database of filesystem objects based on the rules in the policy file. This database serves as the baseline for integrity checks. The syntax for Database Initialization mode is:

bash# tripwire --init

Running an Integrity Check

This is what you have been waiting for. Having initialized the database and signed it with your passphrase, you can now run an integrity check on the system. Under normal circumstances, you would do this daily, and especially whenever you suspect that the security measures you have in place have been compromised. The Integrity Check mode compares the current file system objects with their properties recorded in the Tripwire database. Violations are printed to standard output. The report file is saved and can later be accessed with the Tripwire utility twprint. An email option enables the report to be sent by email. The syntax for Integrity Check mode is:

bash# tripwire --check

The Tripwire RPM adds a file to the /etc/cron.daily directory that will automatically run an integrity check once every day.
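A plain cron job that only runs `tripwire --check` discards the one thing an operator most wants from a daily check: whether it found anything. The wrapper below is an added example, not the RPM's own cron.daily script, and it assumes (from the tripwire(8) manual page) that `tripwire --check` exits with a bitmask in which 1 means objects were added, 2 removed, 4 changed and 8 that the check itself hit an error. The log path is a hypothetical default.

```shell
#!/bin/sh
# Added example: daily integrity check wrapper that records and classifies the
# exit status of "tripwire --check". Not the Tripwire RPM's own cron script.
#
# Assumption (tripwire(8)): the exit status is a bitmask,
#   1 = added objects, 2 = removed objects, 4 = changed objects, 8 = error.
# A status of 0 means the file system still matches the baseline database.

# Hypothetical default log location; override in the environment if needed.
TRIPWIRE_CHECK_LOG=${TRIPWIRE_CHECK_LOG:-/var/log/tripwire-check.log}

# Print one line per flag set in the exit status. Returns 0 only for status 0.
describe_check_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "no violations"
        return 0
    fi
    [ $((status & 1)) -ne 0 ] && echo "added objects"
    [ $((status & 2)) -ne 0 ] && echo "removed objects"
    [ $((status & 4)) -ne 0 ] && echo "changed objects"
    [ $((status & 8)) -ne 0 ] && echo "check error (see the report or syslog)"
    return 1
}

# Run the check, append its output and a classified summary to the log, and
# pass the original exit status back so cron or a monitoring job can act on it.
# tripwire writes the signed report file itself; twprint can read it later.
run_daily_check() {
    if tripwire --check >>"$TRIPWIRE_CHECK_LOG" 2>&1; then
        status=0
    else
        status=$?
    fi
    {
        echo "$(date '+%Y-%m-%d %H:%M:%S') tripwire --check exit status $status:"
        describe_check_status "$status" | sed 's/^/  /'
    } >>"$TRIPWIRE_CHECK_LOG"
    return $status
}

# Invoked as a script (for example from /etc/cron.daily) with --run, perform
# the check; when sourced for its functions, do nothing.
if [ "${1:-}" = "--run" ]; then
    run_daily_check
fi
```

Because the wrapper returns the real exit status, cron's mail or any job scheduler that watches exit codes will flag a non-zero day without having to parse the report, while the log keeps the summary for later review alongside the twprint output.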

Printing Reports - twprint Print Report Mode