Paul Greene wrote:
> Any tripwire gurus out there?
> 
> I have two tripwire related questions that I hope are easy enough to
> answer. 
> 
> I recently installed tripwire on a Redhat 7.0 webserver using an RPM
> file, and ran the twinstall.sh script. Then I ran the following
> commands to initialize the database and update the database.
> 
>     tripwire -m i
>     tripwire -m u
> 
> Why is it then, when I run  .........
> 
>     tripwire -m c
> 
> It still flags as missing a bunch of files that don't, and never did,
> exist on the system. The "tw.pol" file and "localhost.localdomain.twd"
> appear to be binary files and not editable. How do you stop tripwire
> from trying to scan for files that don't exist on the system?
> 
> Also, what is the best way to protect the tripwire files themselves in
> case the system were to ever be compromised? i.e. copy the important
> files to a secure server and replace them on the original server when
> you want to run tripwire? or copy them to a floppy disk? or ?
> 
> And which files would need to have copies made of them? I would guess
> the tw.pol file and the *.twd files; are there any others?
> 
> Thanks in advance
> 
> PG

You need to go through the process of making the policy file match your
system.  There are scripts that can help you do this but still you need to
address the policy file by looking at it and deciding what you want to do.  

I have so many systems that run tw that I change the hostname to match the
real host name, so my db is like: <FQDN>.twd rather than the localhost
localdomain thing.  

So to answer your question, a script (search list archives, or wait for a
response with one) works great at removing non-existing files, but you still
should spend the time creating an accurate twpol file.  I just got done
doing a RH80 install and I ran a quick script to comment out those pesky
files.  Then I spent about a half hour going over each section and adding
and deleting to match what my system really is and/or the way I want it
reporting.

Once you get your policy file the way you want it you can re-institute the
new twpol with "-m p <twpol.newname>".  Then move all text versions of twpol
and twcfg files off the system.  This leaves only encrypted files in their
place.

I back up my twd files once a week and have used these when a corruption has
taken place.  Once you get the tw thing working you will feel naked and
exposed without it on a system.

By the way, your process, while I don't advocate not spending time creating an
accurate policy file, is flawed:

-m i
-m c
-m u

This is because -m u works off an existing report that is created by -m c!
However, again, this will not accurately show you your system, and files will
still appear.  Spend the time on the policy.



-- 
redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list
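The reply above mentions a quick script that comments out the policy entries for files that do not exist on the host before the policy is compiled with "-m p". The script below is an added example written for this thread, not code from the original posters; it assumes the stock twpol.txt layout of one "/path -> $(MASK) ;" entry per line and uses a constructed policy fragment as its sample input.

```shell
#!/bin/sh
# Added example, not from the original post: comment out the entries of a
# plain-text Tripwire policy (twpol.txt) whose path does not exist on this
# host, so "tripwire -m c" stops reporting them as missing. Assumes the stock
# layout of one "/path -> $(MASK) ;" entry per line; rule headers, variable
# definitions, braces and existing comments are passed through unchanged.

# prune_policy INPUT OUTPUT: copy INPUT to OUTPUT, prefixing missing-path entries with "#"
prune_policy() {
    src="$1"; dst="$2"
    : > "$dst"
    while IFS= read -r line || [ -n "$line" ]; do
        # path = first token after leading whitespace and an optional "!" exclusion marker
        path=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*!\{0,1\}//; s/[[:space:]].*$//')
        case "$path" in
            /*)
                # -e fails on a dangling symlink, -L catches it; both count as present
                if [ -e "$path" ] || [ -L "$path" ]; then
                    printf '%s\n' "$line" >> "$dst"
                else
                    printf '#%s\n' "$line" >> "$dst"
                fi ;;
            *)  printf '%s\n' "$line" >> "$dst" ;;   # comments, variables, $(TWBIN) paths, braces
        esac
    done < "$src"
}

# count_pruned FILE: how many entries the pruner disabled (lines it prefixed with "#")
count_pruned() {
    grep -c '^#[[:space:]]*!\{0,1\}/' "$1" || true
}

# write_sample_policy FILE: constructed fragment in the Red Hat twpol.txt style
write_sample_policy() {
    cat > "$1" <<'EOF'
SEC_CRIT = $(IgnoreNone)-SHa ;
(
  rulename = "Critical system boot files",
  severity = $(SIG_HI)
)
{
  /etc                    -> $(SEC_CRIT) (recurse = 0) ;
  /nonexistent/tw-demo    -> $(SEC_CRIT) ;
  !/tmp ;
  $(TWBIN)/tripwire       -> $(SEC_CRIT) ;
}
EOF
}

tmp=$(mktemp -d) && write_sample_policy "$tmp/twpol.txt"
prune_policy "$tmp/twpol.txt" "$tmp/twpol.pruned"
echo "entries commented out: $(count_pruned "$tmp/twpol.pruned")"
```

Review the pruned file by hand before running "tripwire -m p" on it, since a path that is absent today may be one you still want reported if it appears later.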