From 4f2d7949f03e1c198bc888f2d05f421d35c57e21 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Mon, 9 Oct 2017 18:53:29 +0100 Subject: reinit the tree, so we can have metadata --- app-admin/tripwire/files/tripwire | 10 ++ app-admin/tripwire/files/tripwire.txt | 272 ++++++++++++++++++++++++++++++++++ app-admin/tripwire/files/twcfg.txt | 15 ++ 3 files changed, 297 insertions(+) create mode 100644 app-admin/tripwire/files/tripwire create mode 100644 app-admin/tripwire/files/tripwire.txt create mode 100644 app-admin/tripwire/files/twcfg.txt (limited to 'app-admin/tripwire/files') diff --git a/app-admin/tripwire/files/tripwire b/app-admin/tripwire/files/tripwire new file mode 100644 index 000000000000..8f0f23f3e2d5 --- /dev/null +++ b/app-admin/tripwire/files/tripwire @@ -0,0 +1,10 @@ +#!/bin/sh +HOST_NAME=`uname -n` +if [ ! -e /var/lib/tripwire/${HOST_NAME}.twd ] ; then + echo "**** Error: Tripwire database for ${HOST_NAME} not found. ****" + echo "**** Check tripwire.txt file for instructions or install ****" + echo "**** app-admin/mktwpol package (if you used the \"tools\" ****" + echo "**** USE flag, this has been done for you already. ****" +else + test -f /etc/tripwire/tw.cfg && /usr/sbin/tripwire --check --quiet +fi diff --git a/app-admin/tripwire/files/tripwire.txt b/app-admin/tripwire/files/tripwire.txt new file mode 100644 index 000000000000..4f47f8bd8196 --- /dev/null +++ b/app-admin/tripwire/files/tripwire.txt @@ -0,0 +1,272 @@ +tripwire.txt v. 11 Sept 2013 + +Introduction to Tripwire, with Gentoo-specific installation information + +Tripwire software can monitor the integrity of critical system files and +directories by identifying specified changes made to selected system +files and directories. Configure Tripwire software to monitor your +system in the way that is best for you. + +Tripwire software works by comparing files and directories against a +defined baseline, stored in a tripwire-created database. Tripwire +generates the baseline by taking a "snapshot" of specified files and +directories. Tripwire software then compares the current system against +the baseline and reports modifications, additions, or deletions. Use +Tripwire software for system security, intrusion detection, damage +assessment, and recovery forensics. + + +To set-up Tripwire Configuration + +The Tripwire tarball installs the basic program files needed to run the +software. However, this installation does not prepare the configuration +files that Tripwire needs to perform correctly. After you install the +tripwire executable files and example configuration, you must: + +1. Review and perhaps edit the plain-text tripwire configuration file + (/etc/tripwire/twcfg.txt) with a text editor, if desired. + +2. Either run a configuration script (twsetup.sh from Gentoo's mktwpol + package, or tripwire-setup-keyfiles from Red Hat, or deprecated + twinstall.sh, also from Red Hat), or run the program `twadmin` with + the correct command line switches to make key files and encrypt/sign + the tripwire configuration file. + + Make site key file + ------------------ + `twadmin --generate-keys -S /etc/tripwire/site.key` + + Make local key file + ------------------- + `twadmin --generate-keys -L /etc/tripwire/$HOSTNAME-local.key` + + Make mandatory signed tripwire configuration file (tw.cfg) + ---------------------------------------------------------- + `twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt` + +Note: Once encrypted/signed, the configuration file, tw.cfg, must not be +renamed or moved. The plain-text tripwire configuration file (twcfg.txt) +should be deleted. It can be recreated with `twadmin --print-cfgfile` + +3. Make a plain-text policy file. The use of the name twpol.txt is + common, but the name of this file is not defined or used by Tripwire, + other than preparation of the encrypted/signed policy file. + + To make the plain-text policy file, either run a policy file generator + (for example, mktwpol.sh from Gentoo's mktwpol package), or edit the + plain-text policy file (twpol-GENERIC.txt, or twpol.txt, or similar) + with a text editor. The plain-text policy file should not refer to + any non-existent file or directory. + + If you edit twpol-GENERIC.txt to act as your plain-text policy file, + provide your system's HOSTNAME at line 61. If you don't provide + the correct HOSTNAME, a tripwire inspection of the target computer's + filesystem will fail to check the tripwire database file for changes. + + TWDB=/var/lib/tripwire/YOUR_HOSTNAME.twd; + +4. Convert the plain-text policy file into the encrypted/signed form + that tripwire will refer to as it examines the files on the target + computer's filesystem. The default filename for the encrypted/signed + policy file is defined in the tripwire configuration file (tw.cfg) + and is usually tw.pol. The encryption/signing of plain-text twpol.txt + is done with yet another `twadmin` command line. + + Make mandatory encrypted/signed system inspection policy file + -------------------------------------------------------------- + `twadmin -m P -c /etc/tripwire/tw.cfg /etc/tripwire/twpol.txt` + +Note: If you modify the plain-text policy file after running the +configuration script, you must re-sign the plain-text policy file before +initializing the database file. Tripwire baseline database creation and +inspections refer to the encrypted/signed policy file, not to the +plain-text policy file. + +Note: The plain-text tripwire policy file (twpol.txt) should be deleted. +It can be recreated with `twadmin --print-polfile` + +5. Initialize the Tripwire database file. + + Record current file attributes in the tripwire database + ------------------------------------------------------- + `tripwire --init -c /etc/tripwire/tw.cfg` + +Note: Tripwire might issue some "Warning: File system error" errors, +and appear to hang. But as long as it follows with "### Continuing...", +it is still working. + +6. Run the first integrity check. + + `tripwire --check -c /etc/tripwire/tw.cfg` + +Note: The use of "-c /etc/tripwire/tw.cfg" is not required if Tripwire +uses the default tripwire configuration directory and file names. If +you defer to tripwire default filenames, then updating a text policy +file into a tripwire database, and running an integrity check, can be +done with these commands: + + `twadmin --create-polfile /etc/tripwire/twpol.txt` + `tripwire --init` + `tripwire --check` + +Modifying the Policy File + +How Tripwire software checks your system is specified in the Tripwire +plain-text policy file (twpol.txt). A default policy file is included in +the Tripwire software installation. This policy file should be tailored +to fit your particular system. Tailoring the policy file is necessary +to take advantage of Tripwire software's ability to monitor changes on +your system. + +The plain-text policy file is usually located at /etc/tripwire/twpol.txt. +An example policy file (located at /etc/tripwire/twpol-GENERIC.txt, or +at /usr/share/doc/tripwire-VER#-REL#/policyguide.txt) is included to +help you learn the policy language. Read the sample policy files and +the comments in the sample policy file to learn the policy language. + +After you modify the plain-text policy file, don't forget! + + encrypt/sign using `twadmin --create-polfile /etc/tripwire/twpol.txt` + + +Selecting Passphrases + +Tripwire files are encrypted/signed using site or local keys. These keys +are protected by passphrases. When selecting passphrases, the following +recommendations apply: + +Use at least eight alphanumeric and symbolic characters for each +passphrase. The maximum length of a passphrase is 1023 characters. +Quotes should not be used as passphrase characters. + +Assign a unique passphrase for the site key. The site key passphrase +protects the site key, which is used to sign Tripwire software +configuration and policy files. Assign a unique passphrase for the local +key. The local key signs the Tripwire baseline database file. The local +key may sign the Tripwire report files also. + +Store the passphrases in a secure location. There is no way to remove +encryption from a signed file if you forget your passphrase and lost the +key files. If you forget the passphrases, the files are unusable. In +that case you must create new key files and the baseline database. + + +Initializing the Database + +In Database Initialization mode, Tripwire software builds a database of +filesystem objects based on the rules in the policy file. This database +serves as the baseline for integrity checks. The syntax for Database +Initialization mode is: + + `tripwire --init -c /etc/tripwire/tw.cfg` + + +Running an Integrity Check + +The Integrity Check mode compares the current file system objects with +their properties recorded in the Tripwire database. Violations are +printed to stdout. The report file is saved and can later be accessed by +twprint. An email option enables you to send email. The syntax for +Integrity Check mode is: + + `tripwire --check -c /etc/tripwire/tw.cfg` + + +Printing Reports - twprint Print Report Mode + +The twprint --print-report mode prints the contents of a Tripwire +report. If you do not specify a report with the --twrfile or -r +command-line argument, the default report file specified by the +configuration file REPORTFILE variable is used. + +Example: On a machine named LIGHTHOUSE, the command could be: + + `twprint -m r --twrfile LIGHTHOUSE-19990622-021212.twr` + + +Updating the Database after an Integrity Check + +Database Update mode enables you to update the Tripwire database after +an integrity check if you determine that the violations discovered are +valid. This update process saves time by enabling you to update the +database without having to re-initialize it. It also enables selective +updating, which cannot be done through re-initialization. The syntax for +Database Update mode is: + + `tripwire --update` + + +Updating the Policy File + +Change the way that Tripwire software scans the system by changing the +rules in the policy file. You can then update the database without a +complete re-initialization. This saves a significant amount of time and +preserves security by keeping the policy file synchronized with the +database it uses. The syntax for Policy Update mode is: + + `tripwire --update-policy` + + +Testing email functions + +Test mode tests the software's email notification system, using the +settings currently specified in the configuration file. The syntax for +Email Test Reporting mode is: + + `tripwire --test` + + +Tripwire Components + +The policy file begins as a text file containing comments, rules, +directives, and variables. These dictate the way Tripwire software +checks your system. Each rule in the policy file specifies a system +object to be monitored. Rules also describe which changes to the object +to report, and which to ignore. + +System objects are the files and directories you wish to monitor. Each +object is identified by an object name. A property refers to a single +characteristic of an object that Tripwire software can monitor. +Directives control conditional processing of sets of rules in a policy +file. During installation, the text policy file is encrypted/signed and +renamed, and becomes the active policy file. + +The database file is an important component of Tripwire software. When +first installed, Tripwire software uses the policy file rules to create +the database file. The database file is a baseline "snapshot" of the +system in a known secure state. Tripwire software compares this baseline +against the current system to determine what changes have occurred. This +is an integrity check. + +When you perform an integrity check, Tripwire software produces report +files. Report files summarize any changes that violated the policy file +rules during the integrity check. You can view the report file in a +variety of formats, at varying levels of detail. + +The Tripwire configuration file stores system-specific information, such +as the location of Tripwire data files. Tripwire software generates some +of the configuration file information during installation. The system +administrator can change parameters in the configuration file at any +time. The configuration file variables POLFILE, DBFILE, REPORTFILE, +SITEKEYFILE, and LOCALKEYFILE specify where the policy file, database +file, report files, and site and local key files reside. These variables +must be defined or the configuration file is invalid. If any of these +variables are undefined, an error occurs on execution of Tripwire +software and the program exits. + + +Tripwire Help + +All Tripwire commands support the help arguments. + +Example: To get help with Create Configuration File mode, type: + + `twadmin --help --create-cfgfile` + + -? Display usage and version information + --help Display all command modes + --help all Display help for all command modes + --help [mode] Display help for current command mode + --version Display version information + +We recommend you read the Tripwire Release Notes and README file. diff --git a/app-admin/tripwire/files/twcfg.txt b/app-admin/tripwire/files/twcfg.txt new file mode 100644 index 000000000000..9cf39bcc01e4 --- /dev/null +++ b/app-admin/tripwire/files/twcfg.txt @@ -0,0 +1,15 @@ +ROOT =/usr/sbin +POLFILE =/etc/tripwire/tw.pol +DBFILE =/var/lib/tripwire/$(HOSTNAME).twd +REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr +SITEKEYFILE =/etc/tripwire/site.key +LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key +EDITOR =/bin/nano +LATEPROMPTING =false +LOOSEDIRECTORYCHECKING =false +MAILNOVIOLATIONS =true +EMAILREPORTLEVEL =3 +REPORTLEVEL =3 +MAILMETHOD =SENDMAIL +SYSLOGREPORTING =false +MAILPROGRAM =/usr/lib/sendmail -oi -t -- cgit v1.2.3