Chapter 4. Area51 FAQ

4.1. How do I change the email addresses that receive the daily Tripwire report?
4.2. The MD5 Sums for My Policy/Config/Tripwire Executable Files at Installation are different than what my Latest Report tells me. How could this happen?
4.3. Is tripwire compiled statically?
4.4. What version of Tripwire is used?
4.5. How do I find out more about Tripwire and how it works?
4.6. I've checked all the problems that my Tripwire Report has flagged. How do I clear these for the next report?
4.7. What is the password for the database so that I can selectively update Tripwire entries?
4.8. How do I setup Tripwire so that I can selectively update entries?
4.9. How do I add Files/Directories for Tripwire to Check?
4.10. How should rolls add files for Tripwire to watch?

4.1. How do I change the email addresses that receive the daily Tripwire report?

To have Tripwire email its report to a different address, run /opt/tripwire/etc/tw-email-to -set address1 [address2]. For example, to send the Tripwire reports to wopr@wargames.org and root:

/opt/tripwire/etc/tw-email-to -set wopr@wargames.org root@`hostname`

To view the current set of addresses for the Tripwire daily report:

/opt/tripwire/etc/tw-email-to

4.2. The MD5 Sums for My Policy/Config/Tripwire Executable Files at Installation are different than what my Latest Report tells me. How could this happen?

Rocks calculates MD5 sums of the policy, config, and Tripwire executable files after it initializes. If you have knowingly changed any of these, the difference is OK. They might have changed if you reinitialized Tripwire interactively or in batch mode after the initial installation. If you have NOT knowingly changed any of these items, your computer may be at risk. Be especially suspicious of a Tripwire executable whose MD5 sum has changed.

4.3. Is tripwire compiled statically?

Yes. Ideally the tripwire executable should be on a physically read-only file system, but this is not very practical. Compiling statically guards against changed shared libraries.

4.4. What version of Tripwire is used?

Rocks uses the open source Tripwire for Linux version 2.3.1-2 with community-supplied patches that enable it to compile on the most recent kernel and C library versions. Currently only an x86 version is compiled.

4.5. How do I find out more about Tripwire and how it works?

The SourceForge Tripwire homepage is a good starting point.

4.6. I've checked all the problems that my Tripwire Report has flagged. How do I clear these for the next report?

As root, you need to re-initialize the Tripwire database. The Tripwire database is signed with a randomly generated key, and the MD5 sum of this signature is reported each time the report runs. These MD5 sums should not change unless you re-initialize. To clear the flagged problems do:

# cd /opt/tripwire/etc
# make initialize-batch

4.7. What is the password for the database so that I can selectively update Tripwire entries?

The default setup generates a random password for signing and then throws it away. Selective update requires an interactive initialization.

4.8. How do I setup Tripwire so that I can selectively update entries?

As root, you need to re-initialize the Tripwire database interactively with your self-selected site and local passphrases. You will first need to delete your site and host keys, then create new ones. Do the following and follow the on-screen directions:

# cd /opt/tripwire/etc
# /bin/rm *.key
# make initialize-interactive
# make check

Once you have initialized the database, future Tripwire warnings can be addressed interactively with the following:

# cd /opt/tripwire/etc
# make update

4.9. How do I add Files/Directories for Tripwire to Check?

The Tripwire policy file (/opt/tripwire/etc/twpol.txt) is a monolithic text file that defines the files and directories to be checked. Rocks builds this file in pieces from component files located in the directory /opt/tripwire/etc/twpol-parts. The Area51 roll creates files in the subdirectory /opt/tripwire/etc/twpol-parts/base. New rules belong in /opt/tripwire/etc/twpol-parts/addon, in files with the same names as those in the base directory. Use the files in the base directory as a guide. Once you have added the files to watch, you need to rebuild the Tripwire database.

If you are using the basic setup provided by Rocks, then:

# cd /opt/tripwire/etc
# make initialize-batch

If you have set up Tripwire interactively, then:

# cd /opt/tripwire/etc
# make updatedb

4.10. How should rolls add files for Tripwire to watch?

Rolls should append to files in /opt/tripwire/etc/twpol-parts/addon, using the files in /opt/tripwire/etc/twpol-parts/base as a template. For example, if an application roll creates the directory /opt/myapp, it would be appropriate to add the following to /opt/tripwire/etc/twpol-parts/base/appinfo in the post configuration section for your roll.
<post>
<file name="/opt/tripwire/etc/twpol-parts/base/appinfo" mode="append">
/opt/myapp  -> $(SEC_CRIT) (recurse = 1) ;
</file>
</post>

Caution

Tripwire requires pathnames in policy rules to be absolute.
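The base/addon layout described in 4.9 and 4.10, and the caution about absolute pathnames, can be exercised with the following shell script. It is an added illustration and not the Rocks Makefile, the Area51 roll or Tripwire's own code: it assembles a policy text from a twpol-parts-style directory by emitting each base file followed by the addon file of the same name, reports addon files that have no base counterpart (their rules would never reach the assembled policy), and then scans the result for rule lines whose object pathname does not start with "/". The temporary directory, the /opt/rocks rule and the part file contents are constructed sample data for the demo. Run it with: sh twpol-parts-check.sh demo

```sh
#!/bin/sh
# Added illustration: assemble a Tripwire policy from base/ and addon/ parts
# and check that every rule uses an absolute pathname. This is a stand-in for
# the build Rocks performs under /opt/tripwire/etc, not the Rocks Makefile.

# build_policy PARTS_DIR OUT_FILE
# For each file under PARTS_DIR/base (sorted), emit the base content followed
# by PARTS_DIR/addon/NAME when it exists. Addon files with no base counterpart
# are reported on stderr and skipped.
build_policy() {
    parts=$1
    out=$2
    : > "$out"
    for base_file in "$parts"/base/*; do
        [ -f "$base_file" ] || continue
        name=$(basename "$base_file")
        printf '# --- %s (base) ---\n' "$name" >> "$out"
        cat "$base_file" >> "$out"
        if [ -f "$parts/addon/$name" ]; then
            printf '# --- %s (addon) ---\n' "$name" >> "$out"
            cat "$parts/addon/$name" >> "$out"
        fi
    done
    for addon_file in "$parts"/addon/*; do
        [ -f "$addon_file" ] || continue
        name=$(basename "$addon_file")
        [ -f "$parts/base/$name" ] ||
            echo "warning: addon/$name has no base counterpart, skipped" >&2
    done
}

# check_absolute_paths POLICY_FILE
# Tripwire requires absolute pathnames. Every rule line (one containing "->")
# whose object does not start with "/" is printed; exit status is 1 if any
# were found, 0 otherwise. Comment and blank lines are ignored.
check_absolute_paths() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            '' | \#*) continue ;;
            *'->'*) ;;
            *) continue ;;
        esac
        obj=${line%%->*}
        obj=$(printf '%s' "$obj" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$obj" in
            /*) ;;
            *) echo "relative pathname in rule: $line"; bad=1 ;;
        esac
    done < "$1"
    return "$bad"
}

# make_sample_parts
# Creates a constructed twpol-parts-style tree in a temporary directory and
# prints its path. The rules inside are sample data, not Rocks' own policy.
make_sample_parts() {
    dir=$(mktemp -d)
    mkdir -p "$dir/base" "$dir/addon"
    cat > "$dir/base/appinfo" <<'EOF'
# base part supplied by the Area51 roll (constructed sample)
/opt/rocks -> $(SEC_CRIT) (recurse = 1) ;
EOF
    cat > "$dir/addon/appinfo" <<'EOF'
# addon part appended by an application roll (constructed sample)
/opt/myapp -> $(SEC_CRIT) (recurse = 1) ;
EOF
    printf '%s\n' "$dir"
}

demo() {
    parts=$(make_sample_parts)
    build_policy "$parts" "$parts/twpol.txt"
    if check_absolute_paths "$parts/twpol.txt"; then
        echo "policy OK: all rule pathnames are absolute"
    fi
    # A relative pathname slipped into an addon part is caught before the
    # database is rebuilt with make initialize-batch or make updatedb.
    echo 'myapp/bin -> $(SEC_CRIT) ;' >> "$parts/addon/appinfo"
    build_policy "$parts" "$parts/twpol.txt"
    check_absolute_paths "$parts/twpol.txt" ||
        echo "fix the rule(s) above before rebuilding the Tripwire database"
    rm -rf "$parts"
}

case "${1:-}" in demo) demo ;; esac
```

Running the check on the assembled text before make initialize-batch or make updatedb means a malformed addon rule is found by a one-line message rather than by a failed database rebuild; the addon-without-base warning catches the other common mistake, a new rule file whose name matches nothing in the base directory.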