The following runs an integrity check, comparing the current state of the file system against the Tripwire database to discover which files have been added, deleted or modified; the results are written to a report file.
# /usr/sbin/tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
### Warning: File system error.
### Filename: /root/.esd_auth
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /root/.gnome_private
### No such file or directory
### Continuing...
...
...
...
### Warning: File system error.
### Filename: /bin/ksh
### No such file or directory
### Continuing...
Wrote report file: /var/lib/tripwire/report/leonardo-20040214-130530.twr
Tripwire(R) 2.3.0 Integrity Check Report
Report generated by: root
Report created on: Sat 14 Feb 2004 01:05:30 PM EST
Database last updated on: Never
===============================================================================
Report Summary:
===============================================================================
Host name: yourmachinename
Host IP address: 192.168.0.3
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/yourmachinename.twd
Command line used: /usr/sbin/tripwire --check
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name                                     Severity Level    Added    Removed  Modified
---------                                     --------------    -----    -------  --------
Invariant Directories                         66                0        0        0
Critical devices                              100               0        0        0
Temporary directories                         33                0        0        0
Tripwire Data Files                           100               0        0        0
Root config files                             100               0        0        0
User binaries                                 66                0        0        0
Tripwire Binaries                             100               0        0        0
Critical configuration files                  100               0        0        0
Libraries                                     66                0        0        0
Operating System Utilities                    100               0        0        0
Critical system boot files                    100               0        0        0
File System and Disk Administraton Programs   100               0        0        0
Kernel Administration Programs                100               0        0        0
Networking Programs                           100               0        0        0
System Administration Programs                100               0        0        0
Hardware and Device Control Programs          100               0        0        0
System Information Programs                   100               0        0        0
Application Information Programs              100               0        0        0
Shell Related Programs                        100               0        0        0
Critical Utility Sym-Links                    100               0        0        0
Shell Binaries                                100               0        0        0
System boot changes                           100               0        0        0
OS executables and libraries                  100               0        0        0
Security Control                              100               0        0        0
Login Scripts                                 100               0        0        0
Total objects scanned: 34645
Total violations found: 0
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
No violations.
===============================================================================
Error Report:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
1. File system error.
Filename: /root/.esd_auth
No such file or directory
2. File system error.
Filename: /root/.gnome_private
No such file or directory
...
...
...
106. File system error.
Filename: /bin/ksh
No such file or directory
-------------------------------------------------------------------------------
*** End of report ***
Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
We can read the report written by tripwire --check with twprint. Each run of tripwire --check writes a .twr file whose name carries the host name and a timestamp, so substitute the appropriate one in the following command.
# /usr/sbin/twprint -m r --twrfile /var/lib/tripwire/report/yourmachinename-date-time.twr | less
If a violation is reported for a file that changes in normal operation (a log file, a spool or temporary directory), the policy is wrong for this system rather than the system being compromised: edit the plaintext policy file, twpol.txt, and reinstall it with tripwire --update-policy as described below. The "No such file or directory" entries in the Error Report above are of the same kind: the default policy lists files that this host does not have, and those lines should be commented out in twpol.txt so that 106 harmless errors do not bury a real one. Violations that reflect legitimate user or administrator activity (a package upgrade, an edited configuration file) are handled differently: you run a database update, which accepts the reported changes as the new baseline so that subsequent runs of tripwire --check no longer report those files. Tripwire opens the report in an editor with every violation marked [x]; remove the x from any entry you do not want accepted, save, and enter the local passphrase when prompted. Investigate each entry before accepting it, because whatever is accepted here, including a modification an attacker made, becomes invisible to later checks.
# /usr/sbin/tripwire --update --twrfile /var/lib/tripwire/report/yourmachinename-date-time.twr
You can change what Tripwire scans by editing the rules in the plaintext policy file and then updating the database against the new policy, without a complete re-initialization. This saves a significant amount of time and keeps the signed policy file synchronized with the database it is checked against. Tripwire first runs a check against the new policy and, in the default high secure mode, aborts if that check finds violations (resolve them with --update first, or pass --secure-mode low to be warned instead); it then asks for the site passphrase to sign tw.pol and the local passphrase to sign the database. To do this,
# /usr/sbin/tripwire --update-policy /etc/tripwire/twpol.txt
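The check, print and update steps above are usually run by hand, but on a server the check runs from cron and somebody has to decide whether the report needs a human. As an added example (not part of the original article and not code from the Tripwire distribution), here is a small POSIX shell library that parses the text report twprint produces: it reads the violation count, the rules flagged with a leading asterisk in the Rule Summary, and the changed objects, and returns an exit status based on the highest severity level among the violated rules. The report text embedded below is constructed to resemble the report sections shown earlier; the function names, the severity threshold and the exit-status convention are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage a Tripwire text report (output of
# `twprint -m r --twrfile <file>.twr`) so an unattended check can decide
# whether to page someone. Function names are hypothetical.

# Constructed sample report, shaped like the Rule Summary and Object Summary
# sections of a real report; not output from a real host.
SAMPLE_REPORT='Rule Summary:
===============================================================================
Section: Unix File System
-------------------------------------------------------------------------------
  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Invariant Directories           66                0        0        0
* Root config files               100               1        0        0
* Shell Binaries                  100               0        0        1
  Login Scripts                   100               0        0        0

Total objects scanned:  34645
Total violations found:  2

===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/root/.ssh/authorized_keys"

-------------------------------------------------------------------------------
Rule Name: Shell Binaries (/bin/bash)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/bin/bash"

===============================================================================
Error Report:
===============================================================================
No Errors
'

# Print the number after "Total violations found:"; 0 if the line is absent.
tw_total_violations() {
    awk -F: '/^Total violations found:/ { gsub(/[^0-9]/, "", $2); print $2; found = 1 }
             END { if (!found) print 0 }'
}

# Rules flagged with "*" in the Rule Summary, as "<severity><TAB><rule name>".
# Columns from the right are fixed (severity, added, removed, modified), so
# the rule name is everything between the "*" and the last four fields.
tw_violated_rules() {
    awk '/^Rule Summary:/   { in_rules = 1; next }
         /^Object Summary:/ { in_rules = 0 }
         in_rules && /^\*/ {
             sev = $(NF-3); name = $2
             for (i = 3; i <= NF-4; i++) name = name " " $i
             print sev "\t" name
         }'
}

# Highest severity level among the violated rules (0 when there are none).
tw_max_severity() {
    tw_violated_rules | awk -F'\t' 'BEGIN { m = 0 } $1+0 > m { m = $1+0 } END { print m }'
}

# Changed objects from the Object Summary, as "<Added|Removed|Modified><TAB><path>".
tw_changed_files() {
    awk '/^Object Summary:/              { in_obj = 1; next }
         /^(Object Detail|Error Report):/ { in_obj = 0 }
         in_obj && /^(Added|Removed|Modified):$/ { kind = $1; sub(/:$/, "", kind); next }
         in_obj && /^"/ { f = $0; gsub(/"/, "", f); print kind "\t" f }'
}

# Usage: tw_verdict <severity threshold> < report
# Exit status: 0 = no violations, 1 = a violated rule at or above the
# threshold (page someone), 2 = only lower-severity violations (review later).
tw_verdict() {
    threshold=$1
    report=$(cat)
    n=$(printf '%s\n' "$report" | tw_total_violations)
    [ "$n" -eq 0 ] && { echo "clean"; return 0; }
    m=$(printf '%s\n' "$report" | tw_max_severity)
    printf '%s\n' "$report" | tw_changed_files
    if [ "$m" -ge "$threshold" ]; then echo "alert: max severity $m"; return 1; fi
    echo "review: max severity $m"; return 2
}

# On a real host (not run here): check, then feed the newest report to the triage.
#   /usr/sbin/tripwire --check >/dev/null
#   /usr/sbin/twprint -m r --twrfile "$(ls -t /var/lib/tripwire/report/*.twr | head -n 1)" | tw_verdict 100
```

With the threshold set to 100, the sample report above yields an alert because both violated rules have severity 100 (a new authorized_keys file and a modified shell are exactly what the high-severity rules exist for); a threshold of 101 would downgrade the same report to a review. The function reads the report from standard input so it works equally on a saved twprint dump and on a live pipeline.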