4.1. The MD5 sums for my Policy/Config/Tripwire executable files at installation are different from what my latest report tells me. How could this happen?
Rocks calculates MD5 sums of the Policy, Config, and Tripwire files after it initializes. If you have knowingly changed any of these, then the difference is OK. These might have changed if you reinitialized Tripwire interactively or in batch mode after the initial installation. If you have NOT knowingly changed any of these items, then your computer may be at risk. Be very suspicious of a Tripwire executable whose MD5 sum has changed.
Newer versions of Enterprise Linux run a utility called prelink. Prelink is an optimization that modifies ELF binaries and shared libraries to speed up loading. Prelink is usually run as a cron job by the system. The Rocks Tripwire configuration runs this cron job before it creates its database. However, prelink may decide to relink already prelinked libraries. It is reasonable to use rpm to reverify all installed RPMs:
    # rpm -qa --verify
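The comparison described above, as an added example that is not part of the Rocks Area51 roll: record the MD5 sums of the policy, config and Tripwire executable once at initialization, then check them later and list exactly which files differ. The baseline file location and the demo file contents are assumptions; the check itself is plain coreutils `md5sum -c`.

```shell
#!/bin/sh
# Added example, not Rocks' own code. Records MD5 sums of the Tripwire
# policy/config/executable at initialization time and re-checks them later.

# record_baseline BASELINE_FILE FILE... : store "sum  path" lines for FILE...
record_baseline() {
    baseline="$1"; shift
    md5sum "$@" > "$baseline"
}

# verify_baseline BASELINE_FILE : return 0 if every sum still matches, 1 if not.
# Caveat from the text: if prelink has rewritten an ELF binary since the
# baseline was taken, the sum changes without any tampering; in that case
# compare against the un-prelinked image (prelink -y FILE) before worrying.
verify_baseline() {
    if md5sum -c "$1" > /dev/null 2>&1; then
        return 0
    fi
    return 1
}

# changed_files BASELINE_FILE : print only the paths whose sum no longer matches
# (md5sum -c reports them as "path: FAILED" or "path: FAILED open or read").
changed_files() {
    md5sum -c "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p'
}

# Demo on constructed stand-in files (assumed paths under a temp directory,
# not the real /opt/tripwire tree).
demo() {
    tmp=$(mktemp -d)
    printf 'ROOT=/opt/tripwire\n' > "$tmp/twcfg.txt"
    printf '/bin -> $(SEC_CRIT) (recurse = 1) ;\n' > "$tmp/twpol.txt"
    record_baseline "$tmp/baseline.md5" "$tmp/twcfg.txt" "$tmp/twpol.txt"
    if verify_baseline "$tmp/baseline.md5"; then
        echo "baseline OK"
    fi
    # Simulate an unexpected change to the policy file.
    printf '/tmp -> $(SEC_CRIT) ;\n' >> "$tmp/twpol.txt"
    if ! verify_baseline "$tmp/baseline.md5"; then
        echo "changed since initialization:"
        changed_files "$tmp/baseline.md5"
    fi
    rm -rf "$tmp"
}

demo
```

Run `record_baseline /root/tripwire-baseline.md5 /opt/tripwire/etc/twcfg.txt /opt/tripwire/etc/twpol.txt /opt/tripwire/bin/tripwire` right after initialization and keep the baseline file off the host (or on read-only media); `verify_baseline` then tells you whether the sums in a later report reflect your own reinitialization or something else.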
Yes. Ideally the Tripwire executable should be on a physically read-only file system. This is not very practical. Compiling statically guards against changed shared libraries.
Rocks uses the open source Tripwire for Linux version 2.3.1-2 with community-supplied patches to enable it to compile on the most recent versions of the kernel and C libraries. Currently only an x86 version is compiled. This version will also run properly on x86_64 hosts.
The Sourceforge Tripwire homepage is a good starting point.
4.6. I've checked all the problems that my Tripwire Report has flagged. How do I clear these for the next report?
As root, you need to re-initialize the Tripwire database. The Tripwire database is signed with a randomly generated key, and the MD5 sum of this signature is reported each time the report runs. These MD5 sums should not change unless you re-initialize. To clear the flagged problems, do:
    # cd /opt/tripwire/etc
    # make initialize-batch
The default setup generates a random password for signing and then throws it away. Selective update requires an interactive initialization.
As root, you need to re-initialize the Tripwire database interactively with your self-selected site and local passphrases. You will first need to delete your site key and host keys, then create new ones. Do the following and follow the on-screen directions:
    # cd /opt/tripwire/etc
    # /bin/rm *.key
    # make initialize-interactive
    # make check
Once you have initialized the database, future Tripwire warnings can be addressed interactively with the following:
    # cd /opt/tripwire/etc
    # make update
The Tripwire Policy file (/opt/tripwire/etc/twpol.txt) is a monolithic text file that defines the files and directories to be checked. Rocks builds this file in pieces from component files located in the directory /opt/tripwire/etc/twpol-parts. The Area51 roll creates files in the subdirectory /opt/tripwire/etc/twpol-parts/base. The directory /opt/tripwire/etc/twpol-parts/addon is where you should put new rules, using the identical names of the files in the base directory. Use the files in the base directory as a guide. Once you have added the files to watch, you need to rebuild the Tripwire database.
If you are using the basic setup provided by Rocks, then:
    # cd /opt/tripwire/etc
    # make initialize-batch
If you have set up Tripwire interactively, then:
    # cd /opt/tripwire/etc
    # make updatedb
Rolls should append to files in /opt/tripwire/etc/twpol-parts/addon using the files in /opt/tripwire/etc/twpol-parts/base as a template. For example, if an application Roll creates the directory /opt/myapp, then it would be appropriate to add the following to /opt/tripwire/etc/twpol-parts/base/appinfo in the post-configuration section for your roll.
    <post>
      <file name="/opt/tripwire/etc/twpol-parts/base/appinfo" mode="append">
    /opt/myapp -> $(SEC_CRIT) (recurse = 1) ;
      </file>
    </post>
Note that Tripwire requires pathnames to be absolute pathnames.
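The base/addon assembly and the absolute-pathname requirement described above, as an added example that is not the Area51 roll's own Makefile: it builds a monolithic policy by emitting each base part followed by the same-named addon part, and rejects any `object -> property-mask` rule whose object is not an absolute path before the policy is handed to `make initialize-batch`. How the real Makefile concatenates the parts is an assumption; the rule syntax is the one shown in the text.

```shell
#!/bin/sh
# Added example, not Rocks' own code. Assembles twpol.txt from twpol-parts
# (base file, then the addon file of the same name) and checks that every
# rule object is an absolute pathname, as Tripwire requires.

# assemble_policy PARTS_DIR : print base/NAME followed by addon/NAME for each
# file in base/. Addon files with no base counterpart are ignored, matching
# the instruction to reuse the base file names.
assemble_policy() {
    parts="$1"
    for base in "$parts"/base/*; do
        name=$(basename "$base")
        cat "$base"
        if [ -f "$parts/addon/$name" ]; then
            cat "$parts/addon/$name"
        fi
    done
}

# check_absolute_paths POLICY_FILE : print every "object -> mask" rule whose
# object does not start with "/", return 1 if any were found, 0 otherwise.
check_absolute_paths() {
    bad=$(grep -- '->' "$1" | awk '$1 !~ /^\//')
    if [ -n "$bad" ]; then
        printf 'relative pathname in rule: %s\n' "$bad"
        return 1
    fi
    return 0
}

# Demo on a constructed twpol-parts tree (assumed contents, temp directory).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/base" "$tmp/addon"
    printf '/usr/sbin -> $(SEC_CRIT) (recurse = 1) ;\n' > "$tmp/base/appinfo"
    printf '/opt/myapp -> $(SEC_CRIT) (recurse = 1) ;\n' > "$tmp/addon/appinfo"
    assemble_policy "$tmp" > "$tmp/twpol.txt"
    if check_absolute_paths "$tmp/twpol.txt"; then
        echo "policy OK:"
        cat "$tmp/twpol.txt"
    fi
    # A rule with a relative object would be rejected.
    printf 'opt/other -> $(SEC_CRIT) ;\n' >> "$tmp/twpol.txt"
    check_absolute_paths "$tmp/twpol.txt" || echo "fix the rule above first"
    rm -rf "$tmp"
}

demo
```

Point `assemble_policy` at /opt/tripwire/etc/twpol-parts and run `check_absolute_paths` on the result before rebuilding the database; a relative pathname slipping in through an addon file is the error this catches.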