rpm packages for tripwire are common, so tripwire is easily installed. Of course, if you want to to this some other way, feel free.
tripwire doesn't try to prevent an intrusion, but it does try to provide information that can be used to detect an intrusion quickly and to restore the system to its pristine state. It does this by comparing system files to a baseline database and report changes, additions or deletions.
When tripwire is installed, you get three executables:
| tripwire | the tripwire integrity checker | |
| twadmin | the tripwire administration utility | |
| twprint | the tripwire data and report printer | |
| siggen | the tripwire signature generator |
and two files that need to be created.
| twconfig | the tripwire configuration file | |
| twpolicy | the tripwire policy file |
You also get an excellent set of man pages for documentation, including twintro to get you started and twfiles, twconfig and twpolicy to describe various parts of the system in greater detail.
Key Files
The first thing you need to do is create the key files. Typically, you would do this with a series of commands or with a single command containing all the options as shown below. Remember that tripwire typically has several ways of representing each option.
or with one command and using the shorter option tags:
twadmin --generate-keys -L /etc/tripwire/$(HOSTNAME)-local.key
-S /etc/tripwire/site.key -P TheseAreTheTimes -Q ThatTryMensSouls
With this done, you are ready to perform the other operations that depend on the keys.
One thing worth noting is that tripwire is very consistent in its use of command options. For all commands where appropriate, the following options are valid:
| Option | Meaning | |
|---|---|---|
| -c cfgfile, --cfgfile cfgfile | The configuration file | |
| -c polfile, --polfile polfile | The policy file | |
| -d database, --dbfile database | The database file | |
| -r report, --twrfile report | The report file | |
| -S skfile, --site-keyfile skfile | The site key file | |
| -L lkfile, --local-keyfile lkfile | The local key file | |
| -P passphrase, --local-passphrase passphrase | The local password phrase | |
| -Q passphrase, --site-passphrase passphrase | The site password phrase | |
| -M, --email-report | Reports are to be emailed | |
| -v, --verbose | Verbose mode | |
| -Z {low | high}, --secure-mode {low | high} | Specifies security level. |
Configuration File
Next you need to create a configuration file. Normally, /etc/tripwire should install a file named twcfg.txt by default. This is a default configuration file in text form that you can use, or modify. The actual configuration file is compressed and possibly encrypted and cannot be edited directly. You should not leave the text version of the configuration file for others to look at. Encrypt the file with crypt or delete it.
Creating /etc/tripwire/tw.cfg is done with twadmin like this:
twadmin --create-cfgfile -e twcfg.txt
for a compressed but not signed or encrypted version, or like this:
twadmin --create-cfgfile -S /etc/tripwire/site.key -Q HowNowBrownCow twcfg.txt
for an encoded and signed version, which is more secure. If you want to create a different configuration file, use the -c option.
Policy File
The default policy file, tw.pol, is created from twpol.txt without encryption like this:
twadmin --create-polfile -e twpol.txt
As before, don't leave the text policy file available for others to see.
To create the file with encryption (recommended), use the following form:
twadmin --create-polfile -S /etc/tripwire/site.key -Q HowNowBrownCow twcfg.txt
Printing Files
In order to print a configuration file, use the following command:
twadmin --print-cfgfile -c filename
where filename is the name of the configuration file. To print a policy file,
twadmin --print-polfile -p polfile [-c cfgfile -S site-key-file]
where polfile is the policy file, cfgfile is the configuration file and site-key-file is the file name for the site key file.
Manipulating Files
If you need to determine the encryption status of a file, you can use the following command:
twadmin --examine [-c cfgfile -L local-key-file -S site-key-file] file1 file2 ...
If you need to encrypt or unencrypt a file, use the appropriate commands:
twadmin --encrypt [-c cfgfile -L local-key-file -S site-key-file
-P passphrase -Q passphrase] file1 file2 ...
twadmin --remove-encryption [-c cfgfile -L local-key-file -S site-key-file
-P passphrase -Q passphrase] file1 file2 ...
ROOT =/usr/sbin POLFILE =/etc/tripwire/tw.pol DBFILE =/var/lib/tripwire/$(HOSTNAME).twd REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr SITEKEYFILE =/etc/tripwire/site.key LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key EDITOR =/bin/vi LATEPROMPTING =false LOOSEDIRECTORYCHECKING =false MAILNOVIOLATIONS =true EMAILREPORTLEVEL =3 REPORTLEVEL =3 MAILMETHOD =SENDMAIL SYSLOGREPORTING =false MAILPROGRAM =/usr/sbin/sendmail -oi -t GLOBALMAIL =root,admin,bozo@bigtop.clowns.org
This is not an exhaustive list, but indicates the type of information that you might expect to see. Some of these variables are required - POLFILE, DBFILE, REPORTFILE, SITEKEYFILE and LOCALKEYFILE.
Some of these have an obvious meaning, and others are less so:
| Variable | Meaning | |
|---|---|---|
| GLOBALMAIL | A list of recipients for mail messages. | |
| LOOSEDIRECTORYCHECKING | Don't report changes in directories caused by changes in files in the directories. | |
| REPORTLEVEL | The default level of report to produce from twprint; the values are 0-4. | |
| EMAILREPORTLEVEL | The default level of report for email notification; the values are 0-4. |
Policy files can contain:
Objects names can be any valid pathname, such as /etc/passwd.
Property Masks consist of letters that represent a specific file property and either a plus sign (+) to indicate that a property should be checked, or a minus sign (-) to indicate that a property should be ignored. If no sign is given, plus is assumed, or if a series of properties are given without spaces, the last of either plus or minus is assumed. The properties are:
| Key | Property | |
|---|---|---|
| a | Access timestamp | |
| b | Number of blocks allocated | |
| c | Inode timestamp (create/modify) | |
| d | ID of device on which inode resides | |
| g | File owner's group ID | |
| i | Inode number | |
| l | File is increasing in size (a "growing file") | |
| m | Modification timestamp | |
| n | Number of links (inode reference count) | |
| p | Permissions and file mode bits | |
| r | ID of device pointed to by inode | |
| s | File size | |
| t | File type | |
| u | File owner's user ID | |
| C | CRC-32 hash value | |
| H | Haval hash value | |
| M | MD5 hash value | |
| S | SHA hash value |
Tripwire has several predefined variables the represent typical properties. They are named for the types of files with which they would normally be associated.
| Variable | Properties | Meaning | ||
|---|---|---|---|---|
| ReadOnly | +pinugtsdbmCM-rlacSH | File widely available but read-only. | ||
| Dynamic | +pinugtd-srlbancCMSH | Directories that change often. | ||
| Growing | +pinugtdl-srbamcCMSH | For files that get larger with time. | ||
| Device | +pubsdr-intlbamcCMSH | For device files that shouldn't be opened. | ||
| IgnoreAll | -pinugtsdrlbamcCMSH | Check nothing | ||
| IgnoreNone | +pinugtsdrlbamcCMSH-l | Check everything except the "growing" property. |
For example,
| Rule | Meaning | |
|---|---|---|
| /etc/passwd -> +a+p+s | Check the password for for access time, permissions and file size | |
| /var/log/messages -> +lc -a-m | Check the messages for continuous growth and location, but ignore access and modification times. | |
| /etc/rc.d -> $(Dynamic) | Check /etc/rc for the Dynamic properties. | |
| ! /etc/rc.d/rc.local -> $(Dynamic) | But ignore /etc/rc.d/rc.local | |
| /home/ -> $(IgnoreAll) | Don't check users | |
| /etc/sysconfig/ -> $(IgnoreNone)-ar | Check just about everything |
Finally, rules have attributes specified in the form:
object-name -> property-mask (rule-attribute=value,rule-attribute=value,...);
or for a group of rules:
(attribute-list)
{
rule-list;
}
The attributes are:
| Rule | Example | |
|---|---|---|
| rulename | (rulename="Special Files") | |
| emailto | (emailto="admin@a.b.c;master@d.b.c") | |
| severity | (severity=50) | |
| recurse | (recurse=2) |
severity can be any value from 0 to 1,000,000, but typically 0-100 are used. recurse can be true or false or any value from -1 to 1,000,000. If true or -1, a directory tree is recursively scanned to the bottom of the tree, otherwise, it is scanned to the number of levels specified.
An example of a tripwire policy file is the default policy file installed with tripwire. The following is a series of excerpts from that file to demonstrate the types of files that would be protected and the properties scanned. In some cases, there are very long lists of files, so they are condensed.
# tripwire policy file
@@section GLOBAL
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL="/etc/tripwire";
TWDB="/var/lib/tripwire";
TWSKEY="/etc/tripwire";
TWLKEY="/etc/tripwire";
TWREPORT="/var/lib/tripwire/report";
HOSTNAME=localhost;
# Define variables for policy classifications
@@section FS
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(ReadOnly) ; # Binaries that should not change
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability@@section FS
# Protect tripwire itself. The binaries and config files should not normally
# change. The database is read often but seldom changes. The inode
# is removed because backup files are created.
(
rulename = "Tripwire Binaries",
severity = $(SIG_HI)
)
{
$(TWBIN)/siggen -> $(SEC_BIN) ;
$(TWBIN)/tripwire -> $(SEC_BIN) ;
$(TWBIN)/twadmin -> $(SEC_BIN) ;
$(TWBIN)/twprint -> $(SEC_BIN) ;
}
(
rulename = "Tripwire Data Files",
severity = $(SIG_HI)
)
{
$(TWDB) -> $(SEC_CONFIG) -i ;
$(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
$(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
$(TWSKEY)/site.key -> $(SEC_BIN) ;
$(TWREPORT) -> $(SEC_CONFIG) (recurse=0);
# Directories that shouldn't change.
(
rulename = "Invariant Directories",
severity = $(SIG_MED)
)
{
/ -> $(SEC_INVARIANT) (recurse = 0) ;
/home -> $(SEC_INVARIANT) (recurse = 0) ;
/etc -> $(SEC_INVARIANT) (recurse = 0) ;
}
# Programs that normally wouldn't change.
(
rulename = "File System and Disk Administraton Programs",
severity = $(SIG_HI)
)
{
/sbin/accton -> $(SEC_CRIT) ;
/sbin/badblocks -> $(SEC_CRIT) ;
/sbin/dosfsck -> $(SEC_CRIT) ;
/sbin/debugfs -> $(SEC_CRIT) ;
/sbin/debugreiserfs -> $(SEC_CRIT) ;
/sbin/dumpe2fs -> $(SEC_CRIT) ;
.
.
/bin/mktemp -> $(SEC_CRIT) ;
/bin/rm -> $(SEC_CRIT) ;
/bin/rmdir -> $(SEC_CRIT) ;
(
rulename = "Kernel Administration Programs",
severity = $(SIG_HI)
)
{
/sbin/adjtimex -> $(SEC_CRIT) ;
/sbin/ctrlaltdel -> $(SEC_CRIT) ;
/sbin/depmod -> $(SEC_CRIT) ;
.
.
/sbin/modinfo -> $(SEC_CRIT) ;
/sbin/sysctl -> $(SEC_CRIT) ;
}
(
rulename = "Networking Programs",
severity = $(SIG_HI)
)
{
/etc/sysconfig/network-scripts/ifdown -> $(SEC_CRIT) ;
/etc/sysconfig/network-scripts/ifdown-cipcb -> $(SEC_CRIT) ;
/etc/sysconfig/network-scripts/ifdown-ipv6 -> $(SEC_CRIT) ;
.
.
/sbin/ypbind -> $(SEC_CRIT) ;
/bin/ping -> $(SEC_CRIT) ;
}
(
rulename = "System Administration Programs",
severity = $(SIG_HI)
)
{
/sbin/chkconfig -> $(SEC_CRIT) ;
/sbin/fuser -> $(SEC_CRIT) ;
.
.
/bin/pwd -> $(SEC_CRIT) ;
/bin/uname -> $(SEC_CRIT) ;
}
(
rulename = "Operating System Utilities",
severity = $(SIG_HI)
)
{
/bin/arch -> $(SEC_CRIT) ;
/bin/ash -> $(SEC_CRIT) ;
.
.
/bin/cut -> $(SEC_CRIT) ;
/bin/date -> $(SEC_CRIT) ;
}
(
rulename = "Temporary directories",
recurse = false,
severity = $(SIG_LOW)
)
{
/usr/tmp -> $(SEC_INVARIANT) ;
/var/tmp -> $(SEC_INVARIANT) ;
/tmp -> $(SEC_INVARIANT) ;
}
(
rulename = "User binaries",
severity = $(SIG_MED)
)
{
/sbin -> $(SEC_BIN) (recurse = 1) ;
/usr/local/bin -> $(SEC_BIN) (recurse = 1) ;
/usr/sbin -> $(SEC_BIN) (recurse = 1) ;
/usr/bin -> $(SEC_BIN) (recurse = 1) ;
}
(
rulename = "Shell Binaries",
severity = $(SIG_HI)
)
{
/bin/ksh -> $(SEC_BIN) ;
/bin/sh -> $(SEC_BIN) ;
/bin/bash -> $(SEC_BIN) ;
/bin/tcsh -> $(SEC_BIN) ;
}
# Control files directly related to security
(
rulename = "Security Control",
severity = $(SIG_HI)
)
{
/etc/group -> $(SEC_CRIT) ;
/etc/security -> $(SEC_CRIT) ;
}
# Insure that the basic login scripts don't change.
(
rulename = "Login Scripts",
severity = $(SIG_HI)
)
{
/etc/csh.cshrc -> $(SEC_CONFIG) ;
/etc/csh.login -> $(SEC_CONFIG) ;
# /etc/tsh_profile -> $(SEC_CONFIG) ; #Uncomment when this file exists
/etc/profile -> $(SEC_CONFIG) ;
}
# Libraries
(
rulename = "Libraries",
severity = $(SIG_MED)
)
{
/usr/lib -> $(SEC_BIN) ;
/usr/local/lib -> $(SEC_BIN) ;
}
# Watch for changes in the boot files.
(
rulename = "Critical system boot files",
severity = $(SIG_HI)
)
{
/boot -> $(SEC_CRIT) ;
/sbin/devfsd -> $(SEC_CRIT) ;
/sbin/installkernel -> $(SEC_CRIT) ;
/sbin/lilo -> $(SEC_CRIT) ;
!/boot/System.map ;
!/boot/module-info ;
# other boot files may exist. Look for:
#/ufsboot -> $(SEC_CRIT) ;
}
(
rulename = "System boot changes",
severity = $(SIG_HI)
)
{
!/var/run/ftp.pids-all ; # Comes and goes on reboot.
!/root/.enlightenment ;
/dev/log -> $(SEC_CONFIG) ;
/dev/cua0 -> $(SEC_CONFIG) ;
/dev/tty1 -> $(SEC_CONFIG) ; # tty devices
/dev/tty2 -> $(SEC_CONFIG) ; # tty devices
/dev/tty6 -> $(SEC_CONFIG) ;
.
.
/var/lock/subsys/smb -> $(SEC_CONFIG) ;
/var/lock/subsys/snmpd -> $(SEC_CONFIG) ;
/var/lock/subsys/sound -> $(SEC_CONFIG) ;
/var/lock/subsys/squid -> $(SEC_CONFIG) ;
}
(
rulename = "Root config files",
severity = 100
)
{
/root -> $(SEC_CRIT) ; # Additions to /root
/root/mail -> $(SEC_CONFIG) ;
/root/Mail -> $(SEC_CONFIG) ;
/root/.xsession-errors -> $(SEC_CONFIG) ;
/root/.xauth -> $(SEC_CONFIG) ;
.
.
/root/.ICEauthority -> $(SEC_CONFIG) ;
}
(
rulename = "Critical configuration files",
severity = $(SIG_HI)
)
{
/etc/conf.linuxconf -> $(SEC_BIN) ;
/etc/crontab -> $(SEC_BIN) ;
/etc/cron.hourly -> $(SEC_BIN) ;
/etc/cron.daily -> $(SEC_BIN) ;
/etc/cron.weekly -> $(SEC_BIN) ;
/etc/cron.monthly -> $(SEC_BIN) ;
/etc/default -> $(SEC_BIN) ;
/etc/fstab -> $(SEC_BIN) ;
/etc/exports -> $(SEC_BIN) ;
/etc/group- -> $(SEC_BIN) ; # changes should be infrequent
/etc/host.conf -> $(SEC_BIN) ;
/etc/hosts.allow -> $(SEC_BIN) ;
/etc/hosts.deny -> $(SEC_BIN) ;
/etc/httpd/conf -> $(SEC_BIN) ; # changes should be infrequent
/etc/protocols -> $(SEC_BIN) ;
/etc/services -> $(SEC_BIN) ;
/etc/rc.d/init.d -> $(SEC_BIN) ;
/etc/rc.d -> $(SEC_BIN) ;
/etc/mail.rc -> $(SEC_BIN) ;
/etc/modules.conf -> $(SEC_BIN) ;
/etc/motd -> $(SEC_BIN) ;
/etc/named.conf -> $(SEC_BIN) ;
/etc/passwd -> $(SEC_CONFIG) ;
/etc/passwd- -> $(SEC_CONFIG) ;
/etc/profile.d -> $(SEC_BIN) ;
/var/lib/nfs/rmtab -> $(SEC_BIN) ;
/usr/sbin/fixrmtab -> $(SEC_BIN) ;
/etc/rpc -> $(SEC_BIN) ;
/etc/sysconfig -> $(SEC_BIN) ;
/etc/samba/smb.conf -> $(SEC_CONFIG) ;
/etc/gettydefs -> $(SEC_BIN) ;
/etc/nsswitch.conf -> $(SEC_BIN) ;
/etc/yp.conf -> $(SEC_BIN) ;
/etc/hosts -> $(SEC_CONFIG) ;
/etc/xinetd.conf -> $(SEC_CONFIG) ;
/etc/inittab -> $(SEC_CONFIG) ;
/etc/resolv.conf -> $(SEC_CONFIG) ;
/etc/syslog.conf -> $(SEC_CONFIG) ;
}
(
rulename = "Critical devices",
severity = $(SIG_HI),
recurse = false
)
{
/dev/kmem -> $(Device) ;
/dev/mem -> $(Device) ;
/dev/null -> $(Device) ;
/dev/zero -> $(Device) ;
/proc/devices -> $(Device) ;
/proc/net -> $(Device) ;
.
.
/proc/cmdline -> $(Device) ;
/proc/misc -> $(Device) ;
}
(
rulename = "OS executables and libraries",
severity = $(SIG_HI)
)
{
/bin -> $(SEC_BIN) ;
/lib -> $(SEC_BIN) ;
}
To this, you would add files that are specific to your own system.
After getting tripwire configured, you start the process of intrusion detection by running tripwire in database initialization mode.
This creates an encrypted database. To get a non-encrypted database, give the -e option. You can also specify the various files if they are non-standard.
Once the baseline database is created, you will likely run tripwire primarily in integrity checking mode:
This produces a report of the files tested and the results with regard to the rule specifications in the policy file. To view the report,
Note: Report is not encrypted.
Tripwire(R) 2.3.0 Integrity Check Report
Report generated by: root
Report created on: Tue 20 Nov 2001 10:28:06 AM MST
Database last updated on: Never
===============================================================================
Report Summary:
===============================================================================
Host name: malt.cs.montana.edu
Host IP address: 153.90.199.77
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/malt.cs.montana.edu.twd
Command line used: tripwire --check --interactive
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
Invariant Directories 66 0 0 0
Temporary directories 33 0 0 0
* Tripwire Data Files 100 1 0 0
Critical devices 100 0 0 0
User binaries 66 0 0 0
Tripwire Binaries 100 0 0 0
Critical configuration files 100 0 0 0
Libraries 66 0 0 0
File System and Disk Administraton Programs
100 0 0 0
Kernel Administration Programs 100 0 0 0
Networking Programs 100 0 0 0
System Administration Programs 100 0 0 0
Hardware and Device Control Programs
100 0 0 0
System Information Programs 100 0 0 0
Application Information Programs
100 0 0 0
Shell Related Programs 100 0 0 0
Critical Utility Sym-Links 100 0 0 0
Critical system boot files 100 0 0 0
* System boot changes 100 2 3 0
OS executables and libraries 100 0 0 0
Security Control 100 0 0 0
Login Scripts 100 0 0 0
Operating System Utilities 100 0 0 0
Shell Binaries 100 0 0 0
Root config files 100 0 0 0
Total objects scanned: 38666
Total violations found: 6
===============================================================================
Object Detail:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------
----------------------------------------
Added Objects: 1
----------------------------------------
Added object name: /var/lib/tripwire/malt.cs.montana.edu.twd
-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/log)
Severity Level: 100
-------------------------------------------------------------------------------
----------------------------------------
Added Objects: 2
----------------------------------------
Added object name: /var/log/sa/sa20
Added object name: /var/log/sa/sar19
----------------------------------------
Removed Objects: 3
Removed object name: /var/log/sa/sa11
Removed object name: /var/log/sa/sar10
Removed object name: /var/log/sa/sar11
===============================================================================
Error Report:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
1. File system error.
Filename: /sbin/e2fsadm
No such file or directory
2. File system error.
Filename: /sbin/lvchange
No such file or directory
-------------------------------------------------------------------------------
*** End of report ***
In this case, only a few discrepencies were found, as indicated by the asterisks in column 1 in the upper part of the report. In the lower part of the report, the errors are described in more detail, showing the files and what changed - something added, something removed or something modified. In this case, some of these errors indicate that the policies may need to be modified to prevent trivial errors.
Following the report, it is common to update the database to reflect the new values. For example, if you look at the report and decide that all the errors found are reasonable, you would update the database so that you wouldn't continue to get the same errors. This can be done with:
You can also print the actual database which contains the information currently stored by tripwire. The report is usually very large and shows the file modification time and the file properties.
twprint --print-dbfile | more
Tripwire(R) 2.3.0 Database
Database generated by: root
Database generated on: Mon 19 Nov 2001 04:55:20 PM MST
Database last updated on: Tue 20 Nov 2001 10:28:06 AM MST
=========================================================== Database Summary:
===========================================================
Host name: bozo.clowns.org
Host IP address: 192.168.1.14
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/bozo.clowns.org.twd
Command line used: tripwire --init
============================================================ Object Summary:
============================================================
--------------------------------------------------------------
# Section: Unix File System
--------------------------------------------------------------
Mode UID Size Modify Time
------ ---------- ---------- ----------
/
drwxr-xr-x root (0) XXX XXXXXXXXXXXXXXXXX
/bin
drwxr-xr-x root (0) 4096 Fri 27 Jul 2001 07:52:24 AM MDT
/bin/arch
-rwxr-xr-x root (0) 2832 Thu 12 Jul 2001 04:22:16 PM MDT
/bin/ash
-rwxr-xr-x root (0) 94748 Mon 08 Jan 2001 02:20:59 PM MST
/bin/ash.static
-rwxr-xr-x root (0) 446728 Mon 08 Jan 2001 02:20:59 PM MST
/bin/aumix-minimal
-rwxr-xr-x root (0) 10460 Fri 23 Feb 2001 01:54:21 PM MST
/bin/awk
lrwxrwxrwx root (0) 4 Mon 21 May 2001 04:21:42 AM MDT
/bin/basename
-rwxr-xr-x root (0) 5748 Tue 16 Jan 2001 07:50:02 AM MST
/bin/bash
-rwxr-xr-x root (0) 512668 Wed 28 Feb 2001 12:01:03 AM MST
.
.
.
=============================================================================== Object Detail:
===============================================================================
------------------------------------------------------------------------------- # Section: Unix File System
-------------------------------------------------------------------------------
Object name: /
Property: Value:
------------- -----------
Object Type Directory
Mode drwxr-xr-x
UID root (0)
GID root (0)
Object name: /bin
Property: Value:
------------- -----------
Object Type Directory
Device Number 769
Inode Number 96580
Mode drwxr-xr-x
Num Links 2
UID root (0)
GID root (0)
Size 4096
Modify Time Fri 27 Jul 2001 07:52:24 AM MDT
Blocks 8
Object name: /bin/arch
Property: Value:
------------- -----------
Object Type Regular File
Device Number 769
File Device Number 0
Inode Number 102022
Mode -rwxr-xr-x
Num Links 1
UID root (0)
GID root (0)
Size 2832
Modify Time Thu 12 Jul 2001 04:22:16 PM MDT
Change Time Fri 27 Jul 2001 07:52:24 AM MDT
Blocks 8
CRC32 BeYptX
MD5 AWujK1mKSH/l9lqKuOMSTl
.
.
.
There are a few integrity checking options that are worthy of discussion.
Interactive Mode (-I, --interactive)
Interactive mode opens the report file in the editor specified in the configuration file and allows the user to indicate which of the discovered inconsistencies should be updated in the database. Finally, it updates the database so that it doesn't have to be done manually.
The severity level indicates which rules should be checked based on their given severity levels, defined as Low=33, Medium=66 and High=100.
The rule option allows a given rule to be tested, which is a great way to debug your policies:
And the email option allows the reports to be directly emailed to the addresses given in the policy file:
And the email option allows the reports to be directly emailed:
If the email system is working, the designated user will receive a tripwire email message.