
Snapshots with Tripwire

Description
“Open Source Tripwire® software is a security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems.”
That is the SourceForge description.
Put simply, Tripwire stores a snapshot of your files, then compares the system files against the snapshot that was taken to discover the differences: any change in their size, inode number, permissions, or other attributes.
How does it work?
It is divided into 2 components:
1- The policy
lists all files and directories that Tripwire should snapshot
Ex) catch any change in /root, /boot, and /lib
2- The database
contains the snapshot built from the rules (policy)
You can then compare the file system against the snapshot at any time, and Tripwire will report any discrepancies.
– Installing
You can download the source from http://sourceforge.net/projects/tripwire/
On Fedora i686: ["sudo yum install tripwire.i686"]
If the system has problems installing, you can use the manual steps:
Helpful variables:
# DIR=/etc/tripwire
# SITE_KEY=$DIR/site.key
# LOCAL_KEY=$DIR/`hostname`-local.key
Generate the site key:
# twadmin --generate-keys --site-keyfile $SITE_KEY
Generate the local key:
# twadmin --generate-keys --local-keyfile $LOCAL_KEY
Sign the configuration file:
# twadmin --create-cfgfile --cfgfile $DIR/tw.cfg \
    --site-keyfile $SITE_KEY $DIR/twcfg.txt
Sign the policy file:
# twadmin --create-polfile --cfgfile $DIR/tw.cfg \
    --site-keyfile $SITE_KEY $DIR/twpol.txt
Set appropriate permissions:
# cd $DIR
# chown root:root $SITE_KEY $LOCAL_KEY tw.cfg tw.pol
# chmod 600 $SITE_KEY $LOCAL_KEY tw.cfg tw.pol
– Configuration
The configuration file "twcfg.txt" lives at /etc/tripwire.
It holds the settings used by Tripwire, such as the location of the Tripwire report file.
To print the active configuration file to twcfg.txt:
# cd /etc/tripwire
# twadmin --print-cfgfile > twcfg.txt
– Policy file
The policy file "twpol.txt" lives at /etc/tripwire.
It tells Tripwire which files to monitor. To print the active policy file to twpol.txt:
# cd /etc/tripwire
# twadmin --print-polfile > twpol.txt
– Create a snapshot (database)
Tripwire builds a collection of file-system objects based on the rules in the policy file.
To create the database, use the command:
# tripwire --init
– Integrity check
This command runs the integrity check:
# tripwire --check
When running an integrity check, Tripwire compares the current file system with the last Tripwire snapshot.
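As an added example (not Tripwire's own code, and not from the original post), here is a small POSIX shell script that does for one directory what the policy and database above do: it snapshots the size, inode, mode and a SHA-256 hash of every regular file, then reports objects that were added, removed or modified since the baseline, returning non-zero on any finding the way tripwire --check does on a violation. It assumes GNU coreutils (stat -c, sha256sum); the function names snapshot and integrity_check are my own.

```shell
#!/bin/sh
# Constructed example of a Tripwire-style baseline and check for one directory.
# Assumes GNU coreutils (stat -c, sha256sum). Not tripwire's own code.

# snapshot DIR OUTFILE: record size, inode, mode and SHA-256 of every regular
# file under DIR, one tab-separated line per file; the path goes last so that
# a path containing spaces still parses.
snapshot() {
    dir=$1; out=$2
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        set -- $(stat -c '%s %i %a' "$f")       # $1=size $2=inode $3=mode
        hash=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s\t%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "$hash" "$f"
    done > "$out"
}

# integrity_check DIR BASELINE: take a fresh snapshot and report every object
# that was added, removed, or whose attributes/hash differ from BASELINE.
# Returns 1 when anything is reported, like tripwire --check on a violation.
integrity_check() {
    cur=$(mktemp)
    snapshot "$1" "$cur"
    report=$(awk -F'\t' -v base_file="$2" '
        FILENAME == base_file { base[$5] = $1 FS $2 FS $3 FS $4; next }
        { seen[$5] = 1
          if (!($5 in base))                         print "Added:    " $5
          else if (base[$5] != $1 FS $2 FS $3 FS $4) print "Modified: " $5 }
        END { for (p in base) if (!(p in seen))    print "Removed:  " p }
    ' "$2" "$cur")
    rm -f "$cur"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}
```

Usage: snapshot /etc /var/lib/mybaseline.db once, then integrity_check /etc /var/lib/mybaseline.db from cron; keep the baseline outside the monitored tree and on read-only or signed storage, which is the role Tripwire's keys play.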
– Printing the report
This is a script to print the latest report.
Save the following in a file and run it ["# bash <file-name>"]:

#!/bin/sh
# Find the newest Tripwire report for this host and print it
DIR=/var/lib/tripwire/report
HOST=`hostname -s`
LAST_REPORT=`ls -1t $DIR/$HOST-*.twr | head -1`
twprint --print-report --twrfile "$LAST_REPORT"
Or just in one command:
# twprint -m r --twrfile /var/lib/tripwire/report/<name>.twr
– Update the database
This is a script to update the database from the latest report.
Save the following in a file and run it ["# bash <file-name>"]:
#!/bin/sh
# Find the newest Tripwire report for this host and accept its changes into the database
DIR=/var/lib/tripwire/report
HOST=`hostname -s`
LAST_REPORT=`ls -1t $DIR/$HOST-*.twr | head -1`
tripwire --update --twrfile "$LAST_REPORT"
Or just in one command:
# tripwire --update --twrfile /var/lib/tripwire/report/<name>.twr
NOTE:
The first version of Tripwire was written by Gene Kim and Dr. Eugene Spafford at Purdue University in 1992 and released to the open source community.