[NTLUG:Discuss] tripwire config file?
Steve
steve at cyberianhamster.com
Sun Dec 2 23:56:13 CST 2001
Daniel L. Shipman wrote:
> Does anyone have a good config file that they are using for tripwire
> that you can pass along - the suggested config file contains soooooo
> many unutilized programs that it will take me forever to sort through -
> I'd just like another NTLUGger's config file to use as a jumping point
I fooled around with this on a Debian system a few months ago. I probably will
end up using it again later. I'm not a Tripwire expert by any stretch of the
imagination. If you're going to use this for "important" use, it's in your best
interest to read up a lot and go find the gurus.

I think Tripwire is among the best known of this type of thing, but it generally
gets not-so-good remarks on usability as I guess you've discovered. However,
since it is the best known, there is a lot of documentation out there. Just go
to Google or LinuxToday's search and type in "Tripwire" or "Tripwire tutorial".
You'll find lots of articles to get a bare-bones setup started.

Here's the one that I was using:

# Where the tripwire binaries, policy, database, reports and signing keys live
ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
# Interactive behaviour: editor for policy/report editing, prompt for passphrases
# up front, check directory contents (not just the directory inode)
EDITOR =/usr/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
# Reporting: mail a report even when nothing changed, detail level 3, also syslog
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =3
SYSLOGREPORTING =true
# Deliver reports through the local SMTP server
MAILMETHOD =SMTP
SMTPHOST =localhost
SMTPPORT =25

The value of Tripwire drops some if you leave all of the important Tripwire
material on your machine. How much you want to do depends on how paranoid you
want to be.
Email: I don't think it's covered in this config file. During the setup
process, it asked for a user to receive it. Was the actual email address stored
in my cron.daily? Can't remember. In any case, you probably don't want to use
somebody on the system as your sole email recipient. You should consider sending
at least an email to a different machine.
Polfile, tripwire binary, keys, dbfile: I don't think it's a good idea to leave
these on the host machine. You should store these on mounted, read-only medium
like a floppy or CD-R. I don't think all of this will fit on a floppy. If you
foresee a lot of changes to your polfile and dbfile, then maybe you can put
those on a floppy and the rest on a CD-R. Now, if you do get compromised, you
can compare with trusted sources although I suppose that some creative kernel
hacking could still spoof you.
Steve
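The two points Steve raises (keys, policy, database and binary on read-only media; reports not depending only on the host) can be checked mechanically. This is an added example, not part of the post and not Tripwire's own tooling: a small parser for the twcfg.txt format shown above plus an audit that flags trust-critical paths still on the host filesystem. The mount points in TRUSTED_PREFIXES and the sample hostname are assumptions.

```python
import re

# Constructed sample: the twcfg.txt from the post, with every path still on the host.
SAMPLE_TWCFG = """\
ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
MAILMETHOD =SMTP
SMTPHOST =localhost
"""

# Assumption: mount points of the read-only media (CD-R, floppy) the post recommends.
TRUSTED_PREFIXES = ("/mnt/cdrom/", "/mnt/floppy/")
# Items an intruder on the host must not be able to replace: binary dir, policy, keys, db.
TRUST_CRITICAL = ("ROOT", "POLFILE", "SITEKEYFILE", "LOCALKEYFILE", "DBFILE")

LINE_RE = re.compile(r"^\s*([A-Z]+)\s*=\s*(.*?)\s*$")


def parse_twcfg(text):
    """Parse KEY = value lines in twcfg.txt style; '#' starts a comment."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unparseable twcfg line: %r" % raw)
        cfg[m.group(1)] = m.group(2)
    return cfg


def expand(value, hostname, date):
    """Substitute the $(HOSTNAME) and $(DATE) variables Tripwire expands at run time."""
    return value.replace("$(HOSTNAME)", hostname).replace("$(DATE)", date)


def audit(cfg, hostname="box", date="20011202", trusted=TRUSTED_PREFIXES):
    """List trust-critical items that still live on the host's writable filesystem."""
    findings = []
    for key in TRUST_CRITICAL:
        path = expand(cfg.get(key, ""), hostname, date)
        if not path.startswith(trusted):
            findings.append("%s is on the host filesystem: %s" % (key, path))
    if cfg.get("MAILMETHOD") == "SMTP" and cfg.get("SMTPHOST") in ("localhost", "127.0.0.1"):
        findings.append("SMTPHOST is localhost: delivery relies on the host's own MTA")
    return findings
```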