LinuxQuestions.org - Linux - Security
draft howto tripwire unofficial (https://www.linuxquestions.org/questions/linux-security-4/draft-howto-tripwire-unofficial-613605/)

aus9 01-14-2008 10:43 PM

draft howto tripwire unofficial
 
Hi

This is an ODT file of about 160 kilobytes, very much in draft mode.

I have lots to do, but as I am not an expert, maybe I am wasting my time.

So you guys and gals decide for me.


TODO

add credits

clean up

I am currently playing with cut-down pre-defined variables and have been checking the database objects... tw.db was 4.4 Megs, cut down to 1.1 Megs.

I am not good with cron auto-mail... I got into trouble sending crontab mail too fast to my test mail site with my mail server. I think it was a daemon detecting mail sent from one IP every 10 minutes that did it.

If it's worth doing, eventually it will be submitted as a request to the SF Tripwire site, not the Tripwire Inc. site, as it's based on the open source edition.

Questions
1) Is there anything obvious wrong with it so far?

Be as blunt as you like.

2) Is it worth doing, meaning is there a better guide already available? Just because I could not find it does not mean it's not there.

3) Is it NOT worth doing because of a catch-22: those who need it already know how to use it?



I will review any replies mid Feb, thank you, as I have other things I have to do as well.

EDIT

post 11 has new links

cheerio

aus9 01-15-2008 05:14 PM

Well, I will have to increase the db; I had too severe a ruleset.

unSpawn 01-15-2008 06:06 PM

* Also note Divshare goes through maintenance. Last time I checked, the file was unavailable for D/L.

aus9 01-16-2008 12:48 AM

That may be true, but when I first posted I tested the link, and I have just now as well.

However, it may relate to your browser, as Rick (post 2) had problems with a different link:
http://www.linuxquestions.org/questi...72#post2890672

aus9 01-16-2008 05:42 AM

OK, trying another link in case it's only Opera users who can see the old one.



OK, second attempt: link works in Opera.

EDIT... this link was edited after win32sux's post, so he is referring to the earlier links, I think, and not this Ripway one.

EDIT 2

post 11 has new links

win32sux 01-16-2008 05:44 AM

Both links work fine here, using Firefox.

EDIT: For clarity, these are the two links I've tested: Link 1, Link 2.

At the time of this edit, both provide a tw.odt file with these fingerprints:

MD5: f101b0ad1021456f0b37cff712ac0153
SHA1: f20eb611a8296593139cd5cee61a78aef446a556


aus9 01-16-2008 05:00 PM

Bugger, as I posted 2 links earlier and saw the time of our posts, I made an assumption.

Now, should I learn English? My teacher says there is a lot going for it, but not so much for me.

aus9 01-18-2008 01:28 AM

Although it's not YET in the howto, my test of a honeytoken is complete.

Pretend the file name is /home/yourname/honeytoken.txt... it won't be for my real one.

a) The rule for the text policy to be "updated" with the database is:

/home/gordy/honeytoken.txt -> $(IgnoreAll) +ac ; # honeytoken

b) examine database shows:
Object name: /home/gordy/honeytoken.txt

Property: Value:
------------- -----------
Object Type Regular File
Access Time Fri 18 Jan 2008 14:44:30 WST
Change Time Fri 18 Jan 2008 14:44:30 WST

c) Then never access the file; but if the intruder does, after a scan

d) the report fragment shows:

Modified object name: /home/gordy/honeytoken.txt

Property:        Expected                       Observed
-------------    -----------                    -----------
* Access Time    Fri 18 Jan 2008 14:44:30 WST   Fri 18 Jan 2008 16:15:51 WST

Which is exactly what I was expecting... the atime has changed.


CREDIT to LQ user OlRoy as per post 3 here
http://www.linuxquestions.org/questi...ght=honeytoken
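The honeytoken check above works because the rule's `$(IgnoreAll) +ac` makes tripwire record only the access and change times, so the scan itself never opens the file and the atime only moves when somebody else reads it. The added shell script below (not from the howto or from anyone in the thread) does the same baseline-and-compare step with plain `stat`, which is handy for checking a token between full tripwire scans or on a box without tripwire. It assumes GNU coreutils (`stat -c`, `touch -d`); the file path and timestamps in the demo are constructed. One caveat a practitioner should verify before relying on the trap: on a `noatime` mount the access time never changes, so the report will never flag the file; with `relatime` (the usual Linux default) the first read after the file is created still updates it, which is all this detection needs.

```shell
#!/bin/sh
# Added example, not code from the thread: a honeytoken atime check in
# POSIX sh, mirroring the tripwire "+ac" rule. Assumes GNU coreutils.

# Print the access time of FILE as seconds since the epoch.
honeytoken_atime() {
    stat -c %X "$1"
}

# Record the baseline atime of FILE into BASELINE (the "update database" step).
honeytoken_baseline() {
    honeytoken_atime "$1" > "$2"
}

# Compare the current atime of FILE with the recorded BASELINE (the "report"
# step). Prints ACCESS DETECTED and returns 1 if the atime moved, otherwise
# prints unchanged and returns 0.
honeytoken_check() {
    expected=$(cat "$2")
    observed=$(honeytoken_atime "$1")
    if [ "$observed" != "$expected" ]; then
        printf 'ACCESS DETECTED: %s expected atime %s observed %s\n' \
            "$1" "$expected" "$observed"
        return 1
    fi
    printf 'unchanged: %s atime %s\n' "$1" "$expected"
    return 0
}

# Self-contained demonstration on a constructed token in a temp directory.
honeytoken_demo() {
    dir=$(mktemp -d)
    token="$dir/honeytoken.txt"            # constructed stand-in for the real token
    printf 'nothing to see here\n' > "$token"
    honeytoken_baseline "$token" "$dir/baseline"
    honeytoken_check "$token" "$dir/baseline"          # unchanged
    # Simulate the intruder's read by setting the atime explicitly, so the
    # demo does not depend on the mount's atime/relatime/noatime option.
    touch -a -d '2008-01-18 16:15:51' "$token"
    honeytoken_check "$token" "$dir/baseline" || true  # ACCESS DETECTED
    rm -rf "$dir"
    return 0
}

honeytoken_demo
```

Run the baseline function once when the token is created, keep the baseline file somewhere the token's directory owner cannot write, and run the check from cron; a non-zero exit is the signal to look at the tripwire report for that path.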

aus9 01-18-2008 01:57 AM

EDIT

Culled; discussed on a different thread.

aus9 01-18-2008 02:07 AM

EDIT

culled

aus9 01-20-2008 01:37 AM

Section flowchart stage 16 has been rewritten.

It had a fault: having deleted the text policy files, users should use the update database command. And so I waffle on about using bash completion and give an example:



tripwire -m u -a -r /opt/tw/lib/tripwire/report/gs.net-20080114-105614.twr

2) I also have a simple text file on a USB stick with frequent commands I copy and paste into my shell, but that's it for now.

New file is here:

http://h1.ripway.com/aus9/tw.odt

or

http://www.divshare.com/download/3539570-95d


md5sum tw.odt
1e630da4c349b7a1bef33bccd9cd8e7d
openssl sha1 tw.odt
SHA1(tw.odt)= be17c3ab16a1597c86ec611d536bb8395e6524f1
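Both posts that publish fingerprints for tw.odt leave the comparison to the reader. The added shell script below (not from the thread) does that comparison for you: it takes the file plus the published MD5 and SHA-1 strings, compares both case-insensitively, and exits non-zero if either disagrees, so a partial or corrupted download is rejected rather than opened. It assumes GNU coreutils `md5sum` and `sha1sum`; the file and digests in the demo are computed from constructed content, not the thread's. A matching fingerprint that was published on the same page as the download only proves the file arrived intact; MD5 and SHA-1 are no longer collision-resistant and the page itself could be altered, so for a file you intend to trust you still want a signature or a hash obtained through a second channel.

```shell
#!/bin/sh
# Added example, not code from the thread: check a downloaded file against
# published MD5 and SHA-1 fingerprints. Assumes GNU coreutils.

# Print only the hex digest of FILE, lower case.
file_md5()  { md5sum  "$1" | cut -d ' ' -f 1; }
file_sha1() { sha1sum "$1" | cut -d ' ' -f 1; }

# verify_fingerprints FILE EXPECTED_MD5 EXPECTED_SHA1
# Returns 0 only when both digests match. Expected values are lower-cased
# first so a fingerprint pasted in upper case still compares equal.
verify_fingerprints() {
    file=$1
    want_md5=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    want_sha1=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    got_md5=$(file_md5 "$file")
    got_sha1=$(file_sha1 "$file")
    status=0
    if [ "$got_md5" != "$want_md5" ]; then
        printf 'MD5 MISMATCH  %s: expected %s got %s\n' "$file" "$want_md5" "$got_md5" >&2
        status=1
    fi
    if [ "$got_sha1" != "$want_sha1" ]; then
        printf 'SHA1 MISMATCH %s: expected %s got %s\n' "$file" "$want_sha1" "$got_sha1" >&2
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        printf 'OK %s\n' "$file"
    fi
    return "$status"
}

# Self-contained demonstration on a constructed stand-in for tw.odt.
verify_demo() {
    dir=$(mktemp -d)
    printf 'constructed stand-in for tw.odt\n' > "$dir/tw.odt"
    # "Publish" the fingerprints the way the thread does, then verify.
    md5=$(file_md5 "$dir/tw.odt")
    sha1=$(file_sha1 "$dir/tw.odt")
    verify_fingerprints "$dir/tw.odt" "$md5" "$sha1"
    # A truncated, corrupted or substituted download fails the check.
    printf 'tampered\n' >> "$dir/tw.odt"
    verify_fingerprints "$dir/tw.odt" "$md5" "$sha1" || echo "download rejected"
    rm -rf "$dir"
    return 0
}

verify_demo
```

In a download step, call `verify_fingerprints tw.odt <md5> <sha1> || exit 1` before doing anything else with the file; the mismatch messages go to stderr so the script can be wired into a larger one.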

aus9 02-15-2008 04:50 AM

Ungracious BUMP

OK, anyone now care to offer any feedback, rude, crude or indifferent?

If not, I will close down my thoughts on TW and move elsewhere, as I am sure everyone appreciates time is pressing on my brain cells as much as yours.

I will accept all feedback, but now only for 2 weeks. After that, I am likely to be doing something else... like maybe using virtualbox for grub for raid or something non-tripwire.

JZL240I-U 02-15-2008 05:06 AM

I'm in a crunch at work. I'll sincerely try, though.

And in the family :cry:

aus9 02-28-2008 07:27 AM

OK, democracy and my impatience in action.

Not enough posters saying it's crap or good or anything, so I have now dismissed this from my mind.

Mods, you can close this post please.

I reserve the right to cull my links, but will leave them online as long as possible.

I have started a new thought on grub and raid... I think slowwwwly.

JZL240I-U 02-28-2008 09:55 AM

Okay, for what it is worth, here are my comments.

I do support the use of .odt files -- but my employer does not. So I had to convert at home to be able to read the source. Next time plain text?

"Modify Config File" -> your explanation of "strict" and "loose" is very short. I got it after three re-reads.

Install on Hard Drive Part 2: Some explanation of all those passwords/-phrases would be helpful. In particular their required strengths and how to get them (examples or templates) would be helpful for us noobs.

"Add :/opt/tw/sbin to the current path, so it looks like this" -- well like what? You neglected to show your $PATH line...

"Research file structure Flowchart stage 10" Ummm. What? The SuSE I use is FHS compliant but what exactly am I to research?

"Special syntax for a stop decision is for example /pathwayto/folder/ file -> $(Growing) ;" Does that mean a symbolic link or do you want to imply a growing file like a log?

"Internal research -- The command I am going to use with root powers is find..." I suggest "locate". On a non-compromised system just so much faster.

More to follow as soon as I can find some free time. Thanks for your efforts aus9.


All times are GMT -5.