draft howto tripwire unofficial
Hi
this is about a 160 Kilobyte ODT file, very much in draft mode. I have lots to do, but as I am not an expert, maybe I am wasting my time, so you guys and gals decide for me.

TODO: add credits, clean up. I am currently playing with a cut down set of pre-defined variables and have been checking the database objects....tw.db was 4.4 Megs, cut down to 1.1 Megs..... I am not good with cron auto mail...I got into trouble sending crontabs too fast to my test mail site with my mail server. I think it was a daemon detecting mail sent from one IP every 10 minutes that did it.

If it's worth doing, eventually it will be submitted as a request to the SF Tripwire site, not the Tripwire Inc site, as it's based on the open source edition.

Questions
1) Is there anything obviously wrong with it so far? Be as blunt as you like.
2) Is it worth doing, meaning is there a better guide already available? Just because I could not find it does not mean it's not there.
3) Is it NOT worth doing because of catch 22: those who need it already know how to use it.

I will review any replies, thank you, mid Feb, as I have other things I have to do as well. EDIT post 11 has new links cheerio |
well I will have to increase the db, I had too severe a ruleset
|
* also note Divshare goes through maintenance. Last time I checked the file was unavailable for D/L.
|
that may be true but when I first posted, I tested the link and I have just now.
However, it may relate to your browser as Rick (post 2) had problems with a different link http://www.linuxquestions.org/questi...72#post2890672 |
ok trying another link in case its only opera users who can see the old one
ok second attempt link works in opera EDIT...this link was edited after win32sux's post so he is referring to the earlier links, I think, and not this ripway one. EDIT 2 post 11 has new links |
|
bugger, as I posted 2 links earlier and I saw the time of our posts I made an assumption.
Now should I learn English, my teacher says there is a lot going for it but not so much for me? |
although it's not YET in the howto, my test of a honeytoken is complete.
Pretend the file name is /home/yourname/honeytoken.txt....it won't be for my real one.

a) rule for text policy to be "updated" with database is:

/home/gordy/honeytoken.txt -> $(IgnoreAll) +ac ; # honeytoken

b) examine database shows:

Object name: /home/gordy/honeytoken.txt
Property: Value:
------------- -----------
Object Type Regular File
Access Time Fri 18 Jan 2008 14:44:30 WST
Change Time Fri 18 Jan 2008 14:44:30 WST

c) Then never access the file, but if the intruder does, after a scan

d) report fragment shows:

Modified object name: /home/gordy/honeytoken.txt
Property: Expected Observed
------------- ----------- -----------
* Access Time Fri 18 Jan 2008 14:44:30 WST Fri 18 Jan 2008 16:15:51 WST

which is exactly what I was expecting....the atime has changed. CREDIT to LQ user OlRoy as per post 3 here http://www.linuxquestions.org/questi...ght=honeytoken |
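The honeytoken report fragment above is plain text, so a small script can watch for it. This is an added example, not part of the post or of Tripwire itself: it parses a constructed report laid out like the fragment and reports decoy files whose Access Time changed between the database and the scan (the HONEYTOKENS path list and the sample report are assumptions).

```python
import re
from datetime import datetime

# Constructed sample modelled on the report fragment in the post (not real Tripwire output).
SAMPLE_REPORT = """\
Modified object name:  /home/gordy/honeytoken.txt

  Property:            Expected                    Observed
  -------------        -----------                 -----------
* Access Time          Fri 18 Jan 2008 14:44:30 WST Fri 18 Jan 2008 16:15:51 WST

Modified object name:  /var/log/messages

  Property:            Expected                    Observed
  -------------        -----------                 -----------
* Size                 1024                        2048
"""

# Assumed set of decoy paths; only these are reported, other modified objects are ignored.
HONEYTOKENS = {"/home/gordy/honeytoken.txt"}

# Timestamps in the report look like "Fri 18 Jan 2008 14:44:30 WST".
TS_RE = re.compile(r"[A-Z][a-z]{2} \d{1,2} [A-Z][a-z]{2} \d{4} \d{2}:\d{2}:\d{2} [A-Z]+")


def parse_time(stamp):
    """Parse a report timestamp, dropping the zone abbreviation (same zone on both sides)."""
    return datetime.strptime(stamp.rsplit(" ", 1)[0], "%a %d %b %Y %H:%M:%S")


def honeytoken_hits(report_text, honeytokens=HONEYTOKENS):
    """Return {path: seconds between expected and observed atime} for decoys that were read."""
    hits = {}
    current = None
    for line in report_text.splitlines():
        m = re.match(r"Modified object name:\s+(\S+)", line)
        if m:
            current = m.group(1)       # following property lines belong to this object
            continue
        # Tripwire marks a changed property with a leading "*".
        if current in honeytokens and line.lstrip().startswith("*") and "Access Time" in line:
            stamps = TS_RE.findall(line)
            if len(stamps) == 2:
                expected, observed = (parse_time(s) for s in stamps)
                hits[current] = int((observed - expected).total_seconds())
    return hits
```

Run it over the report produced by the scan; a non-empty result means the decoy was opened, which on a file nobody should touch is the signal the post describes.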
EDIT
culled discussed on diff thread |
EDIT
culled |
section flowchart stage 16 has been rewritten.
It had a fault: having deleted the text policy files, users should use the update database command. And so I waffle on about using bash completion and give an example

tripwire -m u -a -r /opt/tw/lib/tripwire/report/gs.net-20080114-105614.twr

2) I also have a simple text file on a usb stick with frequent commands I copy and paste into my shell, but that's it for now.

new file is here http://h1.ripway.com/aus9/tw.odt or http://www.divshare.com/download/3539570-95d

md5sum tw.odt
1e630da4c349b7a1bef33bccd9cd8e7d

openssl sha1 tw.odt
SHA1(tw.odt)= be17c3ab16a1597c86ec611d536bb8395e6524f1 |
ungracious BUMP
ok anyone now care to offer any feedback, rude, crude or indifferent? If not, I will close down my thoughts on TW and move elsewhere, as I am sure everyone appreciates time is pressing on my brain cells as much as yours. I will accept all feedback but now only for 2 weeks. After that, I am likely to be doing something else.....like maybe using virtualbox for grub for raid or something non-tripwire. |
I'm in a crunch at work. I'll sincerely try, though.
And in the family :cry: |
ok democracy and my impatience in action.
not enough posters saying it's crap or good or anything so I have now dismissed this from my mind. mods you can close this post pls. I reserve the right to cull my links but will leave them online as long as possible. I have started a new thought on grub and raid...I think slowwwwly |
Okay, for what it is worth, here are my comments.
I do support the use of .odt files -- but my employer does not. So I had to convert at home to be able to read the source. Next time plain text?

"Modify Config File" -> your explanation of "strict" and "loose" is very short. I got it after three re-reads.

Install on Hard Drive Part 2: Some explanation of all those passwords/-phrases would be helpful. In particular their required strengths and how to get them (examples or templates) would be helpful for us noobs.

"Add :/opt/tw/sbin to the current path, so it looks like this" -- well, like what? You neglected to show your $PATH line...

"Research file structure Flowchart stage 10" Ummm. What? The SuSE I use is FHS compliant but what exactly am I to research?

"Special syntax for a stop decision is for example /pathwayto/folder/ file -> $(Growing) ;" Does that mean a symbolic link or do you want to imply a growing file like a log?

"Internal research -- The command I am going to use with root powers is find..." I suggest "locate". On a non-compromised system just so much faster.

More to follow as soon as I can find some free time. Thanks for your efforts aus9. |