LinuxQuestions.org
01-21-2009, 08:39 PM   #1
pobman
Member
 
Registered: Jun 2005
Location: Wellington, New Zealand
Distribution: Fedora 9
Posts: 31

Rep: Reputation: 16
Tripwire reports huge in size: how can I reduce / prune them?


Hi All,

I have been asked to investigate some of our servers that run tripwire 2.3.0 on Red Hat Linux Advanced Server release 2.1AS (Pensacola).

We have the reports emailed to us using cron and twprint -m r -r report -t 4; the report has been growing steadily and today it was 9 MB.
It seems the database records go back to before 2004 and are being compared against today's files.

I really need to be informed what needs to be done to tripwire to keep it serviced through cron.

I have tried to google this but could not find any information that seemed to answer my questions.

Looking at the following guide, http://www.akadia.com/services/tripwire.html, step 6 talks about "Updating the Database after an Integrity Check" using
Code:
# tripwire --update --twrfile /var/lib/tripwire/report/<name>.twr
Should I be using this command, or should I be re-creating the db every month or so using # tripwire --init?

Extract from report -
Quote:
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                                    Severity Level    Added    Removed    Modified
  ---------                                    --------------    -----    -------    --------
  Invariant Directories                        66                0        0          0
  Tripwire Data Files                          100               0        0          0
  Temporary directories                        33                0        0          0
* Critical devices                             100               0        0          1
  Tripwire Binaries                            100               0        0          0
* User binaries                                66                130      62         781
* Libraries                                    66                120      47         7455
* OS executables and libraries                 100               10       2          167
* File System and Disk Administraton Programs  100               0        0          38
* Networking Programs                          100               0        0          16
* System Administration Programs               100               0        0          16
* Operating System Utilities                   100               0        0          33
* Critical Utility Sym-Links                   100               0        0          25
* Shell Binaries                               100               0        0          6
* Security Control                             100               4        1          25
  Login Scripts                                100               0        0          0
* System boot changes                          100               3088     0          19
* Critical configuration files                 100               87       16         137
* Kernel Administration Programs               100               0        0          10
* Hardware and Device Control Programs         100               0        0          5
* System Information Programs                  100               0        0          2
* Application Information Programs             100               0        0          3
* Shell Releated Programs                      100               0        0          1
  (/sbin/getkey)
* Critical system boot files                   100               13       0          6
* Root config files                            100               11       10902      11

Total objects scanned: 21039
Total violations found: 23250
Can you perhaps tell me what I should be looking for as well, as there are lots of entries?

eg:
Code:
-------------------------------------------------------------------------------
Rule Name: User binaries (/usr/bin)
Severity Level: 66
-------------------------------------------------------------------------------
  ----------------------------------------
  Added Objects: 109
  ----------------------------------------

Added object name:  /usr/bin/neat-control
Added object name:  /usr/bin/usernet
Added object name:  /usr/bin/rp3
Added object name:  /usr/bin/cawin_echo
Added object name:  /usr/bin/sddtaflt
Added object name:  /usr/bin/dmscript
Added object name:  /usr/bin/casdips
Added object name:  /usr/bin/isodebug
Added object name:  /usr/bin/man2dvi
Added object name:  /usr/bin/oldrdist
Added object name:  /usr/bin/isodump
Added object name:  /usr/bin/isoinfo
Added object name:  /usr/bin/isovfy
Added object name:  /usr/bin/slabtop
Added object name:  /usr/bin/rep
Code:
  ----------------------------------------
  Removed Objects: 4
  ----------------------------------------

Removed object name:  /usr/bin/glibcbug
Removed object name:  /usr/bin/isag
Removed object name:  /usr/bin/nsupdate
Removed object name:  /usr/bin/saucer

  ----------------------------------------
  Modified Objects: 564
  ----------------------------------------

Modified object name:  /usr/bin

  Property:            Expected                    Observed
  -------------        -----------                 -----------
* Modify Time          Mon Jul 26 12:08:39 2004    Fri Aug  1 10:39:35 2008


Modified object name:  /usr/bin/[

  Property:            Expected                    Observed
  -------------        -----------                 -----------
* Inode Number         311657                      312687
* Modify Time          Wed Jul 23 21:36:35 2003    Fri Aug  1 10:34:10 2008


Modified object name:  /usr/bin/a2p

  Property:            Expected                    Observed
  -------------        -----------                 -----------
* Inode Number         311452                      311470
* Size                 102461                      102477
* Modify Time          Wed Mar 27 07:30:20 2002    Fri Feb 27 05:09:04 2004
* CRC32                D/5rsJ                      DHU6bv
* MD5                  Bbb7+HIxh3xDHQG/fFCcGy      BnJaC1HRBWM2GVMne807FB
The above list is huge!

I need to understand how to change the expected to the observed so the db will be up to date.

I would also like some of the rules explained:
What does removed and added mean?
Is it removed as it has not changed and added if it finds a new one that has?

Code:
-------------------------------------------------------------------------------
Rule Name: System boot changes (/lib/modules)
Severity Level: 100
-------------------------------------------------------------------------------
  ----------------------------------------
  Added Objects: 3075
  ----------------------------------------

Added object name:  /lib/modules/2.4.9-e.72
Added object name:  /lib/modules/2.4.9-e.72/kernel
Added object name:  /lib/modules/2.4.9-e.72/kernel/net
Added object name:  /lib/modules/2.4.9-e.72/kernel/net/atm
Added object name:  /lib/modules/2.4.9-e.72/kernel/net/atm/pppoatm.o
Added object name:  /lib/modules/2.4.9-e.72/kernel/net/atm/lec.o
Added object name:  /lib/modules/2.4.9-e.72/kernel/net/atm/mpoa.o
Added object name:  /lib/modules/2.4.9-e.72/kernel/net/bluetooth
Added object name:  /lib/modules/2.4.9-e.72/kernel/net/bluetooth/hci.o
Added object name:  /lib/modules/2.4.9-e.72/kernel/net/bluetooth/l2cap.o
Added object name:  /lib/modules/2.4.9-e.72/kernel/net/irda
Added object name:  /lib/modules/2.4.9-e.72/kernel/net/irda/ircomm
Added object name:  /lib/modules/2.4.9-e.72/kernel/net/irda/ircomm/ircomm-tty.o
Added object name: 
Code:
-------------------------------------------------------------------------------
Rule Name: System boot changes (/dev/log)
Severity Level: 100
-------------------------------------------------------------------------------
  ----------------------------------------
  Modified Objects: 1
  ----------------------------------------

Modified object name:  /dev/log

  Property:            Expected                    Observed
  -------------        -----------                 -----------
* Inode Number         73492                       65646

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
  ----------------------------------------
  Added Objects: 8
  ----------------------------------------

Added object name:  /root/1
Added object name:  /root/fp3/base/java_tmp/jre/lib/core.jar_jtzubackup
Added object name:  /root/fp3/nd/java_tmp/jre/lib/core.jar_jtzubackup
Added object name:  /root/.gnupg
Added object name:  /root/.gnupg/options
Added object name:  /root/.gnupg/secring.gpg
Added object name:  /root/.gnupg/trustdb.gpg
Added object name:  /root/.gnupg/pubring.gpg

  ----------------------------------------
  Removed Objects: 10902
  ----------------------------------------

Removed object name:  /root/oshard-erato-20050527.tar
Removed object name:  /root/was510
Removed object name:  /root/was510/base
Removed object name:  /root/was510/base/readme
Removed object name:  /root/was510/base/readme/readme_de.html
Removed object name:  /root/was510/base/readme/readme_en.html

Cheers
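A triage helper for the report layout quoted in the post, added here as an example and not part of the thread or of Tripwire itself: it parses the text that twprint -m r -t 4 prints, ranks rules by severity, and separates objects whose content changed (hash or size) from metadata-only drift (mtime, inode), which is the split worth checking before `tripwire --update` accepts a report into the database. The sample report is constructed from the excerpts above, and the property set in CONTENT_PROPS is an assumption about which properties indicate a content change.

```python
import os
import re
# Constructed excerpt in the twprint -m r -t 4 layout (dashed separators and "Added Objects: N" headers omitted; the parser skips them anyway).
SAMPLE = """\
Rule Name: User binaries (/usr/bin)
Severity Level: 66
Added object name:  /usr/bin/isoinfo
Added object name:  /usr/bin/slabtop
Removed object name:  /usr/bin/glibcbug
Modified object name:  /usr/bin
* Modify Time          Mon Jul 26 12:08:39 2004    Fri Aug  1 10:39:35 2008
Modified object name:  /usr/bin/a2p
* MD5                  Bbb7+HIxh3xDHQG/fFCcGy      BnJaC1HRBWM2GVMne807FB
Rule Name: System boot changes (/dev/log)
Severity Level: 100
Modified object name:  /dev/log
* Inode Number         73492                       65646
"""
RULE_RE = re.compile(r"^Rule Name:\s+(.*\S)")
SEV_RE = re.compile(r"^Severity Level:\s+(\d+)")
OBJ_RE = re.compile(r"^(Added|Removed|Modified) object name:\s+(\S+)")
PROP_RE = re.compile(r"^\*\s+(.+?)\s{2,}(\S.*?)\s{2,}(\S.*?)\s*$")  # columns are split by 2+ spaces
CONTENT_PROPS = {"MD5", "CRC32", "SHA", "HAVAL", "Size"}  # assumed: content changed, not just metadata

def parse_report(text):
    """Return {rule: {"severity", "added": [..], "removed": [..], "modified": {path: {prop: (expected, observed)}}}}."""
    rules, rule, obj = {}, None, None
    for line in text.splitlines():
        if m := RULE_RE.match(line):
            rule = rules.setdefault(m.group(1), {"severity": 0, "added": [], "removed": [], "modified": {}})
        elif m := SEV_RE.match(line):
            rule["severity"] = int(m.group(1))
        elif m := OBJ_RE.match(line):
            kind, path = m.group(1).lower(), m.group(2)
            obj = rule["modified"].setdefault(path, {}) if kind == "modified" else None
            if obj is None:
                rule[kind].append(path)
        elif (m := PROP_RE.match(line)) and obj is not None:
            obj[m.group(1)] = (m.group(2), m.group(3))
    return rules

def triage(rules):
    """Rank rules by severity; per rule, list objects whose content changed and the directory the bulk additions fall under."""
    rows = []
    for name, r in sorted(rules.items(), key=lambda kv: -kv[1]["severity"]):
        content = sorted(p for p, props in r["modified"].items() if CONTENT_PROPS & set(props))
        rows.append({"rule": name, "severity": r["severity"], "added": len(r["added"]),
                     "removed": len(r["removed"]), "modified": len(r["modified"]),
                     "content_changed": content,  # review these by hand before accepting them with --update
                     "added_under": os.path.commonpath(r["added"]) if r["added"] else None})
    return rows
```

Run it over a full report with `triage(parse_report(open(path).read()))`; thousands of added objects that collapse to one directory (as with the /lib/modules/2.4.9-e.72 tree above) are usually one package or kernel install, while a severity 100 rule with entries in content_changed is what to read first.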
 
01-21-2009, 09:37 PM   #2
FragInHell
Member
 
Registered: Sep 2003
Location: Sydney Australia
Distribution: Redhat, Centos, Solaris, Ubuntu, SUSE
Posts: 282

Rep: Reputation: 45
There is a fairly good guide to tripwire in the Red Hat 9 docs on the Red Hat site. It tells you how to update the policy etc.

Here you see section 19

http://www.redhat.com/docs/manuals/l...ual/ref-guide/
 
  

