
1st December 2007, 04:11 PM
Registered User
Join Date: Aug 2007
Location: Reno NV.
Posts: 92
tripwire initial setup ?
I've been looking for an intrusion detection system and had installed tripwire, to use and look at the changes that may have been made to different files if someone were able to log in to my machine or network.
I've been looking at the initial setup and use of tripwire to be able to use it and have found it to be somewhat overwhelming,
so I thought I'd ask here for a little help. Anyone know of some good guides and tutorials for the setup and use of tripwire?
Trying to learn more about it, and being somewhat new to linux in general (i.e. not an expert by any means), I would like to know more. I have Googled tripwire use and installation and found many different sites, giving many command-line commands, and am unsure of how to go forward with setting it up. I have installed it via the software package manager and am currently looking to set it up and use it.
Thanks for any more info on it, in advance.

18th August 2008, 03:02 AM
Registered User
Join Date: Nov 2007
Location: sw oregon
Posts: 143
The article is 3 years old, is it still relevant? Also, as I understand it, you're supposed to install Tripwire immediately after installing your new OS and prior to connecting your new install to a network or the internet. Um... if it doesn't come on the new install media, how are you going to accomplish this? (it's not on my F8 CD) And... how does it determine legit changes from bad ones? When you update software, do you just take it on blind faith that the updates are good and tell Tripwire the changes are good?
__________________
Everybody needs to believe in something,
I believe I'll have another beer!

18th August 2008, 03:10 AM
Registered User
Join Date: Jun 2006
Location: Texas
Age: 42
Posts: 4,168
I use tripwire and get e-mails from it daily.
To install and get it going:
Code:
su -
yum install tripwire
tripwire-setup-keyfiles
Use strong passwords.

18th August 2008, 03:11 AM
Retired Again - Administrator
Join Date: Nov 2007
Location: Reality
Posts: 3,041
Quote:
Originally Posted by yonnieboy
The article is 3 years old, is it still relevant? Also, as I understand it, you're supposed to install Tripwire immediately after installing your new OS and prior to connecting your new install to a network or the internet. Um... if it doesn't come on the new install media, how are you going to accomplish this? (it's not on my F8 CD) And... how does it determine legit changes from bad ones? When you update software, do you just take it on blind faith that the updates are good and tell Tripwire the changes are good?
You could try this: Download and burn to read-only medium on a trusted (e.g. freshly built) system. Then wipe and re-install, including tripwire.
Tripwire only knows what you tell it, i.e. it records changes in the files/folders you have designated in the config .... you decide whether the changes are legitimate. For that reason, you should be careful with what you designate to be checked - too much and you'll be forever verifying changes; too little and you could miss malware/intrusion.
I wouldn't recommend Tripwire for the casual user .... but if you want/need the peace of mind or the learning experience, it's worth it when appropriately configured.
Tip: the example template included (last time I checked, anyway) is out of date and you will need to spend a fair bit of time tailoring to a modern Fedora system.
__________________
Marching to the beat of his own conundrum.
Last edited by Evil_Bert; 18th August 2008 at 03:17 AM.
Reason: spelling, again!
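A toy illustration of the workflow Evil_Bert describes above (a policy naming what to watch, a trusted baseline, a check that only reports differences, and an update step where the admin re-baselines only the changes they verified). This is added example code, not Tripwire's own and not from the thread; the file names and temp directory are constructed for the demo.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """Content hash plus mode, owner and size: what a Tripwire rule records."""
    st = os.lstat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return (digest, st.st_mode & 0o7777, st.st_uid, st.st_size)

def snapshot(policy):
    """Baseline (the role of 'tripwire --init'): fingerprint every watched path."""
    return {p: fingerprint(p) for p in policy if os.path.exists(p)}

def check(policy, baseline):
    """Integrity check (the role of 'tripwire --check'): report differences only."""
    current = snapshot(policy)
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }

def accept(policy, baseline, approved):
    """Like 'tripwire --update': re-baseline only the paths the admin approved."""
    current = snapshot(policy)
    new = {p: v for p, v in baseline.items() if p not in approved or p in current}
    new.update({p: current[p] for p in approved if p in current})
    return new

def demo():
    """Constructed scenario in a temp dir; returns the two check reports."""
    d = tempfile.mkdtemp()
    policy = [os.path.join(d, n) for n in ("passwd", "sshd_config", "rc.local")]
    for p in policy[:2]:
        with open(p, "w") as f:
            f.write("original\n")
    baseline = snapshot(policy)          # trusted state, taken before exposure
    with open(policy[1], "a") as f:      # a legitimate config change you made...
        f.write("PermitRootLogin no\n")
    with open(policy[2], "w") as f:      # ...and an unexpected new file
        f.write("unknown\n")
    first = check(policy, baseline)      # reports both; the tool does not judge
    baseline = accept(policy, baseline, [policy[1]])  # admin accepts only theirs
    second = check(policy, baseline)     # the unexplained file is still flagged
    return first, second
```

The point of the two reports is the one made in the post: the checker never decides legitimacy, so a change you cannot account for keeps showing up until you either explain it or remove it.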

18th August 2008, 03:21 AM
Registered User
Join Date: Jun 2006
Location: Texas
Age: 42
Posts: 4,168
Anytime you do a yum install packagename, you should open your web browser to:
file:///usr/share/doc/packagename
In this case:
file:///usr/share/doc/tripwire-2.4.1.2/README.Fedora
That is how I found my answer after hours of googling. :P

18th August 2008, 03:46 AM
Retired Again - Administrator
Join Date: Nov 2007
Location: Reality
Posts: 3,041
Quote:
Originally Posted by marcrblevins
file:///usr/share/doc/tripwire-2.4.1.2/README.Fedora
... particularly the bit about "Modifying the Policy File" ... which is what I mean by tailoring - you need to tailor it to Fedora (which is different to other distros, including SELinux) and to your system if you're going to achieve the maximum benefit.
__________________
Marching to the beat of his own conundrum.

18th August 2008, 05:22 AM
Registered User
Join Date: Nov 2007
Location: sw oregon
Posts: 143
Oh boy:
While trying to figure out how to save a copy of tripwire, I ran yumex to get tripwire on the file system so I could read the readme. Then I went back to yumex to see if I can get it to just send the package to a file for installing on a fresh installation.
And I got this problem instead:
E: Wow, you exceeded the number of package names this APT is capable of.
E: Problem with MergeList /var/lib/apt/lists/rpm.livna.org_fedora_8_i386_repodata_primary.sqlite
E: The package lists or status file could not be parsed or opened.
Synaptic just closes, so it's useless too. I have not run Tripwire yet, just reading the readme and poking around for other docs. Other forums suggest deleting the repo lists (/var/lib/apt/lists/*); I think this is a drastic non-solution.
__________________
Everybody needs to believe in something,
I believe I'll have another beer!

18th August 2008, 05:28 AM
Retired Again - Administrator
Join Date: Nov 2007
Location: Reality
Posts: 3,041
Quote:
Originally Posted by yonnieboy
Oh boy:
While trying to figure out how to save a copy of tripwire, I ran yumex to get tripwire on the file system so I could read the readme. Then I went back to yumex to see if I can get it to just send the package to a file for installing on a fresh installation.
And I got this problem instead:
E: Wow, you exceeded the number of package names this APT is capable of.
E: Problem with MergeList /var/lib/apt/lists/rpm.livna.org_fedora_8_i386_repodata_primary.sqlite
E: The package lists or status file could not be parsed or opened.
Synaptic just closes, so it's useless too. I have not run Tripwire yet, just reading the readme and poking around for other docs. Other forums suggest deleting the repo lists (/var/lib/apt/lists/*); I think this is a drastic non-solution.
Why are you mixing apt and yum/yumex?
Edit: It would be easiest to web browse to the repo (or a mirror) and download it.
Failing that, if your system is set up to cache installed rpms (keepcache=1 is set in /etc/yum.conf), then check the folder /var/cache/yum/updates/packages.
Edit again:
"I have not run Tripwire yet" - Good. Take a couple of days at least to figure out what policy you want to run and to understand how to write one (using the template as guidance).
__________________
Marching to the beat of his own conundrum.
Last edited by Evil_Bert; 18th August 2008 at 05:46 AM.

18th August 2008, 05:44 AM
Registered User
Join Date: Jun 2006
Location: Texas
Age: 42
Posts: 4,168
I saw that too, was confused as well.
Maybe he is running Debian, not Fedora at the moment.
Last month I read about apt running on Fedora, thought that was lame.
I see this:
apt.i386 : Debian's Advanced Packaging Tool with RPM support
synaptic.i386 : Graphical frontend for APT package manager.

18th August 2008, 05:51 AM
Registered User
Join Date: Nov 2007
Location: sw oregon
Posts: 143
Yes, got it backwards, sorry. After I hit the close button on that error message above and then try reload in Synaptic, it goes through the downloads of 21 files and then just closes.
I just tried Yumex again and it worked. Two times in a row, it just died. Never done that before, been using F8 since its release. I should probably do a reinstall.
__________________
Everybody needs to believe in something,
I believe I'll have another beer!

18th August 2008, 05:55 AM
Registered User
Join Date: Nov 2007
Location: sw oregon
Posts: 143
Synaptic has always been on this machine since day one. Don't remember installing it. I do remember installing yumex.
__________________
Everybody needs to believe in something,
I believe I'll have another beer!

18th August 2008, 06:06 AM
Registered User
Join Date: Nov 2007
Location: sw oregon
Posts: 143
I like synaptic as it gives a heck of a lot more info on the packages than yumex does. (well, most of the time) Was unaware that using Synaptic was an issue, I thought both programs end up using apt. Guess I'd best re-read about it.
__________________
Everybody needs to believe in something,
I believe I'll have another beer!

18th August 2008, 06:16 AM
Registered User
Join Date: Jun 2006
Location: Texas
Age: 42
Posts: 4,168
yonnieboy, don't do a fresh install. You are using your Fedora updates properly. If you are happy with Synaptic, then go ahead and use it; those were for Debian, and someone ported them over to Fedora. You are the first I've seen use it.
Start your terminal:
Code:
su -
yum install tripwire

18th August 2008, 07:08 AM
Registered User
Join Date: Nov 2007
Location: sw oregon
Posts: 143
OK. Thanks, Yumex installed Tripwire. It was after that, that Yumex quit working, (and then started working again)(i don't know, maybe it quit again). I was just trying to figure out how to save Tripwire as a file so I could install it on a fresh known non-hacked installation. This particular installation is the one I've been learning on. It's been running since the release date, well, I might have done a reinstall once but that was probably a week or so after the initial install. So it's been what, 8 months? I'm pretty happy, almost everything I had on that other O$ is on here. What I need, is working, and what wouldn't work I found alternatives that would. Being a noob, and all the experiments, installing/uninstalling...this system doesn't even approach looking like an original F8 system. If somebody tried to hack in here, they probably already have. This one is my favorite machine, I've got Mepis and Kubuntu running on my other systems and an untangle box connecting them together. XP was just left on the hard-drives and removed to a shelf for "just-in-case" back-ups. Haven't needed them yet and as more time goes by it gets even more remote I ever will. (bye M$, please cry me a river)
__________________
Everybody needs to believe in something,
I believe I'll have another beer!