Blog About Dedicated Servers

Set up Tripwire on RedHat

Luigi Ramone | 15 December, 2005 21:45

Install tripwire

It's installed by default, but if it isn't, grab your RedHat disks, and install it:

---------------------

# rpm -ihv /mnt/cdrom/RedHat/RPMS/tripwire-2.3.1-5.i386.rpm
# /etc/tripwire/twinstall.sh

---------------------

Clean the policy file
Go over to /etc/tripwire, and clean out the policy file with this handy script:

---------------------

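# cat > ./cleantw.pl
#!/usr/bin/perl
# Comment out every policy rule whose path does not exist on this host.

while (<>) {
    # Look at the line, and check for something that can be
    # construed as a file name followed by "->"
    CASE: {
        ( m|(^\s*)(/[/\w._-]+)(\s+->.*)| ) and do {
            print $1;                    # leading whitespace
            print "#" unless (-e $2);    # comment out the rule if the path is missing
            print "$2$3\n";              # the path and the rest of the rule
            last;                        # leave CASE, skipping the default print
        };

        print $_;    # every other line passes through unchanged
    }
};
^D
#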

---------------------



Now clean out the crap in the sample policy file they have.

---------------------

# perl cleantw.pl < twpol.txt > cleanedpol.txt

---------------------

Edit the file. You'll need to change the hostname that is defined somewhere around the 65th line to match what comes out of the 'hostname' command. You'll also need to change some of the parameters for things that are monitored, because log rotation changes the inode behind a given filename:

---------------------

/var/run -> $(SEC_INVARIANT)
/var/log -> $(SEC_INVARIANT)
/var/tty[1-8] -> $(SEC_INVARIANT)

---------------------
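Why rotation matters for those rules, as an added example (not part of the original post): it rotates a throwaway log in a temp dir and reports which attributes changed. Assumptions: GNU stat is available, and the stock twpol.txt defines SEC_INVARIANT as +tpug (check your own file).

```shell
# Added example; the log file is constructed in a temp dir. Needs GNU stat.
# Print "type perms uid gid inode" for a path.
snapshot() {
    a=$(stat -c '%A' "$1")          # e.g. -rw-------
    t=${a%"${a#?}"}                 # first character = file type
    echo "$t ${a#?} $(stat -c '%u %g %i' "$1")"
}
# Rotate like logrotate's "create" mode: rename, recreate with the same mode.
rotate() {
    mode=$(stat -c '%a' "$1")
    mv "$1" "$1.1"
    : > "$1"
    chmod "$mode" "$1"
}
# Print the names of the attributes that differ between two snapshots.
changed_attrs() {
    out="" i=1
    for n in type perms uid gid inode; do
        b=$(echo "$1" | cut -d' ' -f"$i")
        c=$(echo "$2" | cut -d' ' -f"$i")
        [ "$b" = "$c" ] || out="$out $n"
        i=$((i + 1))
    done
    echo "${out# }"
}
# Succeed if a rule checking property letters $1 would report changes $2.
# Tripwire letters: t=type p=permissions u=uid g=gid i=inode.
rule_fires() {
    for attr in $2; do
        case $attr in
            type) l=t ;; perms) l=p ;; uid) l=u ;; gid) l=g ;; inode) l=i ;;
        esac
        case $1 in *"$l"*) return 0 ;; esac
    done
    return 1
}
rotation_demo() {
    log="$(mktemp -d)/messages"     # constructed sample log
    echo "constructed log line" > "$log"
    chmod 600 "$log"
    before=$(snapshot "$log")
    rotate "$log"
    after=$(snapshot "$log")
    rm -rf "${log%/*}"
    changed_attrs "$before" "$after"
}
changed=$(rotation_demo)
echo "changed by rotation: $changed"
rule_fires tpug "$changed" && echo "+tpug fires" || echo "+tpug stays quiet"
```

A rule whose mask includes the inode property would report every rotation as a violation, while one limited to type, permissions, owner and group stays quiet.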

Finishing up

---------------------

# /usr/sbin/twadmin -m P cleanedpol.txt
# /usr/sbin/tripwire --init

---------------------

Credits: http://www.afonsoconsulting.com/
