Tuning Tripwire Policy for Cobalt

Posted in: Linux
By dePoPo
Mar 10, 2009 - 12:49:28 PM

Q: [COBALT] Tuning Tripwire Policy for Cobalt RaQ3


http://www.linuxsecurity.com/feature_stories/feature_story-81.html is a good place to start for a hand-holding howto for using Tripwire.

But Tripwire out of the box will produce lots of missing-file warnings on Cobalt RaQ3s, as its stock policy is not tuned for that version of Linux.

The perl script at ftp://ftp.iprcom.com/fixpol automates the tuning advice given in the tutorial above.

The full procedure is:

su -
mkdir /home/kits
cd /home/kits
wget http://www.tripwire.org/files/rpm4/tripwire-2.3-47.i386.tar.gz
tar xfz tripwire-2.3-47.i386.tar.gz
rpm -i tripwire-2.3-47.i386.rpm

/etc/tripwire/twinstall.sh
# you'll be asked for two passphrases. Make them good, strong ones you can remember.
# I use the first line of my favourite poem (which has lots of nonsense words)
# for both...

cd /etc/tripwire
/usr/sbin/twadmin --create-polfile twpol.txt
/usr/sbin/tripwire --init # Have patience, this will take a minute or so and
# you'll get loads of "No such file" warnings...

# Ok, we're fully installed now. So let's run our first check so we can
# tune the policy
/usr/sbin/tripwire --check > twout.txt # lots of warnings and patience again...

wget ftp://ftp.iprcom.com/fixpol
chmod u+x fixpol
./fixpol twout.txt twpol.txt | more # there's lots of output

# fixpol prints what to do next near the end of its output
# in particular:

# You should now run

diff twpol.txt twpol.txt.new | more

# to make sure my changes aren't garbage. If it looks ok run

/usr/sbin/twadmin --create-polfile twpol.txt.new
/usr/sbin/tripwire --init

# to install the new policy in the database.

# Now you're in a position to run

/usr/sbin/tripwire --check

# regularly in cron or whatever.
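As an added illustration of the fixpol step, here is a small Python version of the same tuning. It is not the fixpol script from ftp.iprcom.com; the four-line "### Warning: File system error." layout is the one Tripwire 2.3 prints, and the check output and policy fragment below are constructed samples.

```python
"""Disable policy entries for files that `tripwire --check` could not find.

Give it the saved check output (twout.txt) and the policy (twpol.txt);
it returns a policy with the missing-file rules commented out, so a
plain diff shows exactly what was disabled before you re-create the
policy file and re-init the database.
"""
import re

# "### Filename: /path" line inside a file system error warning block.
FILENAME_RE = re.compile(r"^### Filename:\s+(\S+)\s*$")
# Policy entry "path -> $(MASK) ;" or an "!path ;" exclusion.
ENTRY_RE = re.compile(r"^\s*!?(/[^\s;]*?)\s*(->|;)")

# Constructed sample of twout.txt: two missing files and one that exists
# but could not be read, which must NOT be dropped from the policy.
SAMPLE_CHECK = """\
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /root/.bash_history
### Permission denied
### Continuing...
### Warning: File system error.
### Filename: /sbin/lilo
### No such file or directory
### Continuing...
"""

# Constructed fragment of twpol.txt.
SAMPLE_POLICY = """\
(
  rulename = "Critical system boot files",
  severity = $(SIG_HI)
)
{
  /boot               -> $(SEC_CRIT) ;
  /sbin/lilo          -> $(SEC_CRIT) ;
  /usr/sbin/fixrmtab  -> $(SEC_CRIT) ;
  /root/.bash_history -> $(SEC_CONFIG) ;
}
"""


def missing_paths(check_output: str) -> set[str]:
    """Paths whose warning block says 'No such file or directory'."""
    lines = check_output.splitlines()
    found = set()
    for i, line in enumerate(lines):
        m = FILENAME_RE.match(line)
        if m and i + 1 < len(lines) and "No such file or directory" in lines[i + 1]:
            found.add(m.group(1))
    return found


def fixpol(check_output: str, policy_text: str) -> tuple[str, list[str]]:
    """Comment out each rule line whose literal path is missing.

    Variable-based paths such as $(TWBIN)/siggen are not expanded, so
    they never match and are left untouched.
    """
    missing = missing_paths(check_output)
    out, dropped = [], []
    for line in policy_text.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group(1) in missing:
            out.append("# fixpol: missing -> " + line.strip())
            dropped.append(m.group(1))
        else:
            out.append(line)
    return "\n".join(out) + "\n", dropped


if __name__ == "__main__":
    new_policy, dropped = fixpol(SAMPLE_CHECK, SAMPLE_POLICY)
    print(new_policy)
    print("disabled:", dropped)
```

Write the returned text to twpol.txt.new and follow the diff / `twadmin --create-polfile` / `tripwire --init` steps above as usual.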
