Script started on Thu 22 Oct 2009 03:03:52 PM EDT
/root # rpm -q tripwire
tripwire-2.4.1.2-9.fc11.i586
/root # cd /etc/tripwire
/etc/tripwire # cp twcfg.txt twcfg.txt-OIG
/etc/tripwire # cp twpol.txt twpol.txt-ORIG
/etc/tripwire # vi twcfg.txt
/etc/tripwire # diff twcfg.txt-ORIG twcfg.txt
# diff twcfg.txt-ORIG twcfg.txt
3,4c3,4
< DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
< REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
---
> DBFILE =/var/lib/tripwire/localhost.twd
> REPORTFILE =/var/lib/tripwire/report/localhost-$(DATE).twr
6c6
< LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
---
> LOCALKEYFILE =/etc/tripwire/localhost-local.key
/etc/tripwire # : vi twpol.txt
/etc/tripwire # twadmin --generate-keys --site-keyfile site.key

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase: ******
Verify the site keyfile passphrase: ******
Generating key (this may take several minutes)...Key generation complete.
/etc/tripwire # twadmin --generate-keys --local-keyfile localhost-local.key

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.
/etc/tripwire # ls -l
total 112
-rw-r--r--. 1 root root   931 2009-10-22 16:39 site.key
-rw-r--r--. 1 root root   593 2009-10-22 16:38 twcfg.txt
-rw-r--r--. 1 root root   603 2009-10-22 15:32 twcfg.txt-ORIG
-rw-r--r--. 1 root root 46645 2009-10-15 16:46 twpol.txt
-rw-r--r--. 1 root root 46645 2009-10-22 15:32 twpol.txt-ORIG
-rw-r--r--. 1 root root   931 2009-10-22 16:40 localhost-local.key
/etc/tripwire # twadmin --create-cfgfile --cfgfile tw.cfg \
    --site-keyfile site.key twcfg.txt
Please enter your site passphrase:
Wrote configuration file: /etc/tripwire/tw.cfg
/etc/tripwire # twadmin --create-polfile twpol.txt
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
/etc/tripwire # ls -l
total 136
-rw-r--r--. 1 root root   931 2009-10-22 16:39 site.key
-rw-r--r--. 1 root root  4586 2009-10-22 16:43 tw.cfg
-rw-r--r--. 1 root root   593 2009-10-22 16:38 twcfg.txt
-rw-r--r--. 1 root root   603 2009-10-22 15:32 twcfg.txt-ORIG
-rw-r--r--. 1 root root 12415 2009-10-22 16:45 tw.pol
-rw-r--r--. 1 root root 46645 2009-10-15 16:46 twpol.txt
-rw-r--r--. 1 root root 46645 2009-10-22 15:32 twpol.txt-ORIG
-rw-r--r--. 1 root root   931 2009-10-22 16:40 wpserver-local.key
/etc/tripwire # tripwire --init
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /dev/kmem
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /proc/ksyms
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /proc/pci
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### No such file or directory
### Continuing...
[ many more error messages omitted ]
### Continuing...
Wrote database file: /var/lib/tripwire/localhost.twd
The database was successfully generated.
/etc/tripwire # ls -l /var/lib/tripwire
total 1900
drwx------. 2 root root    4096 2009-04-07 15:03 report
-rw-r--r--. 1 root root 1940196 2009-10-22 16:53 localhost.twd
/etc/tripwire # : tripwire --check
/etc/tripwire # cd /var/lib/tripwire/report
/var/lib/tripwire/report # ls -l
total 12
-rw-r--r--. 1 root root 11982 2009-10-22 20:40 localhost-20091022-203657.twr
/var/lib/tripwire/report # twprint --print-report \
    -r localhost-20091022-203657.twr
Note: Report is not encrypted.
Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:          root
Report created on:            Thu 22 Oct 2009 08:36:57 PM EDT
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    localhost
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/localhost.twd
Command line used:            tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                                     Severity Level    Added    Removed  Modified
  ---------                                     --------------    -----    -------  --------
  Invariant Directories                         66                0        0        0
  Temporary directories                         33                0        0        0
* Tripwire Data Files                           100               1        0        0
  Critical devices                              100               0        0        0
  User binaries                                 66                0        0        0
  Tripwire Binaries                             100               0        0        0
  Critical configuration files                  100               0        0        0
  Libraries                                     66                0        0        0
  Operating System Utilities                    100               0        0        0
  Critical system boot files                    100               0        0        0
  File System and Disk Administraton Programs   100               0        0        0
  Kernel Administration Programs                100               0        0        0
  Networking Programs                           100               0        0        0
  System Administration Programs                100               0        0        0
  Hardware and Device Control Programs          100               0        0        0
  System Information Programs                   100               0        0        0
  Application Information Programs              100               0        0        0
  Shell Related Programs                        100               0        0        0
  Critical Utility Sym-Links                    100               0        0        0
  Shell Binaries                                100               0        0        0
  System boot changes                           100               0        0        0
  OS executables and libraries                  100               0        0        0
  Security Control                              100               0        0        0
  Login Scripts                                 100               0        0        0
* Root config files                             100               0        0        1

Total objects scanned:  41733
Total violations found:  2

===============================================================================
Object Detail:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------
  ----------------------------------------
  Added Objects: 1
  ----------------------------------------

Added object name:  /var/lib/tripwire/localhost.twd

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
  ----------------------------------------
  Modified Objects: 1
  ----------------------------------------

Modified object name:  /root/typescript

  Property:            Expected                          Observed
  -------------        -----------                       -----------
* Size                 12288                             16384
* Modify Time          Thu 22 Oct 2009 04:52:57 PM EDT   Thu 22 Oct 2009 04:53:09 PM EDT
* Change Time          Thu 22 Oct 2009 04:52:57 PM EDT   Thu 22 Oct 2009 04:53:09 PM EDT
* Blocks               24                                32
* CRC32                C2k7Sm                            A36jlk
* MD5                  D6P4nOoLtJgVRAadI/2OAd            ByTszXcSpr7T+s5F9iBXsL

===============================================================================
Error Report:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

1.   File system error.
     Filename: /dev/kmem
     No such file or directory
2.   File system error.
     Filename: /proc/ksyms
     No such file or directory
3.   File system error.
     Filename: /proc/pci
     No such file or directory
4.   File system error.
     Filename: /usr/sbin/fixrmtab
     No such file or directory
5.   File system error.
     Filename: /usr/local/lib64
     No such file or directory
6.   File system error.
     Filename: /usr/lib64
     No such file or directory
7.   File system error.
     Filename: /sbin/busybox
     No such file or directory
8.   File system error.
     Filename: /sbin/convertquota
     No such file or directory
9.   File system error.
     Filename: /sbin/debugreiserfs
     No such file or directory
10.  File system error.
     Filename: /sbin/dump.static
     No such file or directory
11.  File system error.
     Filename: /sbin/ftl_check
     No such file or directory
12.  File system error.
     Filename: /sbin/ftl_format
     No such file or directory
13.  File system error.
     Filename: /sbin/mkbootdisk
     No such file or directory
14.  File system error.
     Filename: /sbin/mkraid
     No such file or directory
15.  File system error.
     Filename: /sbin/mkreiserfs
     No such file or directory
16.  File system error.
     Filename: /sbin/pcinitrd
     No such file or directory
17.  File system error.
     Filename: /sbin/raidstart
     No such file or directory
18.  File system error.
     Filename: /sbin/reiserfsck
     No such file or directory
19.  File system error.
     Filename: /sbin/resize_reiserfs
     No such file or directory
20.  File system error.
     Filename: /sbin/restore.static
     No such file or directory
21.  File system error.
     Filename: /sbin/scsi_info
     No such file or directory
22.  File system error.
     Filename: /sbin/stinit
     No such file or directory
23.  File system error.
     Filename: /sbin/unpack
     No such file or directory
24.  File system error.
     Filename: /sbin/insmod_ksymoops_clean
     No such file or directory
25.  File system error.
     Filename: /sbin/klogd
     No such file or directory
26.  File system error.
     Filename: /sbin/minilogd
     No such file or directory
27.  File system error.
     Filename: /sbin/sndconfig
     No such file or directory
28.  File system error.
     Filename: /sbin/ifport
     No such file or directory
29.  File system error.
     Filename: /sbin/ifuser
     No such file or directory
30.  File system error.
     Filename: /sbin/ipx_configure
     No such file or directory
31.  File system error.
     Filename: /sbin/ipx_interface
     No such file or directory
32.  File system error.
     Filename: /sbin/ipx_internal_net
     No such file or directory
33.  File system error.
     Filename: /sbin/mgetty
     No such file or directory
34.  File system error.
     Filename: /sbin/portmap
     No such file or directory
35.  File system error.
     Filename: /sbin/vgetty
     No such file or directory
36.  File system error.
     Filename: /sbin/pwdb_chkpwd
     No such file or directory
37.  File system error.
     Filename: /sbin/rescuept
     No such file or directory
38.  File system error.
     Filename: /sbin/rpc.lockd
     No such file or directory
39.  File system error.
     Filename: /sbin/rpcdebug
     No such file or directory
40.  File system error.
     Filename: /sbin/syslogd
     No such file or directory
41.  File system error.
     Filename: /sbin/cardctl
     No such file or directory
42.  File system error.
     Filename: /sbin/cardmgr
     No such file or directory
43.  File system error.
     Filename: /sbin/dump_cis
     No such file or directory
44.  File system error.
     Filename: /sbin/elvtune
     No such file or directory
45.  File system error.
     Filename: /sbin/hotplug
     No such file or directory
46.  File system error.
     Filename: /sbin/ide_info
     No such file or directory
47.  File system error.
     Filename: /sbin/lspnp
     No such file or directory
48.  File system error.
     Filename: /sbin/pack_cis
     No such file or directory
49.  File system error.
     Filename: /sbin/probe
     No such file or directory
50.  File system error.
     Filename: /sbin/shapecfg
     No such file or directory
51.  File system error.
     Filename: /sbin/kernelversion
     No such file or directory
52.  File system error.
     Filename: /sbin/genksyms
     No such file or directory
53.  File system error.
     Filename: /sbin/sash
     No such file or directory
54.  File system error.
     Filename: /sbin/fsck.reiserfs
     No such file or directory
55.  File system error.
     Filename: /sbin/kallsyms
     No such file or directory
56.  File system error.
     Filename: /sbin/ksyms
     No such file or directory
57.  File system error.
     Filename: /sbin/mkfs.reiserfs
     No such file or directory
58.  File system error.
     Filename: /sbin/mount.ncp
     No such file or directory
59.  File system error.
     Filename: /sbin/mount.ncpfs
     No such file or directory
60.  File system error.
     Filename: /sbin/mount.smb
     No such file or directory
61.  File system error.
     Filename: /sbin/mount.smbfs
     No such file or directory
62.  File system error.
     Filename: /sbin/raid0run
     No such file or directory
63.  File system error.
     Filename: /sbin/raidhotadd
     No such file or directory
64.  File system error.
     Filename: /sbin/raidhotremove
     No such file or directory
65.  File system error.
     Filename: /sbin/raidstop
     No such file or directory
66.  File system error.
     Filename: /sbin/rdump.static
     No such file or directory
67.  File system error.
     Filename: /sbin/rrestore.static
     No such file or directory
68.  File system error.
     Filename: /sbin/lilo
     No such file or directory
69.  File system error.
     Filename: /sbin/mkkerneldoth
     No such file or directory
70.  File system error.
     Filename: /var/lock/subsys/portmap
     No such file or directory
71.  File system error.
     Filename: /var/lock/subsys/apmd
     No such file or directory
72.  File system error.
     Filename: /var/lock/subsys/canna
     No such file or directory
73.  File system error.
     Filename: /var/lock/subsys/kudzu
     No such file or directory
74.  File system error.
     Filename: /var/lock/subsys/netfs
     No such file or directory
75.  File system error.
     Filename: /var/lock/subsys/nfslock
     No such file or directory
76.  File system error.
     Filename: /var/lock/subsys/random
     No such file or directory
77.  File system error.
     Filename: /var/lock/subsys/sendmail
     No such file or directory
78.  File system error.
     Filename: /var/lock/subsys/syslog
     No such file or directory
79.  File system error.
     Filename: /var/lock/subsys/xfs
     No such file or directory
80.  File system error.
     Filename: /var/lock/subsys/xinetd
     No such file or directory
81.  File system error.
     Filename: /etc/tripwire/tw.pol
     No such file or directory
82.  File system error.
     Filename: /etc/tripwire/tw.cfg
     No such file or directory
83.  File system error.
     Filename: /etc/tripwire/localhost-local.key
     No such file or directory
84.  File system error.
     Filename: /etc/sysconfig/network-scripts/ifdown-cipcb
     No such file or directory
85.  File system error.
     Filename: /etc/sysconfig/network-scripts/ifdown-sl
     No such file or directory
86.  File system error.
     Filename: /etc/sysconfig/network-scripts/ifup-cipcb
     No such file or directory
87.  File system error.
     Filename: /etc/sysconfig/network-scripts/ifup-sl
     No such file or directory
88.  File system error.
     Filename: /etc/modules.conf
     No such file or directory
89.  File system error.
     Filename: /etc/xinetd.conf
     No such file or directory
90.  File system error.
     Filename: /etc/syslog.conf
     No such file or directory
91.  File system error.
     Filename: /bin/sfxload
     No such file or directory
92.  File system error.
     Filename: /bin/ash
     No such file or directory
93.  File system error.
     Filename: /bin/ash.static
     No such file or directory
94.  File system error.
     Filename: /bin/aumix-minimal
     No such file or directory
95.  File system error.
     Filename: /bin/igawk
     No such file or directory
96.  File system error.
     Filename: /bin/mt
     No such file or directory
97.  File system error.
     Filename: /bin/pgawk
     No such file or directory
98.  File system error.
     Filename: /bin/zsh
     No such file or directory
99.  File system error.
     Filename: /bin/bash2
     No such file or directory
100. File system error.
     Filename: /bin/bsh
     No such file or directory
101. File system error.
     Filename: /bin/csh
     No such file or directory
102. File system error.
     Filename: /bin/ksh
     No such file or directory
103. File system error.
     Filename: /bin/tcsh
     No such file or directory
104. File system error.
     Filename: /dev/cua0
     No such file or directory
105. File system error.
     Filename: /dev/initctl
     No such file or directory
106. File system error.
     Filename: /root/.Xresources
     No such file or directory
107. File system error.
     Filename: /root/.gnome
     No such file or directory
108. File system error.
     Filename: /root/.ICEauthority
     No such file or directory

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a
registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO
WARRANTY; for details use --version. This is free software which may be
redistributed or modified only under certain conditions; see COPYING for
details. All rights reserved.
/var/lib/tripwire/report # cd /etc/tripwire
/etc/tripwire # vi twpol.txt
# diff twpol.txt-ORIG twpol.txt
186c186
< /sbin/busybox -> $(SEC_CRIT) ;
---
> #/sbin/busybox -> $(SEC_CRIT) ;
188c188
< /sbin/convertquota -> $(SEC_CRIT) ;
---
> #/sbin/convertquota -> $(SEC_CRIT) ;
191c191
< /sbin/debugreiserfs -> $(SEC_CRIT) ;
---
> #/sbin/debugreiserfs -> $(SEC_CRIT) ;
194c194
< /sbin/dump.static -> $(SEC_CRIT) ;
---
> #/sbin/dump.static -> $(SEC_CRIT) ;
205,206c205,206
< /sbin/ftl_check -> $(SEC_CRIT) ;
< /sbin/ftl_format -> $(SEC_CRIT) ;
---
> #/sbin/ftl_check -> $(SEC_CRIT) ;
> #/sbin/ftl_format -> $(SEC_CRIT) ;
[ 100 other changes omitted ]
980c980
< /proc/pci -> $(Device) ;
---
> #/proc/pci -> $(Device) ;
989c989
< /proc/ksyms -> $(Device) ;
---
> #/proc/ksyms -> $(Device) ;
/etc/tripwire # tripwire --update-policy twpol.txt
[ output omitted by accident ]
/etc/tripwire # cd -
/var/lib/tripwire/report # tripwire --update --accept-all \
    -r localhost-20091022-215826.twr
/var/lib/tripwire/report # tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/localhost-20091022-215826.twr

Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:          root
Report created on:            Thu 22 Oct 2009 09:58:26 PM EDT
Database last updated on:     Thu 22 Oct 2009 09:57:41 PM EDT

===============================================================================
Report Summary:
===============================================================================

Host name:                    localhost
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/localhost.twd
Command line used:            tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                                     Severity Level    Added    Removed  Modified
  ---------                                     --------------    -----    -------  --------
  Invariant Directories                         66                0        0        0
  Temporary directories                         33                0        0        0
* Tripwire Data Files                           100               1        0        0
  Critical devices                              100               0        0        0
  User binaries                                 66                0        0        0
  Tripwire Binaries                             100               0        0        0
  Libraries                                     66                0        0        0
  Operating System Utilities                    100               0        0        0
  Critical system boot files                    100               0        0        0
  File System and Disk Administraton Programs   100               0        0        0
  Kernel Administration Programs                100               0        0        0
  Networking Programs                           100               0        0        0
  System Administration Programs                100               0        0        0
  Hardware and Device Control Programs          100               0        0        0
  System Information Programs                   100               0        0        0
  Application Information Programs              100               0        0        0
  (/sbin/rtmon)
  Shell Related Programs                        100               0        0        0
  Critical Utility Sym-Links                    100               0        0        0
  Shell Binaries                                100               0        0        0
  Critical configuration files                  100               0        0        0
  System boot changes                           100               0        0        0
  OS executables and libraries                  100               0        0        0
  Security Control                              100               0        0        0
  Login Scripts                                 100               0        0        0
* Root config files                             100               0        0        1

Total objects scanned:  41739
Total violations found:  2

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/lib/tripwire/localhost.twd.bak"

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/root/typescript"

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a
registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO
WARRANTY; for details use --version. This is free software which may be
redistributed or modified only under certain conditions; see COPYING for
details. All rights reserved.
Integrity check complete.
/var/lib/tripwire/report # exit
Script done on Thu 22 Oct 2009 10:14:28 PM EDT