Tripwire / Cannot --Update (### Filename: /var/lib/tripwire/report/etcetcetc.twr)

Post by Thomas Gagn » Thu, 22 Aug 2002 23:55:00



Aha!  "tripwire --update -r path-to-report-file" works
great.  Glad you asked the question!



>>I am trying to get an update on the tripwire --update database so I
>>can pass the files that were/are updated.  I get the same report
>>every day; or some that are updated.

>>I am running RH 7.2 and


>>### Error: File could not be opened.
>>### Filename: /var/lib/tripwire/report/xxxxetc-234242sd-234242424etc.twr
>>### No such file or directory
>>### Exiting...

>>Although the file does not exist; in that directory there are about 20 or
>>so other files.

> After reading about 10 msg.. on newsgroups I had to use the manual
> command of:

> tripwire --update --twrfile /var/lib/tripwire/report/<existing-file>.twr

> It is now doing some integrity check and I'm gonna leave it there
> for awhile even though it looks like it froze/ssh and such but
> it created a temp file and still cranking.

> Although it might be that my computer time is the issue.  Even
> though I have an ntp (time server IP) that updates the date and it is
> accurate I am not sure: I still get issues via ftp and other programs
> saying that it cannot determine the time of the server so when
> transferring files from one computer to another it says.. the
> remote is older and okay to overwrite and such... (Using
> MX Macromedia stuff).

--
.tom
remove dashes in email for replies
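
The fix described in this post, as an added example that is not part of the original thread: when the default report name does not exist, pick the newest .twr file that does and pass it explicitly with --twrfile. The function names and the --apply switch are hypothetical; the report directory and the tripwire options are the ones quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. The default report directory is the
# path shown in the posts; the function names are made up for this sketch.

# Print the newest *.twr file in the directory given as $1.
# Returns 1 (and prints nothing) when the directory holds no reports.
latest_report() {
    dir=$1
    newest=
    for f in "$dir"/*.twr; do
        [ -f "$f" ] || continue          # an unmatched glob stays literal
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest=$f
        fi
    done
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# Update the database from the newest report that actually exists.
update_from_latest() {
    report=$(latest_report "${1:-/var/lib/tripwire/report}") || {
        echo "no .twr report found; run 'tripwire --check' first" >&2
        return 1
    }
    echo "updating database from $report" >&2
    # --update opens the report in EDITOR so each change is accepted or
    # rejected before it becomes part of the baseline.
    tripwire --update --twrfile "$report"
}

# Only touch the database when asked to: ./script --apply [report-dir]
if [ "${1:-}" = "--apply" ]; then
    update_from_latest "${2:-}"
fi
```
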
 
 
 


Post by Thomas Gagn » Fri, 20 Sep 2002 23:36:04


Whenever I logged on as root and tried updating my policy,
I'd get errors because /root's stamps changed.  About a year
ago in comp.os.linux.security there was a discussion about
the possible need to be in single-user mode before updating
policies.  The steps I used to get around this:

1) cd / (important - you don't want to be in /root)
2) tripwire -m c -I (updates the database)
3) tripwire -m p /etc/tripwire/twpol.txt (updates policy)

--
.tom
remove dashes in email for replies
http://isectd.sourceforge.net

 
 
 


Post by Securit » Sat, 21 Sep 2002 13:03:15



> 1) cd / (important - you don't want to be in /root)
> 2) tripwire -m c -I (updates the database)
> 3) tripwire -m p /etc/tripwire/twpol.txt (updates policy)

    quickly, and maybe off topic, but what is the version?...
    I'm assuming its (version) is beyond the asr release...
 
 
 


Post by Thomas Gagn » Sun, 22 Sep 2002 01:54:26



Tripwire(R) 2.3.1.2 for Linux




>>1) cd / (important - you don't want to be in /root)
>>2) tripwire -m c -I (updates the database)
>>3) tripwire -m p /etc/tripwire/twpol.txt (updates policy)

>     quickly, and maybe off topic, but what is the version?...
>     I'm assuming its (version) is beyond the asr release...

--
.tom
remove dashes in email for replies
http://isectd.sourceforge.net
 
 
 

1. tripwire email reports to not match harddrive reports

When I run tripwire with

# tripwire --check -M

to send a copy of the report by email, the report I am getting in my
inbox does not match the report that is generated to STDOUT (and logged
to /var/lib/tripwire/reports/) (the latter two match).

For example, the report generated to STDOUT finds 12 violations but
the email reports none.  The times of the reports match exactly.  I
have tested this several times and changed the level of reporting
with, -t 4, -t 3, etc..., always with the same incongruity.

The violations are minor and all accounted for.  I think a hacked
tripwire is unlikely because it is a clean install with the version off
the install CD and it is almost the first thing I installed and
configured after the initial OS install.

Any thoughts on why this may be?  Has anyone else seen this before?

Here are the params from my config file:

ROOT                   =/usr/sbin
POLFILE                =/etc/tripwire/tw.pol
DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/etc/tripwire/site.key
LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR                 =/usr/bin/emacs
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS       =true
EMAILREPORTLEVEL       =3
REPORTLEVEL            =3
MAILMETHOD             =SENDMAIL
SYSLOGREPORTING        =false
MAILPROGRAM            =/usr/sbin/sendmail -oi -t

Thanks,
JDH
