Script started on Sun Oct 22 16:24:26 2000
[jwatt@ttk210 jwatt]$ tar zxf Tripwire_221_for_Linux_x86.tar.gz
[jwatt@ttk210 jwatt]$ ls -l
total 28012
-r--r--r--   1 jwatt    jwatt        9825 Jan 11  2000 License.txt
-r--r--r--   1 jwatt    jwatt        7060 Jan 11  2000 README
-r--r--r--   1 jwatt    jwatt       23065 Jan 11  2000 Release_Notes
-rw-rw-r--   1 jwatt    jwatt      283196 Oct 10 02:34 Tripwire-1.3.1-1.tar.gz
-rw-r--r--   1 jwatt    jwatt     2556173 Oct 22 16:21 Tripwire_221_for_Linux_x86.tar.gz
drwxr-xr-x   8 1078     1078         4096 Sep 19 20:09 apache_1.3.12
-rw-rw-r--   1 jwatt    jwatt     6737920 Sep 18 22:16 apache_1.3.12.tar
-r--r--r--   1 jwatt    jwatt        3300 Jan 11  2000 install.cfg
-r-xr-xr-x   1 jwatt    jwatt       31919 Jan 11  2000 install.sh
drwx------   2 jwatt    jwatt        4096 Oct 19 00:45 mail
-rw-r--r--   1 jwatt    jwatt     4954563 Sep 28 22:19 mysql-3.22.32-pc-linux-gnu-i686.tar.gz
drwxrwxr-x  16 512      ahec         4096 Sep 19 20:15 php-4.0.2
-rw-rw-r--   1 jwatt    jwatt    11591680 Sep 18 22:17 php-4.0.2.tar
dr-xr-xr-x   2 jwatt    jwatt        4096 Jan 11  2000 pkg
-rw-rw-r--   1 jwatt    jwatt           0 Oct 22 16:24 tripwire1
-rw-rw-r--   1 root     root       656094 Sep 28 22:04 wu-ftpd
drwxr-xr-x   8 root     root         4096 Sep 28 21:34 wu-ftpd-2.6.1
-rw-rw-r--   1 root     root      1730560 Sep 28 21:01 wu-ftpd-2.6.1.tar
[jwatt@ttk210 jwatt]$ rm License.txt Release_Notes README install.cfg install.sh
rm: remove write-protected file `License.txt'? y
rm: remove write-protected file `Release_Notes'? y
rm: remove write-protected file `README'? y
rm: remove write-protected file `install.cfg'? y
rm: remove write-protected file `install.sh'? y
[jwatt@ttk210 jwatt]$ cd pkg/
[jwatt@ttk210 pkg]$ rm -rf *
rm: cannot unlink `bin.pkg': Permission denied
rm: cannot unlink `man.pkg': Permission denied
rm: cannot unlink `policy.pkg': Permission denied
[jwatt@ttk210 pkg]$ ls
bin.pkg  man.pkg  policy.pkg
[jwatt@ttk210 pkg]$ su
Password:
[root@ttk210 pkg]# rm -rf *
[root@ttk210 pkg]# cd ..
[root@ttk210 jwatt]# rmdir p
php-4.0.2      php-4.0.2.tar  pkg
[root@ttk210 jwatt]# rmdir pkg/
[root@ttk210 jwatt]# ls -l
total 27928
-rw-rw-r--   1 jwatt    jwatt      283196 Oct 10 02:34 Tripwire-1.3.1-1.tar.gz
-rw-r--r--   1 jwatt    jwatt     2556173 Oct 22 16:21 Tripwire_221_for_Linux_x86.tar.gz
drwxr-xr-x   8 1078     1078         4096 Sep 19 20:09 apache_1.3.12
-rw-rw-r--   1 jwatt    jwatt     6737920 Sep 18 22:16 apache_1.3.12.tar
drwx------   2 jwatt    jwatt        4096 Oct 19 00:45 mail
-rw-r--r--   1 jwatt    jwatt     4954563 Sep 28 22:19 mysql-3.22.32-pc-linux-gnu-i686.tar.gz
drwxrwxr-x  16 512      ahec         4096 Sep 19 20:15 php-4.0.2
-rw-rw-r--   1 jwatt    jwatt    11591680 Sep 18 22:17 php-4.0.2.tar
-rw-rw-r--   1 jwatt    jwatt           0 Oct 22 16:24 tripwire1
-rw-rw-r--   1 root     root       656094 Sep 28 22:04 wu-ftpd
drwxr-xr-x   8 root     root         4096 Sep 28 21:34 wu-ftpd-2.6.1
-rw-rw-r--   1 root     root      1730560 Sep 28 21:01 wu-ftpd-2.6.1.tar
[root@ttk210 jwatt]# mkdir tripwire
[root@ttk210 jwatt]# mv Tripwire_221_for_Linux_x86.tar.gz tripwire
[root@ttk210 jwatt]# cd tripwire
[root@ttk210 tripwire]# ls
Tripwire_221_for_Linux_x86.tar.gz
[root@ttk210 tripwire]# tar zxf Tripwire_221_for_Linux_x86.tar.gz
[root@ttk210 tripwire]# ls -l
total 2588
-r--r--r--   1 root     root         9825 Jan 11  2000 License.txt
-r--r--r--   1 root     root         7060 Jan 11  2000 README
-r--r--r--   1 root     root        23065 Jan 11  2000 Release_Notes
-rw-r--r--   1 jwatt    jwatt     2556173 Oct 22 16:21 Tripwire_221_for_Linux_x86.tar.gz
-r--r--r--   1 root     root         3300 Jan 11  2000 install.cfg
-r-xr-xr-x   1 root     root        31919 Jan 11  2000 install.sh
dr-xr-xr-x   2 root     root         4096 Jan 11  2000 pkg
[root@ttk210 tripwire]# sz README

Tripwire 2.2.1 for Unix README
January 2000
----------------------------------------------------------------------------
Copyright (C) 1998-2000 Tripwire (R) Security Systems, Inc.
Tripwire (R) is a registered trademark of the Purdue Research Foundation and is licensed exclusively to Tripwire (R) Security Systems, Inc.
This document describes the Tripwire 2.2.1 for Unix distribution package. For the most comprehensive information regarding installing, configuring, and running Tripwire 2.2.1 for Unix, please see the User's Guide.

For late breaking technical news regarding this product, please see the accompanying release notes. These will detail any technical notes regarding this product that did not make it into the printed edition of the manual.

For the most current information about Tripwire Security Systems, Inc. and our products, always check online at http://www.tripwiresecurity.com/.

--------
CONTENTS
--------

1. Brief Product Overview
2. Package Contents
3. Supported Configurations/Platforms
4. Installation
5. Support

-------------------------
1. Brief Product Overview
-------------------------

Tripwire works at the most fundamental layer, protecting the servers and workstations that make up the corporate network. Tripwire works by first scanning a computer and creating a database of system files, a compact digital "snapshot" of the system in a known secure state. The user can configure Tripwire very precisely, specifying individual files and directories on each machine to monitor, or creating a standard template that can be used on all machines in an enterprise.

Once this baseline database is created, a system administrator can use Tripwire to check the integrity of a system at any time. By scanning the current system and comparing that information with the data stored in the database, Tripwire detects and reports any additions, deletions, or changes to the system outside of the specified boundaries. If these changes are valid, the administrator can update the baseline database with the new information. If malicious changes are found, the system administrator will instantly know which parts of which components of the network have been affected.

This version of Tripwire has significant product enhancements over previous versions of Tripwire.
Some of the enhancements include:

- Multiple levels of reporting allow you to choose different levels of report detail.
- Syslog option sends information about database initialization, database update, policy update and integrity check to the syslog.
- Database performance has been optimized to increase the efficiency of integrity checks.
- Individual email recipients can be sent certain sections of a report.
- SMTP email reporting support.
- Email test mode enables you to verify that the email settings are correct.
- Ability to create multiple sections within a policy file to be executed separately.

-------------------
2. Package Contents
-------------------

The Tripwire 2.2.1 for Unix package consists of:

1 distribution CD
1 printed User's Guide
1 Quick Reference Card
1 end user license agreement
1 customer letter
2 marketing brochures

If you are missing any of these components, please contact Tripwire Security Systems, Inc. as described in section 5 below.

The following files are contained on the CD:

. Release_Notes - Support information, known issues, and differences from previous releases
. README - This file
. License.txt - License Agreement
. install.sh - Bourne shell installation script
. install.cfg - Configuration file for installation script (also a Bourne shell script)

/bin: (live binaries, so Tripwire can be executed from the CD-ROM)
. siggen - Signature generation (hash) utility
. tripwire - Integrity checking program
. twprint - Database and report printing program
. twadmin - Tripwire administration utility

/pkg:
. policy.pkg - Package file containing default policy file
. man.pkg - Package file containing online documentation
. bin.pkg - Package file containing Tripwire binaries

-------------------------------------
3. Supported Configurations/Platforms
-------------------------------------

Tripwire 2.2.1 is supported on the following platforms:

1. HP-UX, versions 10.20 and 11.00
2. IBM AIX, versions 4.2 and 4.3
3. Solaris (SPARC), versions 2.6 and 7.0
4. Solaris (Intel), version 2.6 and 7.0
5. SGI Irix, version 6.5
6. Compaq TRU64 UNIX, version 4.0
7. Linux - see release notes for the latest supported versions.

For best performance, we recommend the following minimum configurations:

For HP-UX:
- HP-UX 10.20 or 11.00
- PA-RISC 1.1 or higher
- 32 MB RAM (64 MB or greater recommended)
- 10 MB disk space

For AIX:
- AIX 4.2 or 4.3
- RS/6000
- 32 MB RAM (64 MB or greater recommended)
- 10 MB hard disk space

For Solaris (SPARC)
- Solaris SPARC 2.6 or 7.0
- SPARC 2 or higher
- 32 MB RAM (64 MB or greater recommended)
- 10 MB disk space

For Solaris (Intel)
- Solaris Intel 2.6 or 7.0
- Intel Pentium-class processor or above
- 32 MB RAM (64 MB or greater recommended)
- 14 MB disk space
- patch 106328-05 or later (Solaris 7.0), or 104678-04 or later (Solaris 2.6)

For SGI Irix
- SGI Irix 6.5
- MIPS-III or higher (R5200)
- 32 MB RAM (64 MB or greater recommended)
- 12 MB disk space

For Compaq Tru64
- Compaq Tru64 4.0
- Alpha EV5 or EV6 processor
- 32 MB RAM (64 MB or greater recommended)
- 12 MB disk space

For Linux
- Linux kernel 2.0.36 or higher (2.2.12 recommended)
- Intel Pentium-class processor or above
- 32 MB RAM
- 9 MB disk space

Database files will vary in size, up to as much as several megabytes, depending on the number of files scanned and the properties checked.

---------------
4. Installation
---------------

For installation instructions, refer to the Installation sections of the User's Guide. A hardcopy version of the manual is included in the distribution package.

--------------------------------------------------
5. Support Information for Tripwire 2.2.1 for Unix
--------------------------------------------------

For any communications regarding this product, please contact Tripwire Security Systems, Inc. at:

URL:   http://www.tripwiresecurity.com/
EMAIL: support@tripwiresecurity.com
VOICE: 503.223.0280 (08:00 - 17:00 PST)
FAX:   503.223.0182

You are also encouraged to take advantage of the Tripwire discussion groups. Full instructions for joining and using these groups may be found on the web site.

In addition to the discussion groups, Tripwire has recently installed a knowledge base to allow users of Tripwire to intuitively find answers to commonly asked questions about Tripwire. You may reach this by going to the Tripwire web site at http://www.tripwiresecurity.com/ and clicking on the support icon.

Thank you for purchasing and using Tripwire to ensure the integrity of your systems.

[root@ttk210 tripwire]# cd pkg/
[root@ttk210 pkg]# ls
bin.pkg  man.pkg  policy.pkg
[root@ttk210 pkg]# ls -l
total 8644
-r--r--r--   1 root     root      8704000 Jan 11  2000 bin.pkg
-r--r--r--   1 root     root        92160 Jan 11  2000 man.pkg
-r--r--r--   1 root     root        30720 Jan 11  2000 policy.pkg
[root@ttk210 pkg]# netstat -natu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0     20 152.2.38.210:22         152.2.14.152:1091       ESTABLISHED
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:54320           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:49724           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:40421           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:32774           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:32773           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:32772           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:32771           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:20034           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:12346           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5742            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:635             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:540             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:119             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:79              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:15              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:11              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1               0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:901             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:54321           0.0.0.0:*
udp        0      0 0.0.0.0:31337           0.0.0.0:*
udp        0      0 0.0.0.0:32774           0.0.0.0:*
udp        0      0 0.0.0.0:32773           0.0.0.0:*
udp        0      0 0.0.0.0:32772           0.0.0.0:*
udp        0      0 0.0.0.0:32771           0.0.0.0:*
udp        0      0 0.0.0.0:32770           0.0.0.0:*
udp        0      0 0.0.0.0:700             0.0.0.0:*
udp        0      0 0.0.0.0:641             0.0.0.0:*
udp        0      0 0.0.0.0:640             0.0.0.0:*
udp        0      0 0.0.0.0:635             0.0.0.0:*
udp        0      0 0.0.0.0:7               0.0.0.0:*
udp        0      0 0.0.0.0:1               0.0.0.0:*
udp        0      0 152.2.38.210:138        0.0.0.0:*
udp        0      0 152.2.38.210:137        0.0.0.0:*
udp        0      0 0.0.0.0:138             0.0.0.0:*
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
[root@ttk210 jwatt]# cd tripwire
[root@ttk210 tripwire]# ls -l
total 2588
-r--r--r--   1 root     root         9825 Jan 11  2000 License.txt
-r--r--r--   1 root     root         7060 Jan 11  2000 README
-r--r--r--   1 root     root        23065 Jan 11  2000 Release_Notes
-rw-r--r--   1 jwatt    jwatt     2556173 Oct 22 16:21 Tripwire_221_for_Linux_x86.tar.gz
-r--r--r--   1 root     root         3311 Oct 23 22:14 install.cfg
-r-xr-xr-x   1 root     root        31919 Jan 11  2000 install.sh
dr-xr-xr-x   2 root     root         4096 Jan 11  2000 pkg
[root@ttk210 tripwire]# ./install.sh

Installer program for:
Tripwire(R) 2.2.1 for Unix

Copyright (C) 1998-2000 Tripwire (R) Security Systems, Inc. Tripwire (R) is a registered trademark of the Purdue Research Foundation and is licensed exclusively to Tripwire (R) Security Systems, Inc.

    * * * * Warning * * * *

The uname command, which tells what operating system is running on this machine, returned a result that this installation script did not expect.
Tripwire 2.2.1 for Unix is supported on the following configurations:

    Hewlett-Packard HP-UX 10.20
    Hewlett-Packard HP-UX 11.0
    IBM AIX 4.2
    IBM AIX 4.3
    Sun Solaris - Sparc 2.6
    Sun Solaris - Sparc 7.0
    Sun Solaris - Intel 2.6
    Sun Solaris - Intel 7.0
    Redhat Linux 5.2
    Redhat Linux 6.0
    SGI Irix 6.5
    Compaq Tru64 Unix 4.0

Continue with installation? [y/n] y

LICENSE AGREEMENT for Tripwire(R) 2.2.1 for Unix

Please read the following license agreement. You must accept the agreement to continue installing Tripwire.

Press ENTER to view the License Agreement.

END USER SOFTWARE LICENSE AGREEMENT

This Tripwire Security Systems, Inc. ("Tripwire") End-User License Agreement ("EULA") is a legal agreement between you (either an individual or a legal entity) and Tripwire for the enclosed software product, which includes computer software and associated media and printed materials, and may include "online" or electronic documentation ("Software"). By signing below, and/or by installing, copying, or otherwise using the Software, you agree to be bound by the terms of this EULA. If you do not agree to the terms of this EULA, promptly return the unused Software to Tripwire for a full refund.

1. GRANT OF LICENSE. Tripwire grants you a license to install the Software for which you have paid a license fee and for which Tripwire has provided you with copies, subject to the terms and conditions of this Agreement. Tripwire hereby grants you the non-exclusive and non-assignable right to use the Software at your principal place of business on a single computer, solely for your internal business use.

2. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS. You may not rent, lease, distribute, sell, assign, pledge, sublicense, loan, timeshare or otherwise use the Software for the commercial benefit of third parties, but you may transfer the Software on a permanent basis, provided you retain no copies and the recipient agrees to the terms of this EULA.
Limitation on Reverse Engineering, Decompilation, and Disassembly. You may not reverse engineer, decompile, translate, or disassemble the Software, except and only to the extent that applicable law notwithstanding this limitation expressly permits such activity.

Notice to Users. You shall inform all users of the Software of all terms and conditions of the EULA.

Not for Resale Software. If the Software is labeled "Not for Resale" or "NFR", your license only permits use for demonstration, test, or evaluation purposes.

Version Limitation. The Software contains a certain version number (such as version "1.1"). This EULA permits you to install one copy of the Software with the same (or a lower) version number as the Software version number of the enclosed Software (for example, if you purchase version "1.1," you may install Software that contains a "1.1" or "1.0" version number, but not a "1.5" version number).

3. UPGRADES. If the Software is labeled as an upgrade, you must be properly licensed to use a product identified by Tripwire as being eligible for the upgrade in order to use the Software. A Software labeled as an upgrade replaces and/or supplements the product that formed the basis for your eligibility for the upgrade, and following the upgrade you may use the resulting Software only in accordance with the terms of this EULA. If the Software is an upgrade of a component of a package of software programs that you licensed as a single product, the Software may be used and transferred only as part of that single product package and may not be separated for use on more than one computer.

4. COPYRIGHT. The Software is licensed, not sold.
Title and copyrights in and to the Software (including any images, "applets," photographs, animations, video, audio, music, and text incorporated into the Software), accompanying printed materials, and any copies you are permitted to make herein are owned by Tripwire or its suppliers and are protected by United States copyright laws and international treaty provisions. Therefore, you must treat the Software like any other copyrighted material (e.g., a book or musical recording) except that you may either (a) make a copy of the Software solely for backup or archival purposes, or (b) transfer the Software to a single hard disk, provided you keep the original solely for backup or archival purposes. You may not copy the printed materials accompanying the Software.

5. DUAL-MEDIA SOFTWARE. You may receive the Software in more than one medium. Regardless of the type or size of media you receive, you may use only the single medium that is appropriate for your single computer. You may not use or install the other media on another computer. You may not loan, rent, lease, or otherwise transfer the other media to another user, except as part of the permanent transfer of the Software.

6. EXPORT RESTRICTIONS. The Software is subject to the export control laws of the United States. You may not export or re-export the Software without the appropriate United States and foreign government licenses. You must otherwise comply with all applicable export control laws and shall defend, indemnify and hold Tripwire and all its suppliers not liable from any claims arising out of your violation of such export control laws. You further agree to comply with the United States Foreign Corrupt Practices Act, as amended.

7. LIMITED WARRANTY. Tripwire warrants that the Software will perform substantially in accordance with the accompanying documentation for a period of ninety (90) days from the date of receipt.
Some states/jurisdictions provide for a longer warranty period by statute, so the above term may not apply to you. Any implied warranties on the Software are limited to ninety (90) days. Some states/jurisdictions do not allow limitations on duration of an implied warranty, so the above limitation may not apply to you.

CUSTOMER REMEDIES. Tripwire and its suppliers' entire liability and your exclusive remedy for breach of this limited warranty shall be, at Tripwire's option, either (a) return of the price paid, or (b) replacement of the Software. The foregoing warranty is void if failure of the Software results from accident, abuse, or misapplication. Any replacement Software will be warranted for the remainder of the original warranty period or thirty (30) days, whichever is longer. Outside the United States, neither these remedies nor any product support services offered by Tripwire are available without proof of purchase from an authorized non-U.S. source.

NO OTHER WARRANTIES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SOFTWARE IS BEING LICENSED TO YOU "AS IS" AND TRIPWIRE AND ITS SUPPLIERS DISCLAIM ALL OTHER WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT OF THIRD PARTIES, WITH REGARD TO THE SOFTWARE, THE ACCOMPANYING WRITTEN MATERIALS, AND ANY ACCOMPANYING HARDWARE. THIS LIMITED WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHERS, WHICH VARY FROM STATE/JURISDICTION TO STATE/JURISDICTION.

8. LIABILITY LIMITATION. NO LIABILITY FOR CONSEQUENTIAL DAMAGES.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL TRIPWIRE OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, EXEMPLARY, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, OR ANY OTHER PECUNIARY LOSS) ARISING OUT OF THE USE OF OR INABILITY TO USE THE SOFTWARE, EVEN IF TRIPWIRE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL TRIPWIRE'S TOTAL CUMULATIVE LIABILITY IN CONNECTION WITH THIS AGREEMENT OR THE SOFTWARE EXCEED THE AMOUNT OF THE LICENSE FEES PAID IN CONNECTION WITH THE SOFTWARE.

9. U.S. GOVERNMENT END USERS. The Software is a "commercial item," as that term is defined at 48 C.F.R. 2.101 (Oct. 1995), consisting of "commercial computer software" and "commercial computer software documentation," as such terms are used in 48 C.F.R. 12.212 (Sept. 1995). Consistent with 48 C.F.R. 12.212 and 48 C.F.R 227.7202-1 through 227.7202-4 (June 1995), the Software is licensed to any U.S. Government End Users (i) only as a commercial end item and (ii) with only those rights as are granted to all other End Users pursuant to the terms and conditions herein.

10. CHOICE OF LAW. This Agreement is governed by the laws of the State of California, USA, without giving effect to its conflict of laws provisions. The United Nations Conventions on Contracts for the International Sale of Goods is expressly disclaimed.

11. TERM AND TERMINATION. This Agreement shall continue indefinitely, unless terminated earlier in accordance with this Section 11.
You may terminate this Agreement at any time by returning or deleting all copies of the Software in your possession and providing Tripwire written notice that you have done so. (No refund will be provided upon such termination). Tripwire may terminate this Agreement (and your right to continue to use the Software hereunder) immediately upon written notice if you breach a material term or condition of this Agreement. Sections 4, 6, 7, 8, 9, 10, 11 and 12 shall survive any termination of this Agreement.

12. MISCELLANEOUS. If any provision of this Agreement is held by a court of competent jurisdiction to be unenforceable for any reason, the remaining provisions hereof shall be unaffected and remain in full force and effect. This Agreement is the final, complete and exclusive agreement between the parties relating to the scope of license rights, warranties, liability limitations, choice of law, and the other issues addressed herein, and supersedes all prior and contemporaneous understandings and agreements relating to such subject matter, whether oral or written.

Should you have any questions concerning this Agreement, or if you desire to contact Tripwire Security Systems, Inc. for any reason, please contact us at: Tripwire Security Systems, Inc., 1631 NW Thurman St., Portland, OR 97209-2518, USA, http://www.tripwiresecurity.com/.

Please type "accept" to indicate your acceptance of this license agreement. [do not accept] accept

Using configuration file install.cfg

Checking for programs specified in install configuration file....

/usr/lib/sendmail exists.  Continuing installation.

/bin/vi exists.  Continuing installation.
This program will copy Tripwire files to the following directories:

        TWROOT: /usr/local/tripwire
         TWBIN: /usr/local/tripwire/bin
         TWMAN: /usr/local/tripwire/man
      TWPOLICY: /usr/local/tripwire/policy
      TWREPORT: /usr/local/tripwire/report
          TWDB: /usr/local/tripwire/db
  TWSITEKEYDIR: /usr/local/tripwire/key
 TWLOCALKEYDIR: /usr/local/tripwire/key

CLOBBER is false.

Continue with installation? [y/n] y

----------------------------------------------
Creating directories...

/usr/local/tripwire: created
/usr/local/tripwire/bin: created
/usr/local/tripwire/policy: created
/usr/local/tripwire/report: created
/usr/local/tripwire/db: created
/usr/local/tripwire/key: created
/usr/local/tripwire/key: already exists
/usr/local/tripwire/man: created

----------------------------------------------
Copying files...

/usr/local/tripwire/bin/siggen: copied
/usr/local/tripwire/bin/twprint: copied
/usr/local/tripwire/bin/twadmin: copied
/usr/local/tripwire/bin/tripwire: copied
/usr/local/tripwire/policy/policyguide.txt: copied
/usr/local/tripwire/policy/twpol.txt: copied
/usr/local/tripwire/man/man4/twconfig.4: copied
/usr/local/tripwire/man/man4/twpolicy.4: copied
/usr/local/tripwire/man/man5/twfiles.5: copied
/usr/local/tripwire/man/man8/siggen.8: copied
/usr/local/tripwire/man/man8/tripwire.8: copied
/usr/local/tripwire/man/man8/twadmin.8: copied
/usr/local/tripwire/man/man8/twintro.8: copied
/usr/local/tripwire/man/man8/twprint.8: copied
/usr/local/tripwire/README: copied
/usr/local/tripwire/Release_Notes: copied
/usr/local/tripwire/License.txt: copied

----------------------------------------------
The Tripwire site and local passphrases are used to sign a variety of files, such as the configuration, policy, and database files.

Passphrases should be at least 8 characters in length and contain both letters and numbers.

See the Tripwire manual for more information.

----------------------------------------------
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.)

Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
Incorrect site passphrase.
Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.)

Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
Incorrect local passphrase.
Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

----------------------------------------------
Generating Tripwire configuration file...

----------------------------------------------
Creating signed configuration file...
Please enter your site passphrase:
Wrote configuration file: /usr/local/tripwire/bin/tw.cfg

A clear-text version of the Tripwire configuration file
/usr/local/tripwire/bin/twcfg.txt
has been preserved for your inspection. It is recommended that you delete this file manually after you have examined it.

----------------------------------------------
Customizing default policy file...

----------------------------------------------
Creating signed policy file...
Please enter your site passphrase:
Wrote policy file: /usr/local/tripwire/policy/tw.pol

A clear-text version of the Tripwire policy file
/usr/local/tripwire/policy/twpol.txt
has been preserved for your inspection. This implements a minimal policy, intended only to test essential Tripwire functionality. You should edit the policy file to describe your system, and then use twadmin to generate a new signed copy of the Tripwire policy.
----------------------------------------------
The installation succeeded.

Please refer to /usr/local/tripwire/Release_Notes for release information and to the printed user documentation for further instructions on using Tripwire 2.2.1 for Unix.

[root@ttk210 tripwire]# cd /usr/local/tripwire/
[root@ttk210 tripwire]# ls
License.txt  README  Release_Notes  bin  db  key  man  policy  report
[root@ttk210 tripwire]# ls -l
total 68
-r--r--r--   1 root     root         9825 Oct 23 22:23 License.txt
-r--r--r--   1 root     root         7060 Oct 23 22:23 README
-r--r--r--   1 root     root        23065 Oct 23 22:23 Release_Notes
drwxr-x---   2 root     root         4096 Oct 23 22:29 bin
drwxr-x---   2 root     root         4096 Oct 23 22:22 db
drwxr-x---   2 root     root         4096 Oct 23 22:28 key
drwxr-xr-x   5 root     root         4096 Oct 23 22:23 man
drwxr-x---   2 root     root         4096 Oct 23 22:29 policy
drwxr-x---   2 root     root         4096 Oct 23 22:22 report
[root@ttk210 tripwire]# cd policy
[root@ttk210 policy]# ls -l
total 52
-r--r-----   1 root     root         9684 Dec  9  1999 policyguide.txt
-rw-r-----   1 root     root         4159 Oct 23 22:29 tw.pol
-rw-r-----   1 root     root        14960 Oct 23 22:29 twpol.txt
-rw-r-----   1 root     root        14766 Oct 23 22:29 twpol.txt.bak
[root@ttk210 policy]# vi twpol.txt
"twpol.txt" 348L, 14960C
@@section GLOBAL
TWROOT="/usr/local/tripwire";
TWBIN="/usr/local/tripwire/bin";
TWPOL="/usr/local/tripwire/policy";
TWDB="/usr/local/tripwire/db";
TWSKEY="/usr/local/tripwire/key";
TWLKEY="/usr/local/tripwire/key";
TWREPORT="/usr/local/tripwire/report";
HOSTNAME=ttk210.sph.unc.edu;
[root@ttk210 policy]# cl
[root@ttk210 policy]# cd ..
[root@ttk210 tripwire]# ls -l
total 68
-r--r--r--   1 root     root         9825 Oct 23 22:23 License.txt
-r--r--r--   1 root     root         7060 Oct 23 22:23 README
-r--r--r--   1 root     root        23065 Oct 23 22:23 Release_Notes
drwxr-x---   2 root     root         4096 Oct 23 22:29 bin
drwxr-x---   2 root     root         4096 Oct 23 22:22 db
drwxr-x---   2 root     root         4096 Oct 23 22:28 key
drwxr-xr-x   5 root     root         4096 Oct 23 22:23 man
drwxr-x---   2 root     root         4096 Oct 23 22:33 policy
drwxr-x---   2 root     root         4096 Oct 23 22:22 report
[root@ttk210 tripwire]# cd bin
[root@ttk210 bin]# ls -l
total 8524
-r-xr-x---   1 root     root      1881172 Dec  5  1999 siggen
-r-xr-x---   1 root     root      2519940 Dec  5  1999 tripwire
-rw-r-----   1 root     root         4586 Oct 23 22:29 tw.cfg
-r-xr-x---   1 root     root      2256192 Dec  5  1999 twadmin
-rw-r-----   1 root     root          541 Oct 23 22:28 twcfg.txt
-r-xr-x---   1 root     root      2035600 Dec  5  1999 twprint
[root@ttk210 bin]# ./twadmin --create-polfile ../policy/twpol.txt
Please enter your site passphrase:
Wrote policy file: /usr/local/tripwire/policy/tw.pol
[root@ttk210 bin]# ls -l ../policy
total 60
-r--r-----   1 root     root         9684 Dec  9  1999 policyguide.txt
-rw-r-----   1 root     root         4159 Oct 23 22:34 tw.pol
-rw-r-----   1 root     root         4159 Oct 23 22:34 tw.pol.bak
-rw-r-----   1 root     root        14960 Oct 23 22:29 twpol.txt
-rw-r-----   1 root     root        14766 Oct 23 22:29 twpol.txt.bak
[root@ttk210 bin]# ./tripwire --init
Please enter your local passphrase:
Parsing policy file: /usr/local/tripwire/policy/tw.pol
Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /usr/local/bin/ssh1
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/local/bin/ssh-signer2
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/local/lib/smb.conf
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/bin/dos
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/bin/ct
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/bin/nwsfind
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/bin/zgv
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/sbin/inndstart
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/X11R6/bin/xhextris
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/X11R6/bin/kterm
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/X11R6/bin/XConsole
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/ccs/bin
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/lib/security
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/lib/Mail.rc
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/share/lib/Mail.rc
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /bin/ksh
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /bin/shell
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /bin/tsh
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /etc/rc
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /etc/rc.bsdnet
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /etc/rc.dt
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /etc/rc.net
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /etc/rc.net.serial ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /etc/rc.nfs ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /etc/rc.powerfail ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /etc/rc.tcpip ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /etc/trcfmt.Z ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /etc/tsh_profile ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /etc/httpd/conf ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /etc/rmtab ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /sbin/rc.boot ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /var/adm ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /var/spool/cron/crontabs ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /var/lock/subsys/nfsfs ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /var/lock/subsys/named ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /var/lock/subsys/lpd ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /var/lock/subsys/nfs ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /var/lock/subsys/httpd ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /var/lock/subsys/sound ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /lib/modules/preferred ### No such file or directory ### Continuing... 
### Warning: File system error. ### Filename: /.automount ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /.bash_history ### No such file or directory ### Continuing... Wrote database file: /usr/local/tripwire/db/ttk210.sph.unc.edu.twd The database was successfully generated. [root@ttk210 bin]# which smb.conf /usr/bin/which: no smb.conf in (/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/home/jwatt/bin) [root@ttk210 bin]# locate smb.conf /usr/local/samba/lib/smb.conf.old /usr/local/samba/lib/smb.conf /usr/local/samba/man/man5/smb.conf.5 /usr/local/samba/swat/help/smb.conf.5.html [root@ttk210 bin]# locak te ssh /var/lock/subsys/sshd /var/run/sshd.pid /etc/rc.d/init.d/sshd /etc/rc.d/rc0.d/K25sshd /etc/rc.d/rc1.d/K25sshd /etc/rc.d/rc2.d/S55sshd /etc/rc.d/rc3.d/S55sshd /etc/rc.d/rc4.d/S55sshd /etc/rc.d/rc5.d/S55sshd /etc/rc.d/rc6.d/K25sshd /etc/pam.d/sshd /etc/ssh /etc/ssh/ssh_config /etc/ssh/sshd_config /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub /home/jwatt/.ssh /home/jwatt/.ssh/known_hosts /root/.ssh /root/.ssh/known_hosts /usr/bin/ssh-keygen /usr/bin/ssh /usr/bin/ssh-add /usr/bin/ssh-agent /usr/doc/openssh-2.2.0p1 /usr/doc/openssh-2.2.0p1/COPYING.Ylonen /usr/doc/openssh-2.2.0p1/CREDITS /usr/doc/openssh-2.2.0p1/ChangeLog /usr/doc/openssh-2.2.0p1/INSTALL /usr/doc/openssh-2.2.0p1/OVERVIEW /usr/doc/openssh-2.2.0p1/README /usr/doc/openssh-2.2.0p1/README.Ylonen /usr/doc/openssh-2.2.0p1/README.openssh2 /usr/doc/openssh-2.2.0p1/UPGRADING /usr/doc/openssh-askpass-2.2.0p1 /usr/doc/openssh-askpass-2.2.0p1/ChangeLog /usr/doc/openssh-askpass-2.2.0p1/README /usr/doc/openssh-askpass-2.2.0p1/SshAskpass-1337.ad /usr/doc/openssh-askpass-2.2.0p1/SshAskpass-NeXTish.ad /usr/doc/openssh-askpass-2.2.0p1/SshAskpass-default.ad /usr/doc/openssh-askpass-2.2.0p1/SshAskpass-green.ad /usr/doc/openssh-askpass-2.2.0p1/SshAskpass-motif.ad /usr/doc/openssh-askpass-2.2.0p1/SshAskpass.ad 
/usr/man/man1/ssh-keygen.1.gz
/usr/man/man1/ssh-add.1.gz
/usr/man/man1/ssh-agent.1.gz
/usr/man/man1/ssh.1.gz
/usr/man/man8/sshd.8.gz
/usr/sbin/sshd
/usr/libexec/ssh
/usr/libexec/ssh/ssh-askpass
/usr/libexec/ssh/x11-ssh-askpass
/usr/libexec/ssh/gnome-ssh-askpass
[root@ttk210 bin]# ./tripwire -m p --secure-mode low ../policy/twpol.txt
Parsing policy file: /usr/local/tripwire/policy/twpol.txt
Please enter your local passphrase:
Please enter your site passphrase:
======== Policy Update: Processing section Unix File System.
======== Step 1: Gathering information for the new policy.
### Warning: File system error.
### Filename: /bin/ssh
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /sbin/sshd
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/sound
### No such file or directory
### Continuing...
### Warning: Policy Update Added Object.
### An object has been added since the database was last updated.
### Object name: /usr/local/tripwire/db/ttk210.sph.unc.edu.twd
### Continuing...
======== Step 2: Updating the database with new objects.
======== Step 3: Pruning unneeded objects from the database.
Wrote policy file: /usr/local/tripwire/policy/tw.pol
Wrote database file: /usr/local/tripwire/db/ttk210.sph.unc.edu.twd
[root@ttk210 bin]# vi ../policy/twpol.txt
"../policy/twpol.txt" 359L, 15388C
@@section GLOBAL
TWROOT="/usr/local/tripwire";
TWBIN="/usr/local/tripwire/bin";
TWPOL="/usr/local/tripwire/policy";
TWDB="/usr/local/tripwire/db";
TWSKEY="/usr/local/tripwire/key";
TWLKEY="/usr/local/tripwire/key";
TWREPORT="/usr/local/tripwire/report";
HOSTNAME=ttk210.sph.unc.edu;

@@section FS
SEC_CRIT      = $(IgnoreNone)-SHa;  # Critical files - we can't afford to miss any changes.
SEC_SUID      = $(IgnoreNone)-SHa;  # Binaries with the SUID or SGID flags set.
SEC_TCB       = $(ReadOnly);        # Members of the Trusted Computing Base.
SEC_BIN       = $(ReadOnly);        # Binaries that shouldn't change
SEC_CONFIG    = $(Dynamic);         # Config files that are changed infrequently but accessed often.
SEC_LOG       = $(Growing);         # Files that grow, but that should never change ownership.
SEC_INVARIANT = +pug;               # Directories that should never change permission or ownership.
SIG_LOW       = 33;                 # Non-critical files that are of minimal security impact
SIG_MED       = 66;                 # Non-critical files that are of significant security impact
SIG_HI        = 100;                # Critical files that are significant points of vulnerability

# Tripwire Binaries
(rulename = "Tripwire Binaries", severity = $(SIG_HI))
{
  $(TWBIN)/siggen   -> $(ReadOnly);
  $(TWBIN)/tripwire -> $(ReadOnly);
  $(TWBIN)/twadmin  -> $(ReadOnly);
  $(TWBIN)/twprint  -> $(ReadOnly);
}

# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(rulename = "Tripwire Data Files", severity = $(SIG_HI))
{
  # NOTE: Removing the inode attribute because when Tripwire creates a backup
  # it does so by renaming the old file and creating a new one (which will
  # have a new inode number). Leaving inode turned on for keys, which shouldn't
  # ever change.
  # NOTE: this rule will trigger on the first integrity check after database
  # initialization, and each integrity check afterward until a database update
:q
[root@ttk210 bin]# cd /bin
[root@ttk210 /bin]# ls ssh
ls: ssh: No such file or directory
[root@ttk210 /bin]# which ssh
/usr/bin/ssh
[root@ttk210 /bin]# locate ssh
[same output as the locate ssh run above, /var/lock/subsys/sshd through /usr/libexec/ssh/gnome-ssh-askpass]
[root@ttk210 /bin]# cd /usr/local/tripwire/
[root@ttk210 tripwire]# vi ../policy/twpol.txt
"../policy/twpol.txt" [New File]
:q
[root@ttk210 tripwire]# cd bin
[root@ttk210 bin]# vi ../policy/twpol.txt
"../policy/twpol.txt" 359L, 15388C
[first screen of the file, the GLOBAL and FS variable sections shown above]
/ssh
  /usr/bin/lpr                 -> $(SEC_SUID);
  /usr/bin/lprm                -> $(SEC_SUID);
  # /usr/bin/ct                -> $(SEC_SUID);
  # /usr/bin/nwsfind           -> $(SEC_SUID);
  /usr/bin/passwd              -> $(SEC_SUID);
  /usr/bin/suidperl            -> $(SEC_SUID);
  /usr/bin/procmail            -> $(SEC_SUID);
  /usr/bin/rcp                 -> $(SEC_SUID);
  /usr/bin/rlogin              -> $(SEC_SUID);
  /usr/bin/screen              -> $(SEC_SUID);
  /usr/bin/chfn                -> $(SEC_SUID);
  /usr/bin/chsh                -> $(SEC_SUID);
  /usr/bin/newgrp              -> $(SEC_SUID);
  /usr/bin/cu                  -> $(SEC_SUID);
  /usr/bin/uucp                -> $(SEC_SUID);
  /usr/bin/uuname              -> $(SEC_SUID);
  /usr/bin/uustat              -> $(SEC_SUID);
  /usr/bin/uux                 -> $(SEC_SUID);
  /usr/bin/crontab             -> $(SEC_SUID);
  # /usr/bin/zgv               -> $(SEC_SUID);
  # /usr/local/bin/ssh1        -> $(SEC_SUID);
  # /usr/local/bin/ssh-signer2 -> $(SEC_SUID);
  # added by jwatt 10-23-00
  /bin/ssh                     -> $(SEC_SUID);
  /sbin/sshd                   -> $(SEC_SUID);
  /usr/sbin/usernetctl         -> $(SEC_SUID);
  # /usr/sbin/inndstart        -> $(SEC_SUID);
  /usr/sbin/sendmail           -> $(SEC_SUID);
  /usr/sbin/traceroute         -> $(SEC_SUID);
  /usr/sbin/userhelper         -> $(SEC_SUID);
  /usr/sbin/uucico             -> $(SEC_SUID);
  /usr/sbin/uuxqt              -> $(SEC_SUID);
}

# Temporary directories
(rulename = "Temporary directories", recurse = false, severity = $(SIG_LOW))
{
  /usr/tmp -> $(SEC_INVARIANT);
  /var/tmp -> $(SEC_INVARIANT);
  /tmp     -> $(SEC_INVARIANT);
}
[in insert mode the two rules added on 10-23-00 are changed to the paths locate reported:]
  /usr/bin/ssh                 -> $(SEC_SUID);
  /usr/sbin/sshd               -> $(SEC_SUID);
/sound
  /dev/tty4                    -> $(Dynamic) ; # variable
  /dev/tty5                    -> $(Dynamic) ;
  /dev/tty6                    -> $(Dynamic) ;
  /dev/urandom                 -> $(Dynamic) ;
  /dev/initctl                 -> $(Dynamic) ;
  /var/lock/subsys             -> $(Dynamic) ;
  /var/lock/subsys/random      -> $(Dynamic) ;
  /var/lock/subsys/network     -> $(Dynamic) ;
  /var/lock/subsys/portmap     -> $(Dynamic) ;
  # /var/lock/subsys/nfsfs     -> $(Dynamic) ;
  /var/lock/subsys/syslog      -> $(Dynamic) ;
  /var/lock/subsys/atd         -> $(Dynamic) ;
  /var/lock/subsys/crond       -> $(Dynamic) ;
  /var/lock/subsys/inet        -> $(Dynamic) ;
  # /var/lock/subsys/named     -> $(Dynamic) ;
  # /var/lock/subsys/lpd       -> $(Dynamic) ;
  # /var/lock/subsys/nfs       -> $(Dynamic) ;
  /var/lock/subsys/sendmail    -> $(Dynamic) ;
  /var/lock/subsys/gpm         -> $(Dynamic) ;
  # /var/lock/subsys/httpd     -> $(Dynamic) ;
  /var/lock/subsys/sound       -> $(Dynamic) ;
  /var/lock/subsys/smb         -> $(Dynamic) ;
  /var/run                     -> $(Dynamic) ; # daemon PIDs
  /var/spool/lpd/lpd.lock      -> $(Dynamic) ;
  /var/log                     -> $(Dynamic) ;
  /etc/issue.net               -> $(Dynamic) ;
  /etc/ioctl.save              -> $(Dynamic) ;
  /etc/issue                   -> $(Dynamic) ;
  /etc/.pwd.lock               -> $(Dynamic) ;
  /etc/mtab                    -> $(Dynamic) ;
  /lib/modules                 -> $(Dynamic) ;
  # /lib/modules/preferred     -> $(Dynamic) ;
}

# These files change the behavior of the root account
(rulename = "Root config files", severity = 100)
{
  # /.profile                  -> $(SEC_CRIT) ;
  # /.automount                -> $(SEC_CRIT) ;
  # /.bash_history             -> $(SEC_CRIT) ;
  # /.kshrc                    -> $(SEC_CRIT) ;
  # /.cshrc                    -> $(SEC_CRIT) ;
[in insert mode the sound rule is commented out:]
  # /var/lock/subsys/sound     -> $(Dynamic) ;
:wq
"../policy/twpol.txt" 359L, 15397C written
[root@ttk210 bin]# ./tripwire -m p --secure-mode low ../policy/twpol.txt
Parsing policy file: /usr/local/tripwire/policy/twpol.txt
Please enter your local passphrase:
Please enter your site passphrase:
======== Policy Update: Processing section Unix File System.
======== Step 1: Gathering information for the new policy.
### Warning: Policy Update Added Object.
### An object has been added since the database was last updated.
### Object name: /usr/local/tripwire/db/ttk210.sph.unc.edu.twd.bak
### Continuing...
### Warning: Policy Update Changed Object.
### An object has been changed since the database was last updated.
### Object name: Conflicting properties for object
### /usr/local/tripwire/policy/tw.pol
### > Modify Time
### > CRC32
### > MD5
### Continuing...
======== Step 2: Updating the database with new objects.
======== Step 3: Pruning unneeded objects from the database.
Wrote policy file: /usr/local/tripwire/policy/tw.pol
Wrote database file: /usr/local/tripwire/db/ttk210.sph.unc.edu.twd
[root@ttk210 bin]# ./tripwire init
Unknown mode specified: init
Use --help to get help.
[root@ttk210 bin]# ./tripwire --init
Please enter your local passphrase:
Parsing policy file: /usr/local/tripwire/policy/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /usr/local/tripwire/db/ttk210.sph.unc.edu.twd
The database was successfully generated.
[the next two command lines are built by editing a recalled history line, /home/ftp/pub/inls183/Oct18/Tripwire/TSS/bin/tripwire --check | /bin/mail -s "blue tripwire" gbnewby@ils.unc.edu]
[root@ttk210 bin]# ls | /bin/mail -s "just a test" jwatt@email.unc.edu
[root@ttk210 bin]# ./tripwire --check | /bin/mail -s "nchcap tripwire" jwatt@email.unc.edu
[root@ttk210 bin]# crontab -e
"/tmp/crontab.7119" 8L, 278C
# Utilities in /usr/bin that backup the fileshare, daily and weekly
# and clean out old backup files in /export/samba/fb/
30 23 * * 1,2,3,4,5 fbclean; fbdaily
30 23 * * 0 fbweekly
# Runs Psionic Software's logcheck every 4 hours
0 */4 * * * /bin/sh /usr/local/etc/logcheck.sh
[after editing, the crontab reads:]
# Format:
# <minute> <hour> <day of month> <month> <day of week>
# Utilities in /usr/bin that backup the fileshare, daily and weekly
# and clean out old backup files in /export/samba/fb/
30 23 * * 1,2,3,4,5 fbclean; fbdaily
30 23 * * 0 fbweekly
# Runs Psionic Software's logcheck every 4 hours
0 */4 * * * /bin/sh /usr/local/etc/logcheck.sh
# Checks system against Tripwire database every day at 10pm
0 22 * * * /usr/local/tripwire/bin/tripwire --check | /bin/mail -s "nchcap tripwire" jwatt@email.unc.edu
:wq
"crontab.7119" 14L, 503C written
crontab: installing new crontab
[root@ttk210 fileshare]# exit
Script done on Tue Oct 24 01:11:03 2000
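Most of the editing in the session above was commenting out, one rule at a time in vi, the policy objects that `tripwire --init` had reported as "No such file or directory". The helper below is an added example, not part of the recorded session or of Tripwire itself: it lists the absolute-path objects in a Tripwire 2.x text policy (twpol.txt) that are missing on the host and writes a copy with those rules commented out and tagged. It assumes rule lines of the form `/usr/bin/passwd -> $(SEC_SUID);`; the sample policy it builds is constructed for the demonstration, and objects written through a policy variable such as `$(TWBIN)/tripwire` are left untouched because the variable cannot be resolved here.

```sh
#!/bin/sh
# Added example, not part of the recorded session or of Tripwire itself.
# Finds the rules in a Tripwire 2.x text policy (twpol.txt) whose object
# does not exist on this host, the ones `tripwire --init` reports as
# "### Warning: File system error ... No such file or directory", and
# writes a copy of the policy with those rules commented out and tagged.
# Assumption: rule lines have the form "/usr/bin/passwd -> $(SEC_SUID);".
# Objects written through a policy variable, e.g. $(TWBIN)/tripwire,
# cannot be resolved here and are passed through exactly as they are.

# Print the object path of one rule line; print nothing for comments,
# @@section directives, variable assignments, braces and variable-prefixed
# objects (anything whose first non-blank character is not a "/").
tw_rule_path() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*\(\/[^[:space:]]*\)[[:space:]]*->.*/\1/p'
}

# List every absolute-path object in policy file $1 that is absent here.
tw_missing_objects() {
    while IFS= read -r line; do
        path=$(tw_rule_path "$line")
        if [ -n "$path" ] && [ ! -e "$path" ]; then
            printf '%s\n' "$path"
        fi
    done < "$1"
}

# Copy policy $1 to $2, commenting out rules for absent objects. Each such
# line is tagged so the change is easy to find, review and revert later.
tw_comment_missing() {
    while IFS= read -r line; do
        path=$(tw_rule_path "$line")
        if [ -n "$path" ] && [ ! -e "$path" ]; then
            printf '# %s  # disabled: not present on this host\n' "$line"
        else
            printf '%s\n' "$line"
        fi
    done < "$1" > "$2"
}

# Constructed sample policy under directory $1: one object that exists
# (created here), one that does not, one already-commented rule and one
# variable-prefixed rule that must pass through untouched.
make_sample_policy() {
    mkdir -p "$1/present" && : > "$1/present/tripwire"
    cat > "$1/twpol.txt" <<EOF
@@section FS
SEC_SUID = \$(IgnoreNone)-SHa;
(rulename = "Sample", severity = 100)
{
  $1/present/tripwire -> \$(ReadOnly);
  $1/absent/ssh1 -> \$(SEC_SUID);
  # $1/absent/ct -> \$(SEC_SUID);
  \$(TWBIN)/twadmin -> \$(ReadOnly);
}
EOF
}

# Stand-alone run on the constructed sample.
work=$(mktemp -d)
make_sample_policy "$work"
echo "Objects missing on this host:"
tw_missing_objects "$work/twpol.txt"
tw_comment_missing "$work/twpol.txt" "$work/twpol.txt.new"
echo "Rewritten policy:"
cat "$work/twpol.txt.new"
rm -rf "$work"
```

Run it against the real policy with `tw_missing_objects /usr/local/tripwire/policy/twpol.txt` before `twadmin --create-polfile`, and review the tagged lines in the rewritten copy before installing it.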