Initializing the database is a one-time operation that should be done prior to exposing the host to live traffic. This step generates the filesystem snapshot that is used as a reference for all subsequent verifications. I recommend taking extra care in its generation. In fact, this is the best time to tweak policy files and configurations. If you find that your database is inadequate after running the initialization, do not hesitate to erase, adjust, and regenerate the snapshot. Once you are satisfied with your database, make a backup on read-only media and store it in a safe location.
Prior to initializing, it is a good idea to sanitize your filesystem first.
Check the ownership of all files and verify that each UID and GID actually matches an existing user account. For example, uncompressing tar archives sometimes creates files owned by nonexistent local users. If that is the case, fix it with chown, such as:
[emoret@simca-1000 ~]$ sudo chown -R emoret:emoret /usr/local/src
To initialize the database, type:
[emoret@simca-1000 ~]$ sudo samhain -t init
This operation can take a long time depending on the number of files that need to be fingerprinted. The error message regarding GPG displayed after finishing file analysis is expected because the database is not signed. Just remember to sign it with:
[emoret@simca-1000 etc]$ sudo samhainadmin.pl --create-datafile
--------------------------------------------------
Please remember that yule will drop root after startup.
Signature verification on SIGHUP will fail if you do not
import the public key into the keyring of the non-root yule user.
--------------------------------------------------
gpg: WARNING: unsafe ownership on homedir '/home/emoret/.gnupg'

You need a passphrase to unlock the secret key for
user: "Eric Moret <emoret@juniper.net>"
4096-bit RSA key, ID DBC967BC, created 2005-05-11

Enter passphrase: <gpg secret key passphrase>
The Tripwire policy file describes which files ought to be verified by Tripwire. It is important to tweak it so the tool can generate the most accurate reports. The default policy file may include files missing on your system and vice versa; some important files in your system might not be under watch by Tripwire.
To create your first database, just type the following:
[emoret@simca-1000 etc]$ sudo tripwire --init
Parsing policy file: /usr/local/etc/tw.pol
Generating the database...
*** Processing Unix File System ***
The object: "/sys" is on a different file system...ignoring.
### Warning: File system error.
### Filename: /usr/local/sysinfo
### No such file or directory
### Continuing...
[...]
Please enter your local passphrase: <local passphrase>
Wrote database file: /usr/local/lib/tripwire/simca-1000.secteam.juniper.net.twd
The database was successfully generated.
The warning messages generated are good indications of what needs to be removed from the default policy file. To make the report readable, you should tweak the policy until no more warnings are displayed. On my stock FC5 installation, I had to comment out the following lines to get rid of the warning messages: /usr/local/sysinfo, /usr/X11R6/lib, /etc/mail/statistics, /var/lost+found, /floppy, /initrd, /home/lost+found, and /home.
I also had to replace /cdrom with /media/cdrom and add an entry to ignore the /sys file system, as shown here:
!/sys ;
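The pruning described above can be automated. The following script is an added example, not part of the original text or of the Tripwire distribution: it reads a twpol.txt, comments out every rule whose object is absent from the host (the ones that would otherwise produce "No such file or directory" warnings at initialization), and leaves stop points such as !/sys alone, since an object on a different file system needs an exclusion rather than a disabled rule. It assumes the usual one-object-per-line form "/path -> $(MASK) ;".

```sh
#!/bin/sh
# Added example: disable Tripwire policy rules for objects that do not exist
# on this host. Assumption: one object per line, "  /path -> $(MASK) ;" form.
# Stop points ("!/sys ;") and everything else pass through unchanged.

prune_missing_objects() {
    pol=$1                      # path to twpol.txt; pruned policy goes to stdout
    while IFS= read -r line; do
        case "$line" in
            *"->"*)
                # Extract the absolute path in front of "->", ignoring leading whitespace.
                obj=$(printf '%s\n' "$line" |
                      sed -n 's|^[[:space:]]*\(/[^[:space:]]*\)[[:space:]]*->.*|\1|p')
                # A dangling symlink still exists as an object, so accept -L as well as -e.
                if [ -n "$obj" ] && ! { [ -e "$obj" ] || [ -L "$obj" ]; }; then
                    printf '#%s\n' "$line"   # keep the rule visible, but disabled
                    printf 'pruned missing object: %s\n' "$obj" >&2
                    continue
                fi
                ;;
        esac
        printf '%s\n' "$line"
    done < "$pol"
}

# Usage: prune_missing_objects /usr/local/etc/twpol.txt > twpol.pruned.txt
```

Review the pruned file before feeding it to twadmin --create-polfile: a path the script comments out because it is missing today may be one that should exist and be watched.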
Regenerate your policy file and reinitialize the database with:
[emoret@simca-1000 etc]$ sudo twadmin --create-polfile -S ./site.key ./twpol.txt
Please enter your site passphrase: <site passphrase>
Wrote policy file: /usr/local/etc/tw.pol
[emoret@simca-1000 etc]$ sudo rm twpol.txt
[emoret@simca-1000 etc]$ sudo tripwire -m i
Parsing policy file: /usr/local/etc/tw.pol
Generating the database...
*** Processing Unix File System ***
Please enter your local passphrase: <local passphrase>
Wrote database file: /usr/local/lib/tripwire/simca-1000.secteam.juniper.net.twd
The database was successfully generated.