###########################################################################
#                  Honeywall Initial Tripwire Setup                       #
#                                                                         #
#                                 by                                      #
#                                                                         #
#           The Honeynet Project and the Research Alliance                #
###########################################################################

Last Modified: 20 July, 2005

PURPOSE
=======

To document the process for enabling and configuring Tripwire on the
Honeywall base operating system.

CONFIGURATION
=============

Your roo comes with Tripwire built and ready to go. You will need to first
copy the default config over, set up your keys, then initialize the database
as follows.

1. Copy the Honeywall-specific Tripwire policy file into place:

     # cp /hw/etc/tripwire/twpol.txt /etc/tripwire/

2. Set up your keys:

     # tripwire-setup-keyfiles

   - enter your site passphrase.
   - enter your local passphrase.

   There are two files provided in your /etc/tripwire directory, one for
   the policy and one for the configuration. The above setup script will
   collect your site passphrase and local passphrase. The site passphrase
   is used to encrypt your policy and configuration files, then the local
   passphrase is used to run tripwire.

3. Now that your configuration and policy files are encrypted, you should
   not leave the plain-text versions lying around. Erase your plain-text
   files with:

     # rm /etc/tripwire/twcfg.txt
     # rm /etc/tripwire/twpol.txt

   Don't worry, if you need them again, you can get them back with:

     # /usr/sbin/twadmin -m p > /etc/tripwire/twpol.txt
     # /usr/sbin/twadmin -m f > /etc/tripwire/twcfg.txt

4. Initialize your Tripwire database with:

     # tripwire --init

   This will take a few minutes, depending on your hardware. You will need
   to supply your local key when prompted to unlock the policy files for
   use.

5. We have created the following script for you, but you want to cron up
   the call to tripwire as follows:

   Create the file "runtw.sh" in the directory /usr/local/bin that has the
   following contents:

     #!/bin/sh
     /usr/sbin/tripwire -m c | mail -s "Tripwire Report from HOST" root@localhost

   Of course, HOST should be changed to the hostname of the system. Don't
   forget to make the shell script executable by root (done for you).

   Then, schedule the script to execute nightly at 1:01am by adding the
   line:

     1 1 * * * /usr/local/bin/runtw.sh

   to root's crontab using the command:

     # crontab -e

   Again, we have created the script /usr/local/bin/runtw.sh; you need to
   place it in your crontab file.

6. Occasionally, you may want to check it manually with:

     # tripwire --check

   Output will be sent to the screen for your review.

7. You may also want to review the reports manually sometimes with:

     # twprint -m r --twrfile /var/lib/tripwire/report/.twr

8. Surely, you will see findings; particularly the Tripwire files
   themselves in /usr/lib/tripwire will change and fire off a violation.
   If you agree with the report and want to update Tripwire so it does not
   report the same findings again, then issue the following command:

     # tripwire --update --twrfile /var/lib/tripwire/report/.twr

   You will be sent into your favorite editor and will have to review the
   report, looking for [x] marks. If you leave the [x] in place, Tripwire
   will update the database for those recommended findings. Remove the "x"
   to keep that as a finding.

9. If you wish to edit the policy file to ignore certain files, then
   extract the policy file as in #1 above, then edit the file and comment
   out the desired line as follows (for example only):

     # /etc/smb.conf -> $(SEC_CONFIG) ;

10. If you change a policy or configuration file, then you need to
    re-encrypt them by running:

      # tripwire-setup-keyfiles

11. Be sure to erase the old Tripwire database and create a new one by:

      # rm /var/lib/tripwire/.twd

    Then type the command to create a new database:

      # tripwire --init

12. An alternative way to send emails is when you want some alerts to go
    to one person and other alerts to go to another. Then edit the policy
    file as shown in step 8 above and add the email address to a rule
    section as follows:

      (
        rulename = "Networking Programs",
        severity = $(SIG_HI),
        emailto  = adm@anywhere.com
      )

13. You may then send a test email message as follows. To make sure that
    Tripwire's email notification configuration can actually send email
    correctly, use the following command:

      # /usr/sbin/tripwire --test --email adm@anywhere.com

That should be enough to get you going; see the following references for
more info:

  http://www.akadia.com/services/tripwire.html#Printing%20Reports
  http://www.ms.washington.edu/Docs/Linux/rhl-rg-en-9/s1-tripwire-install-rpm.html
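The nightly runtw.sh from step 5, extended as an added example (not the Honeywall's own script): it takes the host name from `hostname` instead of the hard-coded HOST and decodes tripwire's exit status into the mail subject, so the report's one-line subject already says whether files were added, removed or changed. It assumes the status bits documented in tripwire(8) (1 = added, 2 = removed, 4 = changed, 8 = error) and that the check itself only starts when RUNTW_MAIN=1 is set, so the helper can be exercised without Tripwire installed.

```shell
#!/bin/sh
# Added example, not the Honeywall's stock /usr/local/bin/runtw.sh.
# Assumed tripwire(8) exit status bits: 1 added, 2 removed, 4 changed, 8 error.

# tw_summary CODE -> prints a short label describing exit status CODE.
tw_summary() {
    code=$1
    [ "$code" -eq 0 ] && { echo "no violations"; return 0; }
    out=""
    [ $((code & 1)) -ne 0 ] && out="$out added"
    [ $((code & 2)) -ne 0 ] && out="$out removed"
    [ $((code & 4)) -ne 0 ] && out="$out changed"
    [ $((code & 8)) -ne 0 ] && out="$out ERROR"
    echo "${out# }"          # strip the leading space
}

# tw_report_and_mail: run the integrity check (tripwire -m c, as in step 5),
# keep the full report text in a temp file, mail it to root@localhost with
# the decoded status in the subject, and pass tripwire's status back to cron.
tw_report_and_mail() {
    host=$(hostname)
    tmp=$(mktemp /tmp/runtw.XXXXXX) || return 1
    /usr/sbin/tripwire -m c >"$tmp" 2>&1
    rc=$?
    summary=$(tw_summary "$rc")
    mail -s "Tripwire Report from $host: $summary (exit $rc)" root@localhost <"$tmp"
    rm -f "$tmp"
    return "$rc"
}

# Only start the real check when asked to, so the script can be sourced
# or tested on a box without Tripwire.
if [ "${RUNTW_MAIN:-0}" = 1 ]; then
    tw_report_and_mail
fi
```

With this version the crontab line becomes `1 1 * * * RUNTW_MAIN=1 /usr/local/bin/runtw.sh`.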