20100112 tripwire updates - plembo/onemoretech GitHub Wiki

title: Tripwire updates
link: https://onemoretech.wordpress.com/2010/01/12/tripwire-updates/
author: lembobro
description:
post_id: 200
created: 2010/01/12 21:26:39
created_gmt: 2010/01/12 21:26:39
comment_status: open
post_name: tripwire-updates
status: publish
post_type: post

Tripwire updates

Tripwire is a host-based IDS (Intrusion Detection System) that checks files on the host for changes; it used to come standard with Red Hat Enterprise Linux and other server operating systems. There is, and was, an open source version and a closed source “enterprise” version. In recent Red Hat releases the open source AIDE IDS is included in the distribution.

AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire. It does the same things as the semi-free Tripwire and more.

There are two basic parts of the Tripwire IDS that you can update: the configuration file and the policy file.

The configuration file is named tw.cfg and is an encrypted binary built from a plain text template usually called twcfg.txt. (The documentation advises you to remove this text file from the Tripwire-protected host for security reasons, so it may not be on the system you’re updating. Personally I don’t see a problem with letting the file stay out there; the main point of encrypting the config is to make it harder for someone to update.)

To update the config (for example, the e-mail address that alerts are sent to), edit the twcfg.txt file and then run the command:

twadmin --create-cfgfile -S site.key twcfg.txt

The system will prompt for the site password (the site key passphrase chosen on the original install of Tripwire) and then overwrite any existing tw.cfg with a new one.

Updating the Tripwire policy, which governs where the IDS checks for changes and what it looks for, is done by updating the tw.pol file. There is a corresponding clear text template, twpol.txt, that you edit to make the desired changes and then run through the policy update process. Among other things, the policy file contains detailed configuration of the various alerts sent out by the system, including the e-mail addresses that get notified. To apply the edited template, run:

tripwire --update-policy --secure-mode low twpol.txt

The “--secure-mode low” switch might be needed if you haven’t updated the policy in a while (in low secure mode the update goes ahead even if files already differ from the current database; in high secure mode such violations abort the update, so check the report for anything unexpected). Running this command will overwrite any existing tw.pol with a new file. The system prompts for both the local password and the site password.
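The two steps above wrapped in a small script, added here as an example and not taken from the original post or from Tripwire itself: it keeps a dated backup of the compiled tw.cfg / tw.pol before each rebuild and stops if the template is missing or the new binary file was not written. It assumes (hypothetically) that the templates, site.key and compiled files all live under $TWROOT, defaulting to /etc/tripwire.

```shell
#!/bin/sh
# Added example (not the post's own code): wrapper for the config and policy
# update steps with timestamped backups and result checks.
# Assumption: templates, keys and compiled files share one directory, $TWROOT.
set -eu

TWROOT="${TWROOT:-/etc/tripwire}"

# Keep a timestamped copy of a compiled file before it is overwritten.
backup_file() {
    f="$1"
    [ -f "$f" ] || return 0           # nothing to back up on a first run
    cp -p "$f" "$f.$(date +%Y%m%d%H%M%S).bak"
}

# Require the plain-text template, run the compile command, verify the result.
compile_step() {
    template="$TWROOT/$1"; compiled="$TWROOT/$2"; shift 2
    [ -r "$template" ] || { echo "missing template $template" >&2; return 1; }
    backup_file "$compiled"
    # the tool prompts for the site passphrase (and the local one for policy)
    ( cd "$TWROOT" && "$@" )
    [ -s "$compiled" ] || { echo "$compiled was not (re)written" >&2; return 1; }
}

# Step 1 from the post: rebuild tw.cfg from twcfg.txt.
update_config() {
    compile_step twcfg.txt tw.cfg twadmin --create-cfgfile -S site.key twcfg.txt
}

# Step 2 from the post: rebuild tw.pol from twpol.txt; low secure mode is the
# post's advice when the policy has not been updated for a long time.
update_policy() {
    compile_step twpol.txt tw.pol tripwire --update-policy --secure-mode low twpol.txt
}

case "${1:-}" in
    config) update_config ;;
    policy) update_policy ;;
    all)    update_config && update_policy ;;
    "")     ;;                        # no argument: only define the functions
    *)      echo "usage: $0 config|policy|all" >&2; exit 2 ;;
esac
```

Run it as `sh tw-update.sh all` after editing the templates; the .bak copies let you restore the previous compiled files if a policy change turns out to be wrong.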

Copyright 2004-2019 Phil Lembo