/usr/share/doc/tripwire/README.Debian is in tripwire 2.4.2.2-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
tripwire for DEBIAN
----------------------
This is tripwire 2.3.1 packaged for Debian at the timestamp at the
bottom of this file.
Once an initial database is generated, Tripwire will detect changes
made to files from this point on. You *must* be certain that the
system on which you generate the initial database is clean, however
--- Tripwire cannot detect unauthorized modifications that have
already been made. One way to do this would be to take the machine to
single-user mode, reinstall all system binaries, and run Tripwire in
initialization mode before returning to multi-user operation.
This database must be moved someplace where it cannot be modified.
Because data from Tripwire is only as trustworthy as its database,
choose this with care. We recommend placing all the system databases
on a read-only disk (you need to be able to change the disk to
writable during initialization and updates, however), or exporting it
via read-only NFS from a "secure-server." (This pathname is encoded
in the signed, encrypted Tripwire configuration file,
/etc/tripwire/tw.cfg. Any time you change the pathname to the
database repository, you must generate a Tripwire configuration file.
This prevents a malicious intruder from spoofing Tripwire into giving
a false "okay" message.)
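
Why the database has to be both out of reach and signed, as an added Python sketch (not part of the Debian package or of Tripwire): a baseline of file hashes is sealed with a keyed tag, so a rewritten database is reported instead of producing a false "okay". The HMAC, the key, the file name `login` and all function names are assumptions made for illustration; they stand in for Tripwire's own signing and database format, which this sketch does not reproduce.

```python
import hashlib, hmac, json, os, tempfile

def snapshot(root):
    """Map each regular file under root to its SHA-256 digest."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                db[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return db

def seal(db, key):
    """Serialize the baseline and append an HMAC tag computed over it."""
    body = json.dumps(db, sort_keys=True).encode()
    return body + b"\n" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def check(root, sealed, key):
    """Return 'DB TAMPERED', or the sorted list of added/removed/changed paths."""
    body, _, tag = sealed.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return "DB TAMPERED"
    old, new = json.loads(body), snapshot(root)
    return sorted(p for p in old.keys() | new.keys() if old.get(p) != new.get(p))

def demo():
    """Constructed scenario: a file changes, then the database is rewritten to hide it."""
    key = b"constructed-demo-key"  # assumption: stands in for a key kept off the host
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "login")  # constructed sample file
        with open(target, "wb") as fh:
            fh.write(b"original binary")
        sealed = seal(snapshot(root), key)    # initial database, built on a clean system
        clean = check(root, sealed, key)
        with open(target, "wb") as fh:
            fh.write(b"modified binary")
        detected = check(root, sealed, key)
        # A writable database rebuilt from the modified system, carrying the old tag.
        forged_body = json.dumps(snapshot(root), sort_keys=True).encode()
        forged = forged_body + b"\n" + sealed.rpartition(b"\n")[2]
        spoofed = check(root, forged, key)
        # The same comparison with no tag check: the rewritten database hides the change.
        unsigned = sorted(p for p, h in json.loads(forged_body).items()
                          if snapshot(root).get(p) != h)
    return clean, detected, spoofed, unsigned

if __name__ == "__main__":
    print(demo())
```

The last returned value is the failure the paragraph warns about: with a writable, unsigned database the modified file compares as unchanged.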

NOTE: The default tripwire policy changes with version 2.3.1.2-5
----------------------------------------------------------------
The previous version of twpol.txt tried to allow the administrator to
add, overwrite & upgrade non-essential packages without having to update or
regenerate their tripwire database. This resulted in a very fine
grained policy set that occasionally produced false positives due to
differences in the definition of essential.
As of version 2.3.1.2-5, the tripwire package now manages policy at a
directory level. This means that if a directory appears in the
policy, tripwire will add the files in that directory. Not all
directory policy entries are recursive, however, so tripwire may not
check the contents of any subdirectories. This means that addition of
packages to a system will almost certainly require the updating or
regeneration of the tripwire database. You can gracefully update your
tripwire database by running:

    tripwire -m p /etc/tripwire/twpol.txt

as root.

Accessing older versions of tripwire
------------------------------------
If you've upgraded from a version of tripwire earlier than 2.3.0, the
upgrade process renames the tripwire executable and configuration file
to ensure you can continue to validate your system's integrity while
building the new database.
To access the previous version's database use the following command:

    /usr/lib/tripwire/tripwire-1.2 -c /etc/tripwire/tw.config-1.2

The man page for the previous version of tripwire is also retained and
can be accessed as:

    man tripwire-1.2

NOTE: Integrity checks using this method may complain about the
alteration of the two files above. However, the inodes & MD5
checksums should remain the same as the files are only moved, not
copied.
Stephen Zander <gibreel@debian.org> Fri, 17 May 2002 10:32:49 -0700