go here for tripwire install and configs
http://www.thegeekstuff.com/2008/12/tripwire-tutorial-linux-host-based-intrusion-detection-system/
http://www.techrepublic.com/article/using-tripwire-for-filesystem-integrity-part-2-tripwire-administration/1053398
-----------
## good docs to set up tripwire.
http://www.linuxhelp.net/guides/tripwire/
------------
## these files did not exist and therefore were commented out of twpol.txt
/etc/mail/statistics
/initrd
/home/lost+found
/usr/X11R6/lib
/usr/local/doc
/usr/local/sysinfo
/root/.bash_history
------------
### to initialize your tw.pol database run:
>tripwire --init

### this will set up the database.  
## if it fails due to a huge file or a directory it can't read,
## comment out the offending directory in twpol.txt (add it first if it is not listed, then comment it out) and then run:
> ../sbin/twadmin --create-polfile twpol.txt
Please enter your site passphrase: 
Wrote policy file: /opt/tripwire/etc/tw.pol

### now rerun the initialization and it will work!!
bash-3.2# ../sbin/tripwire --init
Please enter your local passphrase: 
Parsing policy file: /opt/tripwire/etc/tw.pol
Generating the database...
*** Processing Unix File System ***
The object: "/data" is on a different file system...ignoring.
The object: "/db" is on a different file system...ignoring.
The object: "/misc" is on a different file system...ignoring.
The object: "/net" is on a different file system...ignoring.
The object: "/sys" is on a different file system...ignoring.
The object: "/var/lib/nfs/rpc_pipefs" is on a different file system...ignoring.
Wrote database file: /opt/tripwire/lib/tripwire/regulomedb.Stanford.EDU.twd
The database was successfully generated.
---------------

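## this is the command to produce a readable report (it lists every changed file, so on a host with other user accounts write it somewhere only root can read rather than a fixed name in /tmp) ###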
/opt/tripwire/sbin/twprint --print-report --twrfile /opt/tripwire/lib/tripwire/report/serv.somewhere.EDU-20110323-040001.twr > /tmp/2011-0322.txt

----------------
## This is to mail the readable report to someone ###
mail admin@serv.somewhere.edu -s "Vin Tripwire Report"< /tmp/2011-0322.txt
------------------
###  you can change the settings in the install/installcfg file for loosedirectory and mailnoviolations!! ####
## the twcfg.txt file
# I changed LOOSEDIRECTORYCHECKING to true; this way it will not send two reports, one for the directory and one for the file in the directory. If it is set to false it will do this.
LOOSEDIRECTORYCHECKING =true

## I changed MAILNOVIOLATIONS to false so that it will only generate email in the event a violation occurred rather than every time it is run.
MAILNOVIOLATIONS =false

To make the twcfg.txt file work you have to run:
>../sbin/twadmin --create-cfgfile -S site.key twcfg.txt
### to check the twcfg database settings run:
>../sbin/twadmin --print-cfgfile
----------------------------
## the twpol.txt file ###
##  this file is the rules file. You set all the rules you need that you want
## to see changes to and you can set the email to wherever you want,
## in the top is the global variables for tripwire  
@@section GLOBAL
TWDOCS="/opt/tripwire/doc/tripwire";
TWBIN="/opt/tripwire/sbin";
TWPOL="/opt/tripwire/etc";
TWDB="/opt/tripwire/lib/tripwire";
TWSKEY="/opt/tripwire/etc";
TWLKEY="/opt/tripwire/etc";
TWREPORT="/opt/tripwire/lib/tripwire/report";
HOSTNAME=vin.myplace.EDU;

## variables can be set for any directory or file you want.
## next are the rules variables, you can create any rules variables you see fit.
## I added the email variable so we can email any specific or group rules.

Device        = +pugsdr-intlbamcCMSH ;
Dynamic       = +pinugtd-srlbamcCMSH ;
Growing       = +pinugtdl-srbamcCMSH ;
IgnoreAll     = -pinugtsdrlbamcCMSH ;
IgnoreNone    = +pinugtsdrbamcCMSH-l ;
ReadOnly      = +pinugtsdbmCM-rlacSH ;
Temporary     = +pugt ;
email         = emailto=dude@myplace.edu ;  <------added

## this is an example of a group ruleset with a variable:

(
  rulename = "Tripwire Binaries",
)
{
  $(TWBIN)/siggen                      -> $(ReadOnly) ;
  $(TWBIN)/tripwire                    -> $(ReadOnly) ;
  $(TWBIN)/twadmin                     -> $(ReadOnly) ;
  $(TWBIN)/twprint                     -> $(ReadOnly) ;
}

## to stack variables you can do the following:

  /home                         -> $(ReadOnly) ;  <----change this
  /home                         -> $(ReadOnly, email) ;  <-----to this

## now it will email the assigned email in the variable

## another way is to attach the rule in the group main:
(
  rulename = "Monitor Filesystems", severity=99, emailto=sysadmin@myplace.edu

)

## you can also add severity levels for each file or group:
## for a directory or file do the following:

/etc/hosts.conf ->  +p (severity=50, emailto=matt@someplace.net);

## you can shut off a rule by:

! /etc/hosts;

## or comment it out:

# /etc/hosts;

## To update your changes in the policy you need to do the following command:

>/opt/tripwire/sbin/tripwire --update-policy /opt/tripwire/etc/twpol.txt
 ## it will prompt you for local and site passphrases.


## to check on a report and update the database based on its snapshot:

>/opt/tripwire/sbin/tripwire --update --twrfile /opt/tripwire/lib/report/$server.$date-$time.twr

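## This will open the report in vi, which will ask you whether you want to remove certain rules or keep current rules. If you want to update an object, leave the x in the box and it will update the database as a known object and it won't alert again. Only leave the x on changes you have confirmed are legitimate; anything accepted here becomes part of the baseline.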

## to force an update of twpol.txt, run the policy update in low secure mode

LD_LIBRARY_PATH=/usr/local/lib
>sudo ./tripwire --update-policy --secure-mode low ../etc/twpol.txt

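## this worked fine for me, but did not work without the --secure-mode low part. Note: in low secure mode the policy update goes ahead even when files no longer match the database, so run a --check and review the violations first; otherwise those changes get baselined without anyone having looked at them.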
# if you have a twpol.txt file that has been configured all except the hostname you can copy it to the real one:

>sed 's/malt/dough/' /tmp/twpol.txt > ../etc/twpol.txt   ###done no editing at all!!

# or from another host
>ssh admin@serv cat /tmp/twpol.txt | sed 's/malt/dough/' > ../etc/twpol.txt

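## to change the site key file (files already signed with the old key must be decrypted first with twadmin --remove-encryption and re-signed afterwards, otherwise they can no longer be read; the same applies to the local key below)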
>sudo ./twadmin --generate-keys --site-keyfile /opt/tripwire/etc/site.key
## to change the local keyfile
>sudo ./twadmin --generate-keys --local-keyfile /opt/tripwire/etc/big.someplace.EDU-local.key

## to test the email function (does not test the emailto in policy)
>sudo ./tripwire -m t --email dude@myplace.edu
## also
>sudo ./tripwire -m t -e dude@myplace.edu

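## to set it up in the crontab (as written, 2>&1 applies to mail, not tripwire; move it before the pipe if tripwire's own error output should be in the mailed message).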
>00 4 * * * /opt/tripwire/sbin/tripwire  --check | /bin/mail dude@myplace.edu -s "Tripwire Check" 2>&1

#############################
##
# some great policy examples
##
#############################
http://linux-sxs.org/files/text/twpol.txt
http://www.cs.montana.edu/courses/309/topics/11-security/tripwire_discussion.html
http://www.faqs.org/docs/securing/chap17sec139.html

############################################################
##
##  all systems that need tripwire installed              ##
##                                                        ##
############################################################
#
# first do sudo bash; this will give you a shell as root and you don't have to type sudo every time
# set path for libraries: LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib ; export LD_LIBRARY_PATH ; env

>00 4 * * * /opt/tripwire/sbin/tripwire  --check | /bin/mailx -s "Tripwire Check(malt)" dude@myplace.edu 2>&1


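# for Solaris 5.10: the LD_LIBRARY_PATH variable must be set in the cron entry, and mailx is needed! Since tripwire runs as root, the directory named in LD_LIBRARY_PATH should be writable by root only.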
>00 4 * * * LD_LIBRARY_PATH=/usr/local/lib /opt/tripwire/sbin/tripwire  --check | /bin/mailx -s "Tripwire Check(malt)" dude@myplace.edu 2>&1


AIDE install with pkgadd -d: installed fine, but errors when I try to do things.
malt 124 > aide --check
ld.so.1: aide: fatal: libmhash.so.2: open failed: No such file or directory
Killed

so I guess we need to run hash and some other thing. done works great!