Tripwire software allows you to quickly identify changes occurring in a file system. It is used as a fundamental layer to the security strategy, 
it provides an instrument to detect changes made to file systems, regardless of whether it was made by an unauthorised party or by someone within 
the organization.

Setup a tripwire server which reports file system changes across the unix production environment and mails to the Unix administrators of any 
changes made.

The suite conists of a number of scripts and the tripwire binaries. This document outlines the files used then explains what process takes place 
in order to scan each server.

/tripwire/tw.master This script sets up the ssh-agent used to connect to the hosts being scanned
/tripwire/tw.really This script uses trip.hosts.check file to ssh to each server and run the twcheck script
/tripwire/twinit This script uses the trip.hosts.init file to create a new tripwire database
/tripwire/twscan <host> This script uses the trip.hosts.check file to verify the host then runs a tripwire scan on that host
/tripwire/trip.hosts.check This config file lists all hosts that will be scanned. The format is <Host name>:<Host acess dns entry> 
/tripwire/trip.hosts.init This config file lists all hosts that require a new tripwire database. The format is <Host name>:<Host access dns entry>
/logs/tripwire/databases This directory contains the tripwire databases
/logs/tripwire/reports This directory contains the mailed tripwire report
/logs/tripwire/reports/hosts This directory contains the hosts tripwire report
/logs/tripwire/tw.log This log file contains any output messages from the cron job
/.ssh/authorized_keys This file contains the SSH public key used to to connect to the hosts being scanned
/usr/local/admin/bin/twcheck This script scp's the tripwire files from hosta and runs a scan then scp's the report to hostb
/.ssh/authorized_keys This files contains the public key of ???? and the tripwire identity.

Tripwire Events

Tripwire is run every 4 hours via a cron job: -

	0 0,4,8,12,16,20 * * * /tripwire/tw.master >> /logs/tripwire/tw.log 2>&1 
Any stdout/error messages are recorded in the tripwire log file.

The first script called is tw.master this setups the ssh-agent and then calls tw.really. tw.really uses the trip.hosts.check 
file to ssh to each host and run twcheck on that host.

twcheck secure copies the tripwire binary and configuration files and the tripwire database for that server from hosta, tripwire is then 
run and a report is generated of the changes made to the filesystems. This report is then copied back to hosta.

Once all the reports have been copied tw.really then filters all the host reports to generate a main tripwire report which is mailed to 
the unix administrators.

Creating tripwire database

To create a new tripwire database either for a new host or an existing one, place an entry in the trip.hosts.init file. The format should 
be '<host name>:<host access dns entry>'. Then run twinit , you will be prompted for the hosts root password a number of times as it 
copies the tripwire bainaries and configraution files across, then tripwire will run and create a database file from the new host, this file wil 
be copied back to hosta and the all tripwire files on the new host will be removed.

Then copy the /.ssh/authorized_keys and twcheck from an existsing host to the new host (see above table for paths). Make sure you
update the trip.hosts.check file so that the new host will be scanned every 4 hours via the cron entry.

Testing the Tripwire database on the fly

To test the tripwire database/host file integrity run the command twscan <host> , make sure there is an entry in the
trip.hosts.check file. The tripwire files and database will be copied onto the server after asking for the root password a few times.
The reports will be displayed on the screen. Please note no emails are sent. All tripwire files are then removed from the host.