1.4. Basic Integrity Checking

Problem

You want to check whether any files have been altered since the last Tripwire snapshot.

Solution

# tripwire --check

Discussion

This command is the lifeblood of Tripwire: has your system changed? It compares the current state of your filesystem against the Tripwire database, according to the rules in your active policy. The results of the comparison are written to standard output and also stored as a timestamped, signed Tripwire report.

You can also perform a limited integrity check against one or more files in the database. If your tripwire policy contains this rule:

(
  rulename = "My funky files",
  severity = 50
)
{
  /sbin/e2fsck                         -> $(SEC_CRIT) ;
  /bin/cp                              -> $(SEC_CRIT) ;
  /usr/tmp                             -> $(SEC_INVARIANT) ;
  /etc/csh.cshrc                       -> $(SEC_CONFIG) ;
}

you can check selected files and directories with:

# tripwire --check /bin/cp /usr/tmp

or all files in the given rule with:

# tripwire --check --rule-name "My funky files"

or all rules with severities greater than or equal to a given value:

# tripwire --check --severity 40

See Also

tripwire(8), and the Tripwire manual for policy syntax. You can produce a help message with:

$ tripwire --check --help

Get Linux Security Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial