1.10. Printing the Latest Tripwire Report
Problem
You want to display the results of the most recent integrity check.
Solution
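#!/bin/sh
# Print the most recent Tripwire report for this host.
DIR=/var/lib/tripwire/report
HOST=`hostname -s`
# ls -t sorts by modification time, newest first.
LAST_REPORT=`ls -1t "$DIR/$HOST"-*.twr | head -n 1`
twprint --print-report --twrfile "$LAST_REPORT"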
Discussion
Tripwire reports are stored in the location indicated by the REPORTFILE variable in the Tripwire configuration file. A common value is:
REPORTFILE = /var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
The HOSTNAME variable contains the hostname of your machine (big surprise), and DATE is a numeric timestamp such as 20020409-040521 (April 9, 2002, at 4:05:21). So for host trippy, this report filename would be:
/var/lib/tripwire/report/trippy-20020409-040521.twr
When tripwire runs, it can optionally send reports by email. This notification should not be considered reliable since email can be suppressed, spoofed, or otherwise compromised. Instead, get into the habit of examining the reports yourself.
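The $(DATE) stamp in each report name is fixed-width, so reports can be ordered by name rather than by modification time, which changes whenever a file is copied or touched. The script below is an added example, not part of the original recipe; the function names latest_report and print_latest are assumptions, and it reuses the directory layout and twprint invocation from the Solution.

```shell
#!/bin/sh
# Added example: choose the newest report by the $(DATE) stamp in its name.

# latest_report DIR HOST: print the path of the newest HOST-YYYYMMDD-HHMMSS.twr
latest_report() {
    dir=$1 host=$2 best= best_num=0
    for f in "$dir/$host"-*.twr; do
        [ -f "$f" ] || continue           # unmatched glob or not a regular file
        stamp=${f##*/}                    # drop the directory
        stamp=${stamp#"$host"-}           # drop "HOST-"
        stamp=${stamp%.twr}               # leaves YYYYMMDD-HHMMSS
        case $stamp in                    # reject anything not in that exact form
            [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9]) ;;
            *) continue ;;
        esac
        num=${stamp%-*}${stamp#*-}        # 14 digits, compared as an integer
        if [ "$num" -gt "$best_num" ]; then
            best=$f best_num=$num
        fi
    done
    [ -n "$best" ] || return 1            # no valid report found
    printf '%s\n' "$best"
}

# print_latest DIR [HOST]: print that report, noting any mtime/name disagreement
print_latest() {
    dir=$1 host=${2:-$(hostname -s)}
    report=$(latest_report "$dir" "$host") || {
        echo "no $host-YYYYMMDD-HHMMSS.twr report in $dir" >&2
        return 1
    }
    by_mtime=$(ls -1t "$dir/$host"-*.twr | head -n 1)
    [ "$by_mtime" = "$report" ] ||
        echo "warning: newest by mtime is $by_mtime, newest by name is $report" >&2
    twprint --print-report --twrfile "$report"
}

# Example: sh latest-twr.sh /var/lib/tripwire/report
if [ "$#" -ge 1 ]; then
    print_latest "$@"
fi
```

A disagreement between the two orderings is not proof of tampering, but it is a reason to look at the report directory before trusting the output.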
The twprint program can print reports not only for integrity checks but also for the Tripwire database. To do the latter:
# twprint --print-dbfile --dbfile /var/lib/tripwire/`hostname -s`.twd
Tripwire(R) 2.3.0 Database
Database generated by: root
Database generated on: Mon Apr 1 22:33:52 2002
Database last updated on: Never
... contents follow ...
See Also
twprint(8).