ns1# make search name=tripwire
Port: tripwire-2.3.1.2_3
Path: /usr/ports/security/tripwire
Info: File system security and verification program
Maint: cy@FreeBSD.org
B-deps: gettext-0.13.1_1 gmake-3.80_2 libiconv-1.9.2_1
R-deps:

Port: tripwire-1.3.1
Path: /usr/ports/security/tripwire-131
Info: File system security and verification program
Maint: cy@FreeBSD.org
B-deps:
R-deps:

Port: tripwire-1.2
Path: /usr/ports/security/tripwire12
Info: File system security and verification program
Maint: jgreco@ns.sol.net
B-deps: perl-5.6.1_15
R-deps:

ns1# cd security
ns1# cd tripwire
ns1# make install
===> tripwire-2.3.1.2_3 is marked as broken: Fails to build under 5.X.
ns1# cd ../tripwire-131
ns1# make install
===> tripwire-1.3.1 'Please read http://www.tripwiresecurity.com/ for details of how to obtain the Tripwire source. Put the file Tripwire-1.3.1-1.tar.gz into the directory /usr/ports/distfiles and run make again.'.
ns1# cd ../tripwire-1.2
../tripwire-1.2: No such file or directory.
ns1# cd ../tripwire12
ns1# make install
===> Vulnerability check disabled
>> tripwire-1.2.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
>> Attempting to fetch from ftp://ftp.fu-berlin.de/unix/security/tripwire/old/.
fetch: ftp://ftp.fu-berlin.de/unix/security/tripwire/old/tripwire-1.2.tar.gz: File unavailable (e.g., file not found, no access)
>> Attempting to fetch from ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/.
Receiving tripwire-1.2.tar.gz (299831 bytes): 100%
299831 bytes transferred in 8.7 seconds (33.54 kBps)
===> Extracting for tripwire-1.2
>> Checksum OK for tripwire-1.2.tar.gz.
===> tripwire-1.2 depends on file: /usr/local/bin/perl5.6.1 - found
===> Patching for tripwire-1.2
===> tripwire-1.2 depends on file: /usr/local/bin/perl5.6.1 - found
===> Applying FreeBSD patches for tripwire-1.2
===> tripwire-1.2 depends on file: /usr/local/bin/perl5.6.1 - found
===> Configuring for tripwire-1.2
===> Building for tripwire-1.2
(cd aux; make CC=cc CFLAGS="-O -pipe -mcpu=pentiumpro -mcpu=pentiumpro" LDFLAGS="-static" CPP="cc -E" SHELL=/bin/sh all)
###
### Ignore warnings about shift count negative/too large on line 36
###
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -static byteorder.c -o byteorder
byteorder.c:35:2: warning: #warning "the shift-width warning below can be ignored"
byteorder.c: In function `main':
byteorder.c:37: warning: left shift count >= width of type
(./byteorder; cat ./ntohl.h) > ../include/byteorder.h
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -static types.c -o types
/bin/sh ./types.sh "cc -E" > ../include/inode.h
(cd src; make CC=cc CFLAGS="-O -pipe -mcpu=pentiumpro -mcpu=pentiumpro" LIBS="" LDFLAGS="-static" CPP="cc -E" SHELL=/bin/sh YACC=" yacc" LEX="lex" all)
/bin/sh help.sh help.txt > help.c
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -c config.parse.c
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -c main.c
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -c list.c
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -c ignorevec.c
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -c dbase.build.c
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -c utils.c
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -c preen.c
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -c preen.interp.c
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -c preen.report.c
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -c nullsig.c
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -c config.prim.c
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -c dbase.update.c
lex config.pre.l
mv lex.yy.c config.lex.c
yacc config.pre.y
sed 's/lex\.yy\.c/config.lex.c/' < y.tab.c > config.pre.c
rm y.tab.c
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -c config.pre.c
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -c help.c
(cd ../sigs/md5; make CC="cc" CFLAGS="-O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -I. -I..")
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -I. -I.. -c md5.c
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -I. -I.. -c md5wrapper.c
(cd ../sigs/snefru; make CC="cc" CFLAGS="-O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -I. -I..")
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -I. -I.. -c snefru.c
(cd ../sigs/crc32; make CC="cc" CFLAGS="-O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -I. -I..")
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -I. -I.. -c crc32.c
(cd ../sigs/crc; make CC="cc" CFLAGS="-O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -I. -I..")
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -I. -I.. -c crc.c
(cd ../sigs/md4; make CC="cc" CFLAGS="-O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -I. -I..")
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -I. -I.. -c md4.c
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -I. -I.. -c md4wrapper.c
(cd ../sigs/md2; make CC="cc" CFLAGS="-O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -I. -I..")
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -I. -I.. -c md2wrapper.c
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -I. -I.. -c md2.c
(cd ../sigs/sha; make CC="cc" CFLAGS="-O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -I. -I..")
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -I. -I.. -c sha.c
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -I. -I.. -c shawrapper.c
(cd ../sigs/haval; make CC="cc" CFLAGS="-O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -I. -I..")
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -I. -I.. -c haval.c
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -I. -I.. -c havalwrapper.c
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -static -o tripwire config.parse.o main.o list.o ignorevec.o dbase.build.o utils.o preen.o preen.interp.o preen.report.o nullsig.o config.prim.o dbase.update.o config.pre.o help.o ../sigs/md5/md5wrapper.o ../sigs/md5/md5.o ../sigs/snefru/snefru.o ../sigs/crc32/crc32.o ../sigs/crc/crc.o ../sigs/md4/md4.o ../sigs/md4/md4wrapper.o ../sigs/md2/md2.o ../sigs/md2/md2wrapper.o ../sigs/sha/sha.o ../sigs/sha/shawrapper.o ../sigs/haval/haval.o ../sigs/haval/havalwrapper.o
cc -O -pipe -mcpu=pentiumpro -mcpu=pentiumpro -static -o siggen siggen.c ../sigs/md5/md5wrapper.o ../sigs/md5/md5.o ../sigs/snefru/snefru.o ../sigs/crc32/crc32.o ../sigs/crc/crc.o ../sigs/md4/md4.o ../sigs/md4/md4wrapper.o ../sigs/md2/md2.o ../sigs/md2/md2wrapper.o ../sigs/sha/sha.o ../sigs/sha/shawrapper.o ../sigs/haval/haval.o ../sigs/haval/havalwrapper.o nullsig.o utils.o
===> Installing for tripwire-1.2
===> Generating temporary packing list
===> Checking if security/tripwire12 already installed
(cd aux; make CC=cc CFLAGS="-O -pipe -mcpu=pentiumpro -mcpu=pentiumpro" LDFLAGS="-static" CPP="cc -E" SHELL=/bin/sh all)
(cd src; make CC=cc CFLAGS="-O -pipe -mcpu=pentiumpro -mcpu=pentiumpro" LIBS="" LDFLAGS="-static" CPP="cc -E" SHELL=/bin/sh YACC=" yacc" LEX="lex" all)
(cd src; make INSTALL=/usr/bin/install DESTDIR=/usr/local/bin install)
/usr/bin/install tripwire /usr/local/bin
/usr/bin/install siggen /usr/local/bin
(cd man; make INSTALL=/usr/bin/install MANDIR=/usr/local/man install)
cp siggen.8 /usr/local/man/man8
cp tripwire.8 /usr/local/man/man8
cp tw.config.5 /usr/local/man/man5
chmod 644 /usr/local/man/man8/siggen.8
chmod 644 /usr/local/man/man8/tripwire.8
chmod 644 /usr/local/man/man5/tw.config.5
# Creating tripwire database
### Warning: creating ./databases directory!
###
### Phase 1: Reading configuration file
### Phase 2: Generating file list
tripwire: /.rhosts: No such file or directory
tripwire: /.login: No such file or directory
tripwire: /.exrc: No such file or directory
tripwire: /.logout: No such file or directory
tripwire: /.forward: No such file or directory
tripwire: /kernel: No such file or directory
tripwire: /lkm: No such file or directory
tripwire: /modules: No such file or directory
### Phase 3: Creating file information database
###
### Warning: Database file placed in ./databases/tw.db_ns1.ensanos.ru.
###
### Make sure to move this file file and the configuration
### to secure media!
###
### (Tripwire expects to find it in '/var/adm/tcheck/databases'.)
===> Compressing manual pages for tripwire-1.2
===> Registering installation for tripwire-1.2
ns1#

# pwd; ll /var/adm/tcheck
total 6
drwxr-xr-x 2 root wheel 512 Dec 21 22:42 databases
-rw-r--r-- 1 root wheel 3676 Dec 21 22:42 tw.config

# cat tw.config
# $FreeBSD: ports/security/tripwire12/files/tw.conf.freebsd2,v 1.6 2002/02/27 12:55:34 cy Exp $
#
# tripwire.config
# Generic version for FreeBSD
# Will need editing...see comments below
#
# This file contains a list of files and directories that System
# Preener will scan. Information collected from these files will be
# stored in the tripwire.database file.
#
# Format: [!|=] entry [ignore-flags]
#
# where: '!' signifies the entry is to be pruned (inclusive) from
#            the list of files to be scanned.
#        '=' signifies the entry is to be added, but if it is
#            a directory, then all its contents are pruned
#            (useful for /tmp).
#
# where: entry is the absolute pathname of a file or a directory
#
# where ignore-flags are in the format:
#        [template][ [+|-][pinugsam12] ... ]
#
#    - : ignore the following atributes
#    + : do not ignore the following attributes
#
#    p : permission and file mode bits     a: access timestamp
#    i : inode number                      m: modification timestamp
#    n : number of links (ref count)       c: inode creation timestamp
#    u : user id of owner                  1: signature 1
#    g : group id of owner                 2: signature 2
#    s : size of file
#
#
# Ex: The following entry will scan all the files in /etc, and report
#     any changes in mode bits, inode number, reference count, uid,
#     gid, modification and creation timestamp, and the signatures.
#     However, it will ignore any changes in the access timestamp.
#
#     /etc +pinugsm12-a
#
# The following templates have been pre-defined to make these long ignore
# mask descriptions unecessary.
#
# Templates: (default)  R : [R]ead-only (+pinugsm12-a)
#                       L : [L]og file (+pinug-sam12)
#                       N : ignore [N]othing (+pinusgsamc12)
#                       E : ignore [E]verything (-pinusgsamc12)
#
# By default, Tripwire uses the R template -- it ignores
# only the access timestamp.
#
# You can use templates with modifiers, like:
#     Ex: /etc/lp E+ug
#
#     Example configuration file:
#         /etc      R   # all system files
#         !/etc/lp  R   # ...but not those logs
#         =/tmp     N   # just the directory, not its files
#
# Note the difference between pruning (via "!") and ignoring everything
# (via "E" template): Ignoring everything in a directory still monitors
# for added and deleted files. Pruning a directory will prevent Tripwire
# from even looking in the specified directory.
#
#
# Tripwire running slowly? Modify your tripwire.config entries to
# ignore the (signature 2) attribute when this computationally-exorbitant
# protection is not needed. (See README and design document for further
# details.)
#
# First, root's traditional "home". Note that FreeBSD's root's home (/root)
# is protected by R-2 protections in the default config file.
=/                  L
/.rhosts            R   # may not exist
/.profile           R   # may not exist
/.cshrc             R   # may not exist
/.login             R   # may not exist
/.exrc              R   # may not exist
/.logout            R   # may not exist
/.forward           R   # may not exist

# Unix itself
/kernel             R

# /bin
/bin                R-2

# /dev
/dev                L

# /etc
/etc                R-2
/etc/aliases        L
/etc/dumpdates      L
/etc/motd           L

# my passwd database should be static at time of system build. yours may
# not be, if not, uncomment the lines below.
# /etc/passwd L
# /etc/master.passwd L
# /etc/pwd.db L
# /etc/spwd.db L

# /home
=/home

# /lkm and /modules
/lkm                R-2
/modules            R-2

# /boot
/boot               R-2

# /root
/root               R-2
/root/.history      L

# /sbin
/sbin               R-2

# /stand
/stand              R-2

# /usr/bin
/usr/bin            R-2
/usr/include        R-12
/usr/lib            R-2
/usr/libdata        R-2
/usr/libexec        R-2
/usr/local/bin      R-2
/usr/local/etc      L
/usr/local/lib      R-2
/usr/local/libexec  R-2
/usr/local/sbin     R-2
/usr/local/share    R-2
/usr/sbin           R-2
/usr/share          R-2

###########################################

# tripwire --help
usage: tripwire [ options ... ]
    Where `options' are:
        -initialize     Database Generation mode
        -init
        -update entry   update entry (a file, directory, or
                        tw.config entry) in the database
        -interactive    Integrity Checking mode with Interactive entry updating
        -loosedir       use looser checking rules for directories
        -d dbasefile    read in database from dbasefile
                        (use `-d -' to read from stdin)
        -c configfile   read in config file from configfile
                        (use `-c -' to read from stdin)
        -cfd fd         read in config file from specified fd
        -dfd fd         read in the database file from specified fd
        -Dvar=value     define a tw.config variable (ala @@define)
        -Uvar           undefine a tw.config variable (ala @@undef)
        -i #|all        ignore the specified signature (to reduce
                        execution time)
        -q              quiet mode
        -v              verbose mode
        -preprocess     print out preprocessed configuration file
        -E
        -help           print out interpretation help message
        -version        print version and patch information

# tripwire -version
Tripwire version 1.2 (patchlevel 2)
Copyright (c) 1992, 1993, 1994 Purdue Research Foundation
By Gene Kim, Eugene Spafford

# man tripwire
Formatting page, please wait...Done.
TRIPWIRE(8)                                                        TRIPWIRE(8)

NAME
       tripwire - a file integrity checker for UNIX systems

SYNOPSIS
       tripwire [ options ... ]

DESCRIPTION
       Tripwire is a file integrity checker - a utility that compares a
       designated set of files and directories against information stored
       in a previously generated database. Added or deleted files are
       flagged and reported, as are any files that have changed from their
       previously recorded state in the database.

       When run against system files on a regular basis, any file changes
       would be spotted when Tripwire is next run, giving system
       administrators information to enact damage control measures
       immediately. Using Tripwire, system administrators can conclude with
       an extremely high degree of certainty that a given set of files and
       directories remain untouched from unauthorized modifications,
       provided the program and database are appropriately protected (e.g.,
       stored on read-only media). Note that reports of changed files
       indicate a change from the time of the last Tripwire database
       installation or update. For best effect, the files being monitored
       should be reinstalled from known good sources. (See the Tripwire
       design document for further details.)

       Tripwire uses message-digest algorithms (one-way hash functions) to
       detect changes in a hard-to-spoof manner. This should be able to
       detect significant changes to critical files, including those caused
       by insertion of backdoors or viruses. Tripwire also monitors changes
       to file permissions, modification times, and other significant
       changes to inodes as selected by the system administrator on a
       per-file/directory basis.

       Tripwire runs in one of four modes: Database Generation, Database
       Update, Integrity Checking, or Interactive Update mode. In Database
       Generation mode, Tripwire initializes the database based upon the
       entries enumerated in the tw.config file. Database Update mode
       provides incremental database update functionality on a
       per-file/directory basis. This obviates having to regenerate the
       entire database every time a file or set of files change. The
       Integrity Checking mode generates a report of added, deleted, or
       changed files, comparing all the files described by the tw.config
       file against the files residing on the filesystem. Lastly, the
       Interactive Update mode reports added, deleted, and changed files
       and prompts the user whether those database entries should be
       updated. The Interactive Update mode provides a simple and thorough
       method for system administrators to keep Tripwire databases ``in
       sync'' with filesystems that change.

OPTIONS
       When run without any arguments, tripwire runs in Integrity Checking
       mode.

       -initialize
              Database Generation mode. Creates the database which is used
              for all subsequent Integrity Checking runs.

       -update pathname/entry ...
              Database Update mode. This mode updates the specified
              pathname or entry in the database. If the argument provided
              is a file, only that file is updated. If the argument is a
              directory, that directory and all of its children are
              updated. If the argument is an entry in the tw.config file,
              the entire entry in the database is updated.

       -interactive
              Interactive Integrity Checking. Tripwire first reports all
              added, deleted, and changed files, then prompting the user
              whether the entry should be updated in the database. Note
              that Tripwire opens up /dev/tty instead of using stdin. This
              prevents automating interactive updates, reducing the chance
              of system administrators inadvertently updating entries.
              Updating the database should always be done with care and
              deliberation.

       -loosedir
              Loosens checking rules for directories in Integrity Checking
              modes so changes in size, nlink, modification and creation
              times no longer are reported. This significantly quiets
              Tripwire reports, at the possible risk of missing important
              changes.

       -d dbasefile
              Reads the database information from the specified file
              dbasefile. stdin can specified by ``-d -''.

       -c configfile
              Read the configuration information from the specified file
              configfile. stdin can specified by ``-c -''.

       -cfd openfd
              Read the configuration information from the open file
              descriptor openfd. This option allows programs outside of
              Tripwire to supply services such as networking, compression,
              and encryption.

       -dfd openfd
              Read the database file from the open file descriptor openfd.
              This option allows programs outside of Tripwire to supply
              services such as networking, compression, and encryption.

       -Dvar=value
              Defines the tw.config variable var to value. (As if @@define
              were used.)

       -Uvar  Undefine the tw.config variable var. (As if @@undef were
              used.)

       -i [#|all]
              Ignore the specified signature, and skip it when comparing
              against database entries. If all is specified, no signatures
              are collected or compared.

       -E     Prints out preprocessed tw.config file to stdout.

       -preprocess
              Same as -E option.

       -q     Quiet mode. In this mode, Tripwire prints only one line
              reports for each added, changed, or deleted file. Phase 5 is
              skipped, which prints all the pairs of expected and observed
              file attribute values.

       -v     Verbose mode. Prints out filenames as they are being scanned
              during signature computation.

       -help  Print out inode interpretation message (for parsing messages
              when files have changed).

       -version
              Prints out version information.

DATABASE GENERATION MODE
       In Database Generation mode, tripwire creates the database file
       based upon the entries in tw.config. The name of this database file
       is defined at compile-time in config.h - it defaults to
       tw.db_[hostname]. The generated database is placed in the
       ./databases directory, and must be moved to the target directory
       manually.

       Note that you must manually move this file to your database
       directory. This is because the default database directory should be
       a read-only file system.

DATABASE UPDATE MODE
       In Database Update mode, tripwire updates the specified files,
       directories, or entries in the database. The old database is saved
       in the ./databases directory with the .old suffix. The new, updated
       database is also written to the ./databases directory. As in the
       Database Generation mode, the new database must be manually moved to
       the Tripwire database directory.

       tripwire in Database Update mode requires at least one argument,
       which is used as an entry. The entry argument specifies which file
       or directory is to be updated, and is interpreted similar to
       tw.config entries. If the argument is a filename, only that file is
       updated in the database. Similarly, if the argument is a directory
       name, the directory and its children are updated. If the argument is
       also an entry in the tw.config file, the entire entry is updated.

       Database updates yield a new database file with added, deleted, or
       changed entries. This functionality is provided to allow Tripwire
       databases to be updated in a controlled manner to reflect filesystem
       changes, obviating the need to regenerate the entire database again.

INTEGRITY CHECKING MODE
       In Integrity Checking mode, tripwire reads in the tw.config file,
       and rebuilds a new database to reflect the current files. Tripwire
       then compares the new database with the existing Tripwire database
       stored on the filesystem, reporting added or deleted files, as well
       as those files that have changed.

       The tw.config file, in addition to the list of files and
       directories, also lists which attributes can change and be safely
       ignored by Tripwire. Tripwire applies these select-flags to decide
       which changes can be safely unreported.

       Each file that differs from the information stored in the database
       is considered ``changed.'' However, only the changes that remain
       after the select-flags are applied are displayed.

       For each change, the expected and actual information is printed.
       For instance:

       2:30am (mentor) 985 % tripwire
       ### Phase 1: Reading configuration file
       ### Phase 2: Generating file list
       ### Phase 3: Creating file information database
       ### Phase 4: Searching for inconsistencies
       ###
       ###     Total files scanned: 82
       ###     Files added: 0
       ###     Files deleted: 0
       ###     Files changed: 80
       ###
       ###     After applying rules:
       ###     Changes discarded: 79
       ###     Changes remaining: 1
       ###
       changed: -rw------- genek 4433 Oct 13 02:30:34 1992 /tmp/genek/tripwire-0.92/config.h
       ### Phase 5: Generating observed/expected pairs for changed files
       ###
       ### Attr        Observed (what it is)         Expected (what it should be)
       ### =========== ============================= =============================
       /tmp/genek/tripwire-0.92/config.h
       st_size:        4441                          4433
       md5 (sig1):     0aqL1O06C3Fj1YBXz3.CPdcb      0cPX1H.DYS.s1vZdKD.ELMDR
       snefru (sig2):  0PcgcK/MZvEm.8pIWe.Gbnn/      /8VoJv1JcoUA0NvoGN.k3P6E
       crc32 (sig3):   .EHA6x                        /OuGNV
       crc16 (sig4):   ...9/q                        ...6yu
       md4 (sig5):     /hQ0sU.UEbJo.UR4VZ/mNG/h      .UR4VZ/mNG/h/VSG/W/Z643k
       md2 (sig6):     .hLwjb.VRA0O.Z72y90xTYqA      1LR0Gg1l.vqB0.1g330Pi8/p

       Tripwire in Interactive Update mode will look similar. However, for
       each added, deleted, or changed file, the user is prompted whether
       the entry corresponding to the file or directory should be updated.
       The user can answer with either ``y'', ``n'', ``Y'', or ``N''.

       The first two answers are simply ``yes, update the specified file''
       and ``no, don't update the file'' respectively.

       Answering ``Y'' not only updates the specified file or directory,
       but all other files or directories that share the same entry in the
       tw.config file. For example, if ``Y'' were answered for /etc, then
       all the files generated by the /etc entry will also be updated.

       Answering ``N'' is similar, but skips all files and directories
       corresponding to the specified entry.

       A possible Tripwire session running in Interactive Update mode may
       look like:

       3:34pm (flounder) tw/src 5 %%% tripwire -interactive
       ### Phase 1: Reading configuration file
       ### Phase 2: Generating file list
       ### Phase 3: Creating file information database
       ### Phase 4: Searching for inconsistencies
       ###
       ###     Total files scanned: 49
       ###     Files added: 0
       ###     Files deleted: 0
       ###     Files changed: 49
       ###
       ###     After applying rules:
       ###     Changes discarded: 48
       ###     Changes remaining: 1
       ###
       changed: -rw------- genek 7893 May 5 15:30:37 1993 /homes/genek/research/tw/src/databases/tw.db_flounder.Eng.Sun.COM.old
       ### Phase 5: Generating observed/expected pairs for changed files
       ###
       ### Attr        Observed (what it is)         Expected (what it should be)
       ### =========== ============================= =============================
       /homes/genek/research/tw/src/databases/tw.db_flounder.Eng.Sun.COM.old
       st_mtime:       Wed May 5 15:30:37 1993       Wed May 5 15:24:09 1993
       st_ctime:       Wed May 5 15:30:37 1993       Wed May 5 15:24:09 1993
       ---> File: '/homes/genek/research/tw/src/databases/tw.db_flounder.Eng.Sun.COM.old'
       ---> Update entry? [YN(y)nh?] y
       ### Updating database...
       ###
       ### Phase 1: Reading configuration file
       ### Phase 2: Generating file list
       ### Phase 3: Updating file information database
       ### Phase 3: Updating file information database
       ###
       ### Old database file will be moved to `tw.db_barnum.cs.purdue.edu.old'
       ### in ./databases.
       ###
       ### Updated database will be stored in './databases/tw.db_barnum.cs.purdue.edu'
       ### (Tripwire expects it to be moved to '/tmp/genek'.)
       ###
       3:34pm (flounder) tw/src 6 %%%

DIAGNOSTICS
       Tripwire exit status is 1 for any error condition. Otherwise, the
       exit status is the logical OR'ing of the following: 2 for files
       added, 4 for files deleted, and 8 for files changed. (e.g., if
       Tripwire exits with status code 10, then files were added and
       change. 8 + 2 = 10.)

ENVIRONMENT
       None.

BUGS
       This manual page is not self-contained - users are referred to the
       Tripwire design document to better understand the issues of
       integrity checking.

SEE ALSO
       tw.config(5)

       The Design and Implementation of Tripwire: A UNIX File Integrity
       Checker by Gene Kim and Eugene Spafford. Purdue Technical Report
       CSD-TR-93-071.

AUTHORS
       Gene Kim
       Purdue University
       gkim@cs.purdue.edu

       Eugene Spafford
       Purdue University
       spaf@cs.purdue.edu

                               October 14, 1992                    TRIPWIRE(8)

# tripwire
### Phase 1: Reading configuration file
### Phase 2: Generating file list
tripwire: /.rhosts: No such file or directory
tripwire: /.login: No such file or directory
tripwire: /.exrc: No such file or directory
tripwire: /.logout: No such file or directory
tripwire: /.forward: No such file or directory
tripwire: /kernel: No such file or directory
tripwire: /lkm: No such file or directory
tripwire: /modules: No such file or directory
### Phase 3: Creating file information database
### Phase 4: Searching for inconsistencies
###
###     Total files scanned: 22983
###     Files added: 0
###     Files deleted: 0
###     Files changed: 20794
###
###     After applying rules:
###     Changes discarded: 20794
###     Changes remaining: 0
###
### Phase 4: Searching for inconsistencies
###
###     Total files scanned: 22983
###     Files added: 0
###     Files deleted: 0
###     Files changed: 20794
###
###     After applying rules:
###     Changes discarded: 20792
###     Changes remaining: 2
###
changed: -rw-r--r-- bind 575 (null) /etc/namedb/slave/fordex.su
changed: -rw-r--r-- bind 575 (null) /etc/namedb/slave/fordex.ru
### Phase 5: Generating observed/expected pairs for changed files
###
### Attr        Observed (what it is)         Expected (what it should be)
### =========== ============================= =============================
/etc/namedb/slave/fordex.su
st_mtime:       Tue Dec 21 22:57:57 2004      Tue Dec 21 21:27:50 2004
st_ctime:       Tue Dec 21 22:57:57 2004      Tue Dec 21 21:27:50 2004
/etc/namedb/slave/fordex.ru
st_mtime:       Tue Dec 21 22:59:49 2004      Tue Dec 21 20:50:06 2004
st_ctime:       Tue Dec 21 22:59:49 2004      Tue Dec 21 20:50:06 2004
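
Added example, not part of the original session and not Tripwire's own code: a Python sketch that turns an Integrity Checking report like the one above, together with the exit status described under DIAGNOSTICS, into one record per flagged file for a nightly job. The function names, the exit status 8 and the exact spacing of the sample text are assumptions; the sample is reconstructed from the last run on this page.

```python
import re

# Exit-status bits from the DIAGNOSTICS section of tripwire(8).
STATUS_BITS = {2: "added", 4: "deleted", 8: "changed"}
COUNTER = re.compile(
    r"^###\s+(Total files scanned|Files added|Files deleted|Files changed|"
    r"Changes discarded|Changes remaining):\s+(\d+)\s*$")
ENTRY = re.compile(r"^(added|deleted|changed):\s.*\s(/\S+)\s*$")
ATTR = re.compile(r"^\s*(st_\w+|\w+ \(sig\d+\)):\s")


def decode_status(code):
    """Map a Tripwire 1.2 exit status to the conditions it encodes."""
    if code == 0:
        return set()
    # 1 is the documented error status; treating every other value outside
    # the 2|4|8 mask as an error too is an assumption of this example.
    if code & ~0b1110:
        return {"error"}
    return {name for bit, name in STATUS_BITS.items() if code & bit}


def parse_report(text):
    """Extract counters, flagged paths and the differing attributes per path."""
    report = {"counters": {}, "entries": [], "attrs": {}}
    current = None
    for line in text.splitlines():
        if (m := COUNTER.match(line)):
            # A later summary block overrides an earlier one.
            report["counters"][m.group(1)] = int(m.group(2))
        elif (m := ENTRY.match(line)):
            report["entries"].append((m.group(1), m.group(2)))
        elif line.startswith("/"):
            current = line.strip()  # Phase 5 header line: the file path
            report["attrs"][current] = []
        elif current and (m := ATTR.match(line)):
            report["attrs"][current].append(m.group(1))
    return report


def triage(report, exit_code):
    """Combine exit status and parsed report into one record per file."""
    findings = []
    for kind, path in report["entries"]:
        attrs = report["attrs"].get(path, [])
        # True only if size or a signature was reported as different. False
        # does not prove identical content: signatures switched off by the
        # tw.config entry (R-2, R-12) are never compared.
        content = any(a == "st_size" or "(sig" in a for a in attrs)
        findings.append({"path": path, "kind": kind, "attrs": attrs,
                         "content_diff_reported": content})
    return {"status": decode_status(exit_code), "findings": findings}


# Constructed input: the last run on this page with line breaks restored
# (column spacing is assumed).
SAMPLE = """\
###     Total files scanned:      22983
###     Files added:              0
###     Files deleted:            0
###     Files changed:            20794
###     Changes discarded:        20792
###     Changes remaining:        2
changed: -rw-r--r-- bind 575 (null) /etc/namedb/slave/fordex.su
changed: -rw-r--r-- bind 575 (null) /etc/namedb/slave/fordex.ru
### Phase 5: Generating observed/expected pairs for changed files
/etc/namedb/slave/fordex.su
      st_mtime: Tue Dec 21 22:57:57 2004      Tue Dec 21 21:27:50 2004
      st_ctime: Tue Dec 21 22:57:57 2004      Tue Dec 21 21:27:50 2004
/etc/namedb/slave/fordex.ru
      st_mtime: Tue Dec 21 22:59:49 2004      Tue Dec 21 20:50:06 2004
      st_ctime: Tue Dec 21 22:59:49 2004      Tue Dec 21 20:50:06 2004
"""

if __name__ == "__main__":
    print(triage(parse_report(SAMPLE), 8))  # exit status 8 is assumed
```

For the two slave zone files only `st_mtime` and `st_ctime` are listed, so no size or signature difference was reported under the `/etc R-2` entry.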