The OpenNET Project / Index page

tripwire (8)
    NAME
         tripwire - a file integrity checker for UNIX systems
    
    SYNOPSIS
         tripwire [ options ... ]
    
    DESCRIPTION
         Tripwire is a  file  integrity  checker  -  a  utility  that
         compares  a  designated set of files and directories against
         information  stored  in  a  previously  generated  database.
         Added  or deleted files are flagged and reported, as are any
         files that have changed from their previously recorded state
         in the database.  When run on a regular basis, Tripwire is a
         useful tool for maintaining the integrity of  system  files.
         If unauthorized changes are discovered, Tripwire can quickly
         determine  the  extent  of  the  problem,  allowing   system
         administrators to enact damage control measures.
    
         Using Tripwire, system administrators can conclude  with  an
         extremely high degree of certainty that a given set of files
         and  directories  have  not  been  modified,  provided   the
         tripwire  program  and  database are appropriately protected
         (e.g., stored on read-only media).  Tripwire  uses  message-
         digest algorithms (one-way hash functions) to detect changes
         in a hard-to-spoof manner.  These algorithms are designed to
         detect even the smallest changes to files, including changes
         caused by insertion of backdoors or viruses.   Tripwire  can
         be  configured  to  monitor  changes  to  file  permissions,
         modification times, and other significant inode changes on a
         per-file/directory  basis.  Changes are reported relative to
         the last Tripwire database installation or update.
    
         Tripwire runs in one of  four  modes:  Database  Generation,
         Integrity  Checking,  Database Update, or Interactive Update
         mode.  In Database Generation mode, Tripwire initializes the
         database  based  on  the entries enumerated in the tw.config
         file. The Integrity Checking mode compares all of the  files
         described  by  the tw.config file against the files residing
         on the filesystem to generate a list of added,  deleted,  or
         changed  files.   Database  Update  mode  allows the user to
         update individual file or directory entries in the database,
         rather  than  regenerating  the entire database every time a
         file or set of files change.  The  Interactive  Update  mode
         combines   the  functions  of  the  Integrity  Checking  and
         Database  Update  modes.  Interactive  Update  mode  reports
         added,  deleted,  and  changed  files and gives the user the
         option to update each affected database entry  individually.
         Interactive Update provides a simple and thorough method for
         system administrators to keep Tripwire databases ``in sync''
         with changing filesystems.
    
    
    OPTIONS
         When run without any arguments, tripwire runs  in  Integrity
         Checking mode.
    
         -initialize, --init, --initialize
                             Database Generation mode.   Creates  the
                             database   which   is   used   for   all
                             subsequent Integrity Checking runs.
    
          -update [[pathname|entry] ...],
          --update [[pathname|entry] ...]
                             Database Update mode.  This mode updates
                             the  specified  pathname or entry in the
                             database.  If the argument provided is a
                             file, only that file is updated.  If the
                             argument is a directory, that  directory
                             and all of its children are updated.  If
                             the  argument  is  an   entry   in   the
                             tw.config  file, the entire entry in the
                             database is updated.
    
         -interactive, --interactive
                             Interactive Update mode.  Tripwire first
                             reports  all added, deleted, and changed
                             files, then allows the  user  to  update
                             the  entry  in  the  database. Note that
                             Tripwire opens up  /dev/tty  instead  of
                             using    stdin.    This   prevents   the
                             automation   of   interactive   updates,
                             reducing    the    chance    of   system
                             administrators  inadvertently   updating
                             entries.   Updating  the database should
                             always   be   done   with    care    and
                             deliberation.
    
         -loosedir, --loose-directory-checking
                             Loosens    checking     criteria     for
                             directories  in  Integrity  Checking  or
                             Interactive Update modes so  changes  in
                             size,  nlink,  modification and creation
                             times  are  no  longer  reported.   This
                             significantly  quiets  Tripwire reports,
                             at  the   possible   risk   of   missing
                             important changes.
    
         -d dbasefile, --dbfile dbasefile
                             Reads the database information from  the
                             specified   dbasefile.    stdin  can  be
                             specified using ``-d -''  or  ``--dbfile
                             -''.
    
         -c configfile, --cfgfile configfile
                             Read the configuration information  from
                             the  specified  configfile. stdin can be
                             specified using ``-c -'' or  ``--cfgfile
                             -''.
    
         -cfd openfd         Read the configuration information  from
                             the  open  file descriptor openfd.  This
                             option  allows   programs   outside   of
                             Tripwire  to  supply  services  such  as
                             networking, compression, and encryption.
    
         -dfd openfd         Read the database  file  from  the  open
                             file  descriptor  openfd.   This  option
                             allows programs outside of  Tripwire  to
                             supply   services  such  as  networking,
                             compression, and encryption.
    
         -Dvar=value         Defines the tw.config  variable  var  to
                             value, as if @@define were used.
    
         -Uvar               Undefine the tw.config variable var,  as
                             if @@undef were used.
    
         -i [#|all], --ignore [#|all]
                             Ignore the specified signature, and skip
                             it   when   comparing  against  database
                             entries.   If  all  is   specified,   no
                             signatures are collected or compared.
    
         -x, --print-hex     Collect and display all signature values
                             in   hexadecimal,   rather  than  base64
                             notation.
    
         -E, -preprocess     Prints out preprocessed  tw.config  file
                             to stdout.
    
         -q, --quiet, --silent
                             Quiet  mode.   In  this  mode,  Tripwire
                             displays  only one line of text for each
                             added, changed, or deleted file.   Phase
                             5  of  the Tripwire report, which prints
                             the pairs of expected and observed  file
                             attribute values, is omitted.
    
         -v, --verbose       Verbose mode.  Prints out  filenames  as
                             they  are being scanned during signature
                             computation.
    
         -help [inode], --help [inode]
                             Prints  out   usage   information.    If
                             "inode"  is  specified  as  an argument,
                             this command will instead print an inode
                             interpretation   message   (for  parsing
                             messages when files have changed).
    
         -version, --version Prints out version information.
    
    DATABASE GENERATION MODE
         In Database Generation mode, tripwire creates  the  database
         file  based  on  the entries in tw.config.  The name of this
         database file is defined at compile-time in config.h  -  the
         default name is tw.db_[hostname].  The generated database is
         placed in the ./databases directory, and must  be  moved  to
         the target directory manually.
    
         Note that you must manually move this file to the  directory
         specified in config.h because the default database directory
         should be a read-only file system.
    
    INTEGRITY CHECKING MODE
         In Integrity Checking mode, tripwire reads in the  tw.config
         file  and  builds  a  new  database  to reflect the state of
         current files.  Tripwire then compares the new database with
         the existing database and reports added, deleted, or changed
         files.
    
         The tw.config file enumerates the files and directories that
         Tripwire  watches,  with  select-flags  for each listing the
         attributes for that file that should and should not  change.
         Tripwire  applies  these  rules  to  determine which changes
         should be reported after an integrity check.
    
         Tripwire detects all changes to  entries  in  the  tw.config
         file,  but  only those changes specified by the select-flags
         for that entry are displayed after an integrity  check.  For
         each   of  these  changes,  the  expected  value  (from  the
         database) and the actual information (observed in the  file)
         are printed. For example:
    
         2:30am (mentor) 985 % tripwire
         ### Phase 1:   Reading configuration file
         ### Phase 2:   Generating file list
         ### Phase 3:   Creating file information database
         ### Phase 4:   Searching for inconsistencies
         ###
         ###                     Total files scanned:            82
         ###                           Files added:              0
         ###                           Files deleted:            0
         ###                           Files changed:            80
         ###
         ###                     After applying rules:
         ###                           Changes discarded:        79
         ###                           Changes remaining:        1
         ###
         changed: -rw-------              4433 Oct 13 02:30:34 1992 /tmp/config.h
         ### Phase 5:   Generating observed/expected pairs for changed files
         ###
         ### Attr        Observed (what it is)         Expected (what it should be)
         ### =========== ============================= =============================
         /tmp/config.h
                st_size: 4441                          4433
             md5 (sig1): 0aqL1O06C3Fj1YBXz3.CPdcb      0cPX1H.DYS.s1vZdKD.ELMDR
          snefru (sig2): 0PcgcK/MZvEm.8pIWe.Gbnn/      /8VoJv1JcoUA0NvoGN.k3P6E
           crc32 (sig3): .EHA6x                        /OuGNV
           crc16 (sig4): ...9/q                        ...6yu
             md4 (sig5): /hQ0sU.UEbJo.UR4VZ/mNG/h      .UR4VZ/mNG/h/VSG/W/Z643k
             md2 (sig6): .hLwjb.VRA0O.Z72y90xTYqA      1LR0Gg1l.vqB0.1g330Pi8/p
    
    DATABASE UPDATE MODE
         In  Database  Update   mode,   tripwire   updates   database
         information  for  specified files, directories, or tw.config
         entries. This mode allows the  user  to  update  a  Tripwire
         database   to   reflect   filesystem  changes,  rather  than
         regenerating the entire database every time a file or set of
         files change.
    
         The new, updated database  is  written  to  the  ./databases
         directory. The old database is also saved in the ./databases
         directory, with the .old suffix added. As  in  the  Database
         Generation  mode, the new database must be manually moved to
         the Tripwire database directory.
    
         The tripwire Database Update  mode  requires  at  least  one
         argument, specifying the file or directory to be updated. If
         the argument is a filename, only that file is updated in the
         database. If the argument is a directory name, the directory
         and its children are updated. If the  argument  is  also  an
         entry in the tw.config file, the entire entry is updated.
    
    INTERACTIVE UPDATE MODE
         tripwire Interactive Update mode  produces  output  that  is
         very similar to the output from Integrity Checking mode (see
         example, above). However, for each  addition,  deletion,  or
         change detected during an integrity check, the user is given
         the option  to  update  the  database  information  for  the
         corresponding file or directory.
    
         Possible responses are ``y'', ``n'', ``Y'', or  ``N''.   The
         first  two  responses are simply ``yes, update the specified
         file or directory'' and  ``no,  don't  update  the  file  or
         directory'',   respectively.  Answering  ``Y''  updates  the
         specified  file  or  directory  and  all  other   files   or
         directories that share the same entry in the tw.config file.
         For example, if ``Y'' were answered for /etc, then  all  the
         files  generated  by  the  /etc  entry will also be updated.
         Answering ``N'' will suppress updating  for  all  files  and
         directories corresponding to the specified entry.
    
         A Tripwire session running in Interactive Update mode  might
         look like:
         3:34pm (flounder) tw/src 5 %%% tripwire -interactive
         ### Phase 1:   Reading configuration file
         ### Phase 2:   Generating file list
         ### Phase 3:   Creating file information database
         ### Phase 4:   Searching for inconsistencies
         ###
         ###            Total files scanned:          49
         ###                  Files added:       0
         ###                  Files deleted:          0
         ###                  Files changed:          49
         ###
         ###            After applying rules:
         ###                  Changes discarded: 48
         ###                  Changes remaining: 1
         ###
         changed: -rw-------                   7893 May  5 15:30:37 1993
         /homes/research/tw/src/databases/tw.db_flounder.Eng.Sun.COM.old
         ### Phase 5:   Generating observed/expected pairs for changed files
         ###
         ### Attr        Observed (what it is)         Expected (what it should be)
         ### =========== ============================= =============================
         /homes/research/tw/src/databases/tw.db_flounder.Eng.Sun.COM.old
               st_mtime: Wed May  5 15:30:37 1993      Wed May  5 15:24:09 1993
               st_ctime: Wed May  5 15:30:37 1993      Wed May  5 15:24:09 1993
         ---> File: '/homes/research/tw/src/databases/tw.db_flounder.Eng.Sun.COM.old'
         ---> Update entry?  [YN(y)nh?] y
    
         ### Updating database...
         ###
         ### Phase 1:   Reading configuration file
         ### Phase 2:   Generating file list
         ### Phase 3:   Updating file information database
         ### Phase 3:   Updating file information database
         ###
         ### Old database file will be moved to `tw.db_barnum.cs.purdue.edu.old'
         ###            in ./databases.
         ###
         ### Updated database will be stored in './databases/tw.db_barnum.cs.purdue.edu'
         ###            (Tripwire expects it to be moved to '/tmp/'.)
         ###
         3:34pm (flounder) tw/src 6 %%%
    
    DIAGNOSTICS
         Tripwire  exit  status  is  1  for  any   error   condition.
         Otherwise,  the  exit  status  is  the logical OR'ing of the
         following:  2 for files added, 4 for files  deleted,  and  8
         for  files  changed.   For  instance, if Tripwire exits with
         status code 10, then files were added and changed (8 +  2  =
         10).
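As an added example that is not part of this man page or of Tripwire itself: a minimal Python integrity checker that walks through Database Generation and Integrity Checking over a constructed temporary directory, reports observed/expected pairs per attribute the way Phase 5 does, honours an ignore list in the spirit of select-flags and -i, and computes the exit status from the DIAGNOSTICS bits (2 added, 4 deleted, 8 changed). sha256 stands in for Tripwire's sig1..sig6 signatures; the file names and contents are constructed for the demo.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# Attributes kept per file, named after the st_* fields tripwire prints in its
# Phase 5 observed/expected pairs; sha256 stands in for its sig1..sig6 digests.
ATTRS = ("st_mode", "st_size", "st_mtime", "sha256")
# Exit-status bits from DIAGNOSTICS: 2 added, 4 deleted, 8 changed, OR'ed together.
ADDED, DELETED, CHANGED = 2, 4, 8

def snapshot(path):
    """Collect the attributes recorded for one regular file."""
    st = path.lstat()
    return {"st_mode": stat.S_IMODE(st.st_mode), "st_size": st.st_size,
            "st_mtime": int(st.st_mtime),
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest()}

def generate_database(root):
    """Database Generation mode: relative path -> attributes of every regular file."""
    root = Path(root)
    return {str(p.relative_to(root)): snapshot(p)
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}

def integrity_check(root, db, ignore=()):
    """Integrity Checking mode: rebuild the database and diff it against db.
    ignore skips attributes, like select-flags or -i; returns (added, deleted,
    changed, status) with changed = {path: {attr: (observed, expected)}}."""
    now = generate_database(root)
    added = sorted(set(now) - set(db))
    deleted = sorted(set(db) - set(now))
    changed = {}
    for path in sorted(set(now) & set(db)):
        diffs = {a: (now[path][a], db[path][a]) for a in ATTRS
                 if a not in ignore and now[path][a] != db[path][a]}
        if diffs:
            changed[path] = diffs
    status = (ADDED if added else 0) | (DELETED if deleted else 0) | (CHANGED if changed else 0)
    return added, deleted, changed, status

def demo():
    """Constructed scenario: baseline, then one change, one addition, one deletion."""
    root = Path(tempfile.mkdtemp())
    (root / "config.h").write_bytes(b"#define X 1\n")
    (root / "old.txt").write_bytes(b"bye\n")
    db = generate_database(root)
    (root / "config.h").write_bytes(b"#define X 1\n#define Y 2\n")  # changed: size, digest
    (root / "new.txt").write_bytes(b"hi\n")                           # added
    (root / "old.txt").unlink()                                       # deleted
    return integrity_check(root, db, ignore=("st_mtime",))

if __name__ == "__main__":
    print(demo())
```

st_mtime is ignored in the demo only so the result does not depend on whether the edit lands in the same second as the baseline; a real deployment would keep it and, as the page says, keep the database on read-only media.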
    
    ENVIRONMENT
         None.
    
    BUGS
         This manual page is not self-contained - users are  referred
         to  the  Tripwire  design  document  designdoc.ps  for  more
         information on the issues of integrity checking.
    
    SEE ALSO
         tw.config(5)
    
         The Design and  Implementation  of  Tripwire:  A  UNIX  File
         Integrity  Checker  by Gene Kim and Eugene Spafford.  Purdue
         Technical Report CSD-TR-93-071.
    
    AUTHORS
         Gene Kim
         Tripwire Security Systems, Inc.
         [email protected]
    
         Eugene Spafford
         Purdue University
         [email protected]
    
    Created 1996-2024 by Maxim Chirkov