1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
|
From cpage@mv.MV.COM Wed Feb 16 05:35:43 1994
Received: from optima.CS.Arizona.EDU by quercus.cs.arizona.edu; Wed, 16 Feb 1994 05:35:42 MST
Received: from arthur.cs.purdue.edu by optima.CS.Arizona.EDU (5.65c/15) via SMTP
id AA14969; Wed, 16 Feb 1994 05:35:40 MST
Received: from barnum.cs.purdue.edu (root@barnum.cs.purdue.edu [128.10.2.70])
by arthur.cs.purdue.edu (8.6.4/PURDUE_CS-1.3) with ESMTP
id <HAA29221> for <gkim@cs.arizona.edu>; Wed, 16 Feb 1994 07:35:38 -0500
Received: from arthur.cs.purdue.edu (root@arthur.cs.purdue.edu [128.10.2.1])
by barnum.cs.purdue.edu (8.6.4/PURDUE_CS-1.3) with ESMTP
id <HAA07276> for <gkim@cs.purdue.edu>; Wed, 16 Feb 1994 07:35:36 -0500
Received: from mv.mv.com (mv.MV.COM [192.80.84.1])
by arthur.cs.purdue.edu (8.6.4/PURDUE_CS-1.3) with ESMTP
id <HAA29216> for <gkim@cs.purdue.edu>; Wed, 16 Feb 1994 07:35:33 -0500
Received: from localhost by mv.mv.com (8.6.4/mem-931109)
id HAA01327 for gkim@cs.purdue.edu; Wed, 16 Feb 1994 07:35:25 -0500
Date: Wed, 16 Feb 1994 07:35:25 -0500
From: Calvin Page <cpage@mv.MV.COM>
Message-Id: <199402161235.HAA01327@mv.mv.com>
To: gkim@cs.purdue.edu
Status: ORrp
To: Gene Kim - gkim@purdue.edu
Eugene Spafford - spaf@cs.purdue.edu
Fr: Cal Page - cpage@mv.MV.COM
Subj: Installing Tripwire Version 1.1 on Linux
Hi,
I installed tripwire on my linux box and came up
with the following README.linux. At some point, I would like
to publish it out on the internet on Comp.os.linux.*.
I am also working on a Linux Security-HOWTO and would like
to include a reference to your work in it with a copy of this
attached README.
Do you have any comments on the README or and suggestions
before I publish it?
Regards,
Cal Page
--------------------------- README.linux ----------------------------
Summary
Tripwire installed fairly easily on Linux using the following
GNU tools; gcc, flex 2.4.5, and bison 1.18. The Linux kernel was
at level 0.99.14.
Build Problems:
---------------
The following problems were encountered during
the make:
1) yy_flex_realloc, yy_flex_alloc, and yy_flex_free were undefined
globals when tripwire was linked. This was solved by adding the
following lines to config.pre.tab.c:
#include <malloc.h>
void *yy_flex_realloc(void *x,int y) { return realloc(x,y); }
void *yy_flex_alloc (int y ) { return malloc(y); }
void *yy_flex_free (void *x ) { free(x); }
2) yyin and yyout were undefined during the compile. This was solved
by adding the following line after the '#include <stdio.h>'
in config.pre.tab.c:
extern FILE *yyin,*yyout;
3) The 'src/Makefile' had to be changed after the $(YACC) line
as follows:
mv config.pre.tab.c y.tab.c
This is because GNU's bison creates a different output file from
yacc.
4) The 'Makefile' defined CC=gcc, FLEX=flex, and YACC=bison
Run Problems
-------------
The following bugs were observed during testing:
1) The '@@include' macro failed in 'tw.config' with the error
---fatal flex scanner internal error--- End of buffer missed.
This error showed up while running the acceptance test named
'tests/test.twpre.sh'
2) While running tripwire on an 'msdos' mounted partition, the following
error was observed:
...
Scanning: /msdos/msm/C&QC
sig_md5_get: read(): Is a directory
#
The code is trying to read data from a directory, but gets a read
error and then exits.
3) The following error was received while doing a '/dev R':
...
Scanning: /dev/ptyqb
sig_null_get: lseek(): Illegal seek
#
This is probably because we should not be doing a '/dev R'. It
is unfair to expect random devices in '/dev' to lseek properly.
The 'tw.config' should be changed.
4) On page 3 of the man page for 'tw.config' when the author states:
"Note the differeence between pruning (via "!") and
ignoring everything (via "N" template):..."
They probably mean:
"Note the ...
ignoring everything (via "E"):..."
5) When you are creating a new database with the '-initialize'
switch, tripwire ignores the '-d' switch. There is no command
line error given for this.
6) There are four modes for runnung tripwire that are specified
with switches that sometime agree with their functions. Specifically:
Mode Switch
--------------------------
Generate -initialize
Update -update
Integrity <none>
Interactive -interactive
Samples:
--------
Here is a sample tw.config file that works reasonably
well on Linux:
#
# Only check '/' disk partition with this
# config file.
#
# Define a variable for searching /dev
#
@@define DEVSEARCH E+pinugsamc
#
# All Files in '/' disk partition. If you want
# to check other mounted partitions, you would
# add them after the '/ R' line.
#
/ R
#
# Except /proc
#
=/proc E
#
# And /dev
#
/dev @@DEVSEARCH
#
# just /tmp
#
=/tmp
#
# End
#
For checking, this command works reasonably well:
./tripwire -v -interactive -loosedir -d databases/tw.db1 -c tw.config
|
