On the care and feeding of Tripwire

Tripwire is used to look for unexpected file updates on several systems. It will report changes by e-mail. A daily report showing no changes will consist of an empty mail message with headers like this:-

Date: Fri 31 May 2002 05:04:55 +0100
From: "Tripwire(R) 2.3.1.2" 
To: cs-duty-officer@ncl.ac.uk
Subject: TWReport belsay.ncl.ac.uk 20020531050200 V:0 S:0 A:0 R:0 C:0

If changes have occured the subject line of the report will show the count of changed items, and the body will list them:-

From: root@byerhope.ncl.ac.uk
Date: Mon 10 Jun 2002 08:16:16 +0100
To: cs-duty-officer@ncl.ac.uk
Subject: TWReport byerhope.ncl.ac.uk 20020610081515 V:112 S:100 A:73 R:0 C:39

Added:	"/lib/modules/2.4.9/kernel/drivers/net/e1000.o"
...
Added:	"/root/e1000-4.1.7/SUMS"
Modified:	"/root"

Until the system is fully deployed, these messages are for information only. If the list of changes becomes large, the internal database can be updated by running one of:-

tripwire --check -I	# on byerhope; or on the others...
tripwire --check -c /home/staff1/ncrr/Tripwire/etc/tw.cfg -I -n -s

If you do want to update the tripwire database, you will need its passphrase from the envelope in my top right hand drawer. Running tripwire --check as above without the -I option will giva a detailed list of changes, which could be helpful in the event of suspected problems.

C.R.Ritson@newcastle.ac.uk

30 May 2002