Tuesday, January 18, 2005

Script to Automate Configuration of Tripwire

In a previous post, I gave a general overview of the process used to configure Tripwire on a Linux system. The most time-consuming part of that configuration is editing the twpol.txt policy file. The following Perl script helps with this by going through the file line by line and checking whether each listed file is present on your system. If the file is present, the line is left alone; if not, the line is commented out so that you will not get an error when you scan your system with Tripwire.

Script:

#!/usr/bin/perl
#
# Author: Joshua M. Miller
# Date: 08/26/2004
#
# Purpose: To automate the configuration of the tripwire policies.
#

use strict ;
use warnings ;

my $file = "/etc/tripwire/twpol.txt" ;
my $new_file = "/etc/tripwire/new_twpol.txt" ;

print "Opening $file\n\n" ;

open INFILE, "<", $file or die "Can't open input file : $!" ;
open OUTFILE, ">", $new_file or die "Can't open output file: $!" ;

print "Processing the current tripwire config file...\n" ;

# Read the policy one line at a time; each line lands in $_
while (<INFILE>) {

    # If it is a file that requires checking, check it to see if the file is on this system
    # If the line begins with whitespace followed by a /, then we know it needs to be checked
    # If the file is not on this system, comment it out
    if (m{^\s+/\w}) {

        # Take the file's path from the line (the leading whitespace produces
        # an empty first field, so the path is field 1)
        my @tst_file = split(/\s+/, $_) ;

        # Check to see if the file exists; if not, prefix the line with #
        unless ( -e $tst_file[1] ) {
            $_ = "#" . $_ ;
        }

        # Debug, print results
        print "Result: $tst_file[1]\n" ;

        # Test - print this section to the outfile
        #print OUTFILE "$tst_file[1]\n" ;
    }

    # Write the line (commented out or not) to the new file
    print OUTFILE $_ ;
}

close INFILE ;
close OUTFILE ;

The resulting file is written to the /etc/tripwire directory as new_twpol.txt. Back up the old twpol.txt, rename new_twpol.txt to twpol.txt, and then run the twinstall.sh script.
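The same check written in Python, as an added example that is not from the post: besides commenting out entries whose files are missing, it returns the list of paths it commented out so you can review them before renaming the file and running twinstall.sh. The sample policy block and the temporary-directory paths are constructed for the demonstration.

```python
import os
import re
import tempfile

# Same rule the post's Perl script applies: an indented policy entry whose
# path starts with "/" (e.g. "  /bin/ls  -> $(SEC_CRIT) ;"). The captured
# group is the path, matching $tst_file[1] after split(/\s+/, $_) in Perl.
ENTRY_RE = re.compile(r"^\s+(/\w\S*)")


def filter_policy(lines, exists=os.path.exists):
    """Comment out entries whose path is absent from this system.

    Returns (new_lines, commented_paths); the second value is the review
    list to inspect before installing the policy with twinstall.sh.
    """
    new_lines, commented = [], []
    for line in lines:
        m = ENTRY_RE.match(line)
        if m and not exists(m.group(1)):
            new_lines.append("#" + line)
            commented.append(m.group(1))
        else:
            new_lines.append(line)
    return new_lines, commented


def demo():
    """Run the filter over a constructed twpol.txt-style rule block."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample: one path that exists, one that does not.
        present = os.path.join(root, "bin", "ls")
        os.makedirs(os.path.dirname(present))
        open(present, "w").close()
        missing = os.path.join(root, "sbin", "no-such-binary")
        policy = [
            "(\n",
            '  rulename = "Critical system binaries",\n',
            "  severity = $(SIG_HI)\n",
            ")\n",
            "{\n",
            f"  {present}  -> $(SEC_CRIT) ;\n",
            f"  {missing}  -> $(SEC_CRIT) ;\n",
            "}\n",
        ]
        new_lines, commented = filter_policy(policy)
        flags = [line.startswith("#") for line in new_lines]
        return flags, [os.path.basename(p) for p in commented]
```

Rule-header lines such as `rulename = ...` are never touched, because only lines that begin with whitespace followed by a slash are treated as file entries.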

Keep in mind that this script only removes entries; if files that are critical to the operation of the system are added later, they should be added to the Tripwire policy with the twadmin tool.
