
Linux command

tripwire command

Security

This command affects privileges or the system as a whole; verify the target before running it.

Common examples

Initialize the database

sudo tripwire --init

Run an integrity check

sudo tripwire --check

Run an integrity check and open the resulting report in an editor

sudo tripwire --check --interactive

Update the database

sudo tripwire --update --twrfile [path/to/report.twr]

Update the policy file

sudo tripwire --update-policy [path/to/policy.txt]

Test the configuration

sudo tripwire --test

Description

Tripwire is a host-based intrusion detection system (HIDS) that monitors filesystem integrity. It creates a baseline database of file attributes and periodically compares the current state against this baseline to detect unauthorized additions, deletions, or modifications.

The tool operates in several modes: initialization creates the baseline database, integrity checking compares current files against the baseline, database update incorporates legitimate changes, and policy update modifies monitoring rules.

All database and policy files are cryptographically signed to prevent tampering. Tripwire uses two signing keys: a site key for organization-wide policies and a local key unique to each server. This allows centralized policy management while maintaining per-server database security.

Exit codes from integrity checking indicate what changed: 0 (no changes), 1 (files added), 2 (files modified), 4 (files deleted), 8 (errors).
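The workflow in the examples above (initialize, check, update) and the exit-code list in the description come together in a scheduled, unattended check. The script below is an added example, not code from the original page or from the Tripwire project. It runs the integrity check non-interactively with --no-tty-output and --signed-report, writes each report to a timestamped file, decodes the exit status bit by bit (the listed values combine when more than one kind of change occurred) and logs a one-line summary for the operator to review before any database update. The report directory under /var/lib/tripwire/report, the function names, and the use of --twrfile to name the output report in check mode are assumptions; the bit values are the ones given in the description above.

```shell
#!/bin/sh
# Added example (not part of the original page): a scheduled, non-interactive
# tripwire integrity check that keeps a timestamped signed report and decodes
# the exit status into what changed. The report directory is an assumption;
# adjust it to your installation.
set -u

# Assumed default report location (override with TRIPWIRE_REPORT_DIR).
REPORT_DIR="${TRIPWIRE_REPORT_DIR:-/var/lib/tripwire/report}"

# Build a report path from host name and timestamp so reports are never overwritten.
report_path() {
    # $1 = host name, $2 = timestamp (YYYYmmdd-HHMMSS)
    printf '%s/%s-%s.twr\n' "$REPORT_DIR" "$1" "$2"
}

# Decode the integrity-check exit status using the bit values listed in the
# description above: 1 added, 2 modified, 4 deleted, 8 errors (0 = none).
decode_exit_code() {
    code=$1
    out=""
    [ $((code & 1)) -ne 0 ] && out="$out added"
    [ $((code & 2)) -ne 0 ] && out="$out modified"
    [ $((code & 4)) -ne 0 ] && out="$out deleted"
    [ $((code & 8)) -ne 0 ] && out="$out errors"
    [ -z "$out" ] && out=" none"
    printf '%s\n' "${out# }"
}

# A human must look at the report whenever anything changed or an error occurred.
needs_attention() {
    [ "$1" -ne 0 ]
}

run_check() {
    ts=$(date +%Y%m%d-%H%M%S)
    report=$(report_path "$(hostname)" "$ts")
    # --no-tty-output keeps cron mail quiet; --signed-report signs the report
    # with the local key so it can be trusted when reviewed later.
    tripwire --check --no-tty-output --signed-report --twrfile "$report"
    rc=$?
    summary=$(decode_exit_code "$rc")
    logger -t tripwire-check "exit=$rc changes=[$summary] report=$report"
    if needs_attention "$rc"; then
        # Review the report before accepting changes into the baseline, e.g.:
        #   twprint --print-report --twrfile "$report"
        #   sudo tripwire --update --twrfile "$report"
        return "$rc"
    fi
    return 0
}

# Only invoke tripwire when explicitly asked, so the helper functions can be
# sourced or tested without touching the baseline database.
if [ "${1:-}" = "check" ]; then
    run_check
fi
```

Invoke it as `sudo ./tripwire-check.sh check` from cron; the exit status is passed through unchanged, so a non-zero result from the job is the signal to pull the named report and decide whether to accept the changes with `--update`.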

Options

-m i, --init
Database initialization mode. Create baseline database from current filesystem state.
-m c, --check
Integrity checking mode. Compare current filesystem against baseline database.
-m u, --update
Database update mode. Update database to reflect legitimate changes.
-m p, --update-policy
Policy update mode. Apply new policy and synchronize database.
-m t, --test
Test mode. Verify configuration without making changes.
-I, --interactive
Open report in editor after integrity check for easy database update selection.
-r _file_, --twrfile _file_
Specify report file for database update mode.
-p _file_, --polfile _file_
Specify policy file to use.
-c _file_, --cfgfile _file_
Specify configuration file location.
-v, --verbose
Enable verbose output.
-s, --silent
Suppress output except errors.
-n, --no-tty-output
Suppress report from being printed to console.
-E, --signed-report
Create cryptographically signed report.

FAQ

What is the tripwire command used for?

Tripwire is a host-based intrusion detection system (HIDS) that monitors filesystem integrity: it records a signed baseline of file attributes and compares the current filesystem against it to detect unauthorized additions, deletions, or modifications. The description above covers the operating modes, the site and local keys, and the exit codes of an integrity check.

How do I run a basic tripwire example?

Run `sudo tripwire --init` in a terminal to create the baseline database, then adjust file names, paths, and flags for your system.

What does -m i, --init do in tripwire?

Database initialization mode. Create baseline database from current filesystem state.