tripwire question
Hi All,
I installed tripwire on my RH 8 box a few months ago. For a while everything seemed to be fine. Lately, though, it seems to not be updating properly when I run the "tripwire --update -r /var/lib/tripwire/report/name_of_file.twr".
It seems to do its thing and then asks for the tripwire local password and then tells me that it's updated the database and all, but if I run a "tripwire --check" immediately afterwards, it still reports back a bunch of errors.
Since I usually run it as a daily cron job, I've been getting daily mail to root about all the bad things happening to my computer. Problem is that I don't believe it any more, and what good is intrusion detection if you don't trust the reports?
Is it likely/possible that my computer has been so severely compromised that I could get hundreds of errors within minutes of updating the tripwire database or is it more likely that tripwire is not updating itself properly?
Thanks for any help!
Jim
Thanks Voidmain,
The following is a "# tripwire --check" I just ran.
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/ntpd
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/ospf6d
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/ospfd
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/pcmcia
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/postgresql
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/pxe
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/radvd
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/rarpd
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/reconfig
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/ripd
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/ripngd
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/routed
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/rstatd
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/rusersd
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/rwalld
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/rwhod
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/smb
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/snmpd
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/squid
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/tux
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/tWnn
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/ups
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/vncserver
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/wine
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/yppasswdd
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/ypserv
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/ypxfrd
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /var/lock/subsys/zebra
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /etc/tripwire/localhost-local.key
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /bin/gawk-3.1.0
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /bin/zsh-4.0.2
### No such file or directory
### Continuing...
Wrote report file: /var/lib/tripwire/report/eunix-20030417-135615.twr
Tripwire(R) 2.3.0 Integrity Check Report
Report generated by: root
Report created on: Thu 17 Apr 2003 01:56:15 PM EDT
Database last updated on: Wed 16 Apr 2003 11:51:56 PM EDT
===============================================================================
Report Summary:
===============================================================================
Host name: eunix
Host IP address: 127.0.0.1
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/eunix.twd
Command line used: tripwire --check
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
Invariant Directories 66 0 0 0
Critical devices 100 0 0 0
Temporary directories 33 0 0 0
Tripwire Data Files 100 0 0 0
* Root config files 100 1 1 0
User binaries 66 0 0 0
Tripwire Binaries 100 0 0 0
* Critical configuration files 100 0 0 2
Libraries 66 0 0 0
Operating System Utilities 100 0 0 0
Critical system boot files 100 0 0 0
File System and Disk Administraton Programs
100 0 0 0
Kernel Administration Programs 100 0 0 0
Networking Programs 100 0 0 0
System Administration Programs 100 0 0 0
Hardware and Device Control Programs
100 0 0 0
System Information Programs 100 0 0 0
Application Information Programs
100 0 0 0
Shell Related Programs 100 0 0 0
Critical Utility Sym-Links 100 0 0 0
Shell Binaries 100 0 0 0
* System boot changes 100 3 2 9
OS executables and libraries 100 0 0 0
Security Control 100 0 0 0
Login Scripts 100 0 0 0
Total objects scanned: 40771
Total violations found: 18
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/root/.xauthqbf4d7"
Removed:
"/root/.xauthVavoJu"
-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/log)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/var/log/sa/sa17"
"/var/log/sa/sar16"
Removed:
"/var/log/sa/sa07"
Modified:
"/var/log/ksyms.0"
"/var/log/ksyms.1"
"/var/log/ksyms.2"
"/var/log/ksyms.3"
"/var/log/ksyms.4"
"/var/log/ksyms.5"
"/var/log/ksyms.6"
-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/run)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/var/run/netreport/1134"
Removed:
"/var/run/netreport/1200"
Modified:
"/var/run/rcd"
"/var/run/rcd/rcd"
-------------------------------------------------------------------------------
Rule Name: Critical configuration files (/etc/sysconfig)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/etc/sysconfig/hwconf"
"/etc/sysconfig/networking/profiles/default/resolv.conf"
===============================================================================
Error Report:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
1. File system error.
Filename: /usr/share/grub/i386-redhat/e2fs_stage1_5
No such file or directory
2. File system error.
Filename: /usr/share/grub/i386-redhat/fat_stage1_5
No such file or directory
3. File system error.
Filename: /usr/share/grub/i386-redhat/ffs_stage1_5
No such file or directory
4. File system error.
Filename: /usr/share/grub/i386-redhat/minix_stage1_5
No such file or directory
5. File system error.
Filename: /usr/share/grub/i386-redhat/reiserfs_stage1_5
No such file or directory
6. File system error.
Filename: /usr/share/grub/i386-redhat/stage1
No such file or directory
7. File system error.
Filename: /usr/share/grub/i386-redhat/stage2
No such file or directory
8. File system error.
Filename: /usr/share/grub/i386-redhat/vstafs_stage1_5
No such file or directory
9. File system error.
Filename: /sbin/dhcpcd
No such file or directory
10. File system error.
Filename: /var/lock/subsys/ipchains
No such file or directory
11. File system error.
Filename: /var/lock/subsys/ipvsadm
No such file or directory
12. File system error.
Filename: /var/lock/subsys/ypbind
No such file or directory
13. File system error.
Filename: /var/lock/subsys/amd
No such file or directory
14. File system error.
Filename: /var/lock/subsys/arpwatch
No such file or directory
15. File system error.
Filename: /var/lock/subsys/autofs
No such file or directory
16. File system error.
Filename: /var/lock/subsys/bcm5820
No such file or directory
17. File system error.
Filename: /var/lock/subsys/bgpd
No such file or directory
18. File system error.
Filename: /var/lock/subsys/bootparamd
No such file or directory
19. File system error.
Filename: /var/lock/subsys/canna
No such file or directory
20. File system error.
Filename: /var/lock/subsys/cWnn
No such file or directory
21. File system error.
Filename: /var/lock/subsys/dhcpd
No such file or directory
22. File system error.
Filename: /var/lock/subsys/firewall
No such file or directory
23. File system error.
Filename: /var/lock/subsys/freeWnn
No such file or directory
24. File system error.
Filename: /var/lock/subsys/gated
No such file or directory
25. File system error.
Filename: /var/lock/subsys/httpd
No such file or directory
26. File system error.
Filename: /var/lock/subsys/identd
No such file or directory
27. File system error.
Filename: /var/lock/subsys/innd
No such file or directory
28. File system error.
Filename: /var/lock/subsys/irda
No such file or directory
29. File system error.
Filename: /var/lock/subsys/iscsi
No such file or directory
30. File system error.
Filename: /var/lock/subsys/isdn
No such file or directory
31. File system error.
Filename: /var/lock/subsys/junkbuster
No such file or directory
32. File system error.
Filename: /var/lock/subsys/kadmin
No such file or directory
33. File system error.
Filename: /var/lock/subsys/kprop
No such file or directory
34. File system error.
Filename: /var/lock/subsys/krb524
No such file or directory
35. File system error.
Filename: /var/lock/subsys/krb5kdc
No such file or directory
36. File system error.
Filename: /var/lock/subsys/kWnn
No such file or directory
37. File system error.
Filename: /var/lock/subsys/ldap
No such file or directory
38. File system error.
Filename: /var/lock/subsys/linuxconf
No such file or directory
39. File system error.
Filename: /var/lock/subsys/lpd
No such file or directory
40. File system error.
Filename: /var/lock/subsys/mars_nwe
No such file or directory
41. File system error.
Filename: /var/lock/subsys/mcserv
No such file or directory
42. File system error.
Filename: /var/lock/subsys/mysqld
No such file or directory
43. File system error.
Filename: /var/lock/subsys/named
No such file or directory
44. File system error.
Filename: /var/lock/subsys/nfs
No such file or directory
45. File system error.
Filename: /var/lock/subsys/nscd
No such file or directory
46. File system error.
Filename: /var/lock/subsys/ntpd
No such file or directory
47. File system error.
Filename: /var/lock/subsys/ospf6d
No such file or directory
48. File system error.
Filename: /var/lock/subsys/ospfd
No such file or directory
49. File system error.
Filename: /var/lock/subsys/pcmcia
No such file or directory
50. File system error.
Filename: /var/lock/subsys/postgresql
No such file or directory
51. File system error.
Filename: /var/lock/subsys/pxe
No such file or directory
52. File system error.
Filename: /var/lock/subsys/radvd
No such file or directory
53. File system error.
Filename: /var/lock/subsys/rarpd
No such file or directory
54. File system error.
Filename: /var/lock/subsys/reconfig
No such file or directory
55. File system error.
Filename: /var/lock/subsys/ripd
No such file or directory
56. File system error.
Filename: /var/lock/subsys/ripngd
No such file or directory
57. File system error.
Filename: /var/lock/subsys/routed
No such file or directory
58. File system error.
Filename: /var/lock/subsys/rstatd
No such file or directory
59. File system error.
Filename: /var/lock/subsys/rusersd
No such file or directory
60. File system error.
Filename: /var/lock/subsys/rwalld
No such file or directory
61. File system error.
Filename: /var/lock/subsys/rwhod
No such file or directory
62. File system error.
Filename: /var/lock/subsys/smb
No such file or directory
63. File system error.
Filename: /var/lock/subsys/snmpd
No such file or directory
64. File system error.
Filename: /var/lock/subsys/squid
No such file or directory
65. File system error.
Filename: /var/lock/subsys/tux
No such file or directory
66. File system error.
Filename: /var/lock/subsys/tWnn
No such file or directory
67. File system error.
Filename: /var/lock/subsys/ups
No such file or directory
68. File system error.
Filename: /var/lock/subsys/vncserver
No such file or directory
69. File system error.
Filename: /var/lock/subsys/wine
No such file or directory
70. File system error.
Filename: /var/lock/subsys/yppasswdd
No such file or directory
71. File system error.
Filename: /var/lock/subsys/ypserv
No such file or directory
72. File system error.
Filename: /var/lock/subsys/ypxfrd
No such file or directory
73. File system error.
Filename: /var/lock/subsys/zebra
No such file or directory
74. File system error.
Filename: /etc/tripwire/localhost-local.key
No such file or directory
75. File system error.
Filename: /bin/gawk-3.1.0
No such file or directory
76. File system error.
Filename: /bin/zsh-4.0.2
No such file or directory
-------------------------------------------------------------------------------
*** End of report ***
Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
I'm not sure what you mean by the config file, but if you could tell me which file to search for I'll pass it along.
As you can see this error report is so long that it's ridiculous.
Jim
Voidmain,
Here is the printout I got after completing the update:
[root@eunix report]# tripwire --update -r /var/lib/tripwire/report/eunix-20030417-135615.twr
Please enter your local passphrase:
Wrote database file: /var/lib/tripwire/eunix.twd
[root@eunix report]#
But if nothing has changed, I could run a # tripwire --check again right now and still get the whole huge error report again. That's what it's been doing recently. Actually I had intended to copy and paste the output of the update, but as soon as I entered ":wq" it disappeared.
Any information would be very appreciated.
Jim
You are probably running the default policy file which usually comes configured to check for things that you don't even have installed. You need to customize this file to fit your system and then rebuild your policy and database. The source for your config is probably in /etc/tripwire/twpol.txt and the source for your config is probably in /etc/tripwire/twcfg.txt. For each of the errors you are getting about the file not existing, comment that out in your twpol.txt file and rebuild your tripwire policy/database.
I usually run /etc/tripwire/twinstall.sh after modifying my twpol.txt and then do a "/usr/bin/tripwire -m i" to initialize the database. If you have all of the things commented out that should be then you should not get any more filesystem error messages for missing files. You can make it as lax or as strict as you want. tripwire is one of the less intuitive security tools but it can be very useful if properly configured.
On a default tripwire install and commenting out the files that do not exist and running the commands as described above, this is what I get when I run a check immediately following:
Code:
[root@kidslinux tripwire]# /usr/sbin/tripwire -m c
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/kidslinux-20030417-165406.twr
Tripwire(R) 2.3.0 Integrity Check Report
Report generated by: root
Report created on: Thu 17 Apr 2003 04:54:06 PM CDT
Database last updated on: Never
===============================================================================
Report Summary:
===============================================================================
Host name: kidslinux
Host IP address: 127.0.0.1
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/kidslinux.twd
Command line used: /usr/sbin/tripwire -m c
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
Invariant Directories 66 0 0 0
Temporary directories 33 0 0 0
Tripwire Data Files 100 0 0 0
Critical devices 100 0 0 0
User binaries 66 0 0 0
Tripwire Binaries 100 0 0 0
Libraries 66 0 0 0
Operating System Utilities 100 0 0 0
Critical system boot files 100 0 0 0
File System and Disk Administraton Programs
100 0 0 0
Kernel Administration Programs 100 0 0 0
Networking Programs 100 0 0 0
System Administration Programs 100 0 0 0
Hardware and Device Control Programs
100 0 0 0
System Information Programs 100 0 0 0
Application Information Programs
100 0 0 0
Shell Related Programs 100 0 0 0
Critical Utility Sym-Links 100 0 0 0
Shell Binaries 100 0 0 0
Critical configuration files 100 0 0 0
System boot changes 100 0 0 0
OS executables and libraries 100 0 0 0
Security Control 100 0 0 0
Login Scripts 100 0 0 0
Root config files 100 0 0 0
Total objects scanned: 42405
Total violations found: 0
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
No violations.
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
When you installed tripwire it should have also installed a script to run a check daily "/etc/cron.daily/tripwire-check". You can run that script manually or let it run daily. There is not much to the script:
Code:
#!/bin/sh
HOST_NAME=`uname -n`
if [ ! -e /var/lib/tripwire/${HOST_NAME}.twd ] ; then
    echo "**** Error: Tripwire database for ${HOST_NAME} not found. ****"
    echo "**** Run "/etc/tripwire/twinstall.sh" and/or "tripwire --init". ****"
else
    test -f /etc/tripwire/tw.cfg && /usr/sbin/tripwire --check
fi
The daily output should end up in root's mailbox.
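The clean-up Void Main describes (comment out every object the report lists under "File system error", then re-run twinstall.sh and re-initialize) is tedious by hand when the report has seventy-odd entries. The script below is an added example, not from this thread or from the Tripwire project: it pulls the missing paths out of a saved "tripwire --check" printout and comments out the matching object lines in a copy of twpol.txt. The report excerpt and policy fragment are constructed for the demo, and the policy is assumed to list one object per line in the usual twpol.txt layout; the real inputs would be the check output and /etc/tripwire/twpol.txt. It also reads the "Total violations found" line, which is the number that actually matters: file-system errors are objects the policy names that are not on disk, and "tripwire --update" cannot make them go away, which is why Jim's update did not help.

```shell
#!/bin/sh
# Added example (not part of the thread): prune a Tripwire policy of objects
# that "tripwire --check" reports as missing, so the daily report stops
# drowning real violations in "File system error" noise.

# Constructed excerpt of "tripwire --check" output, shaped like Jim's report.
SAMPLE_REPORT='Tripwire(R) 2.3.0 Integrity Check Report
Total objects scanned: 40774
Total violations found: 0
===============================================================================
Error Report:
===============================================================================
1. File system error.
Filename: /var/lock/subsys/zebra
No such file or directory
2. File system error.
Filename: /bin/gawk-3.1.0
No such file or directory
-------------------------------------------------------------------------------
*** End of report ***'

# Constructed policy fragment in twpol.txt syntax (assumption: one object per line).
SAMPLE_POLICY='(
  rulename = "Shell Binaries",
  severity = $(SIG_HI)
)
{
  /bin/bash              -> $(SEC_BIN) ;
  /bin/gawk-3.1.0        -> $(SEC_BIN) ;
}
(
  rulename = "System boot changes",
  severity = $(SIG_HI)
)
{
  /var/lock/subsys/zebra -> $(SEC_CONFIG) ;
  /var/lock/subsys/sshd  -> $(SEC_CONFIG) ;
}'

# missing_files < report
# Prints, one per line and without duplicates, each path named by a
# "File system error" entry. Tripwire prints the path on the following
# "Filename:" line, both in the scan-time "### Warning" and in the Error
# Report section, so both forms are accepted.
missing_files() {
    awk '/File system error/ { want = 1; next }
         want && /^(### )?Filename:/ {
             sub(/^(### )?Filename:[ \t]*/, "")
             if (!seen[$0]++) print
             want = 0
         }'
}

# violation_count < report
# The number on the "Total violations found:" line (0 if the line is absent).
violation_count() {
    awk -F': *' '/^Total violations found:/ { n = $2 } END { print n + 0 }'
}

# prune_policy POLICY_IN POLICY_OUT < report
# Copies the policy, prefixing "#" to every line whose first field is a path
# the report lists as missing. Lines already commented out are left alone.
prune_policy() {
    src="$1"; dst="$2"
    missing=$(missing_files)
    awk -v list="$missing" '
        BEGIN { n = split(list, m, "\n"); for (i = 1; i <= n; i++) gone[m[i]] = 1 }
        /^[ \t]*#/ { print; next }
        ($1 in gone) { print "#" $0; next }
        { print }' "$src" > "$dst"
}

# count_commented POLICY_FILE
# Number of object lines that are commented out ("#" then an absolute path).
count_commented() {
    awk '/^#[ \t]*\// { c++ } END { print c + 0 }' "$1"
}

# Demo on the constructed data in a scratch directory (assumption: mktemp exists).
demo() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_POLICY" > "$d/twpol.txt"
    printf '%s\n' "$SAMPLE_REPORT" | prune_policy "$d/twpol.txt" "$d/twpol.pruned.txt"
    echo "violations in report: $(printf '%s\n' "$SAMPLE_REPORT" | violation_count)"
    echo "object lines commented out: $(count_commented "$d/twpol.pruned.txt")"
    cat "$d/twpol.pruned.txt"
    rm -rf "$d"
}
```

After reviewing the pruned copy, install it as twpol.txt, run /etc/tripwire/twinstall.sh and then "tripwire -m i" as described above; the next "tripwire --check" should show "No Errors" in its Error Report section, and any non-zero "Total violations found" is then worth reading.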
Doogee wrote:what's this trip wire thing actually for, what does it do ???
It is something that everyone should be running who has a critical system attached directly to the Internet (and then some). It keeps track of critical system files and if something changes it will let you know. If someone cracks your server and installs a root kit you will know about it.
Of course this is just one of many elements that you should have in your bag of security tricks. For instance, one security practice that you should follow is to keep your system up to date with security updates as soon as they become available. Another security practice that you should follow is to not run unnecessary services and to restrict access to the ones that you do have running via firewall and other access methods. These are "preventative" practices that will help prevent your system from being cracked. Tripwire is one of a few types of "detection" practices. That is if your "preventative" measures failed you may detect that your system has been cracked with tripwire.
There are also network IDS (intrusion detection system) security measures that you can implement with programs such as Snort. Snort helps detect skr1pt kiddies who are trying to pick your locks and logs it in a database. All of these pieces fit together and make for a good security plan. "Prevention" alone is not enough as a cracker may know about a hole that has no patch. "Detection" helps you quickly determine whether you have been cracked. Then you might want to periodically scan your own network with tools like "Nessus" to help ensure you don't have any gaping wide holes. Use of encryption on any network traffic also helps to make your system more secure (use ssh rather than telnet, imaps rather than imap, pop3s rather than pop, etc, etc).
Bottom line is you can't be too security conscious and just covering one piece is not enough. Tripwire covers one of the pieces. If you are alerted that system files have changed that only root has access to you are pretty much tipped off that you have been cracked. If you were smart you were sending your system logs to a different server that is dedicated to collecting system logging from all of your systems. Also if you were smart you were also running an IDS like Snort so you can look through the logs of who came in from where at what time so you have plenty of information to relay on to the FBI as quickly as possible (depending on how critical your systems are).
Last edited by Void Main on Thu Apr 17, 2003 8:35 pm, edited 2 times in total.
Voidmain did it!!
As if there were ever any doubt. All I have to do now is make one more minor change to get rid of that "localhost" error and I'm good to go. Thanks again Voidmain, if you're interested, my current report is as follows:
[root@eunix tripwire]# tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
### Warning: File system error.
### Filename: /etc/tripwire/localhost-local.key
### No such file or directory
### Continuing...
Wrote report file: /var/lib/tripwire/report/eunix-20030418-183542.twr
Tripwire(R) 2.3.0 Integrity Check Report
Report generated by: root
Report created on: Fri 18 Apr 2003 06:35:42 PM EDT
Database last updated on: Never
===============================================================================
Report Summary:
===============================================================================
Host name: eunix
Host IP address: 127.0.0.1
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/eunix.twd
Command line used: tripwire --check
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
Invariant Directories 66 0 0 0
Temporary directories 33 0 0 0
Tripwire Data Files 100 0 0 0
Critical devices 100 0 0 0
User binaries 66 0 0 0
Tripwire Binaries 100 0 0 0
Critical configuration files 100 0 0 0
Libraries 66 0 0 0
Operating System Utilities 100 0 0 0
File System and Disk Administraton Programs
100 0 0 0
Kernel Administration Programs 100 0 0 0
Networking Programs 100 0 0 0
System Administration Programs 100 0 0 0
Hardware and Device Control Programs
100 0 0 0
System Information Programs 100 0 0 0
Application Information Programs
100 0 0 0
Shell Related Programs 100 0 0 0
Critical Utility Sym-Links 100 0 0 0
Shell Binaries 100 0 0 0
Critical system boot files 100 0 0 0
System boot changes 100 0 0 0
OS executables and libraries 100 0 0 0
Security Control 100 0 0 0
Login Scripts 100 0 0 0
Root config files 100 0 0 0
Total objects scanned: 40774
Total violations found: 0
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
No violations.
===============================================================================
Error Report:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
1. File system error.
Filename: /etc/tripwire/localhost-local.key
No such file or directory
-------------------------------------------------------------------------------
*** End of report ***
Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
Thanks again!!!
Jim
dishawjp wrote:As if there were ever any doubt. All I have to do now is make one more minor change to get rid of that "localhost" error and I'm good to go. Thanks again Voidmain, if you're interested, my current report is as follows:
No problem. Yeah to get rid of the localhost error just change the "HOSTNAME" var in your twpol.txt from localhost to eunix, but you probably already figured that out.
siplus wrote:is Tripwire something that a noob like me can setup easily?
No. :) just kidding. Yeah there is nothing to it really, once you figure out how it works. It should be on your Red Hat CD, or if you have apt installed you can just:
# apt-get install tripwire
Once installed it should automatically be set up to run every day. It will not actually work properly until you go through what we went through in this thread though.