US flag signifying that this is a United States Federal Government website An official website of the United States government

Troubleshooting Tripwire Alerts

Troubleshooting Tripwire Alerts

This page is primarily for the team. It's public so that you can learn from it. For help using, see the user docs.

Dealing with Tripwire Violation alerts

tripwire reported a violation, now what?

  1. Use a jumpbox + bosh ssh to access the host that is alerting.
  2. Run a tripwire report in update mode: tripwire -m c -L <local site key path> -S <site-key-path> -P <password> -I
  3. The report opens in vim. Look for the Object Detail section(s) to see what changed. Properties with * by their names have changed.
  4. If the changes seem reasonable:
    1. Update the Tripwire Policy. Try to figure out the most restrictive tripwire policy change you can make that will silence the alert. E.g. a logfile that gets truncated/rotated periodically might need to be changed from Growing to Dynamic. IgnoreAll and ! should be absolute last resorts.
    2. Make sure to exit vim with :cq so your changes are not persisted locally to the database.
    3. Push your changes, make a PR, and redeploy any releases that may be affected by the policy change.
  5. If the changes are not reasonable, find their cause and consider opening a security incident.