Troubleshooting Tripwire Alerts
This page is primarily for the cloud.gov team. It's public so that you can learn from it. For help using cloud.gov, see the user docs.
Dealing with Tripwire Violation alerts
tripwire reported a violation, now what?
- Use a jumpbox + bosh ssh to access the host that is alerting.
- Run a tripwire report in update mode:
tripwire -m c -L <local site key path> -S <site-key-path> -P <password> -I - The report opens in
vim. Look for theObject Detailsection(s) to see what changed. Properties with*by their names have changed. - If the changes seem reasonable:
- Update the Tripwire Policy. Try to figure out the most restrictive tripwire policy change you can make that will silence the alert. E.g. a logfile that gets truncated/rotated periodically might need to be changed from
GrowingtoDynamic.IgnoreAlland!should be absolute last resorts. - Make sure to exit vim with
:cqso your changes are not persisted locally to the database. - Push your changes, make a PR, and redeploy any releases that may be affected by the policy change.
- Update the Tripwire Policy. Try to figure out the most restrictive tripwire policy change you can make that will silence the alert. E.g. a logfile that gets truncated/rotated periodically might need to be changed from
- If the changes are not reasonable, find their cause and consider opening a security incident.