Troubleshooting Tripwire Alerts
Dealing with Tripwire Violation alerts
Tripwire reported a violation, now what?
- Use a jumpbox + bosh ssh to access the host that is alerting.
- Run a Tripwire integrity check in interactive mode. This runs the check and then opens the report so that the database update can be reviewed:
  tripwire -m c -L <local-key-path> -S <site-key-path> -P <local-passphrase> -I
  (-m c is check mode, -L the local key file, -S the site key file, -P the local passphrase, -I interactive mode.)
- The report opens in vim. Look for the Object Detail section(s) to see what changed. Properties marked with * next to their names are the ones that changed.
- If the changes seem reasonable:
  - Update the Tripwire policy. Find the most restrictive policy change that will silence the alert. E.g. a log file that is truncated or rotated periodically might need its rule changed from Growing to Dynamic, which drops only the "file may only grow" check and keeps checking ownership, permissions and the other properties. IgnoreAll and ! (excluding the path from scanning altogether) should be absolute last resorts.
  - Make sure to exit vim with :cq so that Tripwire aborts the update and your changes are not persisted to the local database on the host; the fix should arrive through the policy change and redeploy below, not through a one-off database update.
  - Push your changes, open a PR, and redeploy any releases that may be affected by the policy change.
- If the changes are not reasonable, find their cause and consider opening a security incident.
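As an added example (not taken from the original page or from this project's own policy file), this is what the Growing to Dynamic change looks like in a Tripwire policy file, using the predefined property masks and severity variables from the stock twpol.txt. The rule name and the log path under /var/vcap/sys/log are assumed for illustration.

```text
@@section GLOBAL
# Severity levels as defined in the stock twpol.txt
SIG_LOW = 33 ;
SIG_MED = 66 ;
SIG_HI  = 100 ;

# Predefined masks (each letter is one file property; + checks it, - ignores it).
#   Growing: +pinugtdl-srbamcCMSH   'l' = the file may only ever grow; a
#                                    rotation or truncation violates it
#   Dynamic: +pinugtd-srlbamcCMSH   same as Growing minus the 'l' check
# Both still check p (perms), i (inode), n (links), u/g (owner), t (type), d (device).
SEC_LOG    = $(Growing) ;
SEC_CONFIG = $(Dynamic) ;

@@section FS
(
  rulename = "Example app logs",     # assumed rule name
  severity = $(SIG_MED)
)
{
  # Before: alerts every time logrotate truncates the file.
  # /var/vcap/sys/log/example/example.log -> $(SEC_LOG) ;        # assumed path

  # After: the narrowest change that silences the rotation alert.
  /var/vcap/sys/log/example/example.log -> $(SEC_CONFIG) ;      # assumed path

  # Last resorts, avoid unless nothing narrower works:
  # /var/vcap/sys/log/example/example.log -> $(IgnoreAll) ;     # checks no properties at all
  # !/var/vcap/sys/log/example/example.log ;                    # path is not scanned at all
}
```

Neither Growing nor Dynamic checks size, timestamps or hashes, so the move loses only the "must not shrink" detection; a log that is replaced by a symlink, reowned, or made world-writable still raises a violation under Dynamic. Because this policy lives in the release, the change takes effect through the PR and redeploy, not by editing the policy on the host.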