Troubleshooting Tripwire Alerts
Dealing with Tripwire Violation alerts
tripwire reported a violation, now what?
- Use a jumpbox + bosh ssh to access the host that is alerting.
- Run a tripwire report in update mode:
tripwire -m c -L <local site key path> -S <site-key-path> -P <password> -I - The report opens in
vim. Look for theObject Detailsection(s) to see what changed. Properties with*by their names have changed. - If the changes seem reasonable:
- Update the Tripwire Policy. Try to figure out the most restrictive tripwire policy change you can make that will silence the alert. E.g. a logfile that gets truncated/rotated periodically might need to be changed from
GrowingtoDynamic.IgnoreAlland!should be absolute last resorts. - Make sure to exit vim with
:cqso your changes are not persisted locally to the database. - Push your changes, make a PR, and redeploy any releases that may be affected by the policy change.
- Update the Tripwire Policy. Try to figure out the most restrictive tripwire policy change you can make that will silence the alert. E.g. a logfile that gets truncated/rotated periodically might need to be changed from
- If the changes are not reasonable, find their cause and consider opening a security incident.