# $Id: FAQ,v 1.11 1993/12/15 23:03:35 genek Exp $

#
# FAQ for Tripwire
#

    This file answers frequently asked questions about Tripwire.
The first section of the file covers Tripwire concepts and design,
while the second section addresses troubleshooting.

Concepts:
=========

Q:	Why doesn't Tripwire ever traverse across mounted filesystems?

A:	This is a feature.  This behavior makes it possible to put a
	directory (e.g., '/') in your tw.config file, and you won't
	have to worry whether it will traverse all the locally-mounted
	filesystems.


Q:	What is the difference between pruning an entry in your 
	tw.config file (via "!") and ignoring everything (via the "E" 
	template)?

A:	Ignoring everything in a directory still monitors for added 
	and deleted files.  Pruning a directory will prevent Tripwire
	from even looking in the specified directory.
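
	The difference can be modelled in a few lines of Python.  This is
	an added example, not Tripwire's own code: the spool/ tree, the
	function names and the use of SHA-256 as a stand-in signature are
	all assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def _under(rel, dirs):
    return any(rel == d or rel.startswith(d + os.sep) for d in dirs)

def snapshot(root, pruned=(), ignore_all=()):
    """Return {relative path: signature}; signature is None under ignore_all."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # Prune ("!"): drop the directory before descending, so nothing below is seen.
        dirnames[:] = [d for d in dirnames
                       if os.path.normpath(os.path.join(rel_dir, d)) not in pruned]
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if _under(rel, ignore_all):
                db[rel] = None          # "E": name recorded, attributes ignored
            else:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    # SHA-256 is a stand-in for Tripwire's signature routines
                    db[rel] = hashlib.sha256(fh.read()).hexdigest()
    return db

def compare(old, new):
    both = set(old) & set(new)
    return {"added": sorted(set(new) - set(old)),
            "deleted": sorted(set(old) - set(new)),
            "changed": sorted(p for p in both if old[p] != new[p])}

def write(root, rel, data):
    with open(os.path.join(root, *rel.split("/")), "wb") as fh:
        fh.write(data)

def demo(mode):
    """Constructed tree: baseline, then modify/delete/add files under spool/."""
    kw = {"prune": {"pruned": ("spool",)},
          "ignore": {"ignore_all": ("spool",)}}.get(mode, {})
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "spool"))
        for rel, data in (("passwd", b"root"), ("spool/job1", b"a"), ("spool/job2", b"b")):
            write(root, rel, data)
        before = snapshot(root, **kw)
        write(root, "spool/job1", b"changed")
        os.remove(os.path.join(root, "spool", "job2"))
        write(root, "spool/job3", b"new")
        return compare(before, snapshot(root, **kw))

if __name__ == "__main__":
    for mode in ("full", "ignore", "prune"):
        print(mode, demo(mode))
```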


Q:	Tripwire runs very slowly.  What can I do to make it run 
	faster?

A:	You can modify your tw.config entries to skip the Snefru 
	signatures by appending a "-2" to the ignore flags.  Or you can
	tell Tripwire at run time to skip Snefru with:
		
			tripwire -i 2
			
	This computationally expensive operation may not be needed for 
	many applications.  (See README section on security vs. 
	performance trade-offs for further details.)

Troubleshooting:
================

Q:	I built Tripwire and the test suite fails.  What do I do?
A:	Read the README section on "Common Compilation Problems."


Q:	Tripwire reports that my database version is out of date.  What
	should I do?
A:	The database format changed between Tripwire v1.0 and v1.1.
	Specifically, Tripwire v1.1 uses a different base-64 alphabet.
	Use the program twconvert to convert between the two formats.
	(This program is located in the ./aux directory.)


Q:	Where do I find Larry Wall's patch program?
A:	You can get it via anonymous FTP at ftp.uu.net:/pub/patch.tar.Z.


Q: 	When running Tripwire in Integrity Checking mode, Tripwire
	fails when it tries to find a file with a name consisting of
	thousands of '/'s.  What went wrong?

A:	The #define DIRENT value in your conf-<os>.h file is probably
	set wrong.  Try switching the setting and see if the problem
	goes away (i.e., switch #define to #undef, or vice versa).


Q:	I have /tmp in my tw.config file, but none of the files in 
	the directory are being read by Tripwire.  What's going on?

A:	Check to see that your /tmp directory isn't a symbolic link
	to another filesystem.  When recursing down into directories,
	Tripwire never traverses symbolic links or enters another
	filesystem.  


Q:	Is there any way I can get Tripwire to print out the names of the
	files as they are being scanned?  I want to know which files
	Tripwire is spending all of its time crunching.

A:	Try using 'tripwire -v'.  This wasn't documented in the first
	tripwire.8 manual page.


Q:	I try to initialize the database by typing 'tripwire -initialize'
	but I can't find the binary.  Where is the tripwire executable?

A:	./src/tripwire is where the binary is built.  'make install'
	will install in the $(DESTDIR) of your choice, as defined
	in the top-level Makefile.


Q:	I have the following line in my tw.config file to do host specific
	actions.  Why doesn't it work?

		@@ifhost chapel || chekov || chewie || data || guinan 
			....
		@@endif

A:	You must put the hostnames as returned by 'hostname' or 'uname'
	(depending on whether you're running a BSD or SYSV derived OS).
	So, the correct form would be:

		@@ifhost chapel.enterprise.fed || chekov.enterprise.fed ...

	The Tripwire preprocessor tries its best to figure out if you
	have used malformed hostnames.


Gene & Gene
Kim  & Spafford

Last updated: December 11, 1993
(genek@mentor.cc.purdue.edu)
(spaf@cs.purdue.edu)
	
