# $Id: FAQ,v 1.20 1999/04/30 06:09:48 Cschutz Exp $

#
# FAQ for Tripwire
#

    Listed below are the most frequently asked questions about 
Tripwire.  The first section of the file covers Tripwire concepts 
and design, while the second section addresses troubleshooting.

Concepts:
=========
Q:	Does Tripwire have any Year 2000 (Y2K) problems?

A:	Tripwire 1.3.1 ASR has been minimally tested for Y2K compliance.
  	This version of Tripwire uses the POSIX ctime() function common to
  	most other UNIX utilities.  Dates are fully represented by 26 characters
  	which allows dates after the year 2000 to be unambiguously displayed.
  	(e.g., Fri Sep 13 00:00:00 2003)  Although it has passed Y2K tests and
  	no problems are expected, Tripwire 1.3.1 ASR has not been certified
  	Y2K compliant. 


Q:	Why doesn't Tripwire traverse mounted file systems?

A:	This is intentional.  This behavior makes it possible to put a directory
 	(e.g., '/') in your tw.config file, and you won't have to worry whether it
 	will traverse all the locally-mounted file systems.  If you want it
 	include the whole file system, list each partition separately in the
 	configuration file.


Q:	What is the difference between pruning an entry in your tw.config file
 	(via "!") and ignoring everything (via the "E" template)?

A:	Ignoring everything in a directory still monitors for added and deleted
 	files.  Pruning a directory will prevent Tripwire from even looking in the
 	specified directory.



Q:	Tripwire runs very slowly.  What can I do to make it run 
	faster?

A:	You can modify your tw.config entries to skip the Snefru signatures by
 	appending a "-2" to the ignore flags.  Or you can tell Tripwire at run-
	time to skip Snefru by:		

			tripwire -i 2
			
	This computationally expensive operation may not be needed for many
 	applications.  (See README section on security vs. performance trade-offs
 	for further details.)


Troubleshooting:
================
Q:	I build Tripwire and the test suite fails.  What do I do?

A:	Read the README section on "Common Compilation Problems."


Q:	Tripwire reports that my database version is out of date.
	What should I do?

A:	The database format used by Tripwire v1.2 changed. You need to rebuild the
 	database with Tripwire v1.2; see the README file for details.  If you are
 	monitoring filenames in which there are spaces, you will need to rebuild
 	the database with Tripwire v1.3.1.


Q: 	When running Tripwire in Integrity Checking mode, Tripwire fails when it
 	tries to find a file with a name consisting of dozens/hundreds/thousands
 	of '/'s.  What went wrong?

A:	Your setting for the #define DIRENT value in your conf-<os>.h file is
 	probably incorrect.  Trying switching the setting and see if the problem
 	goes away.  (i.e., switch #define to  #undef, or vice versa.)


Q:	I have /tmp in my tw.config file, but none of the files in the directory
	are being read by Tripwire.  What's going on?

A:	Check to see that your /tmp directory isn't a symbolic link to another
 	file system.  When recursing down into directories, Tripwire never
 	traverses symbolic links or enters another file system.  


Q:	Is there any way I can get Tripwire to print out the names of the files as
 	they are being scanned?  I want to know which files Tripwire is spending
 	all of its time crunching.

A:	Use 'tripwire -v'.  


Q:	I try to initialize the database by typing 'tripwire -initialize' but I
 	can't find the binary.  Where is the tripwire executable?

A:	./src/tripwire is where the binary is built.  'make install' will install
 	in the $(DESTDIR) of your choice, as defined in the top-level Makefile.


 Q:	I have the following line in my tw.config file to do host specific
 	actions.  Why doesn't it work?

		@@ifhost chapel || chekov || chewie || data || guinan 
			....
		@@endif

A:	You must put the hostnames as returned by 'hostname' or 'uname' (depending 	on whether you're running a BSD or SYSV derived OS). So, the correct form 
	would be:

		@@ifhost chapel.enterprise.fed || chekov.enterprise.fed ...

	The Tripwire preprocessor tries its best to figure out if you have used 
	misformed hostnames.


Q.	As part of my operational security plan for my exported NFS partitions, I
 	want to run "fsirand" regularly.  Unfortunately, if I do this, Tripwire
 	will complain that every file has changed (because the i-node numbers will
 	change).  I don't want to rebuild the entire system database each time.
 	What can I do?

A.	We have included a Perl script in the distribution that will go through a
 	Tripwire db file (the output database) and update the i-node fields, while
 	leaving everything else the same.  To use it, you need to modify the first
 	line to point to your Perl interpreter (if you don't have Perl, you'll
 	need to write your own program in C or get Perl from an ftp site).  

	The Perl script is ./contrib/twdb_newinode.pl.

	The next time you are in single-user mode running fsirand, run this script
 	with the db as input.  For example,

	    cd /usr/local/adm/tcheck/databases
	    ./twdb_newinode.pl tw.db_myhost

	It will automatically create a backup version of the file for you as a
 	"just in case." 

	*Afterwards, be certain to set the disk with the database back to read-
	only!!*  Also, store the Perl script in the same secure place as the
 	Tripwire program.


Last updated: April 30th, 1999.  Mail comments to: support@tripwiresecurity.com
	
