# $Id: FAQ,v 1.4 92/12/10 16:57:57 genek Exp $

#
# FAQ for Tripwire
#

    This file answers frequently asked questions about Tripwire.
The first section of the file covers Tripwire concepts and design,
while the second section addresses troubleshooting.

Concepts:
=========

Q:	Why doesn't Tripwire ever traverse filesystems?

A:	This is a feature.  This behavior makes it possible to put a
	directory (e.g., '/') in your tw.config file, and you won't
	have to worry whether it will traverse all the locally-mounted
	filesystems.


Q:	What is the difference between pruning an entry in your 
	tw.config file (via "!") and ignoring everything (via the "E" 
	template)?

A:	Ignoring everything in a directory still monitors for added 
	and deleted files.  Pruning a directory will prevent Tripwire
	from even looking in the specified directory.


Q:	Tripwire runs very slowly.  What can I do to make it run 
	faster?

A:	You can modify your tw.config entries to skip the Snefru 
	signatures by appending a "-2" to the ignore flags.  Or you can
	tell Tripwire at run time to skip Snefru with:
		
			tripwire -i 2
			
	This computationally expensive operation may not be needed for 
	many applications.  (See README section on security vs. 
	performance trade-offs for further details.)

Troubleshooting:
================

Q: 	When running Tripwire in Integrity Checking mode, Tripwire
	fails when it tries to find a file with a name consisting of
	thousands of '/'s.  What went wrong?

A:	The #define DIRENT value in your conf-<os>.h file is probably
	set wrong.  Try switching the setting and see if the problem
	goes away.  (I.e., switch #define to #undef, or vice versa.)


Q:	I have /tmp in my tw.config file, but none of the files in 
	the directory are being read by Tripwire.  What's going on?

A:	Check to see that your /tmp directory isn't a symbolic link
	to another filesystem.  When recursing down into directories,
	Tripwire never traverses symbolic links or enters another
	filesystem.  


Q:	Is there any way I can get Tripwire to print out the names of the
	files as they are being scanned?  I want to know which files
	Tripwire is spending all of its time crunching.

A:	Try using 'tripwire -v'.  This wasn't documented in the first
	tripwire.5 manual page.


Q:	I added a new file to a directory already in the tw.config file.
	When I do a 'tripwire -update', the new file isn't added to the
	database!

A: 	This is a feature.  When using 'tripwire -update' to update 
	existing entries, Tripwire scans your existing database and updates
	only those entries that already exist.  This makes it less likely
	that new files are added to your database unknowingly.  (The
	premise is that initializing the database was a carefully
	thought-out operation, while updates are done more casually.)
	Consider the following scenario:

	A set of tools resides in /usr/local/gnu.  You install the new
	versions of, say, the compilers.  Consequently, the Tripwire
	database entries for these files are out-of-date (time stamp and
	signatures).  By running 'tripwire -update /usr/local/gnu', you will 
	only update the entries that already exist in the database.  New
	files lurking in /usr/local/gnu will not be added, thus making it
	less likely that an entry is added to your database unknowingly.

	The idea was to enforce continuity for entries in the
	tw.config file.  So, the /etc entry means "files that currently
	reside in /etc when I initialize the database, but not any files
	that may appear there later."  This is why 'tripwire -update'
	doesn't add new files.

	To add a new file, you'll have to specify it on the command
	line.  For instance, 'tripwire -update /usr/local/gnu/gnunew /etc/wurble'
	adds two new entries to your database. 
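
	The update rule described above, modeled in Python.  This is an
	added example, not Tripwire's own code: the update() and signature()
	helpers, the sample file names, and the use of SHA-256 in place of
	Tripwire's signature routines are assumptions made for illustration.

```python
import hashlib
import os
import tempfile


def signature(path):
    """Stand-in signature: SHA-256 of the contents (not Tripwire's Snefru)."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def update(database, args):
    """Model of 'tripwire -update ARGS' as this FAQ describes it; database maps
    path -> signature, and the newly added paths are returned."""
    added = []
    for arg in args:
        arg = os.path.abspath(arg)
        if os.path.isdir(arg):
            # Directory argument: refresh only entries already recorded
            # beneath it; files that appeared since initialization are skipped.
            prefix = arg.rstrip(os.sep) + os.sep
            for path in [p for p in database if p.startswith(prefix)]:
                if os.path.isfile(path):
                    database[path] = signature(path)
        elif os.path.isfile(arg):
            # File named explicitly on the command line: add or refresh it.
            if arg not in database:
                added.append(arg)
            database[arg] = signature(arg)
    return sorted(added)


def demo():
    """Constructed scenario: a compiler is upgraded and a new file appears."""
    with tempfile.TemporaryDirectory() as root:
        gcc, new = os.path.join(root, "gcc"), os.path.join(root, "gnunew")
        with open(gcc, "w") as fh:
            fh.write("compiler v1")
        db = {gcc: signature(gcc)}            # database "initialization"
        old = db[gcc]
        with open(gcc, "w") as fh:
            fh.write("compiler v2")           # legitimate upgrade
        with open(new, "w") as fh:
            fh.write("appeared later")        # file not in the database
        first = update(db, [root])            # directory only
        refreshed = db[gcc] != old and new not in db
        second = update(db, [new])            # named explicitly
        return first, refreshed, [os.path.basename(p) for p in second], len(db)
```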


Q:	I try to initialize the database by typing 'tripwire -initialize'
	but I can't find the binary.  Where is the tripwire executable?

A:	./src/tripwire is where the binary is built.  'make install'
	will install in the $(DESTDIR) of your choice, as defined
	in the top-level Makefile.


Gene & Gene
Kim  & Spafford

December 10, 1992
(genek@mentor.cc.purdue.edu)
(spaf@cs.purdue.edu)
	
