Tripwire causing too much load. Is it Settings?

Metro2 (Well-Known Member, joined May 24, 2006, USA; cPanel Access Level: Root Administrator)
Just during the past week I've started seeing a massive load spike on one of my servers at around 4-5am each morning. It is causing a really bad slowdown - even customer web pages are loading very slowly during this approx. 1 hour period.

Top shows that /usr/sbin/tripwire seems to be the culprit, using a ton of CPU.

I'll be the first to admit I don't know a lot about tripwire or how it is setup. I purchased my security setup consulting from Chirpy a while back and I'm assuming this is part of what he configured and is somehow linked with CSF/LFD, but I'm afraid to attempt any adjustments on my own.

I thought I'd try here first to see if someone else has opinions/advice before I contact Chirpy directly, seeing as how it's been a while since I had the service done and I don't want to crowd his helpdesk if I can avoid it.

Thanks for any ideas!

chirpy (Well-Known Member, Verified Vendor, joined Jun 15, 2002; location: "Go on, have a guess")
I can answer here ;) Tripwire does indeed use up a lot of resources - it's particularly resource intensive. You either live with it, or do away with it as there's nothing much you can do about the resources it needs to work. If you want to remove tripwire you can do so with:

rpm -e tripwire

Metro2 (Well-Known Member, joined May 24, 2006, USA; cPanel Access Level: Root Administrator)
Thanks Chirpy,

I've had tripwire for quite a long time on the box in question, probably almost a year since you originally worked on that one in fact, and only recently did it start to become an issue like this.

So I'm wondering - could this have anything to do with the fact that the report files are getting so big? Pardon me if I'm being rather "noob-ish" and naive here, but I just checked /var/lib/tripwire/report with ls -l and see this:

-rw-r--r-- 1 root root 627950 Apr 3 04:39 xxx.xxxxx.net-20060403-043700.twr
-rw-r--r-- 1 root root 627950 Apr 4 04:36 xxx.xxxxx.net-20060404-043327.twr
-rw-r--r-- 1 root root 627934 Apr 5 04:37 xxx.xxxxx.net-20060405-043440.twr
-rw-r--r-- 1 root root 627934 Apr 6 04:35 xxx.xxxxx.net-20060406-043233.twr
... (really long list of daily reports snipped out) ...
-rw-r--r-- 1 root root 1586166 Sep 28 03:49 xxx.xxxxx.net-20060928-034608.twr
-rw-r--r-- 1 root root 1586286 Sep 29 03:50 xxx.xxxxx.net-20060929-034537.twr
-rw-r--r-- 1 root root 1586398 Sep 30 03:50 xxx.xxxxx.net-20060930-034535.twr
-rw-r--r-- 1 root root 1587326 Oct 1 03:50 xxx.xxxxx.net-20061001-034539.twr

The daily report files go all the way back to January or so, and as you can see the files just keep getting bigger each day. Back in April they were about 600 KB each and now they're up to almost 2 MB each.

So now I have 3 questions:

Should I be deleting those old reports?

Is it normal for the files to be getting so big?

Is there a setting I should change that would stop the files from getting so big and stop it from storing them forever?

Again my apologies for being such a noob about this. All I know is I have a "feeling" that these sudden tripwire load spikes might be something that I can actually stop without having to remove tripwire from the server - I'd like to keep it, because security is a good thing ;)

Metro2 (Well-Known Member, joined May 24, 2006, USA; cPanel Access Level: Root Administrator)
As always, thanks Chirpy!!

Does anyone know the answers to these other two questions:
Is it normal for the files to be getting so big?
Is there a setting I should change that would stop the files from getting so big and stop it from storing them forever?

I'm sifting through the tripwire stuff online and I can't seem to find out.

BTW, during my search I found these pages that tripwire noobs might find helpful -
http://www.linuxdevcenter.com/pub/a/linux/2001/06/29/tools_two.html?page=3
http://www-cse.ucsd.edu/classes/sp99/cse190_A/Tripwire.pdf

Infopro (Well-Known Member, joined May 20, 2003, Pennsylvania; cPanel Access Level: Root Administrator)

From chirpy:

When you get your daily report you should read it and note any files that have been changed/modified that you wouldn't normally expect to have changed. If any that are changed seem suspicious, you should investigate further.

If all seems OK and the report is still short, you can just leave things as they are. The next day, the report will include any changes from the previous day(s) plus the latest. The reports can become unwieldy, so it is a good idea to update the database if you're happy with all file modifications. To do this, copy the report file name (including its full path) from the line starting:

Wrote report file:

then log in to the root shell and issue the command:
tripwire -m u -r <filename>

Tripwire will then throw you into the vi editor, which you can exit with <ESC>: then wq<return>; this should then prompt you for the local passphrase to update the database.
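The two chores raised in this thread, picking the right report to accept with "tripwire -m u -r <filename>" and dealing with the daily .twr files that pile up in /var/lib/tripwire/report, can be handled with a few shell helpers. The script below is an added example, not code from the thread, from chirpy's setup, or from the Tripwire project. It assumes the report directory and the "Wrote report file:" output line shown in the posts above; the REPORT_DIR variable, the function names, and the host.example-* file names are assumptions made for the example. It prints the update command rather than running it, so nothing is accepted into the database until the admin has reviewed the report.

```shell
#!/bin/sh
# Added example (not from the thread or the Tripwire project): helpers for
# choosing the report to accept with "tripwire -m u -r <report>" and for
# pruning old daily .twr reports.
# Assumption: reports live in REPORT_DIR (defaulting to the directory shown
# in the ls listing above) and end in .twr.
set -u

REPORT_DIR="${REPORT_DIR:-/var/lib/tripwire/report}"

# Read "tripwire --check" output on stdin and print the path that follows the
# "Wrote report file:" line; that path is what the update command needs.
report_from_output() {
    sed -n 's/^Wrote report file:[[:space:]]*//p' | tail -n 1
}

# Print the newest .twr in directory $1 (prints nothing if there is none).
latest_report() {
    ls -1t "$1"/*.twr 2>/dev/null | head -n 1
}

# Print, rather than run, the database-update command for report $1, so the
# admin can check which report is about to be accepted before typing it as root.
update_command() {
    printf 'tripwire -m u -r %s\n' "$1"
}

# Reports older than $2 days in directory $1: list them ($3 = list) or delete
# them (default). Once changes are accepted with "tripwire -m u", the old
# reports are only history, so keep just the window you review.
prune_reports() {
    if [ "${3:-delete}" = list ]; then
        find "$1" -name '*.twr' -type f -mtime +"$2"
    else
        find "$1" -name '*.twr' -type f -mtime +"$2" -exec rm -f {} +
    fi
}

# Demo on constructed data in a scratch directory (run as: sh this.sh --demo).
if [ "${1-}" = --demo ]; then
    scratch=$(mktemp -d)
    # Constructed file names in the pattern of the listing above, backdated so
    # they count as old; the last one gets the current time.
    touch -t 200604030439 "$scratch/host.example-20060403-043700.twr"
    touch -t 200610010350 "$scratch/host.example-20061001-034539.twr"
    touch "$scratch/host.example-latest.twr"
    printf 'Newest report: %s\n' "$(latest_report "$scratch")"
    update_command "$(latest_report "$scratch")"
    printf 'Older than 30 days:\n'
    prune_reports "$scratch" 30 list
    # Constructed excerpt of check output; only the last line is parsed.
    printf 'Performing integrity check...\nWrote report file: %s\n' \
        "$REPORT_DIR/host.example-20061001-034539.twr" | report_from_output
    rm -rf "$scratch"
fi
```

Run `prune_reports /var/lib/tripwire/report 30 list` first to see what would go, and only then without `list`. Keeping the reports small is a side effect of accepting reviewed changes into the database; pruning only reclaims disk space, it does not shorten the next day's report.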