Installation guide
Chapter 11. Tripwire
Important
It is important that you change only authorized integrity violations in the database.
All proposed updates to the Tripwire database start with an [x] before the file name, similar to the
following example:
Added:
[x] "/usr/sbin/longrun"
Modified:
[x] "/usr/sbin"
[x] "/usr/sbin/cpqarrayd"
If you want to specifically exclude a valid violation from being added to the Tripwire database, remove
the x. To accept any files with an x beside them as changes.
To edit files in the default text editor, vi, type i and press [Enter] to enter insert mode and make any
necessary changes. When finished press the [Esc] key, type :wq, and press [Enter].
After the editor closes, enter your local password and the database will be rebuilt and signed.
After a new Tripwire database is written, the newly authorized integrity violations will no longer show
up as warnings.
11.8. Updating the Tripwire Policy File
If you want to change the files Tripwire records in its database, change email configuration, or modify
the severity at which certain violations are reported, you need to edit your Tripwire policy file.
First, make whatever changes are necessary to the sample policy file /etc/tripwire/twpol.txt.
If you deleted this file (as you should whenever you are finished configuring Tripwire), you can
regenerate it by issuing the following command:
twadmin --print-polfile > /etc/tripwire/twpol.txt
A common change to this policy file is to comment out any files that do not exist on your system
so that they will not generate a file not found error in your Tripwire reports. For example, if
your system does not have a /etc/smb.conf file, you can tell Tripwire not to try to look for it by
commenting out its line in twpol.txt with the # character as in the following example:
# /etc/smb.conf -> $(SEC_CONFIG) ;
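The comment-out step described above can be scripted. The following is an added example, not part of the original guide: a POSIX shell function that prefixes with # every rule in a policy text file whose path does not exist. The function name comment_missing_rules, its optional ROOT argument and the sample policy lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the guide.
# Assumption: one rule per line, "<path> -> <mask> ;", with an unquoted
# absolute path containing no spaces. All other lines pass through unchanged.

# comment_missing_rules POLICY [ROOT]
#   POLICY  policy text file such as /etc/tripwire/twpol.txt
#   ROOT    hypothetical prefix put in front of each path before the
#           existence test (empty by default, meaning the live filesystem)
# Prints the rewritten policy on stdout; POLICY itself is not modified.
comment_missing_rules() {
    policy=$1
    root=${2:-}
    while IFS= read -r line || [ -n "$line" ]; do
        set -f            # no globbing while the line is split into words
        set -- $line      # for a rule line: $1 is the path, $2 is "->"
        set +f
        case "${1:-}:${2:-}" in
            /*:'->')
                # A symlink counts as present even if its target is gone.
                if [ -e "$root$1" ] || [ -L "$root$1" ]; then
                    printf '%s\n' "$line"
                else
                    printf '# %s\n' "$line"
                fi ;;
            *)  printf '%s\n' "$line" ;;   # comments, variables, braces
        esac
    done < "$policy"
}

# Constructed sample: a scratch tree where /etc/passwd exists and
# /etc/smb.conf does not, checked against a three-line policy fragment.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/etc" && : > "$tmp/etc/passwd"
    cat > "$tmp/twpol.txt" <<'EOF'
/etc/passwd -> $(SEC_CONFIG) ;
/etc/smb.conf -> $(SEC_CONFIG) ;
# /etc/old.conf -> $(SEC_CONFIG) ;
EOF
    comment_missing_rules "$tmp/twpol.txt" "$tmp"
    rm -rf "$tmp"
}

demo
```

Review the output before signing it with twadmin --create-polfile: a path whose rule is commented out is no longer covered by that rule if the file is created later.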
Next, you must generate a new, signed /etc/tripwire/tw.pol file and generate an updated
database file based on this policy information. Assuming /etc/tripwire/twpol.txt is the edited
policy file, use this command:
/usr/sbin/twadmin --create-polfile -S site.key /etc/tripwire/twpol.txt
You will be asked for the site password. Then, the twpol.txt file will be encrypted and signed.
It is important that you update the Tripwire database after creating a new /etc/tripwire/tw.pol
file. The most reliable way to accomplish this is to delete your current Tripwire database and create a
new database using the new policy file.
If your Tripwire database file is named bob.domain.com.twd, type this command:
rm /var/lib/tripwire/bob.domain.com.twd