Updating The Policy File - Red Hat LINUX 7.2 Reference Manual

All proposed updates to the Tripwire database start with a [x] before the file name. If you want to
specifically exclude a valid violation from being added to the Tripwire database, remove the x from
the box. To accept any files with an x beside them as changes, write the file in the editor and quit the
text editor. This signals to Tripwire to alter its database and not report these files as violations.
For example, the default text editor for Tripwire is vi. To write the file with vi and make the changes
to the Tripwire database when updating with a specific report, type :wq in vi's command mode and
press [Enter]. You will be asked to enter your local passphrase. Then, a new database file will be
written to include the valid violations.
After a new Tripwire database is written, the newly authorized integrity violations will no longer show
up as warnings when the next integrity check is run.

11.11 Updating the Policy File

If you want to change the files Tripwire records in its database or modify the severity with which
violations are reported, you need to edit your Tripwire policy file.
First, make whatever changes are necessary to the sample policy file (/etc/tripwire/twpol.txt).
A common change to this policy file is to comment out any files that do not exist on
your system so that they will not generate a file not found error in your Tripwire reports. For
example, if your system does not have a /etc/smb.conf file, you can tell Tripwire not to try to
look for it by commenting out its line in twpol.txt:
#/etc/smb.conf -> $(SEC_CONFIG) ;
Next, you must tell Tripwire to generate a new /etc/tripwire/tw.pol signed file and then generate
an updated database file based on this policy information. Assuming /etc/tripwire/twpol.txt
is the edited policy file, use this command:
/usr/sbin/twadmin --create-polfile -S site.key /etc/tripwire/twpol.txt
You will be asked for the site passphrase. Then, the twpol.txt file will be parsed and signed.
It is important that you update the Tripwire database after creating a new /etc/tripwire/tw.pol
file. The most reliable way to accomplish this is to delete your current Tripwire database and create a
new database using the new policy file.
If your Tripwire database file is named wilbur.domain.com.twd, type this command:
rm /var/lib/tripwire/wilbur.domain.com.twd
Then type the command to create a new database:
/usr/sbin/tripwire --init
A new database will be created according to the instructions in the new policy file. To make sure the
database was correctly changed, run the first integrity check manually and view the contents of the

Chapter 11: Installing and Configuring Tripwire
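
The policy edit that starts the procedure in this section, commenting out rules for files that do not exist, can be scripted before the twadmin and tripwire --init steps. The following is an added example, not part of the Red Hat manual or of Tripwire; the function names comment_missing and demo, the ROOT parameter, the twpol.txt.new file name and the sample policy are assumptions made for illustration, and only single-line rules written as "/path -> $(MASK) ;" are handled.

```shell
#!/bin/sh
# Added example, not from the manual: comment out single-line twpol.txt rules
# ("/path -> $(MASK) ;") whose path does not exist, so Tripwire reports carry
# no "file not found" errors. Multi-line and quoted rules are left untouched.

# comment_missing POLICY [ROOT]
# Prints the adjusted policy on stdout and one note per change on stderr.
# ROOT is a hypothetical prefix for checking a mounted image or a test tree.
comment_missing() {
    policy=$1
    root=${2:-}
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f      # split on whitespace, globbing off
        path=${1:-}
        path=${path%%->*}                 # tolerate "/path->$(MASK);"
        case $path in /*) ;; *) path= ;; esac       # a rule starts with "/"
        case $line in *'->'*) ;; *) path= ;; esac   # and contains "->"
        if [ -n "$path" ] && [ ! -e "$root$path" ] && [ ! -L "$root$path" ]; then
            echo "commented out missing path: $path" >&2
            line="#$line"
        fi
        printf '%s\n' "$line"
    done < "$policy"
}

# demo: run against a constructed tree and policy (sample data, not a real host).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/etc"
    : > "$tmp/etc/passwd"                 # present; /etc/smb.conf is absent
    cat > "$tmp/twpol.txt" <<'EOF'
# constructed sample policy
SEC_CONFIG = $(Dynamic) ;
  /etc/passwd   -> $(SEC_CONFIG) ;
  /etc/smb.conf -> $(SEC_CONFIG) ;
#/etc/old.conf  -> $(SEC_CONFIG) ;
EOF
    comment_missing "$tmp/twpol.txt" "$tmp" 2>/dev/null
    rm -rf "$tmp"
}

# Typical use (review the result before replacing twpol.txt and re-signing):
#   comment_missing /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new
#   diff /etc/tripwire/twpol.txt /etc/tripwire/twpol.txt.new
```

Run it as root on the monitored host: a path under a directory the caller cannot search looks missing to the existence test, and its rule would be commented out by mistake.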
