Tripwire
Monitor file changes in the filesystem
create a backup of the original config file:
cp twcfg.txt twcfg_original.txt
edit file now
vi twcfg.txt
change the following:
LOOSEDIRECTORYCHECKING =false
to
LOOSEDIRECTORYCHECKING =true
This change is needed before the script is run for the first time, because whatever is on your computer will not match the default sample file exactly. After the install has completed successfully and the policy file has been edited, LOOSEDIRECTORYCHECKING should be restored to "false".
then run:
twadmin --create-cfgfile --site-keyfile /path/to/site.key twcfg.txt
now edit the twpol.txt file to your needs...
re-run the installation process, which can be one of:
- twinstall.sh (if installed from source)
- dpkg-reconfigure tripwire (if installed using apt/dpkg)
- your distribution's favorite package manager (read the man page)
after that, your binary config AND policy files are up to date
run init:
tripwire --init -v
Edit Policy File
Search for the files on your computer that tripwire could not find. If several of them all have a similar directory path, it is a good bet that the files are all together in a slightly different path. Also, unless you have installed all the options that came along with your version of RedHat, there is a good chance that you won't have all the files that the original sample policy file, twpol.txt, is trying to find. If those files aren't on your computer, you can comment out the lines that reference them from your policy file.
cp /etc/tripwire/twpol.txt /etc/tripwire/twpol.txt.bak
vi /etc/tripwire/twpol.txt
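One way to find the rules to comment out in the Edit Policy File step, as an added example that is not part of the original notes: the hypothetical function comment_missing_paths writes a copy of twpol.txt in which every rule whose path does not exist is prefixed with "#". It assumes one rule per line starting with an absolute path; rules that use variables, stop points or quoted paths are left for manual review.

```sh
#!/bin/sh
# Added example (not from the original notes): comment out twpol.txt rules
# whose object path does not exist on this host.
# Assumptions: one rule per line, written "/path -> $(MASK) ;", with no
# whitespace or "->" inside the path. Lines that start with a variable
# ($(TWBIN)/...), a stop point (!/path) or a quoted path are copied as-is.

# comment_missing_paths IN OUT
# Writes OUT as a copy of IN with missing-path rules prefixed by "#",
# and prints the number of rules it commented out.
comment_missing_paths() {
    policy_in=$1
    policy_out=$2
    missing=0
    : > "$policy_out"
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop leading whitespace, then keep the first token of the line.
        trimmed=${line#"${line%%[![:space:]]*}"}
        path=${trimmed%%[[:space:]]*}
        # Handle rules written without a space before the arrow.
        path=${path%%->*}
        case $path in
            /*)
                # -L keeps dangling symlinks, which still exist as objects.
                if [ ! -e "$path" ] && [ ! -L "$path" ]; then
                    printf '#%s\n' "$line" >> "$policy_out"
                    missing=$((missing + 1))
                    continue
                fi
                ;;
        esac
        printf '%s\n' "$line" >> "$policy_out"
    done < "$policy_in"
    printf '%s\n' "$missing"
}
```

Compare the output with the original (diff twpol.txt twpol.new) before using it as the input to tripwire --update-policy.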
Update Policies
After editing the text version of your policy file, twpol.txt, you will want to write those changes to the binary database so they will be used the next time you run tripwire --check.
tripwire --update-policy -Z low /etc/tripwire/twpol.txt
You will be asked for your local passphrase and then your site passphrase. Notice the -Z low switch on this command. If you don't use this option, tripwire will operate in high security mode, which will result in a report being generated, but an error message at the end of the report will inform you that the (binary) policy file has not been updated.
Policy update failed: policy and database files were not altered.
Repeat the Generate List of Errors, Edit Policies and Update Policies steps as many times as required to remove all errors. If Update Policies does not work, you can try re-installing twinstall.sh.
When you are free of errors, you can restore the twcfg.txt from:
LOOSEDIRECTORYCHECKING =true
to
LOOSEDIRECTORYCHECKING =false
Use the update-policy command after restoring twcfg.txt:
tripwire --update-policy -Z low /etc/tripwire/twpol.txt