Tripwire

From SchnallIchNet

Monitor file changes in the filesystem

Create a backup of the original config file:

cp twcfg.txt twcfg_original.txt

Now edit the file:

vi twcfg.txt

Change the following:

LOOSEDIRECTORYCHECKING =false

to

LOOSEDIRECTORYCHECKING =true

This change is necessary before the install script is run for the first time, because the files on your computer will not match the default sample policy file exactly. Once the install has completed successfully and the policy file has been edited, LOOSEDIRECTORYCHECKING should be restored to "false".

Then run:

twadmin --create-cfgfile --site-keyfile /path/to/site.key twcfg.txt

Now edit the twpol.txt file to your needs.

Re-run the installation process, using one of:

  1. twinstall.sh (if installed from source)
  2. dpkg-reconfigure tripwire (if installed using apt/dpkg)
  3. the package manager of your distribution (read its man page)

After that, your binary config AND policy files are up to date.

Run init to generate the list of errors:

tripwire --init -v

Edit Policy File

Search for the files on your computer that tripwire could not find. If several of them share a similar directory path, it is a good bet that the files are all together in a slightly different path. Also, unless you have installed all the options that came with your version of RedHat, there is a good chance that you won't have all the files that the original sample policy file, twpol.txt, is trying to find. If those files aren't on your computer, you can comment out the lines that reference them in your policy file.

cp /etc/tripwire/twpol.txt /etc/tripwire/twpol.txt.bak
vi /etc/tripwire/twpol.txt
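As an added example (not from this page or from the Tripwire project), the search-and-comment step above as a small POSIX shell script: it reads a saved copy of the tripwire --init -v output, lists the paths reported as missing, and writes a copy of twpol.txt with the rule lines for those paths commented out. The init log and the policy fragment are constructed samples; the rule name and the paths in them are hypothetical.

```shell
#!/bin/sh
# Constructed sample log, in the form of Tripwire's "File system error" warnings.
INIT_LOG_SAMPLE='### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /sbin/quotacheck
### No such file or directory
### Continuing...'

# Constructed sample policy fragment (rule name and paths are hypothetical).
POLICY_SAMPLE='(
  rulename = "System Binaries",
  severity = $(SIG_HI)
)
{
  /usr/sbin/fixrmtab   -> $(SEC_BIN) ;
  /sbin/quotacheck     -> $(SEC_BIN) ;
  /sbin/ifconfig       -> $(SEC_BIN) ;
}'

# Print each path reported as missing in the init log, one per line, deduplicated.
missing_files() {   # $1 = saved output of "tripwire --init -v"
    awk '/^### Warning: File system error/ { want = 1; next }
         want && /^### Filename: / { sub(/^### Filename: /, ""); print; want = 0 }' "$1" |
        sort -u
}

# Write a copy of the policy with every rule line whose first token is a
# missing path commented out; all other lines are copied unchanged.
comment_missing() {   # $1 = twpol.txt, $2 = init log, $3 = output file
    awk -v list="$(missing_files "$2")" '
        BEGIN { n = split(list, a, "\n"); for (i = 1; i <= n; i++) miss[a[i]] = 1 }
        { line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t]+/)
          if (f[1] in miss) print "# " $0; else print $0 }' "$1" > "$3"
}

# Number of lines comment_missing disabled (lines it wrote starting with "# ").
count_commented() { grep -c '^# ' "$1"; }

# Run on the constructed samples in a scratch directory and show the result.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$INIT_LOG_SAMPLE" > "$tmp/init.log"
    printf '%s\n' "$POLICY_SAMPLE" > "$tmp/twpol.txt"
    comment_missing "$tmp/twpol.txt" "$tmp/init.log" "$tmp/twpol.new"
    cat "$tmp/twpol.new"; rm -rf "$tmp"
}
demo
```

Review the commented-out lines before running tripwire --update-policy, since a path that is merely relocated should be corrected rather than dropped.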

Update Policies

After editing the text version of your policy file, twpol.txt, you will want to write those changes to the binary database so they are used the next time you run tripwire --check.

tripwire --update-policy -Z low /etc/tripwire/twpol.txt

You will be asked for your local passphrase and then your site passphrase. Note the -Z low switch on this command. Without it, tripwire operates in high security mode: a report is still generated, but an error message at the end of the report informs you that the (binary) policy file has not been updated: Policy update failed: policy and database files were not altered.

Repeat the Generate List of Errors, Edit Policies and Update Policies steps as many times as required to remove all errors. If Update Policies does not work, you can try re-running the installation with twinstall.sh.

When you are free of errors, you can restore the setting in twcfg.txt from:

LOOSEDIRECTORYCHECKING =true

to

LOOSEDIRECTORYCHECKING =false

Use the update-policy command again after restoring twcfg.txt:

tripwire --update-policy -Z low /etc/tripwire/twpol.txt