Updating the Policy File

If you want to change which files Tripwire records in its database, or the severity level at which violations are reported, you need to edit your Tripwire policy file.

First, make whatever changes are necessary to the sample policy file (/etc/tripwire/twpol.txt). A common change to this policy file is to comment out any files that do not exist on your system, so that they do not generate a "file not found" error in your Tripwire reports. For example, if your system does not have an /etc/smb.conf file, you can tell Tripwire not to look for it by commenting out its line in twpol.txt:

#     /etc/smb.conf                     -> $(SEC_CONFIG) ;

Next, you must tell Tripwire to generate a new signed /etc/tripwire/tw.pol file and then generate an updated database file based on this policy information. Assuming /etc/tripwire/twpol.txt is the edited policy file, use this command:

/usr/sbin/twadmin --create-polfile -S site.key /etc/tripwire/twpol.txt

You will be asked for the site passphrase. Then, the twpol.txt file will be parsed and signed.

It is important that you update the Tripwire database after creating a new /etc/tripwire/tw.pol file. The most reliable way to accomplish this is to delete your current Tripwire database and create a new database using the new policy file.

If your Tripwire database file is named wilbur.domain.com.twd, type this command:

rm /var/lib/tripwire/wilbur.domain.com.twd

Then type the command to create a new database:

/usr/sbin/tripwire --init

A new database will be created according to the instructions in the new policy file. To make sure the database was correctly changed, run the first integrity check manually and view the contents of the resulting report. See the section called Running an Integrity Check and the section called Printing Reports for specific instructions on these points.
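The policy-update sequence above, wrapped into two shell functions as an added example (this is not code from the Tripwire project or from this guide): the first comments out rule lines whose paths are absent from the host, the second signs the policy, rebuilds the database and runs the first integrity check. Assumptions: the site key lives at /etc/tripwire/site.key and the database is named after the host, as the stock twcfg.txt produces.

```shell
#!/bin/sh
# Added example, not part of the Tripwire project or the original guide.
# Assumptions (labelled): the guide's default paths /etc/tripwire/twpol.txt
# and /etc/tripwire/site.key, and a database named after the host, which is
# what the stock twcfg.txt produces (DBFILE = $(TWDB)/$(HOSTNAME).twd).
set -eu

# comment_missing_entries SRC DST
# Copy policy text SRC to DST, commenting out each rule line of the form
#   /some/path  -> $(SEC_CONFIG) ;
# whose path does not exist on this host, so it no longer produces a
# "file not found" entry in reports. Other lines are copied unchanged.
comment_missing_entries() {
    src=$1; dst=$2
    while IFS= read -r line; do
        ws=${line%%[![:space:]]*}      # leading whitespace, if any
        trimmed=${line#"$ws"}
        case $trimmed in
            /*"->"*)                   # an object rule: path -> property mask ;
                path=${trimmed%%[[:space:]]*}
                if [ -e "$path" ]; then
                    printf '%s\n' "$line"
                else
                    printf '#%s\n' "$line"
                fi ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done < "$src" > "$dst"
}

# regenerate_policy_and_db POLICY_TXT
# The guide's sequence: sign the edited policy into tw.pol, discard the old
# database, initialise a new one, then run a first integrity check so the
# report can be inspected. Must run as root; prompts for the site passphrase.
regenerate_policy_and_db() {
    poltxt=$1
    dbfile="/var/lib/tripwire/$(hostname).twd"   # assumed database name
    /usr/sbin/twadmin --create-polfile -S /etc/tripwire/site.key "$poltxt"
    rm -f "$dbfile"
    /usr/sbin/tripwire --init
    /usr/sbin/tripwire --check
}

# Typical use, as root:
#   comment_missing_entries /etc/tripwire/twpol.txt /etc/tripwire/twpol.txt.new
#   regenerate_policy_and_db /etc/tripwire/twpol.txt.new
```

Review the rewritten file before signing it: the function only reacts to rule lines that begin with an absolute path, so entries such as variable definitions and rule headers pass through untouched.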

Signing the Configuration File

The text file with the configuration file changes (commonly /etc/tripwire/twcfg.txt) must be signed to replace /etc/tripwire/tw.cfg before Tripwire will use it when it runs its integrity check. Tripwire will not recognize any configuration changes until the configuration text file is correctly signed and used to replace the /etc/tripwire/tw.cfg file.

If your altered configuration text file is /etc/tripwire/twcfg.txt, type this command to sign it, replacing the current /etc/tripwire/tw.cfg file:

/usr/sbin/twadmin --create-cfgfile -S site.key /etc/tripwire/twcfg.txt

Since the configuration file does not alter any Tripwire policies or the files tracked by the application, it is not necessary to regenerate the database of monitored system files.