
Re: tripwire update policy ....

 
K.C. Chan
Trusted Contributor

tripwire update policy ....

All,
Is there a way to update the policy without having to regenerate a new tripwire database? I tried updating the policy, then ran a check. It seems that it reset everything; the files it was reporting as inconsistent are no longer inconsistent. Any idea?
Reputation of a thousand years can be determined by the conduct of an hour
Steven E. Protter
Exalted Contributor

Re: tripwire update policy ....

What command did you use?

There is an update command set that does not reset the whole database.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Ivan Ferreira
Honored Contributor

Re: tripwire update policy ....

The command should be like:

/usr/sbin/tripwire --update --twrfile /var/lib/tripwire/report/.twr
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
K.C. Chan
Trusted Contributor

Re: tripwire update policy ....

tripwire -m p -Z low twpol.txt, I used this to change the policy file.
Reputation of a thousand years can be determined by the conduct of an hour
Ivan Ferreira
Honored Contributor

Re: tripwire update policy ....

If you want to update the database, run the command that I mentioned above. If you want to modify the policy file, run:

twadmin --print-polfile > /etc/tripwire/twpol.txt

Modify the file.

/usr/sbin/twadmin --create-polfile -S site.key /etc/tripwire/twpol.txt

/usr/sbin/tripwire --init
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
K.C. Chan
Trusted Contributor

Re: tripwire update policy ....

The twadmin command seems straightforward, but the command "tripwire --init", which is the same as "tripwire -m i", is questionable as far as updating the database. I think the option "-m i" initializes the database instead of updating it. After reading the man page, I believe the option to update the database should be "tripwire -m u". Any thoughts on this? Thanks.
Reputation of a thousand years can be determined by the conduct of an hour
Ivan Ferreira
Honored Contributor

Re: tripwire update policy ....

I think that -m u is the same as /usr/sbin/tripwire --update --twrfile /var/lib/tripwire/report/.twr

It updates the database so file modifications are recorded, but you cannot for example, remove or add a file to the database.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
K.C. Chan
Trusted Contributor

Re: tripwire update policy ....

So tripwire --init will add/remove files to the database? Does it also initialize files that are already there? If so, then will it reset the files that have changed since the last run? If it does, then this is not the option I am looking for. I am looking for an option which updates (adds/removes) files in the database without resetting the files that have changed in the database. Thanks.
Reputation of a thousand years can be determined by the conduct of an hour
Ivan Ferreira
Honored Contributor

Re: tripwire update policy ....

I did not understand but the --init will do a new snapshot.

What do you mean with:

Does it also initialize files that are already there?

The new snapshot will consider all "current" files as the good ones.

These are the only ways that I know.

Cheers.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
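
Since --init takes a new snapshot that treats every current file as good, one way to avoid silently accepting outstanding changes is to run an integrity check against the old policy first and refuse to re-baseline if it reports anything. This is an added example, not part of the thread: the function name, return codes and overridable variables are hypothetical, and it assumes `tripwire --check` exits non-zero when it finds violations or errors.

```shell
#!/bin/sh
# Added example: refuse to re-baseline Tripwire while violations are outstanding.
# Assumption: `tripwire --check` exits non-zero on violations or errors.
# Paths and site.key are the ones quoted in the thread; override via environment.
TRIPWIRE=${TRIPWIRE:-/usr/sbin/tripwire}
TWADMIN=${TWADMIN:-/usr/sbin/twadmin}
POLICY_TXT=${POLICY_TXT:-/etc/tripwire/twpol.txt}
SITE_KEY=${SITE_KEY:-site.key}

# Returns 0 if the edited policy was installed and a new baseline taken,
# 3 if the pre-check found outstanding violations (nothing is changed),
# 1 if installing the policy or initializing the database failed.
safe_rebaseline() {
    # 1. Check the filesystem against the OLD policy and database first.
    if ! "$TRIPWIRE" --check >/dev/null 2>&1; then
        echo "outstanding violations: review the report before re-baselining" >&2
        return 3
    fi
    # 2. Only now sign the edited policy text into a policy file...
    "$TWADMIN" --create-polfile -S "$SITE_KEY" "$POLICY_TXT" || return 1
    # 3. ...and take the new snapshot, which accepts all current files as good.
    "$TRIPWIRE" --init || return 1
}

# Run only when asked explicitly, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    safe_rebaseline
fi
```
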