19.8. Updating the Tripwire Policy File
If you want to change the files Tripwire records in its database, change
email configuration, or modify the severity at which certain violations
are reported, you need to edit your Tripwire policy file.
First, make whatever changes are necessary to the sample policy file
/etc/tripwire/twpol.txt. If you deleted this file
(as you should whenever you are finished configuring Tripwire), you can
regenerate it by issuing the following command:
    twadmin --print-polfile > /etc/tripwire/twpol.txt
A common change to this policy file is to comment out any files that do
not exist on your system so that they will not generate a
file not found error in your Tripwire
reports. For example, if your system does not have a
/etc/smb.conf file, you can tell Tripwire not to
try to look for it by commenting out its line in
twpol.txt with the
# character as in the following
example:
    # /etc/smb.conf -> $(SEC_CONFIG) ;
Next, you must generate a new, signed
/etc/tripwire/tw.pol file and generate an updated
database file based on this policy information. Assuming
/etc/tripwire/twpol.txt is the edited policy file,
use this command:
    /usr/sbin/twadmin --create-polfile -S site.key /etc/tripwire/twpol.txt
You will be asked for the site password. The policy in twpol.txt is then
encrypted and signed, producing the new /etc/tripwire/tw.pol file.
It is important that you update the Tripwire database after creating a new
/etc/tripwire/tw.pol file. The most reliable way to
accomplish this is to delete your current Tripwire database and create a
new database using the new policy file.
If your Tripwire database file is named
bob.domain.com.twd, type this command:
    rm /var/lib/tripwire/bob.domain.com.twd
Then type the following command to create a new database using the updated
policy file:
    /usr/sbin/tripwire --init
To make sure the database was correctly changed, run the first integrity
check manually and view the contents of the resulting report. See Section 19.5 Running an Integrity Check and Section 19.6.1 Viewing Tripwire Reports for more on doing these tasks.
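The step of commenting out rules for files that are absent from the system can be scripted, so the edited policy can be reviewed and then signed with twadmin as described above. The following is an added example, not part of the manual; it assumes the usual one-rule-per-line twpol.txt syntax and writes to a hypothetical output path rather than editing twpol.txt in place.

```shell
#!/bin/sh
# Added example (not from the Red Hat manual): comment out rules in a copy of
# /etc/tripwire/twpol.txt whose target path does not exist on this host, so
# they stop producing "file not found" entries in integrity reports.
# Assumes Tripwire's one-rule-per-line syntax:  /path  -> $(MASK) ;
set -f   # no globbing while we word-split policy lines

# comment_missing_rules <policy-in> <policy-out>
# Writes the edited copy to <policy-out> and prints how many rules it commented.
comment_missing_rules() {
    in=$1
    out=$2
    count=0
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line               # $1 = first token of the line, if any
        case "${1:-}" in
            /*)
                # Rule line for an absolute path: keep it if present, else comment it
                if [ -e "$1" ]; then
                    printf '%s\n' "$line" >> "$out"
                else
                    printf '# %s\n' "$line" >> "$out"
                    count=$((count + 1))
                fi
                ;;
            *)
                # Comments, blank lines, rule attributes, braces, !exclusions: copy verbatim
                printf '%s\n' "$line" >> "$out"
                ;;
        esac
    done < "$in"
    echo "$count"
}

# Typical use (hypothetical output path), followed by the signing step above:
#   sh comment_missing.sh /etc/tripwire/twpol.txt /etc/tripwire/twpol.new
#   twadmin --create-polfile -S site.key /etc/tripwire/twpol.new
if [ $# -eq 2 ]; then
    comment_missing_rules "$1" "$2"
fi
```

Review the commented lines before signing: a rule that is commented out because a package is not installed yet will need to be re-enabled once it is.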
19.8.1. Tripwire and Email
You can configure Tripwire to send an email to one or more accounts if a
specific type of policy is violated. In order to do this, you need to
figure out what policy rules should be monitored and who should get the
email when those rules are broken. Note that on large systems with
multiple administrators, you can have different sets of people notified
depending on the types of violations.
Once you have determined who to notify and what rule violations to
report to them, edit the /etc/tripwire/twpol.txt
file, adding an emailto= line to the rule
directive section for each appropriate rule. Do this by adding a comma
after the severity= line and putting
emailto= on the next line, followed by one or
more email addresses. More than one email address can be specified if
the addresses are separated by a semicolon.
For example, if two administrators, Johnray and Bob, need to be
notified when a networking program is modified, change the Networking
Programs rule directive in the policy file to look like this:
    (
      rulename = "Networking Programs",
      severity = $(SIG_HI),
      emailto = johnray@domain.com;bob@domain.com
    )
After changing the policy file, follow the instructions in Section 19.8 Updating the Tripwire Policy File to generate an updated, encrypted,
and signed copy of the Tripwire policy file.
19.8.1.1. Sending Test Email Messages
To test Tripwire's email notification configuration, use the
following command:
    /usr/sbin/tripwire --test --email your@email.address
A test email will immediately be sent to the email address by the
tripwire program.