19.8. Updating the Tripwire Policy File

If you want to change the files Tripwire records in its database, change email configuration, or modify the severity at which certain violations are reported, you need to edit your Tripwire policy file.

First, make whatever changes are necessary to the plain-text policy file /etc/tripwire/twpol.txt. If you deleted this file (as you should whenever you finish configuring Tripwire, because it lists in the clear every object Tripwire watches and every rule that is not enforced), you can regenerate it from the signed policy by issuing the following command:

twadmin --print-polfile > /etc/tripwire/twpol.txt

A common change to this policy file is to comment out entries for files that do not exist on your system, so that they do not generate file-not-found errors in every Tripwire report. For example, if your system does not have a /etc/smb.conf file, you can tell Tripwire not to look for it by commenting out its line in twpol.txt with the # character, as in the following example:

#     /etc/smb.conf                     -> $(SEC_CONFIG) ;
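Doing this by hand for a full policy file is tedious and error-prone, so the following script, added here as an example and not part of the Red Hat guide or of Tripwire itself, automates the step: it copies a policy file, prefixing # to every rule line whose object path does not exist on the host. It assumes the stock twpol.txt layout in which each rule line begins with an absolute path followed by "->"; lines that begin with a variable reference such as $(TWBIN)/siggen are copied unchanged because the script does not expand policy variables. The make_sample function writes a small constructed policy fragment (not a real twpol.txt) so the script can be run without touching /etc/tripwire.

```shell
#!/bin/bash
# Added example, not part of the Red Hat Linux Reference Guide or of Tripwire.
# comment_missing INPUT OUTPUT
#   Copies INPUT to OUTPUT, prefixing "# " to every rule line whose first token
#   is an absolute path that does not exist on this host. Comments, directives,
#   braces, variable assignments and "!" exclusions are copied unchanged.
#   Limitation (assumption about the file format): a path written through a
#   policy variable, e.g. $(TWBIN)/siggen, is not resolved and is left as-is.
comment_missing() {
    in="$1"; out="$2"
    while IFS= read -r line || [ -n "$line" ]; do
        # Strip leading whitespace, then take the first whitespace-separated token.
        trimmed="${line#"${line%%[![:space:]]*}"}"
        token="${trimmed%%[[:space:]]*}"
        case "$token" in
            /*)
                if [ -e "$token" ]; then
                    printf '%s\n' "$line"
                else
                    printf '# %s\n' "$line"
                fi ;;
            *)
                printf '%s\n' "$line" ;;
        esac
    done < "$in" > "$out"
}

# make_sample DIR
#   Writes a constructed policy fragment DIR/twpol.txt (sample data for this
#   example, not a real twpol.txt) that references one file that exists
#   (DIR/present.conf), one that does not (DIR/absent.conf) and one exclusion.
make_sample() {
    dir="$1"
    : > "$dir/present.conf"
    {
        printf '%s\n' '# Constructed sample policy fragment for the example'
        printf '%s\n' '(' '  rulename = "Critical configuration files",' \
                       '  severity = $(SIG_HI)' ')' '{'
        printf '  %s -> $(SEC_CONFIG) ;\n' "$dir/present.conf" "$dir/absent.conf"
        printf '  !%s ;\n' "$dir/ignored"
        printf '%s\n' '}'
    } > "$dir/twpol.txt"
}

# Run "./comment_missing.sh demo" to see the transformation on the sample;
# on a real host: comment_missing /etc/tripwire/twpol.txt /etc/tripwire/twpol.new
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_sample "$d"
    comment_missing "$d/twpol.txt" "$d/twpol.new"
    cat "$d/twpol.new"
    rm -rf "$d"
fi
```

Review the resulting file before you sign it: a path that is missing because a package has not been installed yet should stay active if you expect it to appear later, and an entry commented out today is a file Tripwire will never report on.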

Next, you must generate a new, signed /etc/tripwire/tw.pol file from the edited policy and then build an updated database from it. Assuming /etc/tripwire/twpol.txt is the edited policy file, use this command:

/usr/sbin/twadmin --create-polfile -S site.key /etc/tripwire/twpol.txt

The -S argument names the site key; the default on Red Hat Linux is /etc/tripwire/site.key, so give the full path if you do not run the command from /etc/tripwire. You will be asked for the site passphrase. twadmin then signs and encrypts the policy with the site key and writes the result to /etc/tripwire/tw.pol. The plain-text twpol.txt is left unchanged, which is why you should delete it again once the update is finished.

It is important that you update the Tripwire database after creating a new /etc/tripwire/tw.pol file, because the database is tied to the policy it was built from. The simplest and most reliable way to do this is to delete your current Tripwire database and create a new one using the new policy file. Note that re-initializing takes the current state of the file system as the trusted baseline: any unauthorized change present at that moment is recorded as normal and will never be reported. Run an integrity check against the old database (see Section 19.5 Running an Integrity Check) and resolve any violations before you delete it. If you prefer to carry the existing baseline forward rather than start over, tripwire also offers an --update-policy mode (see the tripwire(8) manual page), which checks the system against the old policy while switching the database to the new one.

If your Tripwire database file is named bob.domain.com.twd, type this command:

rm /var/lib/tripwire/bob.domain.com.twd

Then type the following command to create a new database using the updated policy file:

/usr/sbin/tripwire --init

To make sure the database was correctly changed, run the first integrity check manually and view the contents of the resulting report. See Section 19.5 Running an Integrity Check and Section 19.6.1 Viewing Tripwire Reports for more on doing these tasks.

19.8.1. Tripwire and Email

You can configure Tripwire to send an email to one or more accounts if a specific type of policy rule is violated. To do this, you need to decide which policy rules should be monitored and who should receive the email when those rules are broken. Note that on large systems with multiple administrators, you can have different sets of people notified depending on the type of violation.

Once you have determined who to notify and what rule violations to report to them, edit the /etc/tripwire/twpol.txt file, adding an emailto= line to the rule directive section for each appropriate rule. Do this by adding a comma after the severity= line and putting emailto= on the next line, followed by one or more email addresses. More than one email address can be specified if the addresses are separated by a semi-colon.

For example, if two administrators, Johnray and Bob, need to be notified when a networking program is modified, change the Networking Programs rule directive in the policy file to look like this:

(
  rulename = "Networking Programs",
  severity = $(SIG_HI),
  emailto = johnray@domain.com;bob@domain.com
)

After changing the policy file, follow the instructions in Section 19.8 Updating the Tripwire Policy File to generate an updated, encrypted, and signed copy of the Tripwire policy file. Be aware that the emailto entries only take effect when the integrity check is run with email reporting enabled (the --email-report, or -M, option of the tripwire command); a plain tripwire --check writes the report to disk without mailing anyone, so check the command used by your cron job if expected notifications never arrive. The mail itself is sent with the MAILMETHOD configured in /etc/tripwire/tw.cfg.

19.8.1.1. Sending Test Email Messages

To test Tripwire's email notification configuration, use the following command:

/usr/sbin/tripwire --test --email your@email.address

A test email is sent immediately to that address by the tripwire program, using the mail settings in /etc/tripwire/tw.cfg. If it does not arrive, the problem is in the mail configuration rather than in the policy file, and no amount of editing twpol.txt will fix it.