OK, only waited a few months before adding this!
I’d recommend not doing this as root, because if you do, the root directory’s modification time will change as you modify twpol.txt. twpol.txt itself will also change as you edit it.
All of this means you’ll have to run steps 1-3 before you can run step 4, and tripwire takes ages to run. Besides, you should be using sudo anyway (you are, right?!).
1. Validate current policy
sudo tripwire -m c
2. Find the latest tripwire log
sudo ls -lt /var/lib/tripwire/report/*.twr | head -1
3. Use that to update the database
sudo tripwire -m u -r <above file>
4. Then update policy
sudo tripwire -m p twpol.txt
You should see this:
Parsing policy file: twpol.txt
Please enter your local passphrase:
Please enter your site passphrase:
========
Policy Update: Processing section Unix File System.
========
Step 1: Gathering information for the new policy.
The object: "/lib/init/rw" is on a different file system...ignoring.
The object: "/dev/.static/dev" is on a different file system...ignoring.
The object: "/dev/pts" is on a different file system...ignoring.
The object: "/dev/shm" is on a different file system...ignoring.
The object: "/proc/bus/usb" is on a different file system...ignoring.
========
Step 2: Updating the database with new objects.
========
Step 3: Pruning unneeded objects from the database.
Wrote policy file: /etc/tripwire/tw.pol
Wrote database file: /var/lib/tripwire/web-proxy.twd
5. After the policy is accepted you need to run steps 1-3 again.
This is because if you don’t, and then want to make further changes, you’ll see stuff like this:
========
Policy Update: Processing section Unix File System.
========
Step 1: Gathering information for the new policy.
The object: "/lib/init/rw" is on a different file system...ignoring.
The object: "/dev/.static/dev" is on a different file system...ignoring.
The object: "/dev/pts" is on a different file system...ignoring.
The object: "/dev/shm" is on a different file system...ignoring.
The object: "/proc/bus/usb" is on a different file system...ignoring.
### Error: Policy Update Added Object.
### An object has been added since the database was last updated.
### Object name: /etc/tripwire/tw.pol.bak
### Error: Policy Update Changed Object.
### An object has been changed since the database was last updated.
### Object name: Conflicting properties for object /etc/tripwire
### > Size
### > Modify Time
### Error: Policy Update Changed Object.
### An object has been changed since the database was last updated.
### Object name: Conflicting properties for object /etc/tripwire/tw.pol
### > Modify Time
### > CRC32
### > MD5
========
Step 2: Updating the database with new objects.
========
Step 3: Pruning unneeded objects from the database.
Policy update failed; policy and database files were not altered.
This is because tripwire hasn’t captured the changes caused by the policy update itself (tw.pol was rewritten and tw.pol.bak created).
This might also be useful (I log in as a normal user to do administration, so I want to do all of these sudo’d). This script runs a report and then uses the generated report to update the database.
I call the script update_tripwire.bash
#!/bin/bash
# Step 1: integrity check; writes a new report under /var/lib/tripwire/report
sudo tripwire -m c
# Steps 2-3: feed the newest report back into the database (quoted so a path with spaces survives)
sudo tripwire -m u -r "$(/bin/ls -t /var/lib/tripwire/report/*.twr | head -1)"
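As an added example (not the author's script), the same five steps carried through in one run, with a check that a report actually exists before it is handed to tripwire -m u, which the ls | head version skips. The /var/lib/tripwire/report path and twpol.txt name come from the post; the --run argument and the REPORT_DIR/POLICY/TRIPWIRE overrides are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the post's script: steps 1-5 in one run.
# Paths follow the post; REPORT_DIR/POLICY/TRIPWIRE can be overridden
# from the environment (TRIPWIRE=true gives a dry run).
set -eu

REPORT_DIR="${REPORT_DIR:-/var/lib/tripwire/report}"
POLICY="${POLICY:-twpol.txt}"
TRIPWIRE="${TRIPWIRE:-sudo tripwire}"

# Print the newest *.twr in the given directory; return 1 if there is none.
# Compares mtimes directly instead of parsing "ls -t" output.
latest_report() {
    local dir newest f
    dir="$1"; newest=""
    for f in "$dir"/*.twr; do
        [ -f "$f" ] || continue
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest="$f"
        fi
    done
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# Steps 1-3: integrity check, then fold the report it wrote into the database.
# "tripwire -m c" exits non-zero when it finds violations, which is the
# normal case here, so that status is deliberately not treated as an error.
check_and_update_db() {
    local report
    $TRIPWIRE -m c || true
    report="$(latest_report "$REPORT_DIR")" || {
        echo "no report found in $REPORT_DIR; aborting before -m u" >&2
        return 1
    }
    $TRIPWIRE -m u -r "$report"
}

main() {
    check_and_update_db          # steps 1-3: database matches current state
    $TRIPWIRE -m p "$POLICY"     # step 4: accept the new policy
    check_and_update_db          # step 5: pick up tw.pol and tw.pol.bak changes
}

# Only act when invoked with --run, so the file can also be sourced for testing.
if [ "${1:-}" = "--run" ]; then main; fi
```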