Hello, I have installed Tripwire on an Ubuntu 8.10 server. All works great, but I see violations in the database from 5 days ago. I try to update the database, but if I want a clean result from only the last day I must remove the database and create it again.
I use these commands for updating the database, but there is no result for me.
root@ubuntu-server:~# tripwire -m -u -Z low -a
root@ubuntu-server:~# tripwire -m -u -Z low
root@ubuntu-server:~# tripwire -m -u
And the other thing I see is that when I execute these commands in the console I receive mail; I think that's because mail is only sent when I execute a check, not on update.
I am new to Tripwire myself. But what you do after creating your config file and policy file is create your database. Then you are all set up. If you wish to renew frequently, then you UPDATE your database from a given REPORT. It's a manual process as you select what items from a given REPORT you wish to update your database with.
I am running a cron job to perform a check and email that report. After viewing the report I can decide what to do with the data reported.
An update command would be (on a CentOS server):
tripwire -m u -V vim -Z low -r /usr/local/lib/tripwire/report/host.(yourserver)-(date)-(time).twr
The database is updated with the results you chose, as listed in the report.
> It's a manual process as you select what items from a given REPORT you wish to update your database with.
Actually, both modes are supported; there is also an unattended option which validates ALL the entries in the report into the database.
I'm not sure why anyone would like to use an IDS tool, and just allow unattended updates. It's not an option to consider.
But I grant you that, yes, one can update the database unattended, as the man pages state.
Sorry, what I meant by unattended would actually be that you take a good long look at the report and, if you are satisfied with it, you do a non-interactive update of the database.
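The check-then-update workflow from the CentOS post above, together with the non-interactive (-a) form discussed at the end of the thread, as an added shell example that is not from any poster here. The report directory, the report file-name pattern and the REPORT_DIR override are assumptions, noted in the comments.

```shell
#!/bin/sh
# Added example, not code from the thread: run the workflow described above
# (check from cron, read the mailed report, then update the database from
# that report) without hand-typing the report path. Assumptions: reports are
# named <host>-YYYYMMDD-HHMMSS.twr as `tripwire -m c` writes them, and live
# in /var/lib/tripwire/report (Ubuntu default; the CentOS post above uses
# /usr/local/lib/tripwire/report). Override with REPORT_DIR=... if needed.

REPORT_DIR="${REPORT_DIR:-/var/lib/tripwire/report}"

# Newest report for a host. The timestamp in the file name sorts lexically,
# so the last line of a sorted listing is the most recent check.
latest_report() {
    dir=$1; host=$2
    ls "$dir"/"$host"-*.twr 2>/dev/null | sort | tail -n 1
}

# Build the update command for a report. "interactive" (default) opens the
# report in an editor so you can remove the [x] from anything you do not
# want accepted; "accept" is the non-interactive form (-a / --accept-all),
# which takes every entry in the report, so only use it after reading it.
update_cmd() {
    report=$1; mode=${2:-interactive}
    case $mode in
        interactive) echo "tripwire -m u -Z low -r '$report'" ;;
        accept)      echo "tripwire -m u -Z low -a -r '$report'" ;;
        *) echo "update_cmd: unknown mode '$mode'" >&2; return 1 ;;
    esac
}

# Update from the newest report for this host. Usage after sourcing the file:
#   run_update            # interactive review of the latest report
#   run_update accept     # non-interactive, after you have read the report
run_update() {
    report=$(latest_report "$REPORT_DIR" "$(hostname)")
    if [ -z "$report" ]; then
        echo "no report for $(hostname) in $REPORT_DIR; run 'tripwire -m c'" >&2
        return 1
    fi
    eval "$(update_cmd "$report" "${1:-interactive}")"
}
```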