Confusing on Tripwire

  • Jeden

    Hello everyone, I seem to be a bit confused when using Tripwire.  After installing fresh on a host, I immediately go and edit the twpol.txt.

    From there, I issue a twadmin -m P twpol.txt to create the new signed copy of the tw.pol file.  Now, here's where I'm confused: after that I issue a tripwire --init to build the database, and then after doing a tripwire -m c to check, I _always_ see modifications to the /usr/local/etc directory where the tw.cfg and tw.pol files live (along with the site.key).  Is this normal behavior?  I don't understand why it's showing me that anything changed in that directory when I haven't even created the database file, nor changed anything during the check.  I guess I could let it continue to gripe at me, but I feel like this makes my results not valid, because I can never be sure if something actually changed in that directory or not in doing future checks.

    Can someone help me out?  If you need more information let me know and I'll post anything that you request.  I appreciate any and all help to get me off in the right direction.

    • JSD

      It is normal to see the tripwire configuration files showing up in your first report.  Once you update your database for those violations, you should not see them again until the next time you modify any of your tripwire files.

      Also run the following and check the value for LOOSEDIRECTORYCHECKING

      ./twadmin -m f -c ../etc/tw.cfg

      You can set LOOSEDIRECTORYCHECKING to true to ignore directories that have violations in them.  So if /usr/local/etc is coming up in your report, by turning this on, you won't see that violation anymore.

      Hope this helps...
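The policy -> database -> check -> update cycle discussed in this thread, written out as an added shell example (not code from either poster), with a small helper that reads a variable such as LOOSEDIRECTORYCHECKING out of the text that twadmin -m f prints. The paths (/usr/local/etc for tw.cfg, tw.pol and twpol.txt; /var/lib/tripwire/report for .twr reports) are assumptions for a source-built install; take the real values from ROOT, POLFILE and REPORTFILE in your own tw.cfg. The config lines embedded at the bottom are a constructed sample, not a dump from a real host.

```shell
#!/bin/sh
# Added example: Tripwire initial-baseline workflow plus a tw.cfg reader.
# Assumed paths for a source-built install; adjust to your tw.cfg.
TW_ETC=${TW_ETC:-/usr/local/etc}
TW_REPORTDIR=${TW_REPORTDIR:-/var/lib/tripwire/report}

# Print the value of one tw.cfg variable from a printed config on stdin
# (the text that "twadmin -m f -c $TW_ETC/tw.cfg" writes to stdout).
# Tolerates "KEY =value", "KEY = value" and "KEY=value" layouts.
# Usage: cfg_value VARNAME < cfgdump
cfg_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" | head -n 1
}

# Exit status 0 when LOOSEDIRECTORYCHECKING is true in the config on stdin.
loose_dir_checking() {
    [ "$(cfg_value LOOSEDIRECTORYCHECKING | tr 'A-Z' 'a-z')" = "true" ]
}

# 1. Sign the edited plain-text policy into tw.pol (prompts for the site passphrase).
sign_policy() {
    twadmin -m P -c "$TW_ETC/tw.cfg" -p "$TW_ETC/tw.pol" "$TW_ETC/twpol.txt"
}

# 2. Build the baseline database from the signed policy (prompts for the local passphrase).
init_db() {
    tripwire -m i -c "$TW_ETC/tw.cfg"
}

# 3. Run an integrity check; the report is written to REPORTFILE from tw.cfg.
check() {
    tripwire -m c -c "$TW_ETC/tw.cfg"
}

# 4. Accept the violations in the newest report into the database.  This is the
#    "update your database" step: after it, tw.cfg, tw.pol and site.key stop
#    appearing in reports until one of them really changes.
#    ("tripwire -m c -I" does steps 3 and 4 in one interactive pass.)
update_db() {
    rpt=$(ls -t "$TW_REPORTDIR"/*.twr | head -n 1)
    tripwire -m u -c "$TW_ETC/tw.cfg" -r "$rpt"
}

# Show whether loose directory checking is on for the live config.
report_loose_dir_checking() {
    if twadmin -m f -c "$TW_ETC/tw.cfg" | loose_dir_checking; then
        echo "LOOSEDIRECTORYCHECKING=true: directory inode changes caused by files inside it are not reported"
    else
        echo "LOOSEDIRECTORYCHECKING=false: /usr/local/etc itself will be flagged whenever a file in it changes"
    fi
}

# Constructed sample of what "twadmin -m f" prints (not from a real host).
SAMPLE_CFG='ROOT                   =/usr/local/sbin
POLFILE                =/usr/local/etc/tw.pol
DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
LOOSEDIRECTORYCHECKING =false
'

if [ "${1:-}" = "run" ]; then
    # Real workflow on a host where tripwire/twadmin are installed.
    sign_policy && init_db && check && update_db && report_loose_dir_checking
else
    # Offline demonstration of the config reader on the constructed sample.
    printf 'sample POLFILE: %s\n' "$(printf '%s' "$SAMPLE_CFG" | cfg_value POLFILE)"
    if printf '%s' "$SAMPLE_CFG" | loose_dir_checking; then
        echo "sample: loose directory checking is on"
    else
        echo "sample: loose directory checking is off"
    fi
fi
```

Run it with `run` as the first argument on the Tripwire host; without arguments it only exercises the config reader on the embedded sample. One caveat before flipping LOOSEDIRECTORYCHECKING to true: it only suppresses reports about the directory entry's own attributes (size, link count, timestamps, hash) when files are added, removed or rewritten inside it. Changes to the files themselves are still reported, so it silences the /usr/local/etc noise without hiding an edit to tw.pol or site.key. Updating the database after the first check, as JSD says, is what clears the initial violations; the setting is optional on top of that.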