For my server I use OpenVZ for virtualisation. This means my system has a lot of chroot environments under /var/lib/vz/private/* which I want to include in tripwire's configuration. The virtual containers themselves should not contain any traces of tripwire; I want to check them from the host file system.
I could do that by extending the policy file with about 10 almost-redundant copies of itself, but that is not what a policy file should be. My /etc/tripwire/twpol.txt would look like this:
$ grep -E 'rulename.*Other libraries|/usr/lib' /etc/tripwire/twpol.txt
rulename = "Other libraries",
/usr/lib -> $(SEC_BIN) ;
rulename = "Subsystem 123, Other libraries",
/var/lib/vz/private/123/usr/lib -> $(SEC_BIN) ;
rulename = "Subsystem 125, Other libraries",
/var/lib/vz/private/125/usr/lib -> $(SEC_BIN) ;
rulename = "Subsystem 631, Other libraries",
/var/lib/vz/private/631/usr/lib -> $(SEC_BIN) ;
I would rather create just one policy file for all VMs and let tripwire substitute their paths via a command-line option like --root. Example:
tripwire -m c -p /etc/tripwire/tw-vm.pol -d /var/lib/tripwire/vm-123.twd --root /var/lib/vz/private/123/
tripwire -m c -p /etc/tripwire/tw-vm.pol -d /var/lib/tripwire/vm-125.twd --root /var/lib/vz/private/125/
tripwire -m c -p /etc/tripwire/tw-vm.pol -d /var/lib/tripwire/vm-631.twd --root /var/lib/vz/private/631/
Other examples of programs that support this option (I'm using Debian):
-r, --root=DIR root directory to check (default /)
--root=<directory> Install on a different root directory.
The -c, -p, -d options etc. should still be relative to the host system's paths.
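One way to get the effect the question asks for without a --root option, as an added example that is not part of the original post and not tripwire's own feature: keep a single policy template whose paths carry a placeholder prefix, render one policy text per container with sed, and drive twadmin and tripwire from the host with per-container policy and database files. The @ROOT@ and @VEID@ placeholders, the template name /etc/tripwire/tw-vm.txt and the per-container file names are assumptions of this example; the container location /var/lib/vz/private/<VEID> and the -m c / -p / -d invocation come from the question.

```sh
#!/bin/sh
# Added example (not from the original post): render one tripwire policy per
# OpenVZ container by substituting a root prefix into a shared template, then,
# when the tripwire tools are present, compile and check each container from
# the host. Assumed: @ROOT@/@VEID@ placeholders, /etc/tripwire/tw-vm.txt as the
# template, containers under /var/lib/vz/private/<VEID>.

set -eu

VZ_PRIVATE=${VZ_PRIVATE:-/var/lib/vz/private}
TW_DIR=${TW_DIR:-/etc/tripwire}
DB_DIR=${DB_DIR:-/var/lib/tripwire}

# render_policy TEMPLATE ROOT VEID
#   Print TEMPLATE with @ROOT@ replaced by ROOT (trailing slash stripped, so
#   ROOT="" or "/" both give host paths such as /usr/lib) and @VEID@ replaced
#   by VEID. Everything else in the policy passes through untouched.
render_policy() {
    template=$1
    root=${2%/}
    veid=$3
    # '|' as the sed delimiter because the root itself contains slashes
    sed -e "s|@ROOT@|$root|g" -e "s|@VEID@|$veid|g" "$template"
}

# list_veids: numeric directory names under $VZ_PRIVATE, one per line
list_veids() {
    for d in "$VZ_PRIVATE"/*/; do
        [ -d "$d" ] || continue
        v=$(basename "$d")
        case $v in
            *[!0-9]*) ;;          # skip anything that is not a container id
            *) echo "$v" ;;
        esac
    done
}

# Constructed sample template (one trimmed rule in Debian twpol.txt style).
# A real template carries every rule of twpol.txt with paths prefixed by @ROOT@.
write_sample_template() {
    cat > "$1" <<'EOF'
(
  rulename = "Subsystem @VEID@, Other libraries",
  severity = $(SIG_MED)
)
{
  @ROOT@/usr/lib -> $(SEC_BIN) ;
}
EOF
}

# check_container VEID: render, compile and check one container's policy.
# Policy text, compiled policy and database all stay on the host, outside the
# container, so the container itself carries no trace of tripwire.
check_container() {
    veid=$1
    root=$VZ_PRIVATE/$veid
    txt=$TW_DIR/tw-vm-$veid.txt
    pol=$TW_DIR/tw-vm-$veid.pol
    db=$DB_DIR/vm-$veid.twd
    render_policy "$TW_DIR/tw-vm.txt" "$root" "$veid" > "$txt"
    twadmin -m P -c "$TW_DIR/tw.cfg" -p "$pol" "$txt"
    if [ -f "$db" ]; then
        tripwire -m c -c "$TW_DIR/tw.cfg" -p "$pol" -d "$db"
    else
        tripwire -m i -c "$TW_DIR/tw.cfg" -p "$pol" -d "$db"
    fi
}

# Only drive the real tools when they are installed, we are root, and the
# container directory exists; otherwise the functions above are just defined.
if command -v twadmin >/dev/null 2>&1 && [ "$(id -u)" = 0 ] && [ -d "$VZ_PRIVATE" ]; then
    for veid in $(list_veids); do check_container "$veid"; done
fi
```

Each container gets its own compiled policy and database, so a changed or compromised container cannot influence the check of another one, and the host's own policy stays a separate file. twadmin -m P and tripwire -m i prompt for the site and local passphrases respectively, so the loop is meant for an interactive run on the host rather than straight from cron.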