17.6. Integrity or Interactive Check Mode

Tripwire has a feature called Integrity Check Mode. Now that our database has been built, we can run this feature to compare the current file system objects with their properties as recorded in the Tripwire database. All violations of files will be printed to stdout, the report-generated file will be saved and can later be accessed by the twprint utility. The syntax for integrity check mode is:

           [root@deep] /#tripwire --check
To run the integrity check mode, use the command:

           [root@deep] /#tripwire --check

Tripwire can also be run in Interactive Check Mode. In this mode you can automatically update your changes via the terminal. To run in interactive check mode, use the command:

           [root@deep] /#tripwire --check --interactive

An email option exists with Tripwire and allows you to send email. This option will specify that reports be emailed to the recipients designated in the policy file. To run in integrity check mode and send email to the recipient, use the command:

           [root@deep] /#tripwire --check --email-report

Updating the database after an integrity check If you have decided to use the Integrity Check Mode of Tripwire instead of the Interactive Check Mode, you must update the Tripwire database with the Database Update Mode feature. This update process allows you to save time by updating the database without having to regenerate it, and it also enables selective updating, which cannot be done through regeneration. The syntax for database update mode is:

           [root@deep] /# tripwire --update -r
To update the database, use the command:

           [root@deep] /#tripwire --update -r /usr/TSS/report/deep.openna.com-200001-021854.twr
Where -r read the specified report file deep.openna.com-200001-021854.twr. This option is required since the REPORTFILE variable in the current configuration file uses $(DATE).

Important: In Database Update Mode or Interactive Check Mode, Tripwire software displays the report in your terminal with a ballot box next to each policy violation. You can approve a change to the file system by leaving the x next to each policy violation or remove the x from the ballot box and the database will not be updated with the new value(s) for that object. After you exit the editor and provide the local pass phrase, Tripwire software will update and save your changes.

Updating the policy file Some times you want to change the rules in your policy file to reflect new file locations or policy rules. A special command exists to do the work and update the database without requiring a complete re-initialization of the policy file. This can save a significant amount of time and preserves security by keeping the policy file synchronized with the database it uses. The syntax for policy update mode is:

           [root@deep] /#tripwire --update-policy /path/to/new/policy/file
To update the policy file, use the command:

           [root@deep] /#tripwire --update-policy /usr/TSS/policy/newtwpol.txt

The policy Update mode runs with the --secure-mode high option by default. You may encounter errors when running with this option if the file system has changed since the last database update, and if the changes cause a violation in the new policy. After determining that all of the violations reported in high security mode are authorized, you can update the policy file in low security mode to solve this situation: To update the policy file in low security mode, use the command:

           [root@deep] /#tripwire --update-policy --secure-mode low /usr/TSS/policy/newtwpol.txt