Generate the active policy file in human-readable format. [Recipe 1.2]
Add the given file or directory to the active policy file.
To mark the file /bin/ls for inclusion:
/bin/ls -> $(SEC_BIN) ;
To mark the entire directory tree /etc for inclusion:
/etc -> $(SEC_BIN) ;
To mark /etc and its files, but not recurse into subdirectories:
/etc -> $(SEC_BIN) (recurse=1) ;
To mark only the /etc directory but none of its files or subdirectories:
/etc -> $(SEC_BIN) (recurse=0) ;
Then reinitialize the database. [Recipe 1.3]
The policy is a list of rules stored in a policy file. A rule looks like:
filename -> rule ;
which means that the given file (or directory) should be considered compromised if the given rule is broken. For instance,
/bin/login -> +pisug ;
means that /bin/login is suspect if its file permissions (p), inode number (i), size (s), user (u), or group (g) have changed since the last snapshot. We won’t document the full policy syntax because Tripwire’s manual is quite thorough. Our recipe uses a predefined rule in a global variable, SEC_BIN, designating a binary file that should not change.
The recurse=n attribute for a directory tells tripwire to recurse n levels deep into the filesystem. Zero means to consider only the directory file itself.
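As an added example (not code from the book or from Tripwire), the following Python reads rule lines in the form just described: it expands $(VARIABLE) references, applies + and - property masks, and picks up the recurse=n attribute, then answers whether a change to given properties would break a rule. The sample policy text, the definition SEC_BIN = +pisug and the use of -1 for "recurse without limit" are assumptions made for this example.

```python
import re

# Constructed sample policy (not the book's or Tripwire's default file).
SAMPLE_POLICY = """
SEC_BIN = +pisug ;
/bin/login -> +pisug ;
/bin/ls -> $(SEC_BIN) ;
/etc -> $(SEC_BIN) (recurse=1) ;
/etc/passwd -> $(SEC_BIN) -s ;
"""
VAR_RE = re.compile(r"\$\((\w+)\)")   # a $(NAME) variable reference

def expand(text, variables):
    """Replace every $(NAME) with its definition until none remain."""
    while VAR_RE.search(text):
        text = VAR_RE.sub(lambda m: variables[m.group(1)], text)
    return text

def parse_mask(mask):
    """'+pisug -s' -> the set of property letters the rule checks."""
    checked, sign = set(), "+"
    for ch in mask.replace(" ", ""):
        if ch in "+-":
            sign = ch
        elif sign == "+":
            checked.add(ch)
        else:
            checked.discard(ch)
    return checked

def parse_policy(text):
    variables, rules = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        if "->" in line:                 # rule: object -> mask (attributes)
            obj, rhs = (s.strip() for s in line.split("->", 1))
            rhs = expand(rhs, variables)   # expand before stripping parens
            attrs = dict(re.findall(r"(\w+)\s*=\s*([-\w]+)", rhs))
            mask = re.sub(r"\([^)]*\)", "", rhs)
            depth = int(attrs.get("recurse", -1))   # assumption: -1 = unlimited
            rules[obj] = {"props": parse_mask(mask), "recurse": depth}
        elif "=" in line:                # variable definition: NAME = value
            name, value = (s.strip() for s in line.split("=", 1))
            variables[name] = value
    return rules

def violates(rules, path, changed):
    # True if any changed property letter is one the rule for path checks
    return bool(rules[path]["props"] & set(changed))
```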
It’s actually quite likely that you’ll need to modify the policy. The default policy supplied with Tripwire is tailored to a specific type of system or Linux distribution, and contains a number of files not necessarily present on yours.