This command is the lifeblood of Tripwire: has your system changed? It compares the current state of your filesystem against the Tripwire database, according to the rules in your active policy. The results of the comparison are written to standard output and also stored as a timestamped, signed Tripwire report.
You can also perform a limited integrity check against one or more files in the database. If your tripwire policy contains this rule:
( rulename = "My funky files", severity = 50 ) { /sbin/e2fsck -> $(SEC_CRIT) ; /bin/cp -> $(SEC_CRIT) ; /usr/tmp -> $(SEC_INVARIANT) ; /etc/csh.cshrc -> $(SEC_CONFIG) ; }
you can check selected files and directories with:
# tripwire --check /bin/cp /usr/tmp
or all files in the given rule with:
# tripwire --check --rule-name "My funky files"
or all rules with severities greater than or equal to a given value:
# tripwire --check --severity 40
Get Linux Security Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.