19.7. Updating the Tripwire Database
If you recently installed an application or edited critical system files, Tripwire will correctly report integrity check violations. In this case, you should update your Tripwire database so those changes are no longer reported as violations. However, if unauthorized changes are made to system files that generate integrity check violations, then you should restore the original file from a backup, reinstall the program, or, if the breach is severe enough, completely reinstall the operating system.
file. When updating the database, be sure to use the most recent report.
Use the following command to update the Tripwire database, where name is the name of the most recent report file:
/usr/sbin/tripwire --update --twrfile /var/lib/tripwire/report/<name>.twr |
Tripwire will display the report file using the default text editor specified on the EDITOR
 | Important |
|---|---|
It is important that you change only authorized integrity violations in the database. |
All proposed updates to the Tripwire database start with an [x] before the file name, similar to the following example:
Added: [x] "/usr/sbin/longrun" Modified: [x] "/usr/sbin" [x] "/usr/sbin/cpqarrayd" |
If you want to specifically exclude a valid violation from being added to the Tripwire database, remove the x.
To edit files in the default text editor, vi, type
i and press
After the editor closes, enter your local password and the database will be rebuilt and signed.
After a new Tripwire database is written, the newly authorized integrity violations will no longer show up as warnings.
| Главная |