...IMO, that is.
There are several ways to create the policy file needed by Tripwire. First, Tripwire comes with a default policy file and a bunch of sample policy files that can be tweaked and modified. Second, there are at least two scripts that I know of that can generate a custom policy file. One of those comes with Tripwire (create_twpol.sh), and the other one, by Bill Sharer, can easily be found on the Internet (gen_twpol.py).
I've used all of those methods at one time or another, and all of them work. But lately I've settled on the following very simple policy file that seems to work just as well. So far, it's found every file that I've added, deleted, or altered in any of the directories specified for Tripwire to check. It uses only Tripwire's pre-defined property mask variables, which don't have to be declared or defined again in a policy file (even though many of the examples do that). The result is not much to look at, but it works...
Code:
# Begin twpol.txt
# Only Tripwire's predefined property masks are used ($(Dynamic), $(IgnoreAll),
# $(IgnoreNone)), so nothing has to be declared before the rules.
(
  rulename = "Tripwire Data Files",
  severity = 100
)
{
  # Database directory: Dynamic mask minus the inode number.
  # The report directory is checked as an object only (recurse=0), not its contents.
  /var/lib/tripwire        -> $(Dynamic) -i ;
  /var/lib/tripwire/report -> $(Dynamic) (recurse=0) ;
}
(
  rulename = "Root & Home",
  severity = 100
)
{
  # IgnoreAll with recurse=1: report only entries added to or removed from the top level.
  /     -> $(IgnoreAll) (recurse=1) ;
  /home -> $(IgnoreAll) (recurse=1) ;
}
(
  rulename = "System Directories",
  severity = 100
)
{
  # IgnoreNone minus SHA (S), HAVAL (H) and access time (a); recursion is unlimited.
  /bin  -> $(IgnoreNone)-SHa ;
  /boot -> $(IgnoreNone)-SHa ;
  /etc  -> $(IgnoreNone)-SHa ;
  /lib  -> $(IgnoreNone)-SHa ;
  /opt  -> $(IgnoreNone)-SHa ;
  /root -> $(IgnoreNone)-SHa ;
  /sbin -> $(IgnoreNone)-SHa ;
  /usr  -> $(IgnoreNone)-SHa ;
}
# End twpol.txt
I chose not to check several directories such as /tmp, /var (except for Tripwire's own directories found in there), and the ones with the virtual filesystems (/dev, /proc, /run, /sys). Not much reason to bother with /mnt and /media. For / and /home, I decided to check them only for files and directories added to or deleted from their top levels. There isn't much use in going down into /home because of all the daily activity in there. And there isn't a need to recurse down the / directory because the individual top level sub-directories are treated recursively with their own separate property mask rules.
Anyway, I like doing it this way so far. And I think it works as well as one of those long exhaustive lists of individual files used in the examples or created by the scripts. I run it every day via fcron, which mails me the result.
Or am I missing something here? If someone sees something that I should reconsider, please say it now.
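As an added example (not part of the post above, and not Tripwire's own tooling), the script below parses a policy written in the syntax used in the post, expands the predefined property-mask variables, and reports what a given path actually ends up being checked for. It encodes the rule-selection behaviour Tripwire documents: the rule whose object is the longest prefix of the path wins, and that rule's recurse attribute decides how deep it reaches. The variable values are taken from the twpolicy(4) man page; the script handles only those predefined variables (as the post's policy does), and the paths fed to it are made up for illustration.

```python
"""Resolve what a Tripwire policy actually checks, path by path (added example)."""
import re
from collections import namedtuple

# Property-mask variables predefined by open-source Tripwire (twpolicy(4)).
PREDEFINED = {
    "ReadOnly":   "+pinugtsdbmCM-rlacSH",
    "Dynamic":    "+pinugtd-srlbamcCMSH",
    "Growing":    "+pinugtdl-srbamcCMSH",
    "Device":     "+pugsdr-intlbamcCMSH",
    "IgnoreAll":  "-pinugtsdrlbamcCMSH",
    "IgnoreNone": "+pinugtsdrbamcCMSH-l",
}
TOKEN = re.compile(r"\$\(\w+\)|\([^)]*\)|[+-]?[A-Za-z]+")  # $(Var) | (attrs) | +abc
BLOCK = re.compile(r"\(\s*([^)]*?)\s*\)\s*\{([^}]*)\}")     # ( attrs ) { rules }

Rule = namedtuple("Rule", "path mask attrs")        # mask: tokens like "$(IgnoreNone)", "-SHa"
Coverage = namedtuple("Coverage", "scanned rulename props")  # props == set() means existence only


def parse_attrs(text):
    """'rulename = "x", severity = 100' -> {'rulename': 'x', 'severity': '100'}"""
    pairs = (p.split("=", 1) for p in text.split(",") if "=" in p)
    return {k.strip(): v.strip().strip('"') for k, v in pairs}


def parse_policy(text):
    """Rules of a policy that, like the post's, uses only predefined variables."""
    rules = []
    for block in BLOCK.finditer(re.sub(r"#.*", "", text)):  # comments stripped first
        header = parse_attrs(block.group(1))
        for stmt in block.group(2).split(";"):
            if "->" not in stmt:
                continue
            obj, rhs = stmt.split("->", 1)
            attrs, mask = dict(header), []                  # per-rule attrs override block
            for tok in TOKEN.findall(rhs):
                if tok.startswith("("):
                    attrs.update(parse_attrs(tok[1:-1]))
                else:
                    mask.append(tok)
            rules.append(Rule(obj.strip(), mask, attrs))
    return rules


def expand_mask(tokens, props=None):
    """Apply +/- runs left to right; a leading run with no sign adds."""
    props = set() if props is None else props
    for tok in tokens:
        if tok.startswith("$("):
            expand_mask(TOKEN.findall(PREDEFINED[tok[2:-1]]), props)
            continue
        sign = "+"
        for ch in tok:
            if ch in "+-":
                sign = ch
            else:
                (props.add if sign == "+" else props.discard)(ch)
    return props


def coverage(rules, path):
    """Longest matching rule object wins; its recurse attribute decides the reach."""
    best = None
    for rule in rules:
        base = rule.path.rstrip("/")
        if path.rstrip("/") == base or path.startswith(base + "/"):
            if best is None or len(rule.path) > len(best.path):
                best = rule
    if best is None:
        return Coverage(False, "", set())
    base = best.path.rstrip("/")
    depth = 0 if path.rstrip("/") == base else len(path[len(base):].strip("/").split("/"))
    rec = str(best.attrs.get("recurse", "true")).lower()   # true = unlimited, false = 0
    limit = -1 if rec == "true" else 0 if rec == "false" else int(rec)
    scanned = limit < 0 or depth <= limit
    return Coverage(scanned, best.attrs.get("rulename", ""),
                    expand_mask(best.mask) if scanned else set())


# The post's twpol.txt, embedded here as the sample input.
SAMPLE_POLICY = """
(rulename = "Tripwire Data Files", severity = 100)
{ /var/lib/tripwire -> $(Dynamic) -i ; /var/lib/tripwire/report -> $(Dynamic) (recurse=0) ; }
(rulename = "Root & Home", severity = 100)
{ / -> $(IgnoreAll) (recurse=1) ; /home -> $(IgnoreAll) (recurse=1) ; }
(rulename = "System Directories", severity = 100)
{ /bin -> $(IgnoreNone)-SHa ; /boot -> $(IgnoreNone)-SHa ; /etc -> $(IgnoreNone)-SHa ;
  /lib -> $(IgnoreNone)-SHa ; /opt -> $(IgnoreNone)-SHa ; /root -> $(IgnoreNone)-SHa ;
  /sbin -> $(IgnoreNone)-SHa ; /usr -> $(IgnoreNone)-SHa ; }
"""

if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    for p in ("/etc/passwd", "/var/lib/tripwire/report/x.twr", "/home/alice/.bashrc", "/tmp/evil"):
        print(p, coverage(rules, p))
```

Run it and the three design decisions in the post become visible: /etc/passwd is checked for everything in IgnoreNone except S, H and a; files under /var/lib/tripwire/report are not scanned because the more specific recurse=0 rule overrides the parent's unlimited recursion; and /home/alice/.bashrc or /tmp/evil fall outside every rule's reach, so a change there will never appear in a report. This is a dry-run of the policy logic only; the authoritative check is still to compile the file with twadmin --create-polfile, run tripwire --init, and then tripwire --check after touching a file in each directory.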