Hi there --

I have tripwire 2.4.1.2 running on one of our servers on a daily basis, and I was curious to know if it is good practice to periodically update the policy file.

The reason for my asking that is while the daily reports that I get indicate there have been changes to files on a daily basis, there are also files that have not been modified for over a month. My thinking is an update of the policy file will establish an updated baseline, and those files that have not been changed for so long will not be reported on until they get changed again.

The idea that I had in mind was to run the update-policy option with tripwire once a week. Feedback and/or suggestions on this approach would be appreciated.

Thanks.

I don't know whether it's good practice, but I used to update the policy regularly just to get rid of the mountain of reports regarding files that always change. It is almost impossible to add them all to the policy at the beginning, so I added them as I went along to reduce the output from tripwire. Gradually you reduce the report down to the truly essential data, which, while still large, is not full of false alarms. Reading the whole report every day was very time consuming initially.

It's the files that *don't normally change* that you want to be checked, they're the ones that you want notification on. Log files and temp files are always changing so they are worthless as a security metric. Of course policies vary according to what the system is and what it is used for.