19.7. Updating the Tripwire Database
If you run an integrity check and Tripwire finds violations, you will
first need to determine whether the violations discovered are actual
security breaches or the product of authorized modifications. If you
recently installed an application or edited critical system files,
Tripwire will correctly report integrity check violations. In this case,
you should update your Tripwire database so those changes are no longer
reported as violations. However, if unauthorized changes are made to
system files that generate integrity check violations, then you should
restore the original file from a backup, reinstall the program, or, if
the breach is severe enough, completely reinstall the operating system.
To update the Tripwire database so it accepts valid policy violations,
Tripwire first cross-references a report file against the database and
then integrates into it valid violations from the report file. When
updating the database, be sure to use the most recent report.
Use the following command to update the Tripwire database, where
name is the name of the most recent report
/usr/sbin/tripwire --update --twrfile /var/lib/tripwire/report/<name>.twr
Tripwire will display the report file using the default text editor
specified on the EDITOR line of the
Tripwire configuration file. This gives you an opportunity to deselect
files you do not wish to update in the Tripwire database.
It is important that you change only authorized
integrity violations in the database.
All proposed updates to the Tripwire database start with an
[x] before the file name, similar to the following
If you want to specifically exclude a valid violation from being added
to the Tripwire database, remove the x.
To edit files in the default text editor, vi, type
i and press [Enter] to enter insert
mode and make any necessary changes. When finished, press the
[Esc] key, type :wq, and press
After the editor closes, enter your local password and the database
will be rebuilt and signed.
After a new Tripwire database is written, the newly authorized integrity
violations will no longer show up as warnings.