2

I am trying to create a policy file in Open Source Tripwire where I want to add a rule to ignore all additions and deletions of files within a given directory while still detecting modifications to files within the same directory.

I checked the twpolicy man page and found the property masks to specify which modifications of files to monitor. However I was unable to find a property mask to make Tripwire ignore file additions and/or deletions.

Is what I am trying to do possible in Tripwire (Open source)? If so can someone please show me how to do that?

Nilushan Costa
  • 340
  • 2
  • 13

1 Answers1

2

A simple look at any number of pages on tw policy writing (example here) will tell you how to include a stop point in your policy.

Quoted from the above ref.:

Stop Points: Stop points are used to specify specific files or directories that Tripwire should not scan. The syntax for stop points is: ! object_name ;*

EDIT: If, per yr comment below, you only want to check on file modifications to the exclusion of "creation" & "deletion", there may be a problem of semantics in the interpretation of that specific policy rule, for creation and deletion of a file may be logically considered as "modifications". You might want to check on that. If so, the 1st property mask below may give you false positives in the sense that you will detect file modifications even if those flags are raised as the result of a creation or a deletion. Read on.

Meanwhile, see if the following property masks (as explained in the reference given in the 1st line) do it for you:

/fully/qualified/path/to/object ->  +m-i;

or

/fully/qualified/path/to/object ->  +M;

Explanation, see the man page:

  • m --- Modification timestamp
  • i --- inode's number
  • M --- MD5 hash value (only checks on file content, not permissions, etc.)

where:
+ means "record and check the following property"
- means "ignore the following property"

I assume that you are already familiar with inodes. If not StartPage is your friend... You will probably need to experiment a bit.

HTH.

Cbhihe
  • 2,549
  • 2
  • 21
  • 30
  • Stop points will prevent a directory from being scanned at all. But what I want is to prevent Tripwire from detecting additions and deletions of files within a directory. However, I still want it to detect file modifications within that directory. I will edit my question to make my requirement clearer. – Nilushan Costa Sep 25 '17 at 03:59
  • @Nilushan: 1) what is your use-case ? 2) Did you actually look at the link included in my original answer ? See my expanded answer above. – Cbhihe Sep 25 '17 at 12:45
  • 1) I have an application server. All files and directories (configurations, scripts etc..) of this are in a single directory, say /dir1. This server adds & deletes temporary files inside /dir1 when it is running. I want to ensure that the user ID and group ID of /dir1 and its content (including that of those temporary files) do not change. When tripwire runs a check, "expected values" of UID and GID are blank for newly added temporary files as they were not there when the tripwire database was created. But there is an "observed value" now. [continued in next comment...] – Nilushan Costa Oct 19 '17 at 04:08
  • [continued from above...] As these two are different, tripwire reports this as a violation. Similarly, when temporary files are deleted they too are reported as violations due to the mismatch of "expected value" and "observed value". 2) Yes. I read the twpolicy man page – Nilushan Costa Oct 19 '17 at 04:10