How to update the Tripwire Policy

I finally figured out why I couldn’t update my Tripwire Policy. Tripwire is an amazing tool that checks the integrity of your computer’s filesystem, thereby detecting intrusions. But there are some pitfalls…

I write this down as a note to myself, and to help those poor souls who have the same problem.

The Problem
I successfully installed and ran Tripwire on my system. But the policy file I used needed some tuning. When I tried to update the policy (not the database!), I encountered several error messages as follows:

 ...
 ### Object name: Conflicting properties for object /etc
 ### > Modify Time
 ### > Change Time
 ### Object name: Conflicting properties for object /usr
 ### > Modify Time
 ### > Change Time
 ...

… and many more. Note that my database was clean – essentially, I first ran

 tripwire -m c 

to check the system, then I ran

 tripwire -m u -r /path/to/report 

to update the database with the changes. Just to be sure, I ran the check again to make sure that 0 files were affected, and last I ran

 tripwire -m p /path/to/policy 

to update the policy, and I got those nasty errors shown above.

The Solution
I found two extensive Google Group discussion threads about this topic, but neither came to a conclusion (Thread 1, Thread 2). The problem was entirely elsewhere: in the Tripwire configuration file (twcfg.txt) I set LOOSEDIRECTORYCHECKING = true, because I just wanted to ignore directories. I assume this is a bug (and I’ll report it to the Tripwire team): the database update honors this setting, but the policy update does not. Thus, the policy update sees inconsistencies, but the database update does not. Setting it back to false and running the database update again allowed me to update the policy without a problem.
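
A pre-flight check for the condition described above, as an added example that is not part of the original post or of Tripwire itself: it reads configuration text in twcfg.txt format and refuses to proceed when LOOSEDIRECTORYCHECKING is true. The function names and the sample configurations are made up for illustration, and reporting the last assignment when the key appears more than once is an assumption.

```sh
#!/bin/sh
# Added example: check LOOSEDIRECTORYCHECKING before running `tripwire -m p`.
# Input on stdin is configuration text in twcfg.txt format
# (NAME = value, '#' starts a comment).

# Prints the value of LOOSEDIRECTORYCHECKING ("true", "false", ...) or "unset".
# Assumption: if the key appears more than once, the last assignment is reported.
loose_dir_value() {
    awk -F= '
        /^[ \t]*#/ { next }                  # skip whole-line comments
        {
            key = $1
            gsub(/[ \t]/, "", key)
            if (toupper(key) != "LOOSEDIRECTORYCHECKING") next
            val = $2
            sub(/#.*/, "", val)              # drop a trailing comment
            gsub(/[ \t\r]/, "", val)         # drop blanks and a stray CR
            last = tolower(val)
        }
        END { print (last == "" ? "unset" : last) }
    '
}

# Returns 0 when the policy update can go ahead, 1 when the setting is "true".
policy_update_preflight() {
    value=$(loose_dir_value)
    if [ "$value" = "true" ]; then
        echo "LOOSEDIRECTORYCHECKING is true: set it to false and run the" >&2
        echo "database update again before updating the policy." >&2
        return 1
    fi
    return 0
}

# Constructed sample configurations, not taken from a real system.
SAMPLE_LOOSE='# constructed sample
ROOT = /usr/sbin
LOOSEDIRECTORYCHECKING = true
'
SAMPLE_STRICT='#LOOSEDIRECTORYCHECKING = true
LOOSEDIRECTORYCHECKING =false   # back to the default
'

# Real use, checking the active configuration rather than the text file:
#   twadmin --print-cfgfile | policy_update_preflight && tripwire -m p /path/to/policy
```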

I hope this information is useful to somebody out there 🙂