You want to change the set of files and directories that tripwire examines, or change tripwire's default behavior.
Extract the policy and configuration to plaintext files: [Recipe 1.2]
# cd /etc/tripwire
# twadmin --print-polfile > twpol.txt
# twadmin --print-cfgfile > twcfg.txt
Modify the policy file twpol.txt and/or the configuration file twcfg.txt with any text editor. Then re-sign the modified files: [Recipe 1.1]
# twadmin --create-cfgfile --cfgfile /etc/tripwire/tw.cfg \
          --site-keyfile site_key /etc/tripwire/twcfg.txt
# twadmin --create-polfile --cfgfile /etc/tripwire/tw.cfg \
          --site-keyfile site_key /etc/tripwire/twpol.txt
and reinitialize the database: [Recipe 1.1]
# tripwire --init
# rm twcfg.txt twpol.txt
This is much like setting up Tripwire from scratch [Recipe 1.1], except our existing, cryptographically signed policy and configuration files are first converted to plaintext. [Recipe 1.2]
You'll want to modify the policy if tripwire complains that a file does not exist:
### Error: File could not be opened.
Edit the policy file and remove or comment out the reference to this file if it does not exist on your system. Then re-sign the policy file.
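The edit described above can be scripted. The following is an added example, not part of the original recipe: a shell function that comments out policy rules whose path is missing and reports each one on stderr for review before re-signing. The function name comment_missing and its optional root prefix are hypothetical, and it assumes rules of the form "/path -> mask ;" with unquoted, literal absolute paths.

```shell
#!/bin/sh
# Added example (not from the original recipe): comment out rules in a
# plaintext Tripwire policy whose object path does not exist on this host.
# comment_missing and its optional "root" prefix are hypothetical names.
# Only unquoted, literal absolute paths ("/path -> mask ;") are checked;
# rules using $(VARIABLES) or quoted names are passed through unchanged.
# Usage after sourcing this file: comment_missing twpol.txt > twpol.new

comment_missing() {
    policy=$1
    root=${2:-}      # assumption: optional prefix so the check can run in a test tree
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop leading blanks so indented rules inside rule blocks match too.
        rule=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//')
        case $rule in
            /*'->'*)
                # The object name is everything before "->".
                path=$(printf '%s\n' "$rule" | sed 's/[[:space:]]*->.*$//')
                case $path in
                    *'$('*) printf '%s\n' "$line"; continue ;;
                esac
                # -L catches dangling symlinks, which still exist as objects.
                if [ -e "$root$path" ] || [ -L "$root$path" ]; then
                    printf '%s\n' "$line"
                else
                    printf 'commented out: %s\n' "$path" >&2
                    printf '# %s\n' "$line"
                fi
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done < "$policy"
}
```

Check each path reported on stderr before re-signing: a file that is absent because it was never installed is different from one that has disappeared.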
You don't need to follow this procedure if you're simply updating the database after an integrity check [Recipe 1.11], only if you've modified the policy or configuration.
twadmin(8), tripwire(8).