The Linux Page

tripwire while updating the policy settings: Error: Policy Update Changed Object.

As I was trying to remove some annoying entries in my Tripwire policy, I started getting errors. The first time I did not pay close attention, but the next day the policy had not changed! So I looked at it closer and noticed that if a file changed since the last update, then tripwire refuses to update the policy. That is, if the secure mode is set to high.

So to update my tripwire policy I was running:

sudo tripwire -m p -p /etc/tripwire/tw.pol /etc/tripwire/twpol.txt

which now (at least since 13.04, maybe in 12.10?) means the secure mode is left alone and is marked as being high by default.

All you have to do is drop the security level to low as in:

sudo tripwire -m p -p /etc/tripwire/tw.pol --secure-mode low /etc/tripwire/twpol.txt

Note that you should then verify that only files that are expected to change (i.e. cups files, your twpol.txt file, maybe the .twpol.txt.swp file if you use gvim) appear in the output.

For example, I just changed the twpol.txt file (duh!) and I get this warning (would be an error with the secure mode set to high):

### Object name: Conflicting properties for object /etc/tripwire/twpol.txt
### > Size
### > Modify Time
### > CRC32
### > MD5
### Continuing...

Assuming that phase 1 worked, you will now see the following few lines:

======== Step 2: Updating the database with new objects.
======== Step 3: Pruning unneeded objects from the database.
Wrote policy file: /etc/tripwire/tw.pol
Wrote database file: /var/lib/tripwire/halk.twd

The "Wrote ..." lines are what prove that it worked. On failure you do not see those two lines; instead you get the following:

======== Step 2: Updating the database with new objects.
======== Step 3: Pruning unneeded objects from the database.
Policy update failed; policy and database files were not altered.
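
Both checks described above (only expected objects show up in the conflict warnings, and both "Wrote ..." lines are present) can be scripted over the captured output of the update. This is an added example, not part of the original post; the function names and the /usr/bin/example-tool path in the constructed sample log are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the captured output of a
# "tripwire -m p ... --secure-mode low" run.
# check_tw_update LOGFILE ALLOWED_PATH...
#   0 = policy and database written, every changed object is on the allowlist
#   1 = update not written (failure line present or a "Wrote" line missing)
#   2 = update written, but an object outside the allowlist had changed
check_tw_update() {
    log=$1; shift
    # Success requires both "Wrote" lines and no failure line.
    if grep -q '^Policy update failed' "$log" ||
       ! grep -q '^Wrote policy file: ' "$log" ||
       ! grep -q '^Wrote database file: ' "$log"; then
        echo "policy update was NOT written" >&2
        return 1
    fi
    status=0
    # Each conflict warning names the changed object at the end of the line.
    conflicts=$(sed -n 's/^.*Conflicting properties for object //p' "$log")
    while IFS= read -r obj; do
        [ -n "$obj" ] || continue
        allowed=no
        for ok in "$@"; do
            if [ "$obj" = "$ok" ]; then allowed=yes; fi
        done
        if [ "$allowed" = no ]; then
            echo "unexpected changed object: $obj" >&2
            status=2
        fi
    done <<EOF
$conflicts
EOF
    return "$status"
}

# Constructed sample log, assembled from the message formats quoted above;
# /usr/bin/example-tool is a made-up path standing in for an unexpected change.
sample_log() {
    cat <<'EOF'
### Object name: Conflicting properties for object /etc/tripwire/twpol.txt
### > Size
### Continuing...
### Object name: Conflicting properties for object /usr/bin/example-tool
### > MD5
### Continuing...
======== Step 2: Updating the database with new objects.
======== Step 3: Pruning unneeded objects from the database.
Wrote policy file: /etc/tripwire/tw.pol
Wrote database file: /var/lib/tripwire/halk.twd
EOF
}
```

Capture the update's output to a file (stdout and stderr together) and pass the paths you expect to have changed; a return value of 2 means the low secure mode accepted a change you did not anticipate and it should be investigated.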

Source for the solution: Trip Wire Security Update