Tripwire can send email to a designated person when a particular
rule in the policy file is violated. To configure
Tripwire to do this, you first have to know
the email address of the person to be contacted if a particular
integrity violation occurs, plus the name of the rule you would like to
monitor. Note that on large systems with multiple administrators, you
can have different sets of people notified for certain violations and no
one notified for minor violations.
Once you know whom to notify and what to notify them about, add an
emailto= line to the rule directive section of each
rule. Do this by adding a comma after the severity= line
and putting emailto= on the next line, followed by
the email addresses to which the violation reports for that
rule should be sent. If more than one address is specified, separate
the addresses with a semicolon; a report is then sent to each of them.
For example, if you would like two administrators, Sam and Bob, notified
if a networking program is modified, change the Networking Programs rule
directive in the policy file to look like this:
(
rulename = "Networking Programs",
severity = $(SIG_HI),
emailto = bob@domain.com;sam@domain.com
)
Once a new signed policy file is generated from the
/etc/tripwire/twpol.txt file, the specified email
addresses will be notified upon violations of that particular rule. For
instructions on signing your policy file, see the section called Updating the Policy File.
To make sure that Tripwire's email
notification configuration can actually send email correctly, use the
following command:
/usr/sbin/tripwire --test --email your@email.address
A test email will immediately be sent to the email address by the
tripwire program.