TWADMIN(8)                  System Manager's Manual                 TWADMIN(8)

NAME

       twadmin - Tripwire administrative and utility tool

SYNOPSIS

       twadmin { -m F | --create-cfgfile }  options...
            configfile.txt
       twadmin { -m f | --print-cfgfile } [ options... ]
       twadmin { -m P | --create-polfile } [ options... ]
            policyfile.txt
       twadmin { -m p | --print-polfile } [ options... ]
       twadmin { -m R | --remove-encryption } [ options... ]
            file1 [ file2... ]
       twadmin { -m E | --encrypt } [ options... ]
            file1 [ file2... ]
       twadmin { -m e | --examine } [ options... ]
            file1 [ file2... ]
       twadmin { -m G | --generate-keys } options...
       twadmin { -m C | --change-passphrases } options...

DESCRIPTION

       The twadmin utility is used to perform certain administrative functions
       related to Tripwire files and configuration options.  Specifically,
       twadmin allows encoding, decoding, signing, and verification of
       Tripwire files, and provides a means to generate and change local and
       site keys.

   Creating a configuration file (--create-cfgfile)
       This command mode designates an existing text file as the new
       configuration file for Tripwire.  The plain text configuration file
       must be specified on the command line.  Using the site key, the new
       configuration file is encoded and saved.

   Printing a configuration file (--print-cfgfile)
       This command mode prints the specified encoded and signed configuration
       file in clear-text form to standard output.

   Replacing a policy file (--create-polfile)
       This command mode designates an existing text file as the new policy
       file for Tripwire.  The plain text policy file must be specified on the
       command line.  Using the site key, the new policy file is encoded and
       saved.

   Printing a policy file (--print-polfile)
       This command mode prints the specified encoded and signed policy file
       in clear-text form to standard output.

   Removing encryption from a file (--remove-encryption)
       This command mode allows the user to remove signing from signed
       configuration, policy, database, or report files.  Multiple files may
       be specified on the command line.  The user will need to enter the
       appropriate local or site keyfile, or both if a combination of files is
       to be verified.  Even with the cryptographic signing removed, these
       files will be in a binary encoded (non-human-readable) form.

   Encrypting a file (--encrypt)
       This command mode allows the user to sign configuration, policy,
       database files, or reports.  Multiple files may be specified on the
       command line.  The files will be signed using either the site or local
       key, as appropriate for the type of file.  To automate the process, the
       passphrase for the key files can be included on the command line.

   Examining the signing status of a file (--examine)
       This command allows the user to examine the listed files and print a
       report of their signing status.  This report displays the filename,
       file type, whether or not a file is signed, and what key (if any) is
       used to sign it.

   Generating keys (--generate-keys)
       This command mode generates site and/or local key files with names
       specified by the user.

   Changing passphrases (--change-passphrases)
       This command reencrypts the private part of the site and/or local key
       files using the key filenames and passphrases specified by the user.

OPTIONS

   Creating a configuration file:
           -m F            --create-cfgfile
           -v              --verbose
           -s              --silent, --quiet
           -c cfgfile      --cfgfile cfgfile
           -S sitekey      --site-keyfile sitekey
           -Q passphrase   --site-passphrase passphrase
           -e              --no-encryption
           configfile.txt

       -m F, --create-cfgfile
              Mode selector.

       -v, --verbose
              Verbose output mode.  Mutually exclusive with (-s).

       -s, --silent, --quiet
              Silent output mode.  Mutually exclusive with (-v).

       -c cfgfile, --cfgfile cfgfile
              Specify the destination of the encoded (and optionally signed)
              configuration file.

       -S sitekey, --site-keyfile sitekey
              Use the specified site key file to encode and sign the new
              configuration file.  Exactly one of (-S) or (-e) must be
              specified.

       -Q passphrase, --site-passphrase passphrase
              Specifies passphrase to be used with site key for configuration
              file encoding and signing.  Valid only in conjunction with (-S).

       -e, --no-encryption
              Do not sign the configuration file being stored.  The
              configuration file will still be compressed, and will not be
              human-readable.  Mutually exclusive with (-Q) and (-S).

       configfile.txt
              Specifies the text configuration file that will become the new
              configuration file.

______________________________________________________________________________

   Printing a configuration file:
           -m f           --print-cfgfile
           -v             --verbose
           -s             --silent, --quiet
           -c cfgfile     --cfgfile cfgfile

       -m f, --print-cfgfile
              Mode selector.

       -v, --verbose
              Verbose output mode.  Mutually exclusive with (-s).

       -s, --silent, --quiet
              Silent output mode.  Mutually exclusive with (-v).

       -c cfgfile, --cfgfile cfgfile
              Print the specified configuration file.

______________________________________________________________________________

   Creating a policy file:
           -m P            --create-polfile
           -v              --verbose
           -s              --silent, --quiet
           -c cfgfile      --cfgfile cfgfile
           -p polfile      --polfile polfile
           -S sitekey      --site-keyfile sitekey
           -Q passphrase   --site-passphrase passphrase
           -e              --no-encryption
           policyfile.txt

       -m P, --create-polfile
              Mode selector.

       -v, --verbose
              Verbose output mode.  Mutually exclusive with (-s).

       -s, --silent, --quiet
              Silent output mode.  Mutually exclusive with (-v).

       -c cfgfile, --cfgfile cfgfile
              Use the specified configuration file.

       -p polfile, --polfile polfile
              Specify the destination of the encoded (and optionally signed)
              policy file.

       -S sitekey, --site-keyfile sitekey
              Use the specified site key file.  Mutually exclusive with (-e).

       -Q passphrase, --site-passphrase passphrase
              Specifies passphrase to be used with site key for policy
              signing.  Mutually exclusive with (-e).

       -e, --no-encryption
              Do not sign the policy file being stored.  The policy file will
              still be compressed, and will not be human-readable.  Mutually
              exclusive with (-Q) and (-S).

       policyfile.txt
              Specifies the text policy file that will become the new policy
              file.

______________________________________________________________________________

   Printing a policy file:
           -m p           --print-polfile
           -v             --verbose
           -s             --silent, --quiet
           -c cfgfile     --cfgfile cfgfile
           -p polfile     --polfile polfile
           -S sitekey     --site-keyfile sitekey

       -m p, --print-polfile
              Mode selector.

       -v, --verbose
              Verbose output mode.  Mutually exclusive with (-s).

       -s, --silent, --quiet
              Silent output mode.  Mutually exclusive with (-v).

       -c cfgfile, --cfgfile cfgfile
              Use the specified configuration file.

       -p polfile, --polfile polfile
              Print the specified policy file.

       -S sitekey, --site-keyfile sitekey
              Use the specified site key file.

______________________________________________________________________________

   Removing encryption from a file:
           -m R            --remove-encryption
           -v              --verbose
           -s              --silent, --quiet
           -c cfgfile      --cfgfile cfgfile
           -L localkey     --local-keyfile localkey
           -S sitekey      --site-keyfile sitekey
           -P passphrase   --local-passphrase passphrase
           -Q passphrase   --site-passphrase passphrase
           file1 [ file2... ]

       -m R, --remove-encryption
              Mode selector.

       -v, --verbose
              Verbose output mode.  Mutually exclusive with (-s).

       -s, --silent, --quiet
              Silent output mode.  Mutually exclusive with (-v).

       -c cfgfile, --cfgfile cfgfile
              Use the specified configuration file.

       -L localkey, --local-keyfile localkey
              Specify the local keyfile to use to verify database files and
              reports.

       -S sitekey, --site-keyfile sitekey
              Specify the site keyfile to use to verify configuration and
              policy files.

       -P passphrase, --local-passphrase passphrase
              Specify the passphrase to use when verifying with the old local
              keyfile.

       -Q passphrase, --site-passphrase passphrase
              Specify the passphrase to use when verifying with the old site
              keyfile.

       file1 [ file2... ]
              List of files from which signing is to be removed.

______________________________________________________________________________

   Encrypting a file:
           -m E            --encrypt
           -v              --verbose
           -s              --silent, --quiet
           -c cfgfile      --cfgfile cfgfile
           -L localkey     --local-keyfile localkey
           -S sitekey      --site-keyfile sitekey
           -P passphrase   --local-passphrase passphrase
           -Q passphrase   --site-passphrase passphrase
           file1 [ file2... ]

       -m E, --encrypt
              Mode selector.

       -v, --verbose
              Verbose output mode.  Mutually exclusive with (-s).

       -s, --silent, --quiet
              Silent output mode.  Mutually exclusive with (-v).

       -c cfgfile, --cfgfile cfgfile
              Use the specified configuration file.

       -L localkey, --local-keyfile localkey
              Specify the local keyfile to use to sign database files and
              reports.

       -S sitekey, --site-keyfile sitekey
              Specify the site keyfile to use to sign configuration and policy
              files.

       -P passphrase, --local-passphrase passphrase
              Specify the passphrase to use when signing with the local
              keyfile.

       -Q passphrase, --site-passphrase passphrase
              Specify the passphrase to use when signing with the site
              keyfile.

       file1 [ file2... ]
              List of files to sign using the new key(s).

______________________________________________________________________________

   Examining the encryption status of a file:
           -m e           --examine
           -v             --verbose
           -s             --silent, --quiet
           -c cfgfile     --cfgfile cfgfile
           -L localkey    --local-keyfile localkey
           -S sitekey     --site-keyfile sitekey
           file1 [ file2... ]

       -m e, --examine
              Mode selector.

       -v, --verbose
              Verbose output mode.  Mutually exclusive with (-s).

       -s, --silent, --quiet
              Silent output mode.  Mutually exclusive with (-v).

       -c cfgfile, --cfgfile cfgfile
              Use the specified configuration file.

       -L localkey, --local-keyfile localkey
              Specifies the key to use as a local key.

       -S sitekey, --site-keyfile sitekey
              Specifies the key to use as a site key.

       file1 [ file2... ]
              List of files to examine.

______________________________________________________________________________

   Generating keys:
           -m G            --generate-keys
           -v              --verbose
           -s              --silent, --quiet
           -L localkey     --local-keyfile localkey
           -S sitekey      --site-keyfile sitekey
           -P passphrase   --local-passphrase passphrase
           -Q passphrase   --site-passphrase passphrase
           -K size         --key-size size

       -m G, --generate-keys
              Mode selector.

       -v, --verbose
              Verbose output mode.  Mutually exclusive with (-s).

       -s, --silent, --quiet
              Silent output mode.  Mutually exclusive with (-v).

       -L localkey, --local-keyfile localkey
              Generate the local key into the specified file.  At least one of
              (-L) or (-S) must be specified.

       -S sitekey, --site-keyfile sitekey
              Generate the site key into the specified file.  At least one of
              (-S) or (-L) must be specified.

       -P passphrase, --local-passphrase passphrase
              Specify local passphrase to be used when generating the local
              key.

       -Q passphrase, --site-passphrase passphrase
              Specify site passphrase to be used when generating the site key.

       -K size, --key-size size
              Specify the key size (1024 or 2048 bits) when generating keys.
              (Default is 1024.)

______________________________________________________________________________

   Changing passphrases:
           -m C            --change-passphrases
           -v              --verbose
           -s              --silent, --quiet
           -L localkey     --local-keyfile localkey
           -S sitekey      --site-keyfile sitekey
           -P passphrase   --local-passphrase passphrase
           -Q passphrase   --site-passphrase passphrase
                           --local-passphrase-old passphraseOld
                           --site-passphrase-old passphraseOld

       -m C, --change-passphrases
              Mode selector.

       -v, --verbose
              Verbose output mode.  Mutually exclusive with (-s).

       -s, --silent, --quiet
              Silent output mode.  Mutually exclusive with (-v).

       -L localkey, --local-keyfile localkey
              Change passphrase used to encrypt the private key in the
              specified localkey file.  At least one of (-L) or (-S) must be
              specified.

       -S sitekey, --site-keyfile sitekey
              Change passphrase used to encrypt the private key in the
              specified sitekey file.  At least one of (-L) or (-S) must be
              specified.

       -P passphrase, --local-passphrase passphrase
              Specify passphrase used to encrypt the private key in the
              specified localkey file.

       -Q passphrase, --site-passphrase passphrase
              Specify passphrase used to encrypt the private key in the
              specified sitekey file.

       --local-passphrase-old passphraseOld
              Specify passphrase used to decrypt the private key in the
              specified localkey file.

       --site-passphrase-old passphraseOld
              Specify passphrase used to decrypt the private key in the
              specified sitekey file.
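
       Added example (not part of the original man page or of Tripwire): a
       shell lint for twadmin command lines in automation scripts, built from
       the option rules above.  It flags passphrases passed with -P/-Q or the
       long passphrase options (command-line arguments are readable in the
       process list and in the script file itself), -e/--no-encryption in the
       create modes, and key generation that leaves -K at its 1024-bit
       default.  The finding names, function names and sample lines are
       constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical names): lint twadmin command lines in scripts.
#   PASSPHRASE_ON_CMDLINE  -P/-Q or a long passphrase option is present
#   UNSIGNED_OUTPUT        -e/--no-encryption in a create mode (-m F, -m P)
#   DEFAULT_KEY_SIZE       -m G without -K/--key-size (default is 1024 bits)

audit_twadmin_line() {
    # $1: one command line. Prints the finding codes, space separated.
    mode="" prev="" has_e=0 has_k=0 has_pass=0 out=""
    set -f    # no filename expansion while splitting the line into words
    for word in $1; do
        case "$prev" in
            -m) mode=$word; prev=$word; continue ;;
            -P|-Q|--*-passphrase|--*-passphrase-old)
                prev=$word; continue ;;    # skip the passphrase value
        esac
        case "$word" in
            --create-cfgfile) mode=F ;;
            --create-polfile) mode=P ;;
            --generate-keys)  mode=G ;;
            -e|--no-encryption) has_e=1 ;;
            -K|--key-size)      has_k=1 ;;
            -P|-Q|--*-passphrase|--*-passphrase-old) has_pass=1 ;;
        esac
        prev=$word
    done
    set +f
    if [ "$has_pass" -eq 1 ]; then out="$out PASSPHRASE_ON_CMDLINE"; fi
    case "$mode" in
        F|P) if [ "$has_e" -eq 1 ]; then out="$out UNSIGNED_OUTPUT"; fi ;;
        G)   if [ "$has_k" -eq 0 ]; then out="$out DEFAULT_KEY_SIZE"; fi ;;
    esac
    echo "${out# }"
}

audit_script() {
    # Reads a script on stdin; prints "<line number>: <codes>" per finding.
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            *twadmin*)
                codes=$(audit_twadmin_line "$line")
                if [ -n "$codes" ]; then echo "$n: $codes"; fi ;;
        esac
    done
}

# Constructed sample input; file names and the passphrase are placeholders.
SAMPLE='twadmin -m G -S site.key -L local.key
twadmin -m F -c tw.cfg -S site.key -Q EXAMPLE-PASS twcfg.txt
twadmin -m P -c tw.cfg -p tw.pol -e twpol.txt
twadmin -m G -K 2048 -S site.key -L local.key'
audit_script_sample() { printf '%s\n' "$SAMPLE" | audit_script; }
```

       To check a real script, feed it on standard input: audit_script <
       script.sh.  Words are split on whitespace only, so a quoted passphrase
       containing spaces is not reassembled.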

EXIT STATUS

       twadmin exits 0 on success, 1 on error.

VERSION INFORMATION

       This man page describes twadmin version 2.4.

AUTHORS

       Tripwire, Inc.

COPYING PERMISSIONS

       Permission is granted to make and distribute verbatim copies of this
       man page provided the copyright notice and this permission notice are
       preserved on all copies.

       Permission is granted to copy and distribute modified versions of this
       man page under the conditions for verbatim copying, provided that the
       entire resulting derived work is distributed under the terms of a
       permission notice identical to this one.

       Permission is granted to copy and distribute translations of this man
       page into another language, under the above conditions for modified
       versions, except that this permission notice may be stated in a
       translation approved by Tripwire, Inc.

       Copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark
       of Tripwire, Inc. in the United States and other countries. All rights
       reserved.

SEE ALSO

       twintro(8), tripwire(8), twprint(8), siggen(8), twconfig(4),
       twpolicy(4), twfiles(5)

Open Source Tripwire 2.4          04 Jan 2018                       TWADMIN(8)