TWCONFIG(4)                Kernel Interfaces Manual                TWCONFIG(4)

NAME

       twconfig - Tripwire configuration file reference

DESCRIPTION

       The configuration file stores system-specific information, including
       the location of Tripwire data files, and the settings used to send
       email notification. The configuration file settings are generated
       during the installation process, but can be changed by the system
       administrator at any time.  The configuration file is signed with the
       site key, and the site passphrase is required to edit the file.

       During installation, a signed Tripwire configuration file tw.cfg will
       be created in the /etc/tripwire directory, and a plain text copy of
       this configuration file twcfg.txt will be created in the same
       directory.

       The configuration file is modified using the twadmin --create-cfgfile
       command.  With this command, the user can designate an existing plain
       text file as the current configuration file.  Using the current site
       key and passphrase, the new configuration file is cryptographically
       signed and saved with this command.

   Components of the Configuration File
       The Tripwire configuration file is structured as a list of
       keyword-value pairs, and may also contain comments and variable
       definitions.  Any lines with "#" in the first column are treated as
       comments.

       The general syntax for variable definition is:
           keyword  =  value
       For example:
           ROOT = /usr/tripwire
           EDITOR = /usr/local/bin/jove

       Variable substitution on the right hand side is permitted using the
       syntax:
           $(  varname  )
       For example:
           DBFILE = $(ROOT)/db/$(HOSTNAME).twd

       Variable names are case-sensitive, and may contain all alphanumeric
       characters, underscores, the characters "+-@:", and the period.  Two
       variables are predefined in the configuration file, and may not be
       changed.  HOSTNAME is the unqualified hostname that Tripwire is running
       on, and DATE is a string representation of the date and time.

   Required Variables
       The following variables must be set in order for Tripwire to operate.
       The values listed below are assigned during installation.

       POLFILE         Default = /etc/tripwire/tw.pol
       DBFILE          Default = /var/lib/tripwire/$(HOSTNAME).twd
       REPORTFILE      Default = /var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
       SITEKEYFILE     Default = /etc/tripwire/site.key
       LOCALKEYFILE    Default = /etc/tripwire/$(HOSTNAME)-local.key
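
       The syntax rules and required variables above, as an added example
       (not part of Tripwire or of this man page): a Python linter for a
       plain-text twcfg.txt that applies the comment, name, substitution and
       predefined-variable rules and reports missing required variables.  It
       assumes a variable must be defined on an earlier line before it can be
       substituted; parse_twcfg, SAMPLE and the DATE string are hypothetical
       or constructed.

```python
import re

# Name characters per this page: alphanumerics, underscore, "+-@:" and the period.
_NAME = r"[A-Za-z0-9_+\-@:.]+"
_ASSIGN = re.compile(rf"^\s*({_NAME})\s*=\s*(.*?)\s*$")
_REF = re.compile(rf"\$\(\s*({_NAME})\s*\)")
PREDEFINED = ("HOSTNAME", "DATE")
REQUIRED = ("POLFILE", "DBFILE", "REPORTFILE", "SITEKEYFILE", "LOCALKEYFILE")

def parse_twcfg(text, hostname, date):
    """Return (settings, problems) for the plain-text configuration in `text`."""
    settings = {"HOSTNAME": hostname, "DATE": date}
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):  # "#" in the first column
            continue
        m = _ASSIGN.match(line)
        if not m:
            problems.append(f"line {lineno}: not a keyword = value pair")
            continue
        name, raw = m.groups()
        if name in PREDEFINED:
            problems.append(f"line {lineno}: {name} is predefined and may not be changed")
            continue
        # Assumption: a variable must be defined on an earlier line to be substituted.
        for var in _REF.findall(raw):
            if var not in settings:
                problems.append(f"line {lineno}: $({var}) is not defined")
        settings[name] = _REF.sub(lambda r: settings.get(r.group(1), r.group(0)), raw)
    problems += [f"required variable {k} is not set" for k in REQUIRED if k not in settings]
    return settings, problems

# Constructed sample input, modelled on the defaults listed in this page.
SAMPLE = """\
# constructed example, not a real host's configuration
ROOT = /usr/tripwire
POLFILE = /etc/tripwire/tw.pol
DBFILE = $(ROOT)/db/$(HOSTNAME).twd
REPORTFILE = $( ROOT )/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE = /etc/tripwire/site.key
editor = $(root)/bin/vi
HOSTNAME = evil
"""

if __name__ == "__main__":
    cfg, issues = parse_twcfg(SAMPLE, hostname="lighthouse", date="20000618-141057")
    print(cfg["DBFILE"], cfg["REPORTFILE"], *issues, sep="\n")
```

       Because names are case-sensitive, the lowercase "editor" and "$(root)"
       lines in the sample neither set EDITOR nor resolve ROOT.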

   Other Variables
       The following variables are not required to run Tripwire, but some of
       the program's functionality will be lost without them.  The values
       assigned during installation are listed.

       EDITOR Specifies an editor to be used in interactive modes.  If EDITOR
              is not defined, and no editor is specified on the command line,
              using interactive modes will cause an error.
              Initial value:  /bin/vi

       TEMPDIRECTORY
              This variable can be set to the location to which tripwire
              should write its temporary files. By default it is /tmp, which
              due to the default permissions can be very insecure. It is
              recommended that you use this configuration variable to provide
              tripwire with a secure place to write temporary files. The
              directory used should have its permissions set such that only
              the owning process can read/write to it, i.e. "chmod 700".
              Initial value: /tmp

       GLOBALEMAIL
              This variable is set to a list of email addresses separated by
              either a comma ",", or semi-colon ";". If a report would have
              normally been sent out, it will also be sent to this list of
              recipients.
              Initial value:  none

       LATEPROMPTING
              Prompt for passphrase as late as possible to minimize the amount
              of time that the passphrase is stored in memory.  If the value
              is true (case-sensitive), then late prompting is turned on.
              With any other value, or if the variable is removed from the
              configuration file, late prompting is turned off.
              Initial value:  false

       LOOSEDIRECTORYCHECKING
              When a file is added or removed from a directory, Tripwire
              reports both the changes to the file itself, and the
              modification to the directory (size, num links, etc.).  This can
              create redundant entries in Tripwire reports.  With loose
              directory checking, Tripwire will not check directories for any
              properties that would change when a file was added or deleted.
              This includes: size, number of links, access time, change time,
              modification time, number of blocks, growing file, and all
              hashes.

              If the value for this variable is true (case-sensitive), then
              loose directory checking is turned on, and these properties will
              be ignored for all directories.  With any other value, or if the
              variable is removed from the configuration file, loose directory
              checking is turned off. Turning loose directory checking on is
              equivalent to appending the following propertymask to the rules
              for all directory inodes: -snacmblCMSH
              Initial value:  false

       SYSLOGREPORTING
              If this variable is set to true, messages are sent to the syslog
              for four events: database initialization, integrity check
              completions, database updates, and policy updates.  The syslog
              messages are sent from the "user" facility at the "notice" level.
              For more information, see the syslogd(1) man page and the
              syslog.conf file.  The following illustrates the information
              logged in the syslog for each of the four events:

              Jun 18 14:09:42 lighthouse tripwire[9444]: Database initialized:
              /var/lib/tripwire/test.twd

              Jun 18 14:10:57 lighthouse tripwire[9671]: Integrity Check Complete:
              TWReport lighthouse 20000618141057 V:2 S:90 A:1 R:0 C:1

              Jun 18 14:11:19 lighthouse tripwire[9672]: Database Update Complete:
              /var/lib/tripwire/test.twd

              Jun 18 14:18:26 lighthouse tripwire[9683]: Policy Update Complete:
              /var/lib/tripwire/test.twd

              The letters in the Integrity Checking log correspond to # of
              violations, maximum severity level, and # of files added,
              deleted, and changed, respectively.  With any value other than
              true, or if this variable is removed from the configuration
              file, syslog reporting will be turned off.
              Initial value:  true

       REPORTLEVEL
              Specifies the default level of report produced by the twprint
              --print-report mode. Valid values for this option are 0 to 4.
              The report level specified by this option can be overridden with
              the (-t or --report-level) option on the command line. If this
              variable is not included in the configuration file, the default
              report level is 3.  Note that only reports printed using the
              twprint --print-report mode are affected by this parameter;
              reports displayed by other modes and other commands are not
              affected.
              Initial value:  3
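
       The syslog lines shown under SYSLOGREPORTING can be consumed as
       follows; this is an added example, not part of Tripwire.  parse_events
       and triage are hypothetical names, the log lines are the page's samples
       joined onto one line each, and the host harbor is constructed to show a
       host whose checks never ran.

```python
import re

# "<timestamp> <host> tripwire[<pid>]: <event>: <detail>", as in the page's samples.
_EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) tripwire\[(?P<pid>\d+)\]: "
    r"(?P<event>Database initialized|Integrity Check Complete|"
    r"Database Update Complete|Policy Update Complete):\s*(?P<detail>.*)$"
)
_COUNTS = re.compile(r"\b([VSARC]):(\d+)")
FIELDS = {"V": "violations", "S": "max_severity", "A": "added", "R": "deleted", "C": "changed"}

def parse_events(lines):
    """Parse Tripwire syslog lines into dicts; lines from other programs are skipped."""
    events = []
    for line in lines:
        m = _EVENT.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        if ev["event"] == "Integrity Check Complete":
            ev.update({FIELDS[k]: int(v) for k, v in _COUNTS.findall(ev["detail"])})
        events.append(ev)
    return events

def triage(events, expected_hosts):
    """Return (host, reason) pairs that need an operator's attention."""
    alerts, checked = [], set()
    for ev in events:
        if ev["event"] == "Integrity Check Complete":
            checked.add(ev["host"])
            if ev.get("violations", 0) > 0:
                alerts.append((ev["host"], f"violations={ev['violations']} max_severity={ev.get('max_severity')}"))
        else:  # initialisation and updates replace the baseline: match to a change record
            alerts.append((ev["host"], f"{ev['event']}: {ev['detail']}"))
    # A host with no completed check is silent, not clean.
    alerts += [(h, "no integrity check logged") for h in sorted(set(expected_hosts) - checked)]
    return alerts

# The page's samples joined onto one line each, plus a constructed unrelated line.
SAMPLE_LOG = [
    "Jun 18 14:09:42 lighthouse tripwire[9444]: Database initialized: /var/lib/tripwire/test.twd",
    "Jun 18 14:10:57 lighthouse tripwire[9671]: Integrity Check Complete: "
    "TWReport lighthouse 20000618141057 V:2 S:90 A:1 R:0 C:1",
    "Jun 18 14:10:58 lighthouse sshd[812]: constructed unrelated line",
    "Jun 18 14:11:19 lighthouse tripwire[9672]: Database Update Complete: /var/lib/tripwire/test.twd",
    "Jun 18 14:18:26 lighthouse tripwire[9683]: Policy Update Complete: /var/lib/tripwire/test.twd",
]
if __name__ == "__main__":
    print(*triage(parse_events(SAMPLE_LOG), ["lighthouse", "harbor"]), sep="\n")
```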

   Email Notification Variables
       MAILMETHOD
              Specifies the protocol to be used by Tripwire for email
              notification. The only acceptable values for this field are SMTP
              or SENDMAIL. Any other value will produce an error message.
              Initial value:  SENDMAIL

       SMTPHOST
              Specifies the domain name or IP address of the SMTP server used
              for email notification. Ignored unless MAILMETHOD is set to
              SMTP.
              Initial value:  mail.domain.com

       SMTPPORT
              Specifies the port number used with SMTP. Ignored unless
              MAILMETHOD is set to SMTP.
              Initial value:  25

       MAILPROGRAM
              Specifies the program used for email reporting of rule
              violations if MAILMETHOD is set to SENDMAIL.  The program must
              take an RFC822 style mail header, and recipients will be listed
              in the "To:" field of the mail header.  Some mail programs
              interpret a line consisting of only a single period character to
              mean end-of-input, and all text after that is ignored.  Since
              there is a small possibility that a Tripwire report would contain
              such a line, the mail program specified must be able to ignore
              lines that consist of a single period (the -oi option to sendmail
              produces this behavior).
              Initial value:  /usr/lib/sendmail -oi -t

       EMAILREPORTLEVEL
              Specifies the default level of report produced by the tripwire
              --check mode email report.  Valid values for this option are 0
              to 4. The report level specified by this option can be
              overridden with the (-t or --email-report-level) option on the
              command line. If this variable is not included in the
              configuration file, the default report level is 3.
              Initial value:  3

       MAILNOVIOLATIONS
              This option controls the way that Tripwire sends email
              notification if no rule violations are found during an integrity
              check.  If MAILNOVIOLATIONS is set to false and no violations are
              found, Tripwire will not send a report. With any other value, or
              if the variable is removed from the configuration file, Tripwire
              will send an email message stating that no violations were found.

              Mailing reports of no violations allows an administrator to
              distinguish between unattended integrity checks that are failing
              to run and integrity checks that are running but are not finding
              any violations.  However, mailing no violations reports will
              increase the amount of data that must be processed.
              Initial value: true
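
       An added example (not Tripwire code) that audits already-resolved
       settings against the rules in the sections above: the TEMPDIRECTORY
       permissions, the exact-match true/false values, MAILMETHOD and the
       report levels.  audit_settings and SAMPLE_CFG are hypothetical names,
       and the settings in SAMPLE_CFG are constructed.

```python
import os
import stat

# Turned on only by the exact value "true"; any other value leaves them off (per this page).
ON_IF_TRUE = ("LATEPROMPTING", "LOOSEDIRECTORYCHECKING", "SYSLOGREPORTING")

def audit_settings(cfg, uid=None):
    """Return findings for a dict of already-resolved configuration values."""
    uid = os.geteuid() if uid is None else uid
    findings = []
    tmp = cfg.get("TEMPDIRECTORY", "/tmp")  # /tmp is the documented default
    try:
        st = os.lstat(tmp)  # lstat, so a symlink does not pass as a private directory
        if not stat.S_ISDIR(st.st_mode):
            findings.append(f"TEMPDIRECTORY {tmp} is not a directory")
        elif st.st_mode & 0o077 or st.st_uid != uid:
            findings.append(f"TEMPDIRECTORY {tmp} is mode {stat.S_IMODE(st.st_mode):o}, "
                            f"owner uid {st.st_uid}; want 700 owned by uid {uid}")
    except FileNotFoundError:
        findings.append(f"TEMPDIRECTORY {tmp} does not exist")
    for key in ON_IF_TRUE:
        val = cfg.get(key, "")
        if val != "true" and val.lower() == "true":
            findings.append(f"{key} = {val} is read as off; only lowercase true enables it")
    mnv = cfg.get("MAILNOVIOLATIONS", "")
    if mnv == "false":
        findings.append("MAILNOVIOLATIONS = false: a check that never ran looks like a clean one")
    elif mnv.lower() == "false":
        findings.append(f"MAILNOVIOLATIONS = {mnv} is read as on; only lowercase false disables it")
    if "MAILMETHOD" in cfg and cfg["MAILMETHOD"] not in ("SMTP", "SENDMAIL"):
        findings.append("MAILMETHOD must be SMTP or SENDMAIL")
    for key in ("REPORTLEVEL", "EMAILREPORTLEVEL"):
        if cfg.get(key, "3") not in tuple("01234"):  # absent means the default, 3
            findings.append(f"{key} must be 0 to 4")
    return findings

# Constructed settings, as a parsed twcfg.txt might yield them.
SAMPLE_CFG = {"TEMPDIRECTORY": "/tmp", "LATEPROMPTING": "True", "MAILNOVIOLATIONS": "false"}

if __name__ == "__main__":
    print("\n".join(audit_settings(SAMPLE_CFG)))
```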

VERSION INFORMATION

       This man page describes Tripwire 2.4.1.

AUTHORS

       Tripwire, Inc.

COPYING PERMISSIONS

       Permission is granted to make and distribute verbatim copies of this
       man page provided the copyright notice and this permission notice are
       preserved on all copies.

       Permission is granted to copy and distribute modified versions of this
       man page under the conditions for verbatim copying, provided that the
       entire resulting derived work is distributed under the terms of a
       permission notice identical to this one.

       Permission is granted to copy and distribute translations of this man
       page into another language, under the above conditions for modified
       versions, except that this permission notice may be stated in a
       translation approved by Tripwire, Inc.

       Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of
       Tripwire, Inc. in the United States and other countries. All rights
       reserved.

SEE ALSO

       twintro(8), tripwire(8), twadmin(8), twprint(8), siggen(8),
       twpolicy(4), twfiles(5), sendmail(1), vi(1), syslogd(1)

                                  1 July 2000                      TWCONFIG(4)