TWCONFIG(4)                Kernel Interfaces Manual               TWCONFIG(4)



NAME
       twconfig - Tripwire configuration file reference

DESCRIPTION
       The configuration file stores system-specific information, including
       the location of Tripwire data files and the settings used to send
       email notification. The configuration file settings are generated
       during the installation process, but can be changed by the system
       administrator at any time. The configuration file is signed with the
       site key, and the site passphrase is required to edit the file.

       During installation, a signed Tripwire configuration file tw.cfg will
       be created in the /etc/tripwire directory, and a plain text copy of
       this configuration file twcfg.txt will be created in the same
       directory.

       The configuration file is modified using the twadmin --create-cfgfile
       command. With this command, the user can designate an existing plain
       text file as the current configuration file. Using the current site
       key and passphrase, the new configuration file is cryptographically
       signed and saved with this command.

   Components of the Configuration File
       The Tripwire configuration file is structured as a list of keyword-
       value pairs, and may also contain comments and variable definitions.
       Any lines with "#" in the first column are treated as comments.

       The general syntax for variable definition is:
              keyword = value
       For example:
              ROOT = /usr/tripwire
              EDITOR = /usr/local/bin/jove

       Variable substitution on the right hand side is permitted using the
       syntax:
              $( varname )
       For example:
              DBFILE = $(ROOT)/db/$(HOSTNAME).twd

       Variable names are case-sensitive, and may contain all alphanumeric
       characters, underscores, the characters "+-@:", and the period. Two
       variables are predefined in the configuration file, and may not be
       changed. HOSTNAME is the unqualified hostname that Tripwire is running
       on, and DATE is a string representation of the date and time.

   Required Variables
       The following variables must be set in order for Tripwire to operate.
       The values listed below are assigned during installation.

       POLFILE       Default = /etc/tripwire/tw.pol
       DBFILE        Default = /var/lib/tripwire/$(HOSTNAME).twd
       REPORTFILE    Default = /var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
       SITEKEYFILE   Default = /etc/tripwire/site.key
       LOCALKEYFILE  Default = /etc/tripwire/$(HOSTNAME)-local.key

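       As an added illustration (not code from the Tripwire project), a small
       Python parser for the plain-text syntax described above: "#" comments in
       column 1, keyword = value lines, $( varname ) substitution with the
       predefined HOSTNAME and DATE, and a check against the Required Variables
       list. The DATE format, the rejection of references to not-yet-defined
       variables, and the rejection of lines that redefine HOSTNAME or DATE are
       assumptions; parse_twcfg and missing_required are hypothetical helpers.

```python
import re
import socket
import time

# Constructed sample in twcfg.txt form; not taken from any real installation.
SAMPLE_CFG = """\
# Tripwire configuration (constructed example)
ROOT         = /usr/tripwire
POLFILE      = /etc/tripwire/tw.pol
DBFILE       = $(ROOT)/db/$(HOSTNAME).twd
REPORTFILE   = /var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE  = /etc/tripwire/site.key
LOCALKEYFILE = /etc/tripwire/$( HOSTNAME )-local.key
"""

REQUIRED = ("POLFILE", "DBFILE", "REPORTFILE", "SITEKEYFILE", "LOCALKEYFILE")
NAME_RE = re.compile(r"^[A-Za-z0-9_+\-@:.]+$")          # alphanumerics, "_", "+-@:", "."
SUBST_RE = re.compile(r"\$\(\s*([A-Za-z0-9_+\-@:.]+)\s*\)")   # $( varname )

def parse_twcfg(text, hostname=None, date=None):
    """Parse keyword = value lines, expanding $(var) as each line is read.
    The DATE format is an assumption; the page only calls it a date/time string."""
    env = {
        "HOSTNAME": hostname or socket.gethostname().split(".")[0],  # unqualified
        "DATE": date or time.strftime("%Y%m%d%H%M%S"),
    }
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#") or not raw.strip():   # comment only if "#" is in column 1
            continue
        if "=" not in raw:
            raise ValueError(f"line {lineno}: expected 'keyword = value'")
        key, value = (part.strip() for part in raw.split("=", 1))
        if not NAME_RE.match(key):
            raise ValueError(f"line {lineno}: illegal variable name {key!r}")
        if key in ("HOSTNAME", "DATE"):              # predefined, may not be changed
            raise ValueError(f"line {lineno}: {key} is predefined")

        def expand(m):
            name = m.group(1)
            if name not in env:   # assumption: a reference must follow its definition
                raise ValueError(f"line {lineno}: undefined variable $({name})")
            return env[name]

        env[key] = SUBST_RE.sub(expand, value)
    return env

def missing_required(cfg):
    """Names from the Required Variables list that the parsed config lacks."""
    return [name for name in REQUIRED if name not in cfg]
```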
   Other Variables
       The following variables are not required to run Tripwire, but some of
       the program's functionality will be lost without them. The values
       assigned during installation are listed.

       EDITOR Specifies an editor to be used in interactive modes. If EDITOR
              is not defined, and no editor is specified on the command line,
              using interactive modes will cause an error.
              Initial value: /bin/vi

       TEMPDIRECTORY
              This variable can be set to the location to which tripwire
              should write its temporary files. By default it is /tmp, which
              due to the default permissions can be very insecure. It is
              recommended that you use this configuration variable to provide
              tripwire with a secure place to write temporary files. The
              directory used should have its permissions set such that only
              the owning process can read/write to it, i.e. "chmod 700".
              Initial value: /tmp

       GLOBALEMAIL
              This variable is set to a list of email addresses separated by
              either a comma "," or a semicolon ";". If a report would
              normally have been sent out, it will also be sent to this list
              of recipients.
              Initial value: none

       LATEPROMPTING
              Prompt for passphrase as late as possible to minimize the amount
              of time that the passphrase is stored in memory. If the value
              is true (case-sensitive), then late prompting is turned on.
              With any other value, or if the variable is removed from the
              configuration file, late prompting is turned off.
              Initial value: false

       LOOSEDIRECTORYCHECKING
              When a file is added or removed from a directory, Tripwire
              reports both the changes to the file itself, and the
              modification to the directory (size, num links, etc.). This can
              create redundant entries in Tripwire reports. With loose
              directory checking, Tripwire will not check directories for any
              properties that would change when a file was added or deleted.
              This includes: size, number of links, access time, change time,
              modification time, number of blocks, growing file, and all
              hashes.

              If the value for this variable is true (case-sensitive), then
              loose directory checking is turned on, and these properties will
              be ignored for all directories. With any other value, or if the
              variable is removed from the configuration file, loose directory
              checking is turned off. Turning loose directory checking on is
              equivalent to appending the following propertymask to the rules
              for all directory inodes: -snacmblCMSH
              Initial value: false

       SYSLOGREPORTING
              If this variable is set to true, messages are sent to the syslog
              for four events: database initialization, integrity check
              completions, database updates, and policy updates. The syslog
              messages are sent from the "user" facility at the "notice"
              level. For more information, see the syslogd(1) man page and
              the syslog.conf file. The following illustrates the information
              logged in the syslog for each of the four events:

              Jun 18 14:09:42 lighthouse tripwire[9444]: Database initialized:
              /var/lib/tripwire/test.twd

              Jun 18 14:10:57 lighthouse tripwire[9671]: Integrity Check Complete:
              TWReport lighthouse 20000618141057 V:2 S:90 A:1 R:0 C:1

              Jun 18 14:11:19 lighthouse tripwire[9672]: Database Update Complete:
              /var/lib/tripwire/test.twd

              Jun 18 14:18:26 lighthouse tripwire[9683]: Policy Update Complete:
              /var/lib/tripwire/test.twd

              The letters in the Integrity Checking log correspond to the
              number of violations, the maximum severity level, and the number
              of files added, deleted, and changed, respectively. With any
              value other than true, or if this variable is removed from the
              configuration file, syslog reporting will be turned off.
              Initial value: true

       REPORTLEVEL
              Specifies the default level of report produced by the twprint
              --print-report mode. Valid values for this option are 0 to 4.
              The report level specified by this option can be overridden with
              the (-t or --report-level) option on the command line. If this
              variable is not included in the configuration file, the default
              report level is 3. Note that only reports printed using the
              twprint --print-report mode are affected by this parameter;
              reports displayed by other modes and other commands are not
              affected.
              Initial value: 3

   Email Notification Variables
       MAILMETHOD
              Specifies the protocol to be used by Tripwire for email
              notification. The only acceptable values for this field are
              SMTP or SENDMAIL. Any other value will produce an error message.
              Initial value: SENDMAIL

       SMTPHOST
              Specifies the domain name or IP address of the SMTP server used
              for email notification. Ignored unless MAILMETHOD is set to
              SMTP.
              Initial value: mail.domain.com

       SMTPPORT
              Specifies the port number used with SMTP. Ignored unless
              MAILMETHOD is set to SMTP.
              Initial value: 25

       MAILPROGRAM
              Specifies the program used for email reporting of rule
              violations if MAILMETHOD is set to SENDMAIL. The program must
              take an RFC822 style mail header, and recipients will be listed
              in the "To:" field of the mail header. Some mail programs
              interpret a line consisting of only a single period character to
              mean end-of-input, and all text after that is ignored. Since
              there is a small possibility that a Tripwire report would
              contain such a line, the mail program specified must be able to
              ignore lines that consist of a single period (the -oi option to
              sendmail produces this behavior).
              Initial value: /usr/lib/sendmail -oi -t

       EMAILREPORTLEVEL
              Specifies the default level of report produced by the tripwire
              --check mode email report. Valid values for this option are 0
              to 4. The report level specified by this option can be
              overridden with the (-t or --email-report-level) option on the
              command line. If this variable is not included in the
              configuration file, the default report level is 3.
              Initial value: 3

       MAILNOVIOLATIONS
              This option controls the way that Tripwire sends email
              notification if no rule violations are found during an
              integrity check. If MAILNOVIOLATIONS is set to false and no
              violations are found, Tripwire will not send a report. With any
              other value, or if the variable is removed from the
              configuration file, Tripwire will send an email message stating
              that no violations were found.

              Mailing reports of no violations allows an administrator to
              distinguish between unattended integrity checks that are failing
              to run and integrity checks that are running but are not finding
              any violations. However, mailing no violations reports will
              increase the amount of data that must be processed.
              Initial value: true

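       An added example, not from the Tripwire project, that checks a parsed
       set of configuration values against the rules in this section and the
       sections above: the Required Variables, the exact MAILMETHOD spellings,
       a usable SMTPPORT, the case-sensitive flags that only the literal true
       turns on, and the TEMPDIRECTORY and MAILNOVIOLATIONS trade-offs. The
       values are constructed and lint_twcfg is a hypothetical helper; it takes
       a dict such as a twcfg.txt parser would produce.

```python
# Constructed configuration values, as they would look after parsing twcfg.txt
# (the variable names are the documented ones; the values are made up).
SAMPLE_VALUES = {
    "POLFILE": "/etc/tripwire/tw.pol",
    "DBFILE": "/var/lib/tripwire/lighthouse.twd",
    "REPORTFILE": "/var/lib/tripwire/report/lighthouse-20000618141057.twr",
    "SITEKEYFILE": "/etc/tripwire/site.key",
    "LOCALKEYFILE": "/etc/tripwire/lighthouse-local.key",
    "TEMPDIRECTORY": "/tmp",
    "LATEPROMPTING": "True",        # wrong case: Tripwire treats this as off
    "SYSLOGREPORTING": "true",
    "MAILMETHOD": "SMTP",
    "SMTPHOST": "mail.domain.com",
    "SMTPPORT": "65536",            # out of range
    "MAILNOVIOLATIONS": "false",
}

REQUIRED = ("POLFILE", "DBFILE", "REPORTFILE", "SITEKEYFILE", "LOCALKEYFILE")
# Options whose only "on" spelling is the lowercase literal true.
CASE_SENSITIVE_FLAGS = ("LATEPROMPTING", "LOOSEDIRECTORYCHECKING",
                        "SYSLOGREPORTING", "MAILNOVIOLATIONS")

def lint_twcfg(cfg):
    """Return (errors, warnings): errors stop Tripwire, warnings weaken monitoring."""
    errors, warnings = [], []
    for name in REQUIRED:
        if name not in cfg:
            errors.append(f"{name} is required but not set")
    method = cfg.get("MAILMETHOD")
    if method is not None and method not in ("SMTP", "SENDMAIL"):
        errors.append(f"MAILMETHOD={method!r}: only SMTP or SENDMAIL is accepted")
    if method == "SMTP":                    # SMTPPORT is ignored otherwise
        port = cfg.get("SMTPPORT", "25")
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            errors.append(f"SMTPPORT={port!r} is not a valid TCP port")
    for name in CASE_SENSITIVE_FLAGS:
        value = cfg.get(name)
        if value is not None and value not in ("true", "false"):
            warnings.append(f"{name}={value!r}: only the literal 'true' turns this on")
    if cfg.get("TEMPDIRECTORY", "/tmp") == "/tmp":
        warnings.append("TEMPDIRECTORY is /tmp; use a mode 0700 directory instead")
    if cfg.get("SYSLOGREPORTING", "false") != "true":   # removed variable means off
        warnings.append("SYSLOGREPORTING is off; check completions will not reach syslog")
    if cfg.get("MAILNOVIOLATIONS", "true") == "false":  # only exactly 'false' disables
        warnings.append("MAILNOVIOLATIONS=false: a check that never runs is "
                        "indistinguishable from a clean one by email")
    return errors, warnings
```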
VERSION
       This man page describes Tripwire 2.4.1.

AUTHORS
       Tripwire, Inc.

COPYING PERMISSIONS
       Permission is granted to make and distribute verbatim copies of this
       man page provided the copyright notice and this permission notice are
       preserved on all copies.

       Permission is granted to copy and distribute modified versions of this
       man page under the conditions for verbatim copying, provided that the
       entire resulting derived work is distributed under the terms of a
       permission notice identical to this one.

       Permission is granted to copy and distribute translations of this man
       page into another language, under the above conditions for modified
       versions, except that this permission notice may be stated in a
       translation approved by Tripwire, Inc.

       Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of
       Tripwire, Inc. in the United States and other countries. All rights
       reserved.

SEE ALSO
       twintro(8), tripwire(8), twadmin(8), twprint(8), siggen(8),
       twpolicy(4), twfiles(5), sendmail(1), vi(1), syslogd(1)



                                 1 July 2000                       TWCONFIG(4)