1TRIPWIRE(8) System Manager's Manual TRIPWIRE(8)
2
3
4
6 tripwire - a file integrity checker for UNIX systems
7
9 tripwire { -m i | --init } [ options... ]
10 tripwire { -m c | --check } [ options... ]
11 [ object1 [ object2... ]]
12 tripwire { -m u | --update } [ options... ]
13 tripwire { -m p | --update-policy } [ options... ]
14 policyfile.txt
15 tripwire { -m t | --test } [ options... ]
16
18 Database Initialization Mode
19 Running tripwire in Database Initialization mode is typically one of
20 the first steps in setting up Tripwire for regular operation. This
21 mode creates a baseline database in the location specified by the
22 DBFILE variable in the Tripwire configuration file. The database is
23 essentially a snapshot of the objects residing on the system. During
24 later Tripwire integrity checks, this database serves as the basis for
25 comparison.
26
27 When run in Database Initialization mode, tripwire reads the policy
28 file, generates a database based on its contents, and then cryptograph‐
29 ically signs the resulting database. Options can be entered on the
30 command line to specify which policy, configuration, and key files are
31 used to create the database. The filename for the database can be
32 specified as well. If no options are specified, the default values
33 from the current configuration file are used.
34
35 Integrity Checking Mode
36 After building the Tripwire database, the next step is typically to run
37 tripwire in Integrity Checking mode. This mode scans the system for
38 violations, as specified in the policy file. Using the policy file
39 rules, Tripwire will compare the state of the current file system
40 against the initial baseline database. An integrity checking report is
41 printed to stdout and is saved in the location specified by the
42 REPORTFILE setting in the Tripwire configuration file.
43
44 The generated report describes each policy file violation in detail,
45 depending on whether the specified file system object was added, delet‐
46 ed, or changed. Each report item lists the properties of the object as
47 it currently resides on the file system, and, if appropriate, the old
48 value stored in the database. If there are differences between the
49 database and the current system, the administrator can either fix the
50 problem by replacing the current file with the correct file (e.g., an
51 intruder replaced /bin/login), or update the database to reflect the
52 new file (e.g., a fellow system administrator installed a new version
53 of /usr/local/bin/emacs). The (‐I or ‐‐interactive) option launches an
54 editor that allows the user to update the database quickly. The Data‐
55 base Update mode of tripwire can also be used.
56
57 Database Update Mode
58 Running tripwire in Database Update mode allows any differences between
59 the database and the current system to be reconciled. This will pre‐
60 vent the violation from showing up in future reports. If the reported
61 change is unexpected and potentially malicious, then the changed file
62 should be replaced with the original version. If there is a valid rea‐
63 son for the change, the database must be changed to match the current
64 files.
65
66 In Database Update mode, the items to be changed are specified in a
67 "ballot box" in the plain text report that is launched in an editor
68 program. The entries to be updated are specified by leaving the "x"
69 next to each policy violation. After the user exits the editor and
70 provides the correct local passphrase, tripwire will update the data‐
71 base. Options to control this operation include the (‐Z or ‐‐secure‐
72 mode) and (‐a or ‐‐accept‐all) flags.
73
74 Policy Update Mode
75 Policy update mode is used by tripwire to change or update the policy
76 file and to synchronize an earlier database with new policy file infor‐
77 mation. The filename of the new clear text version of the policy file
78 is specified on the command line. The new policy file is compared to
79 the existing version, and the database is updated according to the new
80 policy rules. Any changes in the database since the last integrity
81 check will be detected and reported. How these violations are inter‐
82 preted depends on the security mode specified with the (‐Z or ‐‐secure‐
83 mode) option. In high security mode (the default), Tripwire will print
84 a list of violations and exit without making changes to the database.
85 In low security mode, the violations are still reported, but changes to
86 the database are made automatically.
87
88 Because the policy and database files are binary-encoded and crypto‐
89 graphically signed, the user will be prompted for the site and local
90 passphrases to change the policy settings. After the database is suc‐
91 cessfully updated, the database and policy files are re-encoded and
92 signed.
93
94 Test Mode
95 Test mode is used to check the operation of the Tripwire email notifi‐
96 cation system. When run in this mode, Tripwire will use the email noti‐
97 fication settings specified in the configuration file to send a test
98 email message. If MAILMETHOD is set to SMTP, the SMTPHOST and SMTPPORT
99 values will be used to send email. If MAILMETHOD is set to SENDMAIL,
100 the MAILPROGRAM value will be used. If email notification is working
101 correctly, the address specified on the command line will receive the
102 following message:
103
104 To: user@domain.com
105 From: user <user@domain.com>
106 Subject: Test email message from Tripwire
107
108 If you receive this message, email notification
109 from Tripwire is working correctly.
110
111 Test mode only tests email notification for the address specified on
112 the command-line, and does not check for errors in the syntax used with
113 the emailto attribute in the policy file.
114
116 Database Initialization mode:
117 -m i --init
118 -v --verbose
119 -s --silent, --quiet
120 -c cfgfile --cfgfile cfgfile
121 -p polfile --polfile polfile
122 -d database --dbfile database
123 -S sitekey --site-keyfile sitekey
124 -L localkey --local-keyfile localkey
125 -P passphrase --local-passphrase passphrase
126 -e --no-encryption
127
128 ‐m i, --init
129 Mode selector.
130
131 ‐v, --verbose
132 Verbose output mode. Mutually exclusive with (‐s).
133
134 ‐s, --silent, --quiet
135 Silent output mode. Mutually exclusive with (‐v).
136
137 ‐c cfgfile, --cfgfile cfgfile
138 Use the specified configuration file.
139
140 ‐p polfile, --polfile polfile
141 Use the specified policy file.
142
143 ‐d database, --dbfile database
144 Write to the specified database file.
145
146 ‐S sitekey, --site-keyfile sitekey
147 Use the specified site key file to read the configuration and
148 policy files.
149
150 ‐L localkey, --local-keyfile localkey
151 Use the specified local key file to write the new database file.
152 Mutually exclusive with (‐e).
153
154 ‐P passphrase, --local-passphrase passphrase
155 Specifies passphrase to be used with local key to sign the new
156 database. Mutually exclusive with (‐e).
157
158 ‐e, --no-encryption
159 Do not sign the database being stored. The database file will
160 still be compressed and will not be human-readable. Mutually
161 exclusive with (‐L) and (‐P).
162
163______________________________________________________________________________
164
165 Integrity Checking mode:
166 -m c --check
167 -I --interactive
168 -v --verbose
169 -s --silent, --quiet
170 -c cfgfile --cfgfile cfgfile
171 -p polfile --polfile polfile
172 -d database --dbfile database
173 -r report --twrfile report
174 -S sitekey --site-keyfile sitekey
175 -L localkey --local-keyfile localkey
176 -P passphrase --local-passphrase passphrase
177 -n --no-tty-output
178 -V editor --visual editor
179 -E --signed-report
180 -i list --ignore list
181 -l { level | name } --severity { level | name }
182 -R rule --rule-name rule
183 -x section --section section
184 -M --email-report
185 -t { 0|1|2|3|4 } --email-report-level { 0|1|2|3|4 }
186 [ object1 [ object2... ]]
187
188 ‐m c, --check
189 Mode selector.
190
191 ‐I, --interactive
192 At the end of integrity checking, the resulting report is opened
193 in an editor where database updates can be easily specified us‐
194 ing the ballot boxes included in the report.
195
196 ‐v, --verbose
197 Verbose output mode. Mutually exclusive with (‐s).
198
199 ‐s, --silent, --quiet
200 Silent output mode. Mutually exclusive with (‐v).
201
202 ‐c cfgfile, --cfgfile cfgfile
203 Use the specified configuration file.
204
205 ‐p polfile, --polfile polfile
206 Use the specified policy file.
207
208 ‐d database, --dbfile database
209 Use the specified database file.
210
211 ‐r report, --twrfile report
212 Write the specified report file.
213
214 ‐S sitekey, --site-keyfile sitekey
215 Use the specified site key file to read the configuration and
216 policy files.
217
218 ‐L localkey, --local-keyfile localkey
219 Use the specified local key file to read the database file and,
220 if (‐E) is specified, to write the report file.
221
222 ‐P passphrase, --local-passphrase passphrase
223 Specifies passphrase to be used with local key to sign the data‐
224 base when (‐I) is used, and to sign the report when (‐E) is
225 used. Valid only with (‐I) or (‐E).
226
227 ‐n, --no-tty-output
228 Suppress the report from being printed at the console.
229
230 ‐V editor, --visual editor
231 Use the specified editor to edit the update ballot boxes. Mean‐
232 ingful only with (‐I).
233
234 ‐E, --signed-report
235 Specifies that the Tripwire report will be signed. If no
236 passphrase is specified on the command line, tripwire will
237 prompt for the local passphrase.
238
239 ‐i list, --ignore list
240 Do not compute or compare the properties specified in list. Any
241 of the letter codes (abcdgimnprstulCHMS) specified in property‐
242 masks can be excluded. Use of this option overrides information
243 from the policy file. The format to be used for list is a dou‐
244 ble-quoted, comma-delimited list of properties (e.g. --ig‐
245 nore "p,c,m").
246
247 ‐l { level | name }, --severity { level | name }
248 Check only policy rules with severity greater than or equal to
249 the given level. The level may be specified as a number or as a
250 name. Severity names are defined as follows:
251 Low 33
252 Medium 66
253 High 100
254 Mutually exclusive with (‐R).
255
256 ‐R rule, --rule-name rule
257 Check only the specified policy rule. Mutually exclusive with
258 (‐l).
259
260 ‐x section, --section section
261 Only check the rules in the specified section of the policy
262 file. For Tripwire 2.4.1, FS is the only meaningful argument
263 for this flag.
264
265 ‐M, --email-report
266 Specifies that reports be emailed to the recipient(s) designated
267 in the policy file.
268
269 ‐t level, --email-report-level level
270 Specifies the detail level of email reports, overriding the
271 EMAILREPORTLEVEL variable in the configuration file. level must
272 be a number from 0 to 4. Valid only with (‐M).
273
274 [ object1 [ object2... ]]
275 List of files and directories that should be integrity checked.
276 Default is all files. If files are specified for checking, the
277 --severity and --rule-name options will be ignored.
278
279______________________________________________________________________________
280
281 Database Update mode:
282 -m u --update
283 -v --verbose
284 -s --silent, --quiet
285 -c cfgfile --cfgfile cfgfile
286 -p polfile --polfile polfile
287 -d database --dbfile database
288 -r report --twrfile report
289 -S sitekey --site-keyfile sitekey
290 -L localkey --local-keyfile localkey
291 -P passphrase --local-passphrase passphrase
292 -V editor --visual editor
293 -a --accept-all
294 -Z { low | high } --secure-mode { low | high }
295
296 ‐m u, --update
297 Mode selector.
298
299 ‐v, --verbose
300 Verbose output mode. Mutually exclusive with (‐s).
301
302 ‐s, --silent, --quiet
303 Silent output mode. Mutually exclusive with (‐v).
304
305 ‐c cfgfile, --cfgfile cfgfile
306 Use the specified configuration file.
307
308 ‐p polfile, --polfile polfile
309 Use the specified policy file.
310
311 ‐d database, --dbfile database
312 Update the specified database file.
313
314 ‐r report, --twrfile report
315 Read the specified report file.
316
317 ‐S sitekey, --site-keyfile sitekey
318 Use the specified site key file to read the configuration and
319 policy files.
320
321 ‐L localkey, --local-keyfile localkey
322 Use the specified local key file to read the database file and
323 report file, and to re-write the database file.
324
325 ‐P passphrase, --local-passphrase passphrase
326 Specifies passphrase to be used with local key to sign the data‐
327 base.
328
329 ‐V editor, --visual editor
330 Use the specified editor to edit the update ballot boxes. Mutu‐
331 ally exclusive with (‐a).
332
333 ‐a, --accept-all
334 Specifies that all the entries in the report file are updated
335 without prompting. Mutually exclusive with (‐V).
336
337 ‐Z { low | high }, --secure-mode { low | high }
338 Specifies the security level, which affects how certain condi‐
339 tions are handled when inconsistent information is found between
340 the report file and the current database:
341
342 High: In high security mode, if a file does not match the prop‐
343 erties in the report file, Tripwire reports the differences as
344 warnings, and exits without changing the database.
345
346 Low: In low security mode, inconsistencies are reported as
347 warnings, but the changes are still made to the database.
348
349______________________________________________________________________________
350
351 Policy Update mode:
352 -m p --update-policy
353 -v --verbose
354 -s --silent, --quiet
355 -c cfgfile --cfgfile cfgfile
356 -p polfile --polfile polfile
357 -d database --dbfile database
358 -S sitekey --site-keyfile sitekey
359 -L localkey --local-keyfile localkey
360 -P passphrase --local-passphrase passphrase
361 -Q passphrase --site-passphrase passphrase
362 -Z { low | high } --secure-mode { low | high }
363 policyfile.txt
364
365 ‐m p, --update-policy
366 Mode selector.
367
368 ‐v, --verbose
369 Verbose output mode. Mutually exclusive with (‐s).
370
371 ‐s, --silent, --quiet
372 Silent output mode. Mutually exclusive with (‐v).
373
374 ‐c cfgfile, --cfgfile cfgfile
375 Use the specified configuration file.
376
377 ‐p polfile, --polfile polfile
378 Write the specified policy file.
379
380 ‐d database, --dbfile database
381 Use the specified database file.
382
383 ‐S sitekey, --site-keyfile sitekey
384 Use the specified site key file to read the configuration file,
385 and read and write the policy file.
386
387 ‐L localkey, --local-keyfile localkey
388 Use the specified local key file to read and write the database
389 file.
390
391 ‐P passphrase, --local-passphrase passphrase
392 Specifies passphrase to be used with local key to sign the data‐
393 base.
394
395 ‐Q passphrase, --site-passphrase passphrase
396 Specifies passphrase to be used with site key to sign the new
397 policy file.
398
399 ‐Z { low | high }, --secure-mode { low | high }
400 Specifies the security level, which affects how certain condi‐
401 tions are handled when the existing filesystem does not match
402 the database information. Since the database produced at the
403 end of a policy update becomes the baseline for future integrity
404 checks, this consistency-checking ensures that no substantive
405 filesystem changes have occurred since the last integrity check.
406
407 High: In high security mode, if a file on the filesystem does
408 not match the properties in the database file, Tripwire reports
409 the differences as warnings, and exits without changing the
410 database or the policy file.
411
412 Low: In low security mode, inconsistencies are reported as
413 warnings, but the changes are still made to the database and
414 policy file.
415
416 policyfile.txt
417 Specifies the text policy file that will become the new policy
418 file.
419
420______________________________________________________________________________
421
422 Test mode:
423 -m t --test
424 -e user@domain.com --email user@domain.com
425
426 ‐m t, --test
427 Mode selector.
428
429 ‐e user@domain.com, --email user@domain.com
430 Use the specified email address. This parameter must be sup‐
431 plied when test mode is used. Only one address may be specified.
432
434 This man page describes tripwire version 2.4.1
435
437 Tripwire, Inc.
438
440 Permission is granted to make and distribute verbatim copies of this
441 man page provided the copyright notice and this permission notice are
442 preserved on all copies.
443
444 Permission is granted to copy and distribute modified versions of this
445 man page under the conditions for verbatim copying, provided that the
446 entire resulting derived work is distributed under the terms of a per‐
447 mission notice identical to this one.
448
449 Permission is granted to copy and distribute translations of this man
450 page into another language, under the above conditions for modified
451 versions, except that this permission notice may be stated in a trans‐
452 lation approved by Tripwire, Inc.
453
454 Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of
455 Tripwire, Inc. in the United States and other countries. All rights re‐
456 served.
457
459 twintro(8), twadmin(8), twprint(8), siggen(8), twconfig(4), twpoli‐
460 cy(4), twfiles(5)
461
462 The Design and Implementation of Tripwire: A UNIX File Integrity Check‐
463 er by Gene Kim and Eugene Spafford. Purdue Technical Report CSD-
464 TR-93-071.
465
466
467
468 1 July 2000 TRIPWIRE(8)