1TRIPWIRE(8)                 System Manager's Manual                TRIPWIRE(8)
2
3
4

NAME

6       tripwire - a file integrity checker for UNIX systems
7

SYNOPSIS

9       tripwire { -m i | --init } [ options... ]
10       tripwire { -m c | --check } [ options... ]
11            [ object1 [ object2... ]]
12       tripwire { -m u | --update } [ options... ]
13       tripwire { -m p | --update-policy } [ options... ]
14            policyfile.txt
15       tripwire { -m t | --test } [ options... ]
16

DESCRIPTION

18   Database Initialization Mode
19       Running tripwire in Database Initialization mode is typically one of
20       the first steps in setting up Tripwire for regular operation.  This
21       mode creates a baseline database in the location specified by the
22       DBFILE variable in the Tripwire configuration file.  The database is
23       essentially a snapshot of the objects residing on the system.  During
24       later Tripwire integrity checks, this database serves as the basis for
25       comparison.
26
27       When run in Database Initialization mode, tripwire reads the policy
28       file, generates a database based on its contents, and then cryptograph‐
29       ically signs the resulting database.  Options can be entered on the
30       command line to specify which policy, configuration, and key files are
31       used to create the database.  The filename for the database can be
32       specified as well.  If no options are specified, the default values
33       from the current configuration file are used.
34
35   Integrity Checking Mode
36       After building the Tripwire database, the next step is typically to run
37       tripwire in Integrity Checking mode.  This mode scans the system for
38       violations, as specified in the policy file.  Using the policy file
39       rules, Tripwire will compare the state of the current file system
40       against the initial baseline database.  An integrity checking report is
41       printed to stdout and is saved in the location specified by the
42       REPORTFILE setting in the Tripwire configuration file.
43
44       The generated report describes each policy file violation in detail,
45       depending on whether the specified file system object was added, delet‐
46       ed, or changed.  Each report item lists the properties of the object as
47       it currently resides on the file system, and, if appropriate, the old
48       value stored in the database.  If there are differences between the
49       database and the current system, the administrator can either fix the
50       problem by replacing the current file with the correct file (e.g., an
51       intruder replaced /bin/login), or update the database to reflect the
52       new file (e.g., a fellow system administrator installed a new version
53       of /usr/local/bin/emacs).  The (‐I or ‐‐interactive) option launches an
54       editor that allows the user to update the database quickly.  The Data‐
55       base Update mode of tripwire can also be used.
56
57   Database Update Mode
58       Running tripwire in Database Update mode allows any differences between
59       the database and the current system to be reconciled.  This will pre‐
60       vent the violation from showing up in future reports.  If the reported
61       change is unexpected and potentially malicious, then the changed file
62       should be replaced with the original version.  If there is a valid rea‐
63       son for the change, the database must be changed to match the current
64       files.
65
66       In Database Update mode, the items to be changed are specified in a
67       "ballot box" in the plain text report that is launched in an editor
68       program.  The entries to be updated are specified by leaving the "x"
69       next to each policy violation.  After the user exits the editor and
70       provides the correct local passphrase, tripwire will update the data‐
71       base.  Options to control this operation include the (‐Z or ‐‐secure‐
72       mode) and (‐a or ‐‐accept‐all) flags.
73
74   Policy Update Mode
75       Policy update mode is used by tripwire to change or update the policy
76       file and to synchronize an earlier database with new policy file infor‐
77       mation.  The filename of the new clear text version of the policy file
78       is specified on the command line.  The new policy file is compared to
79       the existing version, and the database is updated according to the new
80       policy rules.  Any changes in the database since the last integrity
81       check will be detected and reported.  How these violations are inter‐
82       preted depends on the security mode specified with the (‐Z or ‐‐secure‐
83       mode) option.  In high security mode (the default), Tripwire will print
84       a list of violations and exit without making changes to the database.
85       In low security mode, the violations are still reported, but changes to
86       the database are made automatically.
87
88       Because the policy and database files are binary-encoded and crypto‐
89       graphically signed, the user will be prompted for the site and local
90       passphrases to change the policy settings.  After the database is suc‐
91       cessfully updated, the database and policy files are re-encoded and
92       signed.
93
94   Test Mode
95       Test mode is used to check the operation of the Tripwire email notifi‐
96       cation system. When run in this mode, Tripwire will use the email noti‐
97       fication settings specified in the configuration file to send a test
98       email message. If MAILMETHOD is set to SMTP, the SMTPHOST and SMTPPORT
99       values will be used to send email.  If MAILMETHOD is set to SENDMAIL,
100       the MAILPROGRAM value will be used.  If email notification is working
101       correctly, the address specified on the command line will receive the
102       following message:
103
104            To: user@domain.com
105            From: user <user@domain.com>
106            Subject: Test email message from Tripwire
107
108            If you receive this message, email notification
109            from Tripwire is working correctly.
110
111       Test mode only tests email notification for the address specified on
112       the command-line, and does not check for errors in the syntax used with
113       the emailto attribute in the policy file.
114

OPTIONS

116   Database Initialization mode:
117           -m i            --init
118           -v              --verbose
119           -s              --silent, --quiet
120           -c cfgfile      --cfgfile cfgfile
121           -p polfile      --polfile polfile
122           -d database     --dbfile database
123           -S sitekey      --site-keyfile sitekey
124           -L localkey     --local-keyfile localkey
125           -P passphrase   --local-passphrase passphrase
126           -e              --no-encryption
127
128       ‐m i, --init
129              Mode selector.
130
131       ‐v, --verbose
132              Verbose output mode.  Mutually exclusive with (‐s).
133
134       ‐s, --silent, --quiet
135              Silent output mode.  Mutually exclusive with (‐v).
136
137       ‐c cfgfile, --cfgfile cfgfile
138              Use the specified configuration file.
139
140       ‐p polfile, --polfile polfile
141              Use the specified policy file.
142
143       ‐d database, --dbfile database
144              Write to the specified database file.
145
146       ‐S sitekey, --site-keyfile sitekey
147              Use the specified site key file to read the configuration and
148              policy files.
149
150       ‐L localkey, --local-keyfile localkey
151              Use the specified local key file to write the new database file.
152              Mutually exclusive with (‐e).
153
154       ‐P passphrase, --local-passphrase passphrase
155              Specifies passphrase to be used with local key to sign the new
156              database.  Mutually exclusive with (‐e).
157
158       ‐e, --no-encryption
159              Do not sign the database being stored.  The database file will
160              still be compressed and will not be human-readable.  Mutually
161              exclusive with (‐L) and (‐P).
162
163______________________________________________________________________________
164
165   Integrity Checking mode:
166           -m c                  --check
167           -I                    --interactive
168           -v                    --verbose
169           -s                    --silent, --quiet
170           -c cfgfile            --cfgfile cfgfile
171           -p polfile            --polfile polfile
172           -d database           --dbfile database
173           -r report             --twrfile report
174           -S sitekey            --site-keyfile sitekey
175           -L localkey           --local-keyfile localkey
176           -P passphrase         --local-passphrase passphrase
177           -n                    --no-tty-output
178           -V editor             --visual editor
179           -E                    --signed-report
180           -i list               --ignore list
181           -l { level | name }   --severity { level | name }
182           -R rule               --rule-name rule
183           -x section            --section section
184           -M                    --email-report
185           -t { 0|1|2|3|4 }      --email-report-level { 0|1|2|3|4 }
186           [ object1 [ object2... ]]
187
188       ‐m c, --check
189              Mode selector.
190
191       ‐I, --interactive
192              At the end of integrity checking, the resulting report is opened
193              in an editor where database updates can be easily specified us‐
194              ing the ballot boxes included in the report.
195
196       ‐v, --verbose
197              Verbose output mode.  Mutually exclusive with (‐s).
198
199       ‐s, --silent, --quiet
200              Silent output mode.  Mutually exclusive with (‐v).
201
202       ‐c cfgfile, --cfgfile cfgfile
203              Use the specified configuration file.
204
205       ‐p polfile, --polfile polfile
206              Use the specified policy file.
207
208       ‐d database, --dbfile database
209              Use the specified database file.
210
211       ‐r report, --twrfile report
212              Write the specified report file.
213
214       ‐S sitekey, --site-keyfile sitekey
215              Use the specified site key file to read the configuration and
216              policy files.
217
218       ‐L localkey, --local-keyfile localkey
219              Use the specified local key file to read the database file and,
220              if (‐E) is specified, to write the report file.
221
222       ‐P passphrase, --local-passphrase passphrase
223              Specifies passphrase to be used with local key to sign the data‐
224              base when (‐I) is used, and to sign the report when (‐E) is
225              used.  Valid only with (‐I) or (‐E).
226
227       ‐n, --no-tty-output
228              Suppress the report from being printed at the console.
229
230       ‐V editor, --visual editor
231              Use the specified editor to edit the update ballot boxes.  Mean‐
232              ingful only with (‐I).
233
234       ‐E, --signed-report
235              Specifies that the Tripwire report will be signed.  If no
236              passphrase is specified on the command line, tripwire will
237              prompt for the local passphrase.
238
239       ‐i list, --ignore list
240              Do not compute or compare the properties specified in list.  Any
241              of the letter codes (abcdgimnprstulCHMS) specified in property‐
242              masks can be excluded.  Use of this option overrides information
243              from the policy file.  The format to be used for list is a dou‐
244              ble-quoted, comma-delimited list of properties (e.g. --ig‐
245              nore "p,c,m").
246
247       ‐l { level | name }, --severity { level | name }
248              Check only policy rules with severity greater than or equal to
249              the given level.  The level may be specified as a number or as a
250              name.  Severity names are defined as follows:
251                   Low          33
252                   Medium       66
253                   High        100
254              Mutually exclusive with (‐R).
255
256       ‐R rule, --rule-name rule
257              Check only the specified policy rule.  Mutually exclusive with
258              (‐l).
259
260       ‐x section, --section section
261              Only check the rules in the specified section of the policy
262              file.  For Tripwire 2.4.1, FS is the only meaningful argument
263              for this flag.
264
265       ‐M, --email-report
266              Specifies that reports be emailed to the recipient(s) designated
267              in the policy file.
268
269       ‐t level, --email-report-level level
270              Specifies the detail level of email reports, overriding the
271              EMAILREPORTLEVEL variable in the configuration file. level must
272              be a number from 0 to 4.  Valid only with (‐M).
273
274       [ object1 [ object2... ]]
275              List of files and directories that should be integrity checked.
276              Default is all files.  If files are specified for checking, the
277              --severity and --rule-name options will be ignored.
278
279______________________________________________________________________________
280
281   Database Update mode:
282           -m u                --update
283           -v                  --verbose
284           -s                  --silent, --quiet
285           -c cfgfile          --cfgfile cfgfile
286           -p polfile          --polfile polfile
287           -d database         --dbfile database
288           -r report           --twrfile report
289           -S sitekey          --site-keyfile sitekey
290           -L localkey         --local-keyfile localkey
291           -P passphrase       --local-passphrase passphrase
292           -V editor           --visual editor
293           -a                  --accept-all
294           -Z { low | high }   --secure-mode { low | high }
295
296       ‐m u, --update
297              Mode selector.
298
299       ‐v, --verbose
300              Verbose output mode.  Mutually exclusive with (‐s).
301
302       ‐s, --silent, --quiet
303              Silent output mode.  Mutually exclusive with (‐v).
304
305       ‐c cfgfile, --cfgfile cfgfile
306              Use the specified configuration file.
307
308       ‐p polfile, --polfile polfile
309              Use the specified policy file.
310
311       ‐d database, --dbfile database
312              Update the specified database file.
313
314       ‐r report, --twrfile report
315              Read the specified report file.
316
317       ‐S sitekey, --site-keyfile sitekey
318              Use the specified site key file to read the configuration and
319              policy files.
320
321       ‐L localkey, --local-keyfile localkey
322              Use the specified local key file to read the database file and
323              report file, and to re-write the database file.
324
325       ‐P passphrase, --local-passphrase passphrase
326              Specifies passphrase to be used with local key to sign the data‐
327              base.
328
329       ‐V editor, --visual editor
330              Use the specified editor to edit the update ballot boxes.  Mutu‐
331              ally exclusive with (‐a).
332
333       ‐a, --accept-all
334              Specifies that all the entries in the report file are updated
335              without prompting.  Mutually exclusive with (‐V).
336
337       ‐Z { low | high }, --secure-mode { low | high }
338              Specifies the security level, which affects how certain condi‐
339              tions are handled when inconsistent information is found between
340              the report file and the current database:
341
342              High:  In high security mode, if a file does not match the prop‐
343              erties in the report file, Tripwire reports the differences as
344              warnings, and exits without changing the database.
345
346              Low:  In low security mode, inconsistencies are reported as
347              warnings, but the changes are still made to the database.
348
349______________________________________________________________________________
350
351   Policy Update mode:
352           -m p                --update-policy
353           -v                  --verbose
354           -s                  --silent, --quiet
355           -c cfgfile          --cfgfile cfgfile
356           -p polfile          --polfile polfile
357           -d database         --dbfile database
358           -S sitekey          --site-keyfile sitekey
359           -L localkey         --local-keyfile localkey
360           -P passphrase       --local-passphrase passphrase
361           -Q passphrase       --site-passphrase passphrase
362           -Z { low | high }   --secure-mode { low | high }
363           policyfile.txt
364
365       ‐m p, --update-policy
366              Mode selector.
367
368       ‐v, --verbose
369              Verbose output mode.  Mutually exclusive with (‐s).
370
371       ‐s, --silent, --quiet
372              Silent output mode.  Mutually exclusive with (‐v).
373
374       ‐c cfgfile, --cfgfile cfgfile
375              Use the specified configuration file.
376
377       ‐p polfile, --polfile polfile
378              Write the specified policy file.
379
380       ‐d database, --dbfile database
381              Use the specified database file.
382
383       ‐S sitekey, --site-keyfile sitekey
384              Use the specified site key file to read the configuration file,
385              and read and write the policy file.
386
387       ‐L localkey, --local-keyfile localkey
388              Use the specified local key file to read and write the database
389              file.
390
391       ‐P passphrase, --local-passphrase passphrase
392              Specifies passphrase to be used with local key to sign the data‐
393              base.
394
395       ‐Q passphrase, --site-passphrase passphrase
396              Specifies passphrase to be used with site key to sign the new
397              policy file.
398
399       ‐Z { low | high }, --secure-mode { low | high }
400              Specifies the security level, which affects how certain condi‐
401              tions are handled when the existing filesystem does not match
402              the database information.  Since the database produced at the
403              end of a policy update becomes the baseline for future integrity
404              checks, this consistency-checking ensures that no substantive
405              filesystem changes have occurred since the last integrity check.
406
407              High:  In high security mode, if a file on the filesystem does
408              not match the properties in the database file, Tripwire reports
409              the differences as warnings, and exits without changing the
410              database or the policy file.
411
412              Low:  In low security mode, inconsistencies are reported as
413              warnings, but the changes are still made to the database and
414              policy file.
415
416       policyfile.txt
417              Specifies the text policy file that will become the new policy
418              file.
419
420______________________________________________________________________________
421
422   Test mode:
423           -m t                 --test
424           -e user@domain.com   --email user@domain.com
425
426       ‐m t, --test
427              Mode selector.
428
429       ‐e user@domain.com, --email user@domain.com
430              Use the specified email address.  This parameter must be sup‐
431              plied when test mode is used. Only one address may be specified.
432

VERSION INFORMATION

434       This man page describes tripwire version 2.4.1
435

AUTHORS

437       Tripwire, Inc.
438

COPYING PERMISSIONS

440       Permission is granted to make and distribute verbatim copies of this
441       man page provided the copyright notice and this permission notice are
442       preserved on all copies.
443
444       Permission is granted to copy and distribute modified versions of this
445       man page under the conditions for verbatim copying, provided that the
446       entire resulting derived work is distributed under the terms of a per‐
447       mission notice identical to this one.
448
449       Permission is granted to copy and distribute translations of this man
450       page into another language, under the above conditions for modified
451       versions, except that this permission notice may be stated in a trans‐
452       lation approved by Tripwire, Inc.
453
454       Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of
455       Tripwire, Inc. in the United States and other countries. All rights re‐
456       served.
457

SEE ALSO

459       twintro(8), twadmin(8), twprint(8), siggen(8), twconfig(4), twpoli‐
460       cy(4), twfiles(5)
461
462       The Design and Implementation of Tripwire: A UNIX File Integrity Check‐
463       er by Gene Kim and Eugene Spafford.  Purdue Technical Report CSD-
464       TR-93-071.
465
466
467
468                                  1 July 2000                      TRIPWIRE(8)
Impressum