TRIPWIRE(8)                 System Manager's Manual                TRIPWIRE(8)



NAME

       tripwire - a file integrity checker for UNIX-like systems


SYNOPSIS

       tripwire { -m i | --init } [ options... ]
       tripwire { -m c | --check } [ options... ]
            [ object1 [ object2... ]]
       tripwire { -m u | --update } [ options... ]
       tripwire { -m p | --update-policy } [ options... ]
            policyfile.txt
       tripwire { -m t | --test } [ options... ]


DESCRIPTION

   Database Initialization Mode
       Running tripwire in Database Initialization mode is typically one of
       the first steps in setting up Tripwire for regular operation.  This
       mode creates a baseline database in the location specified by the
       DBFILE variable in the Tripwire configuration file.  The database is
       essentially a snapshot of the objects residing on the system.  During
       later Tripwire integrity checks, this database serves as the basis for
       comparison.

       When run in Database Initialization mode, tripwire reads the policy
       file, generates a database based on its contents, and then
       cryptographically signs the resulting database.  Options can be
       entered on the command line to specify which policy, configuration,
       and key files are used to create the database.  The filename for the
       database can be specified as well.  If no options are specified, the
       default values from the current configuration file are used.

   Integrity Checking Mode
       After building the Tripwire database, the next step is typically to run
       tripwire in Integrity Checking mode.  This mode scans the system for
       violations, as specified in the policy file.  Using the policy file
       rules, Tripwire will compare the state of the current file system
       against the initial baseline database.  An integrity checking report is
       printed to stdout and is saved in the location specified by the
       REPORTFILE setting in the Tripwire configuration file.

       The generated report describes each policy file violation in detail,
       depending on whether the specified file system object was added,
       deleted, or changed.  Each report item lists the properties of the
       object as it currently resides on the file system, and, if
       appropriate, the old value stored in the database.  If there are
       differences between the database and the current system, the
       administrator can either fix the problem by replacing the current file
       with the correct file (e.g., an intruder replaced /bin/login), or
       update the database to reflect the new file (e.g., a fellow system
       administrator installed a new version of /usr/local/bin/emacs).  The
       (-I or --interactive) option launches an editor that allows the user
       to update the database quickly.  The Database Update mode of tripwire
       can also be used.

   Database Update Mode
       Running tripwire in Database Update mode allows any differences between
       the database and the current system to be reconciled.  This will
       prevent the violation from showing up in future reports.  If the
       reported change is unexpected and potentially malicious, then the
       changed file should be replaced with the original version.  If there
       is a valid reason for the change, the database must be changed to
       match the current files.

       In Database Update mode, the items to be changed are specified in a
       "ballot box" in the plain text report that is launched in an editor
       program.  The entries to be updated are specified by leaving the "x"
       next to each policy violation.  After the user exits the editor and
       provides the correct local passphrase, tripwire will update the
       database.  Options to control this operation include the (-Z or
       --secure-mode) and (-a or --accept-all) flags.

   Policy Update Mode
       Policy update mode is used by tripwire to change or update the policy
       file and to synchronize an earlier database with new policy file
       information.  The filename of the new clear text version of the policy
       file is specified on the command line.  The new policy file is
       compared to the existing version, and the database is updated
       according to the new policy rules.  Any changes in the database since
       the last integrity check will be detected and reported.  How these
       violations are interpreted depends on the security mode specified with
       the (-Z or --secure-mode) option.  In high security mode (the
       default), Tripwire will print a list of violations and exit without
       making changes to the database.  In low security mode, the violations
       are still reported, but changes to the database are made
       automatically.

       Because the policy and database files are binary-encoded and
       cryptographically signed, the user will be prompted for the site and
       local passphrases to change the policy settings.  After the database
       is successfully updated, the database and policy files are re-encoded
       and signed.

   Test Mode
       Test mode is used to check the operation of the Tripwire email
       notification system.  When run in this mode, Tripwire will use the
       email notification settings specified in the configuration file to
       send a test email message.  If MAILMETHOD is set to SMTP, the SMTPHOST
       and SMTPPORT values will be used to send email.  If MAILMETHOD is set
       to SENDMAIL, the MAILPROGRAM value will be used.  If email
       notification is working correctly, the address specified on the
       command line will receive the following message:

            To: user@domain.com
            From: user <user@domain.com>
            Subject: Test email message from Tripwire

            If you receive this message, email notification
            from Tripwire is working correctly.

       Test mode only tests email notification for the address specified on
       the command line, and does not check for errors in the syntax used
       with the emailto attribute in the policy file.


OPTIONS

   Database Initialization mode:
           -m i            --init
           -v              --verbose
           -s              --silent, --quiet
           -c cfgfile      --cfgfile cfgfile
           -p polfile      --polfile polfile
           -d database     --dbfile database
           -S sitekey      --site-keyfile sitekey
           -L localkey     --local-keyfile localkey
           -P passphrase   --local-passphrase passphrase
           -e              --no-encryption

       -m i, --init
              Mode selector.

       -v, --verbose
              Verbose output mode.  Mutually exclusive with (-s).

       -s, --silent, --quiet
              Silent output mode.  Mutually exclusive with (-v).

       -c cfgfile, --cfgfile cfgfile
              Use the specified configuration file.

       -p polfile, --polfile polfile
              Use the specified policy file.

       -d database, --dbfile database
              Write to the specified database file.

       -S sitekey, --site-keyfile sitekey
              Use the specified site key file to read the configuration and
              policy files.

       -L localkey, --local-keyfile localkey
              Use the specified local key file to write the new database file.
              Mutually exclusive with (-e).

       -P passphrase, --local-passphrase passphrase
              Specifies passphrase to be used with local key to sign the new
              database.  Mutually exclusive with (-e).

       -e, --no-encryption
              Do not sign the database being stored.  The database file will
              still be compressed and will not be human-readable.  Mutually
              exclusive with (-L) and (-P).

______________________________________________________________________________

   Integrity Checking mode:
           -m c                  --check
           -I                    --interactive
           -v                    --verbose
           -s                    --silent, --quiet
           -c cfgfile            --cfgfile cfgfile
           -p polfile            --polfile polfile
           -d database           --dbfile database
           -r report             --twrfile report
           -S sitekey            --site-keyfile sitekey
           -L localkey           --local-keyfile localkey
           -P passphrase         --local-passphrase passphrase
           -n                    --no-tty-output
           -V editor             --visual editor
           -E                    --signed-report
           -i list               --ignore list
           -l { level | name }   --severity { level | name }
           -R rule               --rule-name rule
           -x section            --section section
           -M                    --email-report
           -t { 0|1|2|3|4 }      --email-report-level { 0|1|2|3|4 }
           -h                    --hexadecimal
           [ object1 [ object2... ]]

       -m c, --check
              Mode selector.

       -I, --interactive
              At the end of integrity checking, the resulting report is opened
              in an editor where database updates can be easily specified
              using the ballot boxes included in the report.

       -v, --verbose
              Verbose output mode.  Mutually exclusive with (-s).

       -s, --silent, --quiet
              Silent output mode.  Mutually exclusive with (-v).

       -c cfgfile, --cfgfile cfgfile
              Use the specified configuration file.

       -p polfile, --polfile polfile
              Use the specified policy file.

       -d database, --dbfile database
              Use the specified database file.

       -r report, --twrfile report
              Write the specified report file.

       -S sitekey, --site-keyfile sitekey
              Use the specified site key file to read the configuration and
              policy files.

       -L localkey, --local-keyfile localkey
              Use the specified local key file to read the database file and,
              if (-E) is specified, to write the report file.

       -P passphrase, --local-passphrase passphrase
              Specifies passphrase to be used with local key to sign the
              database when (-I) is used, and to sign the report when (-E) is
              used.  Valid only with (-I) or (-E).

       -n, --no-tty-output
              Suppress the report from being printed at the console.

       -V editor, --visual editor
              Use the specified editor to edit the update ballot boxes.
              Meaningful only with (-I).

       -E, --signed-report
              Specifies that the Tripwire report will be signed.  If no
              passphrase is specified on the command line, tripwire will
              prompt for the local passphrase.

       -i list, --ignore list
              Do not compute or compare the properties specified in list.  Any
              of the letter codes (abcdgimnprstulCHMS) specified in property
              masks can be excluded.  Use of this option overrides information
              from the policy file.  The format to be used for list is a
              double-quoted, comma-delimited list of properties (e.g.
              --ignore "p,c,m").

       -l { level | name }, --severity { level | name }
              Check only policy rules with severity greater than or equal to
              the given level.  The level may be specified as a number or as a
              name.  Severity names are defined as follows:
                   Low          33
                   Medium       66
                   High        100
              Mutually exclusive with (-R).

       -R rule, --rule-name rule
              Check only the specified policy rule.  Mutually exclusive with
              (-l).

       -x section, --section section
              Only check the rules in the specified section of the policy
              file.  For Tripwire 2.4, FS is the only meaningful argument for
              this flag.

       -M, --email-report
              Specifies that reports be emailed to the recipient(s) designated
              in the policy file.

       -t level, --email-report-level level
              Specifies the detail level of email reports, overriding the
              EMAILREPORTLEVEL variable in the configuration file.  level must
              be a number from 0 to 4.  Valid only with (-M).

       -h, --hexadecimal
              Display hash values as hexadecimal in email reports.

       [ object1 [ object2... ]]
              List of files and directories that should be integrity checked.
              Default is all files.  If files are specified for checking, the
              --severity and --rule-name options will be ignored.

______________________________________________________________________________

   Database Update mode:
           -m u                --update
           -v                  --verbose
           -s                  --silent, --quiet
           -c cfgfile          --cfgfile cfgfile
           -p polfile          --polfile polfile
           -d database         --dbfile database
           -r report           --twrfile report
           -S sitekey          --site-keyfile sitekey
           -L localkey         --local-keyfile localkey
           -P passphrase       --local-passphrase passphrase
           -V editor           --visual editor
           -a                  --accept-all
           -Z { low | high }   --secure-mode { low | high }

       -m u, --update
              Mode selector.

       -v, --verbose
              Verbose output mode.  Mutually exclusive with (-s).

       -s, --silent, --quiet
              Silent output mode.  Mutually exclusive with (-v).

       -c cfgfile, --cfgfile cfgfile
              Use the specified configuration file.

       -p polfile, --polfile polfile
              Use the specified policy file.

       -d database, --dbfile database
              Update the specified database file.

       -r report, --twrfile report
              Read the specified report file.

       -S sitekey, --site-keyfile sitekey
              Use the specified site key file to read the configuration and
              policy files.

       -L localkey, --local-keyfile localkey
              Use the specified local key file to read the database file and
              report file, and to re-write the database file.

       -P passphrase, --local-passphrase passphrase
              Specifies passphrase to be used with local key to sign the
              database.

       -V editor, --visual editor
              Use the specified editor to edit the update ballot boxes.
              Mutually exclusive with (-a).

       -a, --accept-all
              Specifies that all the entries in the report file are updated
              without prompting.  Mutually exclusive with (-V).

       -Z { low | high }, --secure-mode { low | high }
              Specifies the security level, which affects how certain
              conditions are handled when inconsistent information is found
              between the report file and the current database:

              High:  In high security mode, if a file does not match the
              properties in the report file, Tripwire reports the differences
              as warnings, and exits without changing the database.

              Low:  In low security mode, inconsistencies are reported as
              warnings, but the changes are still made to the database.

______________________________________________________________________________

   Policy Update mode:
           -m p                --update-policy
           -v                  --verbose
           -s                  --silent, --quiet
           -c cfgfile          --cfgfile cfgfile
           -p polfile          --polfile polfile
           -d database         --dbfile database
           -S sitekey          --site-keyfile sitekey
           -L localkey         --local-keyfile localkey
           -P passphrase       --local-passphrase passphrase
           -Q passphrase       --site-passphrase passphrase
           -Z { low | high }   --secure-mode { low | high }
           policyfile.txt

       -m p, --update-policy
              Mode selector.

       -v, --verbose
              Verbose output mode.  Mutually exclusive with (-s).

       -s, --silent, --quiet
              Silent output mode.  Mutually exclusive with (-v).

       -c cfgfile, --cfgfile cfgfile
              Use the specified configuration file.

       -p polfile, --polfile polfile
              Write the specified policy file.

       -d database, --dbfile database
              Use the specified database file.

       -S sitekey, --site-keyfile sitekey
              Use the specified site key file to read the configuration file,
              and read and write the policy file.

       -L localkey, --local-keyfile localkey
              Use the specified local key file to read and write the database
              file.

       -P passphrase, --local-passphrase passphrase
              Specifies passphrase to be used with local key to sign the
              database.

       -Q passphrase, --site-passphrase passphrase
              Specifies passphrase to be used with site key to sign the new
              policy file.

       -Z { low | high }, --secure-mode { low | high }
              Specifies the security level, which affects how certain
              conditions are handled when the existing filesystem does not
              match the database information.  Since the database produced at
              the end of a policy update becomes the baseline for future
              integrity checks, this consistency-checking ensures that no
              substantive filesystem changes have occurred since the last
              integrity check.

              High:  In high security mode, if a file on the filesystem does
              not match the properties in the database file, Tripwire reports
              the differences as warnings, and exits without changing the
              database or the policy file.

              Low:  In low security mode, inconsistencies are reported as
              warnings, but the changes are still made to the database and
              policy file.

       policyfile.txt
              Specifies the text policy file that will become the new policy
              file.

______________________________________________________________________________

   Test mode:
           -m t                 --test
           -e user@domain.com   --email user@domain.com

       -m t, --test
              Mode selector.

       -e user@domain.com, --email user@domain.com
              Use the specified email address.  This parameter must be
              supplied when test mode is used.  Only one address may be
              specified.


EXIT STATUS

   Integrity Checking Mode
       tripwire exits 0 if no changes are detected.  Otherwise the exit value
       is a bit mask:

       1 At least one file or directory has been added.

       2 At least one file or directory has been removed.

       4 At least one file or directory has been modified.

       8 Error(s) occurred during the check.

   All Other Modes
       tripwire exits 0 on success, 8 on error.

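       As an added example (not part of this man page or of the Tripwire
       project), a POSIX sh wrapper for scheduled Integrity Checking runs
       that decodes the exit status bit mask above.  It assumes tripwire is
       on PATH and that REPORTFILE in the configuration file and the
       emailto recipients in the policy file are already set.

```shell
#!/bin/sh
# Added example, not code from the tripwire man page or the Tripwire
# project.  Wraps an unattended "tripwire --check" and decodes its exit
# status (bit mask: 1 added, 2 removed, 4 modified, 8 error) so a
# scheduler can tell "policy violations found" from "the check itself
# failed", which is the case that must be alerted on first.

# decode_tw_status STATUS
#   Prints the set bits as a comma-separated list, or "clean" for 0.
decode_tw_status() {
    st=$1
    out=""
    [ $((st & 1)) -ne 0 ] && out="${out}added,"
    [ $((st & 2)) -ne 0 ] && out="${out}removed,"
    [ $((st & 4)) -ne 0 ] && out="${out}modified,"
    [ $((st & 8)) -ne 0 ] && out="${out}error,"
    if [ -z "$out" ]; then
        echo "clean"
    else
        echo "${out%,}"      # drop the trailing comma
    fi
}

# tw_check_failed STATUS
#   Succeeds only when the error bit (8) is set.  A report produced with
#   this bit set cannot be trusted as complete: part of the file system
#   may not have been checked at all.
tw_check_failed() {
    [ $(( $1 & 8 )) -ne 0 ]
}

# tw_violations STATUS
#   Succeeds when at least one of the added/removed/modified bits is set.
tw_violations() {
    [ $(( $1 & 7 )) -ne 0 ]
}

# run_tw_check [object...]
#   Unattended check: -n keeps the report off the console and -M mails
#   it to the policy's emailto recipients; the report is still written
#   to REPORTFILE.  Returns tripwire's raw exit status for decoding.
run_tw_check() {
    rc=0
    tripwire --check --no-tty-output --email-report "$@" || rc=$?
    return "$rc"
}

# Only invoke tripwire when it is installed, so the helpers above can be
# sourced and exercised on a host that does not have it.
if command -v tripwire >/dev/null 2>&1; then
    status=0
    run_tw_check || status=$?
    echo "tripwire check: $(decode_tw_status "$status") (exit $status)"
    if tw_check_failed "$status"; then
        exit 2           # check did not complete: investigate before trusting the report
    elif tw_violations "$status"; then
        exit 1           # violations reported: review REPORTFILE, then -m u or restore files
    fi
fi
```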

VERSION INFORMATION

       This man page describes tripwire version 2.4.


AUTHORS

       Tripwire, Inc.


COPYING PERMISSIONS

       Permission is granted to make and distribute verbatim copies of this
       man page provided the copyright notice and this permission notice are
       preserved on all copies.

       Permission is granted to copy and distribute modified versions of this
       man page under the conditions for verbatim copying, provided that the
       entire resulting derived work is distributed under the terms of a
       permission notice identical to this one.

       Permission is granted to copy and distribute translations of this man
       page into another language, under the above conditions for modified
       versions, except that this permission notice may be stated in a
       translation approved by Tripwire, Inc.

       Copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark
       of Tripwire, Inc. in the United States and other countries. All rights
       reserved.


SEE ALSO

       twintro(8), twadmin(8), twprint(8), siggen(8), twconfig(4),
       twpolicy(4), twfiles(5)

       The Design and Implementation of Tripwire: A UNIX File Integrity
       Checker by Gene Kim and Eugene Spafford.  Purdue Technical Report
       CSD-TR-93-071.



Open Source Tripwire 2.4          04 Jan 2018                      TRIPWIRE(8)