TWCONFIG(4)                 Kernel Interfaces Manual                TWCONFIG(4)

NAME
       twconfig - Tripwire configuration file reference

DESCRIPTION
       The configuration file stores system-specific information, including
       the location of Tripwire data files and the settings used to send
       email notification.  The configuration file settings are generated
       during the installation process, but can be changed by the system
       administrator at any time.  The configuration file is signed with the
       site key, and the site passphrase is required to edit the file.

       During installation, a signed Tripwire configuration file tw.cfg will
       be created in the /etc/tripwire directory, and a plain text copy of
       this configuration file, twcfg.txt, will be created in the same
       directory.

       The configuration file is modified using the twadmin --create-cfgfile
       command.  With this command, the user can designate an existing plain
       text file as the current configuration file.  Using the current site
       key and passphrase, the new configuration file is cryptographically
       signed and saved with this command.  Editing the plain text copy by
       itself changes nothing: Tripwire reads the signed tw.cfg, so the edited
       text must be re-signed with twadmin --create-cfgfile before the change
       takes effect.

   Components of the Configuration File
       The Tripwire configuration file is structured as a list of
       keyword-value pairs, and may also contain comments and variable
       definitions.  Any line with "#" in the first column is treated as a
       comment.

       The general syntax for variable definition is:
              keyword = value
       For example:
              ROOT = /usr/tripwire
              EDITOR = /usr/local/bin/jove

       Variable substitution on the right hand side is permitted using the
       syntax:
              $( varname )
       For example:
              DBFILE = $(ROOT)/db/$(HOSTNAME).twd

       Variable names are case-sensitive, and may contain all alphanumeric
       characters, underscores, the characters "+-@:", and the period.  Two
       variables are predefined in the configuration file, and may not be
       changed.  HOSTNAME is the unqualified hostname that Tripwire is
       running on, and DATE is a string representation of the date and time.

   Required Variables
       The following variables must be set in order for Tripwire to operate.
       The values listed below are assigned during installation.

       POLFILE          Default = /etc/tripwire/tw.pol
       DBFILE           Default = /var/lib/tripwire/$(HOSTNAME).twd
       REPORTFILE       Default = /var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
       SITEKEYFILE      Default = /etc/tripwire/site.key
       LOCALKEYFILE     Default = /etc/tripwire/$(HOSTNAME)-local.key

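       The syntax rules in the previous section and the required-variable
       list above, as an added example that is not part of Tripwire or of
       this man page: a small Python parser for the plain text twcfg.txt
       format.  It honours "#" in the first column, keyword = value lines,
       $(name) substitution, case-sensitive names, the predefined HOSTNAME
       and DATE, and checks that the five required variables are present.
       The sample configuration is constructed.  The name character class,
       eager in-order expansion of references, and raising an error on an
       undefined reference are this example's assumptions about behaviour
       the page does not specify; twadmin may differ.

```python
"""Parser for Tripwire's plain text configuration format (added example,
not Tripwire code).  Assumptions beyond the man page: references are
expanded eagerly in file order, an undefined $(name) is an error, and the
name character class is taken literally from the page's description."""
import re
import socket
import time

REQUIRED = ("POLFILE", "DBFILE", "REPORTFILE", "SITEKEYFILE", "LOCALKEYFILE")
PREDEFINED = ("HOSTNAME", "DATE")
# Alphanumerics, underscore, "+-@:" and "." (names are case-sensitive).
NAME_RE = re.compile(r"^[A-Za-z0-9_+\-@:.]+$")
# $( varname ), with optional whitespace inside the parentheses.
REF_RE = re.compile(r"\$\(\s*([A-Za-z0-9_+\-@:.]+)\s*\)")


class ConfigError(ValueError):
    """Raised for a malformed line, a bad reference, or a missing variable."""


def predefined_vars(hostname=None, date=None):
    """HOSTNAME is the unqualified host name, DATE a date/time string.
    Both can be overridden for reproducible output; the DATE format used
    here is this example's choice, not Tripwire's."""
    host = hostname if hostname is not None else socket.gethostname().split(".")[0]
    stamp = date if date is not None else time.strftime("%Y%m%d-%H%M%S")
    return {"HOSTNAME": host, "DATE": stamp}


def parse_config(text, hostname=None, date=None):
    """Return {name: expanded value} or raise ConfigError."""
    env = predefined_vars(hostname, date)
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Only "#" in the first column starts a comment; blank lines are skipped.
        if raw.startswith("#") or not raw.strip():
            continue
        if "=" not in raw:
            raise ConfigError(f"line {lineno}: expected 'keyword = value'")
        name, value = (part.strip() for part in raw.split("=", 1))
        if not NAME_RE.match(name):
            raise ConfigError(f"line {lineno}: invalid variable name {name!r}")
        if name in PREDEFINED:
            raise ConfigError(f"line {lineno}: {name} is predefined and may not be changed")

        def expand(match):
            ref = match.group(1)
            if ref not in env:  # case-sensitive: $(dbfile) is not $(DBFILE)
                raise ConfigError(f"line {lineno}: undefined variable $({ref})")
            return env[ref]

        env[name] = REF_RE.sub(expand, value)
    missing = [name for name in REQUIRED if name not in env]
    if missing:
        raise ConfigError("missing required variable(s): " + ", ".join(missing))
    return env


# Constructed sample in the documented syntax (not a real installation's file).
SAMPLE_CONFIG = """\
# Tripwire configuration (constructed sample)
ROOT = /usr/tripwire
POLFILE = /etc/tripwire/tw.pol
DBFILE = $(ROOT)/db/$(HOSTNAME).twd
REPORTFILE = $(ROOT)/report/$(HOSTNAME)-$( DATE ).twr
SITEKEYFILE = /etc/tripwire/site.key
LOCALKEYFILE = /etc/tripwire/$(HOSTNAME)-local.key
EDITOR = /bin/vi
"""

if __name__ == "__main__":
    expanded = parse_config(SAMPLE_CONFIG, hostname="lighthouse", date="20000618141057")
    for name, value in expanded.items():
        print(f"{name} = {value}")
```

       Run against a real twcfg.txt, the parser rejects a lowercase
       "dbfile" as a missing DBFILE rather than silently accepting it, which
       is the failure mode the case-sensitivity rule above produces.
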
   Other Variables
       The following variables are not required to run Tripwire, but some of
       the program's functionality will be lost without them.  The values
       assigned during installation are listed.

       EDITOR Specifies an editor to be used in interactive modes.  If EDITOR
              is not defined, and no editor is specified on the command line,
              using interactive modes will cause an error.
              Initial value: /bin/vi

       TEMPDIRECTORY
              This variable can be set to the location to which tripwire
              should write its temporary files.  By default it is /tmp,
              which due to the default permissions can be very insecure.  It
              is recommended that you use this configuration variable to
              provide tripwire with a secure place to write temporary files.
              The directory used should have its permissions set such that
              only the owning process can read/write to it, i.e. "chmod 700".
              Initial value: /tmp

       GLOBALEMAIL
              This variable is set to a list of email addresses separated by
              either a comma "," or a semicolon ";".  If a report would
              normally have been sent out, it will also be sent to this list
              of recipients.
              Initial value: none

       LATEPROMPTING
              Prompt for passphrase as late as possible to minimize the
              amount of time that the passphrase is stored in memory.  If
              the value is true (case-sensitive), then late prompting is
              turned on.  With any other value, or if the variable is removed
              from the configuration file, late prompting is turned off.
              Initial value: false

       LOOSEDIRECTORYCHECKING
              When a file is added to or removed from a directory, Tripwire
              reports both the changes to the file itself and the
              modification to the directory (size, number of links, etc.).
              This can create redundant entries in Tripwire reports.  With
              loose directory checking, Tripwire will not check directories
              for any properties that would change when a file is added or
              deleted.  This includes: size, number of links, access time,
              change time, modification time, number of blocks, growing
              file, and all hashes.

              If the value for this variable is true (case-sensitive), then
              loose directory checking is turned on, and these properties
              will be ignored for all directories.  With any other value, or
              if the variable is removed from the configuration file, loose
              directory checking is turned off.  Turning loose directory
              checking on is equivalent to appending the following property
              mask to the rules for all directory inodes: -snacmblCMSH
              Initial value: false

       SYSLOGREPORTING
              If this variable is set to true, messages are sent to the
              syslog for four events: database initialization, integrity
              check completions, database updates, and policy updates.  The
              syslog messages are sent from the "user" facility at the
              "notice" level.  For more information, see the syslogd(1) man
              page and the syslog.conf file.  The following illustrates the
              information logged in the syslog for each of the four events:

              Jun 18 14:09:42 lighthouse tripwire[9444]: Database initialized: /var/lib/tripwire/test.twd

              Jun 18 14:10:57 lighthouse tripwire[9671]: Integrity Check Complete: TWReport lighthouse 20000618141057 V:2 S:90 A:1 R:0 C:1

              Jun 18 14:11:19 lighthouse tripwire[9672]: Database Update Complete: /var/lib/tripwire/test.twd

              Jun 18 14:18:26 lighthouse tripwire[9683]: Policy Update Complete: /var/lib/tripwire/test.twd

              The letters in the integrity check log line correspond to the
              number of violations, the maximum severity level, and the
              number of files added, removed, and changed, respectively.
              With any value other than true, or if this variable is removed
              from the configuration file, syslog reporting will be turned
              off.  As with the other flags, the comparison is exact: a
              value such as "True" or "yes" counts as "any other value" and
              silently disables syslog reporting.
              Initial value: true

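       The four syslog events above, as an added detection example that is
       not part of Tripwire or of this man page: a parser for the tripwire
       syslog lines, followed by a triage rule that flags integrity checks
       reporting violations and every database initialization, database
       update and policy update (the events that redefine what "known good"
       means, so each should match a change record).  The message formats
       are taken from the four lines shown; the sample log, the sshd noise
       line, the clean second check and the severity threshold are this
       example's own constructions.

```python
"""Parse Tripwire syslog lines and triage them (added example, not Tripwire
code).  The message formats follow the four events documented above."""
import re
from dataclasses import dataclass, field

# "Jun 18 14:10:57 lighthouse tripwire[9671]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) tripwire\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# "TWReport <host> <yyyymmddhhmmss> V:<n> S:<n> A:<n> R:<n> C:<n>"
TWREPORT_RE = re.compile(
    r"^TWReport (?P<host>\S+) (?P<ts>\d{14}) "
    r"V:(?P<v>\d+) S:(?P<s>\d+) A:(?P<a>\d+) R:(?P<r>\d+) C:(?P<c>\d+)$"
)
EVENT_PREFIXES = {
    "Database initialized: ": "db_init",
    "Integrity Check Complete: ": "check",
    "Database Update Complete: ": "db_update",
    "Policy Update Complete: ": "policy_update",
}
BASELINE_EVENTS = ("db_init", "db_update", "policy_update")


@dataclass
class Event:
    stamp: str
    host: str
    pid: int
    kind: str
    detail: str                                   # path, or the TWReport summary
    counts: dict = field(default_factory=dict)    # v/s/a/r/c for "check" events


def parse_line(line):
    """Return an Event for a tripwire syslog line, or None for anything else."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    msg = m.group("msg")
    for prefix, kind in EVENT_PREFIXES.items():
        if msg.startswith(prefix):
            detail = msg[len(prefix):]
            counts = {}
            if kind == "check":
                r = TWREPORT_RE.match(detail)
                if not r:
                    return None          # malformed report summary: ignore
                counts = {k: int(r.group(k)) for k in "vsarc"}
            return Event(m.group("stamp"), m.group("host"), int(m.group("pid")),
                         kind, detail, counts)
    return None


def triage(lines, min_severity=0):
    """Return (event, reason) pairs an analyst should look at: integrity
    checks with violations at or above min_severity, and every event that
    rewrites the baseline database or policy."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.kind == "check" and ev.counts["v"] > 0 and ev.counts["s"] >= min_severity:
            reason = "%d violation(s), max severity %d: added %d, removed %d, changed %d" % (
                ev.counts["v"], ev.counts["s"], ev.counts["a"], ev.counts["r"], ev.counts["c"])
            findings.append((ev, reason))
        elif ev.kind in BASELINE_EVENTS:
            findings.append((ev, f"{ev.kind} rewrote {ev.detail}; confirm a change record exists"))
    return findings


# Constructed sample log: the four documented events, one unrelated line and a clean check.
SAMPLE_LOG = """\
Jun 18 14:09:42 lighthouse tripwire[9444]: Database initialized: /var/lib/tripwire/test.twd
Jun 18 14:10:57 lighthouse tripwire[9671]: Integrity Check Complete: TWReport lighthouse 20000618141057 V:2 S:90 A:1 R:0 C:1
Jun 18 14:11:03 lighthouse sshd[9680]: Accepted publickey for root from 10.0.0.5
Jun 18 14:11:19 lighthouse tripwire[9672]: Database Update Complete: /var/lib/tripwire/test.twd
Jun 18 14:18:26 lighthouse tripwire[9683]: Policy Update Complete: /var/lib/tripwire/test.twd
Jun 19 04:00:02 lighthouse tripwire[1201]: Integrity Check Complete: TWReport lighthouse 20000619040002 V:0 S:0 A:0 R:0 C:0
""".splitlines()

if __name__ == "__main__":
    for ev, why in triage(SAMPLE_LOG):
        print(f"{ev.stamp} {ev.host} pid={ev.pid} {ev.kind}: {why}")
```

       Because the syslog line carries only the counts, the triage output is
       a pointer to the report file named by REPORTFILE, not a substitute for
       reading it.
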
       REPORTLEVEL
              Specifies the default level of report produced by the twprint
              --print-report mode.  Valid values for this option are 0 to 4.
              The report level specified by this option can be overridden
              with the (-t or --report-level) option on the command line.
              If this variable is not included in the configuration file,
              the default report level is 3.  Note that only reports printed
              using the twprint --print-report mode are affected by this
              parameter; reports displayed by other modes and other commands
              are not affected.
              Initial value: 3

       DBPRINTLEVEL
              Specifies the default level of report produced by the twprint
              --print-dbfile mode.  Valid values for this option are 0 to 2.
              The output level specified by this option can be overridden
              with the (-t or --output-level) option on the command line.
              If this variable is not included in the configuration file,
              the default output level is 2.
              Initial value: 2

       HASH_DIRECT_IO
              Use direct I/O when hashing files.  (Linux-only as of Open
              Source Tripwire (OST) 2.4.3.2)
              Initial value: false

       RESOLVE_IDS_TO_NAMES
              Specifies whether to resolve uid/gid values to user and group
              names.  Static binaries may segfault while calling
              getpwuid/getgrgid in certain nsswitch.conf configurations, and
              setting this to false will bypass the name resolution step and
              prevent the segfault.
              Initial value: true

   Email Notification Variables
       MAILMETHOD
              Specifies the protocol to be used by Tripwire for email
              notification.  The only acceptable values for this field are
              SMTP or SENDMAIL.  Any other value will produce an error
              message.
              Initial value: SENDMAIL

       SMTPHOST
              Specifies the domain name or IP address of the SMTP server
              used for email notification.  Ignored unless MAILMETHOD is set
              to SMTP.
              Initial value: mail.domain.com

       SMTPPORT
              Specifies the port number used with SMTP.  Ignored unless
              MAILMETHOD is set to SMTP.
              Initial value: 25

       MAILPROGRAM
              Specifies the program used for email reporting of rule
              violations if MAILMETHOD is set to SENDMAIL.  The program must
              accept an RFC 822 style mail header, and recipients will be
              listed in the "To:" field of the mail header.  Some mail
              programs interpret a line consisting of only a single period
              character to mean end-of-input, and all text after that is
              ignored.  Since there is a small possibility that a Tripwire
              report would contain such a line, the mail program specified
              must be able to ignore lines that consist of a single period
              (the -oi option to sendmail produces this behavior).
              Initial value: /usr/lib/sendmail -oi -t

       EMAILREPORTLEVEL
              Specifies the default level of report produced by the tripwire
              --check mode email report.  Valid values for this option are 0
              to 4.  The report level specified by this option can be
              overridden with the (-t or --email-report-level) option on the
              command line.  If this variable is not included in the
              configuration file, the default report level is 3.
              Initial value: 3

       MAILNOVIOLATIONS
              This option controls the way that Tripwire sends email
              notification if no rule violations are found during an
              integrity check.  If MAILNOVIOLATIONS is set to false and no
              violations are found, Tripwire will not send a report.  With
              any other value, or if the variable is removed from the
              configuration file, Tripwire will send an email message stating
              that no violations were found.

              Mailing reports of no violations allows an administrator to
              distinguish between unattended integrity checks that are
              failing to run and integrity checks that are running but are
              not finding any violations.  However, mailing no-violation
              reports will increase the amount of data that must be
              processed.
              Initial value: true

       MAILFROMADDRESS
              Specifies the value of the "From:" field in email reports.
              Initial value: tripwire@hostname, where 'hostname' is the
              local machine name.

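       The value rules from the Other Variables and Email Notification
       Variables sections, as an added example that is not part of Tripwire
       or of this man page: a Python linter that takes an already parsed
       {name: value} mapping and reports values that are invalid or that do
       not do what the administrator most likely intended.  It applies the
       page's rules literally: a flag is on only for the exact string "true"
       and MAILNOVIOLATIONS is off only for the exact string "false", so
       "True" and "yes" silently turn a feature OFF; MAILMETHOD must be SMTP
       or SENDMAIL; REPORTLEVEL and EMAILREPORTLEVEL are 0 to 4 and
       DBPRINTLEVEL 0 to 2; TEMPDIRECTORY should not be /tmp and should be
       mode 0700; a sendmail MAILPROGRAM should carry -oi.  The sample
       configurations are constructed, the message texts are the example's
       own, and treating MAILMETHOD as case-sensitive is an assumption taken
       from the page's wording rather than from Tripwire's source.

```python
"""Lint Tripwire configuration values against the rules in the Other
Variables and Email Notification Variables sections (added example, not
Tripwire code).  Input is an already parsed {name: value} mapping."""
import os
import stat

FLAGS_ON_ONLY_IF_TRUE = ("LATEPROMPTING", "LOOSEDIRECTORYCHECKING", "SYSLOGREPORTING")
LEVEL_RANGES = {"REPORTLEVEL": (0, 4), "EMAILREPORTLEVEL": (0, 4), "DBPRINTLEVEL": (0, 2)}
LOOKS_TRUE = ("true", "yes", "on", "1")
LOOKS_FALSE = ("false", "no", "off", "0")
MAILPROGRAM_MSG = "sendmail without -oi: a line holding only '.' truncates the report"


def tempdir_finding(path):
    """TEMPDIRECTORY must exist, be a directory, and be private (mode 0700).
    Returns a message, or None when the directory is acceptable."""
    if path == "/tmp":
        return "/tmp is shared and world-writable; point TEMPDIRECTORY at a private directory"
    try:
        st = os.stat(path)
    except OSError as e:
        return f"cannot stat {path}: {e.strerror}"
    if not stat.S_ISDIR(st.st_mode):
        return f"{path} is not a directory"
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        return f"{path} is mode {mode:04o}; chmod 700 it"
    return None


def lint_config(cfg, check_fs=True):
    """Return [(variable, message)] for bad or misleading values."""
    findings = []
    # Flags are on only for the exact string "true"; "True"/"yes" silently turn them OFF.
    for name in FLAGS_ON_ONLY_IF_TRUE:
        val = cfg.get(name)
        if val is not None and val != "true" and val.lower() in LOOKS_TRUE:
            findings.append((name, f"{val!r} is not exactly 'true', so the feature is OFF"))
    # MAILNOVIOLATIONS is the mirror case: only the exact string "false" suppresses mail.
    val = cfg.get("MAILNOVIOLATIONS")
    if val is not None and val != "false" and val.lower() in LOOKS_FALSE:
        findings.append(("MAILNOVIOLATIONS", f"{val!r} is not exactly 'false'; no-violation mail stays ON"))
    # MAILMETHOD is compared literally against the two values the page lists (assumption).
    method = cfg.get("MAILMETHOD")
    if method is not None and method not in ("SMTP", "SENDMAIL"):
        findings.append(("MAILMETHOD", f"{method!r} is neither SMTP nor SENDMAIL; tripwire will error"))
    if method == "SMTP":
        if not cfg.get("SMTPHOST"):
            findings.append(("SMTPHOST", "required when MAILMETHOD is SMTP"))
        port = cfg.get("SMTPPORT", "25")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append(("SMTPPORT", f"{port!r} is not a valid TCP port"))
    if method == "SENDMAIL":
        prog = cfg.get("MAILPROGRAM", "")
        if "sendmail" in prog and "-oi" not in prog.split():
            findings.append(("MAILPROGRAM", MAILPROGRAM_MSG))
    for name, (lo, hi) in LEVEL_RANGES.items():
        val = cfg.get(name)
        if val is not None and (not val.isdigit() or not lo <= int(val) <= hi):
            findings.append((name, f"{val!r} is outside {lo}..{hi}"))
    if check_fs:
        msg = tempdir_finding(cfg.get("TEMPDIRECTORY", "/tmp"))
        if msg:
            findings.append(("TEMPDIRECTORY", msg))
    return findings


# Constructed example: every value looks plausible but is wrong in some way.
WEAK_CONFIG = {
    "SYSLOGREPORTING": "True",      # syslog reporting silently off
    "LATEPROMPTING": "yes",         # late prompting silently off
    "MAILNOVIOLATIONS": "False",    # still mails on every clean check
    "MAILMETHOD": "MAIL",           # rejected: must be SMTP or SENDMAIL
    "REPORTLEVEL": "5",
    "DBPRINTLEVEL": "3",
    "TEMPDIRECTORY": "/tmp",
}
# The same intent written the way the page requires (TEMPDIRECTORY left to the site).
FIXED_CONFIG = {
    "SYSLOGREPORTING": "true",
    "LATEPROMPTING": "true",
    "MAILNOVIOLATIONS": "false",
    "MAILMETHOD": "SENDMAIL",
    "MAILPROGRAM": "/usr/lib/sendmail -oi -t",
    "REPORTLEVEL": "4",
    "DBPRINTLEVEL": "2",
}

if __name__ == "__main__":
    for name, msg in lint_config(WEAK_CONFIG):
        print(f"{name}: {msg}")
```

       The flag checks only fire for spellings that look boolean; an
       arbitrary string such as "enabled" is equally OFF but is left to the
       reader, since the page treats every non-"true" value the same way.
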
VERSION
       This man page describes Tripwire 2.4.

AUTHORS
       Tripwire, Inc.

COPYING PERMISSIONS
       Permission is granted to make and distribute verbatim copies of this
       man page provided the copyright notice and this permission notice are
       preserved on all copies.

       Permission is granted to copy and distribute modified versions of this
       man page under the conditions for verbatim copying, provided that the
       entire resulting derived work is distributed under the terms of a
       permission notice identical to this one.

       Permission is granted to copy and distribute translations of this man
       page into another language, under the above conditions for modified
       versions, except that this permission notice may be stated in a
       translation approved by Tripwire, Inc.

       Copyright 2000-2018 Tripwire, Inc.  Tripwire is a registered trademark
       of Tripwire, Inc. in the United States and other countries.  All
       rights reserved.

SEE ALSO
       twintro(8), tripwire(8), twadmin(8), twprint(8), siggen(8),
       twpolicy(4), twfiles(5), sendmail(1), vi(1), syslogd(1)

Open Source Tripwire 2.4              04 Jan 2018                  TWCONFIG(4)