TWCONFIG(4)                Kernel Interfaces Manual                TWCONFIG(4)

NAME
       twconfig - Tripwire configuration file reference

DESCRIPTION
       The configuration file stores system-specific information, including
       the location of Tripwire data files and the settings used to send
       email notification.  The configuration file settings are generated
       during the installation process, but can be changed by the system
       administrator at any time.  The configuration file is signed with the
       site key, and the site passphrase is required to edit the file.

       During installation, a signed Tripwire configuration file tw.cfg will
       be created in the /etc/tripwire directory, and a plain text copy of
       this configuration file, twcfg.txt, will be created in the same
       directory.

       The configuration file is modified using the twadmin --create-cfgfile
       command.  With this command, the user can designate an existing plain
       text file as the current configuration file.  Using the current site
       key and passphrase, the new configuration file is cryptographically
       signed and saved.

   Components of the Configuration File
       The Tripwire configuration file is structured as a list of
       keyword-value pairs, and may also contain comments and variable
       definitions.  Any line with "#" in the first column is treated as a
       comment.

       The general syntax for variable definition is:
           keyword  =  value
       For example:
           ROOT = /usr/tripwire
           EDITOR = /usr/local/bin/jove

       Variable substitution on the right hand side is permitted using the
       syntax:
           $(  varname  )
       For example:
           DBFILE = $(ROOT)/db/$(HOSTNAME).twd

       Variable names are case-sensitive, and may contain all alphanumeric
       characters, underscores, the characters "+-@:", and the period.  Two
       variables are predefined in the configuration file, and may not be
       changed.  HOSTNAME is the unqualified hostname that Tripwire is
       running on, and DATE is a string representation of the date and time.

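       The following is an added example, not code from Open Source Tripwire:
       a small Python reader for the keyword = value syntax described above.
       It treats "#" in column one as a comment, expands $( varname )
       references (whitespace inside the parentheses allowed), rejects names
       outside the documented character set, and refuses to redefine the
       predefined HOSTNAME and DATE.  The YYYYMMDDhhmmss layout used for DATE
       and the sample configuration text are assumptions made for the
       example.

```python
import re
import socket
import time

# Added example, not Tripwire's own parser.  Characters the page allows in a
# variable name: alphanumerics, "_", "+", "-", "@", ":" and ".".
_NAME_RE = re.compile(r"^[A-Za-z0-9_+@:.\-]+$")
# $( varname ) with optional whitespace inside the parentheses.
_SUBST_RE = re.compile(r"\$\(\s*([^()\s]+)\s*\)")


class TwConfigError(ValueError):
    """Raised for a malformed line, an illegal name or an undefined reference."""


def predefined_variables(hostname=None, date=None):
    """HOSTNAME (unqualified) and DATE are supplied by Tripwire itself.
    The YYYYMMDDhhmmss layout for DATE is an assumption matching the
    $(DATE) stamp seen in the REPORTFILE default."""
    if hostname is None:
        hostname = socket.gethostname().split(".")[0]
    if date is None:
        date = time.strftime("%Y%m%d%H%M%S")
    return {"HOSTNAME": hostname, "DATE": date}


def parse_twcfg(text, predefined=None):
    """Return a dict of keyword -> fully expanded value (predefined variables
    included).  Lines are processed top to bottom, so a $(name) reference
    must come after the line that defines name."""
    values = dict(predefined_variables() if predefined is None else predefined)
    reserved = frozenset(values)
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#") or not raw.strip():
            continue                      # comment or blank line
        if "=" not in raw:
            raise TwConfigError(f"line {lineno}: expected 'keyword = value'")
        name, value = (part.strip() for part in raw.split("=", 1))
        if not _NAME_RE.match(name):
            raise TwConfigError(f"line {lineno}: illegal variable name {name!r}")
        if name in reserved:
            raise TwConfigError(f"line {lineno}: {name} is predefined and may not be changed")

        def expand(match, _lineno=lineno):
            ref = match.group(1)
            if ref not in values:
                raise TwConfigError(f"line {_lineno}: reference to undefined variable {ref!r}")
            return values[ref]

        values[name] = _SUBST_RE.sub(expand, value)
    return values


def first_error(text, predefined=None):
    """Convenience wrapper: the first TwConfigError message, or None."""
    try:
        parse_twcfg(text, predefined)
    except TwConfigError as exc:
        return str(exc)
    return None


# Constructed sample in the style of /etc/tripwire/twcfg.txt; not a real file.
SAMPLE_TWCFG = """\
# constructed sample, not an actual Tripwire configuration
ROOT        = /usr/tripwire
POLFILE     = /etc/tripwire/tw.pol
DBFILE      = $(ROOT)/db/$( HOSTNAME ).twd
REPORTFILE  = $(ROOT)/report/$(HOSTNAME)-$(DATE).twr
EDITOR      = /bin/vi
"""

if __name__ == "__main__":
    for key, val in parse_twcfg(SAMPLE_TWCFG).items():
        print(f"{key:<12}= {val}")
```

       Running the file prints every expanded setting for the local host;
       first_error() is handy for checking a candidate twcfg.txt before
       handing it to twadmin --create-cfgfile, since the signed file cannot
       be edited in place.
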
   Required Variables
       The following variables must be set in order for Tripwire to operate.
       The values listed below are assigned during installation.

       POLFILE         Default = /etc/tripwire/tw.pol
       DBFILE          Default = /var/lib/tripwire/$(HOSTNAME).twd
       REPORTFILE      Default = /var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
       SITEKEYFILE     Default = /etc/tripwire/site.key
       LOCALKEYFILE    Default = /etc/tripwire/$(HOSTNAME)-local.key

   Other Variables
       The following variables are not required to run Tripwire, but some of
       the program's functionality will be lost without them.  The values
       assigned during installation are listed.

       EDITOR Specifies an editor to be used in interactive modes.  If EDITOR
              is not defined, and no editor is specified on the command line,
              using interactive modes will cause an error.
              Initial value:  /bin/vi

       TEMPDIRECTORY
              This variable can be set to the location to which tripwire
              should write its temporary files.  By default it is /tmp,
              which due to the default permissions can be very insecure.  It
              is recommended that you use this configuration variable to
              provide tripwire with a secure place to write temporary files.
              The directory used should have its permissions set such that
              only the owning process can read/write to it, i.e. "chmod 700".
              Initial value: /tmp

       GLOBALEMAIL
              This variable is set to a list of email addresses separated by
              either a comma "," or a semicolon ";".  If a report would
              normally have been sent out, it will also be sent to this list
              of recipients.
              Initial value:  none

       LATEPROMPTING
              Prompt for passphrase as late as possible to minimize the amount
              of time that the passphrase is stored in memory.  If the value
              is true (case-sensitive), then late prompting is turned on.
              With any other value, or if the variable is removed from the
              configuration file, late prompting is turned off.
              Initial value:  false

       LOOSEDIRECTORYCHECKING
              When a file is added to or removed from a directory, Tripwire
              reports both the changes to the file itself and the
              modification to the directory (size, number of links, etc.).
              This can create redundant entries in Tripwire reports.  With
              loose directory checking, Tripwire will not check directories
              for any properties that would change when a file is added or
              deleted.  This includes: size, number of links, access time,
              change time, modification time, number of blocks, growing file,
              and all hashes.

              If the value for this variable is true (case-sensitive), then
              loose directory checking is turned on, and these properties will
              be ignored for all directories.  With any other value, or if the
              variable is removed from the configuration file, loose directory
              checking is turned off.  Turning loose directory checking on is
              equivalent to appending the following property mask to the
              rules for all directory inodes: -snacmblCMSH
              Initial value:  false

       SYSLOGREPORTING
              If this variable is set to true, messages are sent to the syslog
              for four events: database initialization, integrity check
              completions, database updates, and policy updates.  The syslog
              messages are sent from the "user" facility at the "notice"
              level.  For more information, see the syslogd(1) man page and
              the syslog.conf file.  The following illustrates the
              information logged in the syslog for each of the four events:

Jun 18 14:09:42 lighthouse tripwire[9444]: Database initialized: /var/lib/tripwire/test.twd

Jun 18 14:10:57 lighthouse tripwire[9671]: Integrity Check Complete: TWReport lighthouse 20000618141057 V:2 S:90 A:1 R:0 C:1

Jun 18 14:11:19 lighthouse tripwire[9672]: Database Update Complete: /var/lib/tripwire/test.twd

Jun 18 14:18:26 lighthouse tripwire[9683]: Policy Update Complete: /var/lib/tripwire/test.twd

              The letters in the Integrity Checking log correspond to # of
              violations, maximum severity level, and # of files added,
              deleted, and changed, respectively.  With any value other than
              true, or if this variable is removed from the configuration
              file, syslog reporting will be turned off.
              Initial value:  true

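       The following is an added example, not part of Open Source Tripwire:
       Python detection logic that parses the "Integrity Check Complete"
       syslog line documented above and raises an alert when V (violations)
       is non-zero, with a severity threshold the caller chooses.  It also
       reports expected hosts that never logged a completion, the syslog
       counterpart of the MAILNOVIOLATIONS rationale below (a silent host is
       a check that did not run, not a clean one).  The first three sample
       lines reproduce the page's examples; the "beacon" host and its line
       are constructed for the example.

```python
import re

# Added example, not Tripwire's own code.  Field meanings follow the page:
# V = number of violations, S = maximum severity level, A/R/C = number of
# files added, removed (deleted) and changed.
_TWREPORT_RE = re.compile(
    r"tripwire\[\d+\]: Integrity Check Complete: "
    r"TWReport (?P<host>\S+) (?P<stamp>\d{14}) "
    r"V:(?P<V>\d+) S:(?P<S>\d+) A:(?P<A>\d+) R:(?P<R>\d+) C:(?P<C>\d+)"
)


def parse_twreport(line):
    """Fields of an Integrity Check Complete line, or None for any other
    tripwire syslog message (database init, database/policy update)."""
    m = _TWREPORT_RE.search(line)
    if m is None:
        return None
    return {
        "host": m.group("host"),
        "stamp": m.group("stamp"),
        "violations": int(m.group("V")),
        "max_severity": int(m.group("S")),
        "added": int(m.group("A")),
        "removed": int(m.group("R")),
        "changed": int(m.group("C")),
    }


def alerts(lines, min_severity=0):
    """Reports with at least one violation whose maximum severity reaches
    min_severity (0 = alert on any violation at all)."""
    found = []
    for line in lines:
        rep = parse_twreport(line)
        if rep and rep["violations"] > 0 and rep["max_severity"] >= min_severity:
            found.append(rep)
    return found


def missing_completion(lines, expected_hosts):
    """Hosts in expected_hosts that logged no Integrity Check Complete."""
    seen = {rep["host"] for rep in map(parse_twreport, lines) if rep}
    return set(expected_hosts) - seen


# Constructed sample: first three lines are the page's examples, the
# "beacon" line is invented to show a clean check on a second host.
SAMPLE_SYSLOG = """\
Jun 18 14:09:42 lighthouse tripwire[9444]: Database initialized: /var/lib/tripwire/test.twd
Jun 18 14:10:57 lighthouse tripwire[9671]: Integrity Check Complete: TWReport lighthouse 20000618141057 V:2 S:90 A:1 R:0 C:1
Jun 18 14:11:19 lighthouse tripwire[9672]: Database Update Complete: /var/lib/tripwire/test.twd
Jun 18 14:40:00 beacon tripwire[2231]: Integrity Check Complete: TWReport beacon 20000618144000 V:0 S:0 A:0 R:0 C:0
"""

if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    for rep in alerts(lines):
        print(f"ALERT {rep['host']} {rep['stamp']}: {rep['violations']} violation(s), "
              f"max severity {rep['max_severity']}, "
              f"A:{rep['added']} R:{rep['removed']} C:{rep['changed']}")
    for host in sorted(missing_completion(lines, {"lighthouse", "beacon", "harbor"})):
        print(f"WARNING no integrity check completed on {host}")
```

       Feed it the tripwire lines from /var/log (or a log pipeline) for the
       scheduling window; the host list is whatever inventory you expect to
       run checks, and a threshold such as the highest severity used in your
       policy turns the alert list into a paging rule.
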
       REPORTLEVEL
              Specifies the default level of report produced by the twprint
              --print-report mode.  Valid values for this option are 0 to 4.
              The report level specified by this option can be overridden with
              the (-t or --report-level) option on the command line.  If this
              variable is not included in the configuration file, the default
              report level is 3.  Note that only reports printed using the
              twprint --print-report mode are affected by this parameter;
              reports displayed by other modes and other commands are not
              affected.
              Initial value:  3

       DBPRINTLEVEL
              Specifies the default level of report produced by the twprint
              --print-dbfile mode.  Valid values for this option are 0 to 2.
              The output level specified by this option can be overridden with
              the (-t or --output-level) option on the command line.  If this
              variable is not included in the configuration file, the default
              output level is 2.
              Initial value:  2

       HASH_DIRECT_IO
              Use direct I/O when hashing files.  (Linux-only as of OST
              2.4.3.2)
              Initial value:  false

       RESOLVE_IDS_TO_NAMES
              Specifies whether to resolve uid/gid values to user & group
              names.  Static binaries may segfault while calling
              getpwuid/getgrgid in certain nsswitch.conf configurations, and
              setting this to false will bypass the name resolution step and
              prevent the segfault.
              Initial value:  true

   Email Notification Variables
       MAILMETHOD
              Specifies the protocol to be used by Tripwire for email
              notification.  The only acceptable values for this field are
              SMTP or SENDMAIL.  Any other value will produce an error
              message.
              Initial value:  SENDMAIL

       SMTPHOST
              Specifies the domain name or IP address of the SMTP server used
              for email notification.  Ignored unless MAILMETHOD is set to
              SMTP.
              Initial value:  mail.domain.com

       SMTPPORT
              Specifies the port number used with SMTP.  Ignored unless
              MAILMETHOD is set to SMTP.
              Initial value:  25

       MAILPROGRAM
              Specifies the program used for email reporting of rule
              violations if MAILMETHOD is set to SENDMAIL.  The program must
              take an RFC822 style mail header, and recipients will be listed
              in the "To:" field of the mail header.  Some mail programs
              interpret a line consisting of only a single period character
              to mean end-of-input, and all text after that is ignored.
              Since there is a small possibility that a Tripwire report would
              contain such a line, the mail program specified must be able to
              ignore lines that consist of a single period (the -oi option to
              sendmail produces this behavior).
              Initial value:  /usr/lib/sendmail -oi -t

       EMAILREPORTLEVEL
              Specifies the default level of report produced by the tripwire
              --check mode email report.  Valid values for this option are 0
              to 4.  The report level specified by this option can be
              overridden with the (-t or --email-report-level) option on the
              command line.  If this variable is not included in the
              configuration file, the default report level is 3.
              Initial value:  3

       MAILNOVIOLATIONS
              This option controls the way that Tripwire sends email
              notification if no rule violations are found during an
              integrity check.  If MAILNOVIOLATIONS is set to false and no
              violations are found, Tripwire will not send a report.  With
              any other value, or if the variable is removed from the
              configuration file, Tripwire will send an email message stating
              that no violations were found.

              Mailing reports of no violations allows an administrator to
              distinguish between unattended integrity checks that are
              failing to run and integrity checks that are running but are
              not finding any violations.  However, mailing no violations
              reports will increase the amount of data that must be
              processed.
              Initial value: true

       MAILFROMADDRESS
              Specifies the value of the "From:" field in email reports.
              Initial value:  tripwire@hostname, where 'hostname' is the local
              machine name.

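       The following is an added example, not Tripwire's own tooling: a
       Python sanity check for the settings documented in the Required
       Variables, Other Variables and Email Notification Variables sections
       above.  It flags missing required variables, report levels outside
       their documented ranges, case-sensitive booleans written as "True"
       (which silently leave the feature off), an invalid MAILMETHOD, the
       untouched SMTPHOST placeholder, a sendmail MAILPROGRAM without -oi,
       and a TEMPDIRECTORY that is unset or not restricted to its owner as
       "chmod 700" would leave it.  The minimal loader assumes $(var)
       substitution was done elsewhere, and the sample settings are
       constructed with deliberate mistakes.

```python
import os
import stat
import tempfile

# Added example, not Tripwire's own code.
_REQUIRED = ("POLFILE", "DBFILE", "REPORTFILE", "SITEKEYFILE", "LOCALKEYFILE")
# Documented ranges: REPORTLEVEL 0-4, DBPRINTLEVEL 0-2, EMAILREPORTLEVEL 0-4.
_LEVEL_RANGES = {"REPORTLEVEL": (0, 4), "DBPRINTLEVEL": (0, 2), "EMAILREPORTLEVEL": (0, 4)}
# Features that are on only for the literal, case-sensitive value "true".
_STRICT_TRUE = ("LATEPROMPTING", "LOOSEDIRECTORYCHECKING", "SYSLOGREPORTING")


def load_settings(text):
    """Minimal keyword = value reader (no $(var) substitution)."""
    settings = {}
    for raw in text.splitlines():
        if raw.startswith("#") or "=" not in raw:
            continue
        key, val = raw.split("=", 1)
        settings[key.strip()] = val.strip()
    return settings


def tempdir_finding(path):
    """TEMPDIRECTORY must be a directory with no group/other permission bits
    (the "chmod 700" the page recommends).  Returns a finding or None."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return f"TEMPDIRECTORY {path} does not exist"
    if not stat.S_ISDIR(st.st_mode):
        return f"TEMPDIRECTORY {path} is not a directory"
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        return f"TEMPDIRECTORY {path} is mode {mode:04o}; expected 0700"
    return None


def check_settings(settings):
    """Return a list of finding strings; an empty list means nothing to report."""
    findings = []
    for key in _REQUIRED:
        if key not in settings:
            findings.append(f"{key} is required but not set")
    for key, (lo, hi) in _LEVEL_RANGES.items():
        val = settings.get(key)
        if val is not None and not (val.isdigit() and lo <= int(val) <= hi):
            findings.append(f"{key}={val!r} is outside {lo}..{hi}")
    for key in _STRICT_TRUE:
        val = settings.get(key)
        if val is not None and val != "true" and val.lower() == "true":
            findings.append(f"{key}={val!r} is not the literal 'true'; the feature is off")
    method = settings.get("MAILMETHOD")
    if method is not None and method not in ("SMTP", "SENDMAIL"):
        findings.append(f"MAILMETHOD={method!r} will produce an error; use SMTP or SENDMAIL")
    if method == "SMTP":
        if settings.get("SMTPHOST", "mail.domain.com") == "mail.domain.com":
            findings.append("SMTPHOST still has the installation placeholder mail.domain.com")
        port = settings.get("SMTPPORT", "25")
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            findings.append(f"SMTPPORT={port!r} is not a valid TCP port")
    if method == "SENDMAIL":
        argv = settings.get("MAILPROGRAM", "").split()
        if argv and os.path.basename(argv[0]) == "sendmail" and "-oi" not in argv:
            findings.append("MAILPROGRAM runs sendmail without -oi; a report line that "
                            "is a single '.' would truncate the mail")
    if "TEMPDIRECTORY" not in settings:
        findings.append("TEMPDIRECTORY not set; Tripwire will use /tmp")
    else:
        finding = tempdir_finding(settings["TEMPDIRECTORY"])
        if finding:
            findings.append(finding)
    return findings


def demo_tempdir_checks():
    """Create scratch directories at 0700 and 0755 and return both findings."""
    good = tempfile.mkdtemp()   # mkdtemp creates the directory with mode 0700
    bad = tempfile.mkdtemp()
    os.chmod(bad, 0o755)
    try:
        return tempdir_finding(good), tempdir_finding(bad)
    finally:
        os.rmdir(good)
        os.rmdir(bad)


# Constructed sample with deliberate mistakes; not a real twcfg.txt.
SAMPLE_SETTINGS = load_settings("""\
POLFILE        = /etc/tripwire/tw.pol
DBFILE         = /var/lib/tripwire/host.twd
REPORTFILE     = /var/lib/tripwire/report/host.twr
SITEKEYFILE    = /etc/tripwire/site.key
LATEPROMPTING  = True
REPORTLEVEL    = 5
MAILMETHOD     = SMTP
SMTPHOST       = mail.domain.com
SMTPPORT       = 25
""")

if __name__ == "__main__":
    for line in check_settings(SAMPLE_SETTINGS):
        print("FINDING:", line)
    print("scratch dirs:", demo_tempdir_checks())
```

       Point load_settings() at the plain-text copy (twcfg.txt) rather than
       the signed tw.cfg, and run the check before signing; the case-sensitive
       boolean check in particular catches a "True" that twadmin would accept
       without complaint.
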

VERSION INFORMATION
       This man page describes Tripwire 2.4.

AUTHORS
       Tripwire, Inc.

COPYING PERMISSIONS
       Permission is granted to make and distribute verbatim copies of this
       man page provided the copyright notice and this permission notice are
       preserved on all copies.

       Permission is granted to copy and distribute modified versions of this
       man page under the conditions for verbatim copying, provided that the
       entire resulting derived work is distributed under the terms of a
       permission notice identical to this one.

       Permission is granted to copy and distribute translations of this man
       page into another language, under the above conditions for modified
       versions, except that this permission notice may be stated in a
       translation approved by Tripwire, Inc.

       Copyright 2000-2018 Tripwire, Inc.  Tripwire is a registered trademark
       of Tripwire, Inc. in the United States and other countries.  All rights
       reserved.

SEE ALSO
       twintro(8), tripwire(8), twadmin(8), twprint(8), siggen(8),
       twpolicy(4), twfiles(5), sendmail(1), vi(1), syslogd(1)



Open Source Tripwire 2.4          04 Jan 2018                      TWCONFIG(4)