TRIPWIRE(8)                 System Manager's Manual                TRIPWIRE(8)

NAME
       tripwire - a file integrity checker for UNIX-like systems

SYNOPSIS
       tripwire { -m i | --init } [ options... ]
       tripwire { -m c | --check } [ options... ]
                [ object1 [ object2... ]]
       tripwire { -m u | --update } [ options... ]
       tripwire { -m p | --update-policy } [ options... ]
                policyfile.txt
       tripwire { -m t | --test } [ options... ]

DESCRIPTION
   Database Initialization Mode
       Running tripwire in Database Initialization mode is typically one of
       the first steps in setting up Tripwire for regular operation.  This
       mode creates a baseline database in the location specified by the
       DBFILE variable in the Tripwire configuration file.  The database is
       essentially a snapshot of the objects residing on the system.  During
       later Tripwire integrity checks, this database serves as the basis for
       comparison.

       When run in Database Initialization mode, tripwire reads the policy
       file, generates a database based on its contents, and then
       cryptographically signs the resulting database.  Options can be
       entered on the command line to specify which policy, configuration,
       and key files are used to create the database.  The filename for the
       database can be specified as well.  If no options are specified, the
       default values from the current configuration file are used.

   Integrity Checking Mode
       After building the Tripwire database, the next step is typically to
       run tripwire in Integrity Checking mode.  This mode scans the system
       for violations, as specified in the policy file.  Using the policy
       file rules, Tripwire will compare the state of the current file system
       against the initial baseline database.  An integrity checking report
       is printed to stdout and is saved in the location specified by the
       REPORTFILE setting in the Tripwire configuration file.

       The generated report describes each policy file violation in detail,
       depending on whether the specified file system object was added,
       deleted, or changed.  Each report item lists the properties of the
       object as it currently resides on the file system, and, if
       appropriate, the old value stored in the database.  If there are
       differences between the database and the current system, the
       administrator can either fix the problem by replacing the current file
       with the correct file (e.g., an intruder replaced /bin/login), or
       update the database to reflect the new file (e.g., a fellow system
       administrator installed a new version of /usr/local/bin/emacs).  The
       (-I or --interactive) option launches an editor that allows the user
       to update the database quickly.  The Database Update mode of tripwire
       can also be used.

   Database Update Mode
       Running tripwire in Database Update mode allows any differences
       between the database and the current system to be reconciled.  This
       will prevent the violation from showing up in future reports.  If the
       reported change is unexpected and potentially malicious, then the
       changed file should be replaced with the original version.  If there
       is a valid reason for the change, the database must be changed to
       match the current files.

       In Database Update mode, the items to be changed are specified in a
       "ballot box" in the plain text report that is launched in an editor
       program.  The entries to be updated are specified by leaving the "x"
       next to each policy violation.  After the user exits the editor and
       provides the correct local passphrase, tripwire will update the
       database.  Options to control this operation include the (-Z or
       --secure-mode) and (-a or --accept-all) flags.

   Policy Update Mode
       Policy update mode is used by tripwire to change or update the policy
       file and to synchronize an earlier database with new policy file
       information.  The filename of the new clear text version of the
       policy file is specified on the command line.  The new policy file is
       compared to the existing version, and the database is updated
       according to the new policy rules.  Any changes in the database since
       the last integrity check will be detected and reported.  How these
       violations are interpreted depends on the security mode specified
       with the (-Z or --secure-mode) option.  In high security mode (the
       default), Tripwire will print a list of violations and exit without
       making changes to the database.  In low security mode, the violations
       are still reported, but changes to the database are made
       automatically.

       Because the policy and database files are binary-encoded and
       cryptographically signed, the user will be prompted for the site and
       local passphrases to change the policy settings.  After the database
       is successfully updated, the database and policy files are re-encoded
       and signed.

   Test Mode
       Test mode is used to check the operation of the Tripwire email
       notification system.  When run in this mode, Tripwire will use the
       email notification settings specified in the configuration file to
       send a test email message.  If MAILMETHOD is set to SMTP, the SMTPHOST
       and SMTPPORT values will be used to send email.  If MAILMETHOD is set
       to SENDMAIL, the MAILPROGRAM value will be used.  If email
       notification is working correctly, the address specified on the
       command line will receive the following message:

           To: user@domain.com
           From: user <user@domain.com>
           Subject: Test email message from Tripwire

           If you receive this message, email notification
           from Tripwire is working correctly.

       Test mode only tests email notification for the address specified on
       the command line, and does not check for errors in the syntax used
       with the emailto attribute in the policy file.

OPTIONS
   Database Initialization mode:
       -m i                    --init
       -v                      --verbose
       -s                      --silent, --quiet
       -c cfgfile              --cfgfile cfgfile
       -p polfile              --polfile polfile
       -d database             --dbfile database
       -S sitekey              --site-keyfile sitekey
       -L localkey             --local-keyfile localkey
       -P passphrase           --local-passphrase passphrase
       -e                      --no-encryption

       -m i, --init
              Mode selector.

       -v, --verbose
              Verbose output mode.  Mutually exclusive with (-s).

       -s, --silent, --quiet
              Silent output mode.  Mutually exclusive with (-v).

       -c cfgfile, --cfgfile cfgfile
              Use the specified configuration file.

       -p polfile, --polfile polfile
              Use the specified policy file.

       -d database, --dbfile database
              Write to the specified database file.

       -S sitekey, --site-keyfile sitekey
              Use the specified site key file to read the configuration and
              policy files.

       -L localkey, --local-keyfile localkey
              Use the specified local key file to write the new database
              file.  Mutually exclusive with (-e).

       -P passphrase, --local-passphrase passphrase
              Specifies passphrase to be used with local key to sign the new
              database.  Mutually exclusive with (-e).

       -e, --no-encryption
              Do not sign the database being stored.  The database file will
              still be compressed and will not be human-readable.  Mutually
              exclusive with (-L) and (-P).

______________________________________________________________________________

   Integrity Checking mode:
       -m c                    --check
       -I                      --interactive
       -v                      --verbose
       -s                      --silent, --quiet
       -c cfgfile              --cfgfile cfgfile
       -p polfile              --polfile polfile
       -d database             --dbfile database
       -r report               --twrfile report
       -S sitekey              --site-keyfile sitekey
       -L localkey             --local-keyfile localkey
       -P passphrase           --local-passphrase passphrase
       -n                      --no-tty-output
       -V editor               --visual editor
       -E                      --signed-report
       -i list                 --ignore list
       -l { level | name }     --severity { level | name }
       -R rule                 --rule-name rule
       -x section              --section section
       -M                      --email-report
       -t { 0|1|2|3|4 }        --email-report-level { 0|1|2|3|4 }
       -h                      --hexadecimal
       [ object1 [ object2... ]]

       -m c, --check
              Mode selector.

       -I, --interactive
              At the end of integrity checking, the resulting report is
              opened in an editor where database updates can be easily
              specified using the ballot boxes included in the report.

       -v, --verbose
              Verbose output mode.  Mutually exclusive with (-s).

       -s, --silent, --quiet
              Silent output mode.  Mutually exclusive with (-v).

       -c cfgfile, --cfgfile cfgfile
              Use the specified configuration file.

       -p polfile, --polfile polfile
              Use the specified policy file.

       -d database, --dbfile database
              Use the specified database file.

       -r report, --twrfile report
              Write the specified report file.

       -S sitekey, --site-keyfile sitekey
              Use the specified site key file to read the configuration and
              policy files.

       -L localkey, --local-keyfile localkey
              Use the specified local key file to read the database file
              and, if (-E) is specified, to write the report file.

       -P passphrase, --local-passphrase passphrase
              Specifies passphrase to be used with local key to sign the
              database when (-I) is used, and to sign the report when (-E)
              is used.  Valid only with (-I) or (-E).

       -n, --no-tty-output
              Suppress the report from being printed at the console.

       -V editor, --visual editor
              Use the specified editor to edit the update ballot boxes.
              Meaningful only with (-I).

       -E, --signed-report
              Specifies that the Tripwire report will be signed.  If no
              passphrase is specified on the command line, tripwire will
              prompt for the local passphrase.

       -i list, --ignore list
              Do not compute or compare the properties specified in list.
              Any of the letter codes (abcdgimnprstulCHMS) specified in
              property masks can be excluded.  Use of this option overrides
              information from the policy file.  The format to be used for
              list is a double-quoted, comma-delimited list of properties
              (e.g. --ignore "p,c,m").

       -l { level | name }, --severity { level | name }
              Check only policy rules with severity greater than or equal to
              the given level.  The level may be specified as a number or as
              a name.  Severity names are defined as follows:
                  Low       33
                  Medium    66
                  High      100
              Mutually exclusive with (-R).

       -R rule, --rule-name rule
              Check only the specified policy rule.  Mutually exclusive with
              (-l).

       -x section, --section section
              Only check the rules in the specified section of the policy
              file.  For Tripwire 2.4, FS is the only meaningful argument
              for this flag.

       -M, --email-report
              Specifies that reports be emailed to the recipient(s)
              designated in the policy file.

       -t level, --email-report-level level
              Specifies the detail level of email reports, overriding the
              EMAILREPORTLEVEL variable in the configuration file.  level
              must be a number from 0 to 4.  Valid only with (-M).

       -h, --hexadecimal
              Display hash values as hexadecimal in email reports.

       [ object1 [ object2... ]]
              List of files and directories that should be integrity
              checked.  Default is all files.  If files are specified for
              checking, the --severity and --rule-name options will be
              ignored.

______________________________________________________________________________

   Database Update mode:
       -m u                    --update
       -v                      --verbose
       -s                      --silent, --quiet
       -c cfgfile              --cfgfile cfgfile
       -p polfile              --polfile polfile
       -d database             --dbfile database
       -r report               --twrfile report
       -S sitekey              --site-keyfile sitekey
       -L localkey             --local-keyfile localkey
       -P passphrase           --local-passphrase passphrase
       -V editor               --visual editor
       -a                      --accept-all
       -Z { low | high }       --secure-mode { low | high }

       -m u, --update
              Mode selector.

       -v, --verbose
              Verbose output mode.  Mutually exclusive with (-s).

       -s, --silent, --quiet
              Silent output mode.  Mutually exclusive with (-v).

       -c cfgfile, --cfgfile cfgfile
              Use the specified configuration file.

       -p polfile, --polfile polfile
              Use the specified policy file.

       -d database, --dbfile database
              Update the specified database file.

       -r report, --twrfile report
              Read the specified report file.

       -S sitekey, --site-keyfile sitekey
              Use the specified site key file to read the configuration and
              policy files.

       -L localkey, --local-keyfile localkey
              Use the specified local key file to read the database file and
              report file, and to re-write the database file.

       -P passphrase, --local-passphrase passphrase
              Specifies passphrase to be used with local key to sign the
              database.

       -V editor, --visual editor
              Use the specified editor to edit the update ballot boxes.
              Mutually exclusive with (-a).

       -a, --accept-all
              Specifies that all the entries in the report file are updated
              without prompting.  Mutually exclusive with (-V).

       -Z { low | high }, --secure-mode { low | high }
              Specifies the security level, which affects how certain
              conditions are handled when inconsistent information is found
              between the report file and the current database:

              High: In high security mode, if a file does not match the
              properties in the report file, Tripwire reports the
              differences as warnings, and exits without changing the
              database.

              Low: In low security mode, inconsistencies are reported as
              warnings, but the changes are still made to the database.

______________________________________________________________________________

   Policy Update mode:
       -m p                    --update-policy
       -v                      --verbose
       -s                      --silent, --quiet
       -c cfgfile              --cfgfile cfgfile
       -p polfile              --polfile polfile
       -d database             --dbfile database
       -S sitekey              --site-keyfile sitekey
       -L localkey             --local-keyfile localkey
       -P passphrase           --local-passphrase passphrase
       -Q passphrase           --site-passphrase passphrase
       -Z { low | high }       --secure-mode { low | high }
       policyfile.txt

       -m p, --update-policy
              Mode selector.

       -v, --verbose
              Verbose output mode.  Mutually exclusive with (-s).

       -s, --silent, --quiet
              Silent output mode.  Mutually exclusive with (-v).

       -c cfgfile, --cfgfile cfgfile
              Use the specified configuration file.

       -p polfile, --polfile polfile
              Write the specified policy file.

       -d database, --dbfile database
              Use the specified database file.

       -S sitekey, --site-keyfile sitekey
              Use the specified site key file to read the configuration
              file, and read and write the policy file.

       -L localkey, --local-keyfile localkey
              Use the specified local key file to read and write the
              database file.

       -P passphrase, --local-passphrase passphrase
              Specifies passphrase to be used with local key to sign the
              database.

       -Q passphrase, --site-passphrase passphrase
              Specifies passphrase to be used with site key to sign the new
              policy file.

       -Z { low | high }, --secure-mode { low | high }
              Specifies the security level, which affects how certain
              conditions are handled when the existing filesystem does not
              match the database information.  Since the database produced
              at the end of a policy update becomes the baseline for future
              integrity checks, this consistency-checking ensures that no
              substantive filesystem changes have occurred since the last
              integrity check.

              High: In high security mode, if a file on the filesystem does
              not match the properties in the database file, Tripwire
              reports the differences as warnings, and exits without
              changing the database or the policy file.

              Low: In low security mode, inconsistencies are reported as
              warnings, but the changes are still made to the database and
              policy file.

       policyfile.txt
              Specifies the text policy file that will become the new policy
              file.

______________________________________________________________________________

   Test mode:
       -m t                    --test
       -e user@domain.com      --email user@domain.com

       -m t, --test
              Mode selector.

       -e user@domain.com, --email user@domain.com
              Use the specified email address.  This parameter must be
              supplied when test mode is used.  Only one address may be
              specified.

EXIT STATUS
   Integrity Checking Mode
       tripwire exits 0 if no changes are detected.  Otherwise the exit
       value is a bit mask:

       1      At least one file or directory has been added.

       2      At least one file or directory has been removed.

       4      At least one file or directory has been modified.

       8      Error(s) occurred during the check.

   All Other Modes
       tripwire exits 0 on success, 8 on error.

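The following POSIX shell wrapper is an added example, not part of this man page or of the Tripwire project. It ties together the scheduled workflow described under Integrity Checking Mode and Database Update Mode (run a non-interactive check with -n and -r, keep the signed report, review it later with -m u -r) with the exit-status bit mask above, so that a cron job or monitoring agent can tell a clean run, a run with changes to review, and a run that did not complete (bit 8) apart. Only the tripwire flags shown on this page are used. The function names, the TW_BIN and TW_REPORT_DIR variables and their default values, and the use of hostname for naming reports are assumptions; the bit order added, removed, modified follows the page's description of report items as added, deleted, or changed.

```shell
#!/bin/sh
# Added example: not from the Tripwire man page or the Tripwire project.
# Assumptions: tripwire(8) is on PATH (override with TW_BIN) and reports are
# kept under TW_REPORT_DIR; align this with the REPORTFILE value in your
# Tripwire configuration file.

TW_BIN="${TW_BIN:-tripwire}"                                  # assumed
TW_REPORT_DIR="${TW_REPORT_DIR:-/var/lib/tripwire/report}"    # assumed path

# Translate an integrity-check exit value (bit mask: 1 added, 2 removed,
# 4 modified, 8 error) into space-separated words.  0 maps to "clean".
# Bits outside the documented mask are reported as "unknown", not dropped.
tw_decode_status() {
    _code=$1
    _out=""
    if [ "$_code" -eq 0 ]; then
        printf 'clean\n'
        return 0
    fi
    if [ $((_code & 1)) -ne 0 ]; then _out="$_out added"; fi
    if [ $((_code & 2)) -ne 0 ]; then _out="$_out removed"; fi
    if [ $((_code & 4)) -ne 0 ]; then _out="$_out modified"; fi
    if [ $((_code & 8)) -ne 0 ]; then _out="$_out error"; fi
    if [ $((_code & ~15)) -ne 0 ]; then _out="$_out unknown"; fi
    printf '%s\n' "${_out# }"
}

# Classify a run for a scheduler.  The error bit wins over any change bits:
# a check that did not complete must never be reported as "no changes".
#   clean  - exit 0, nothing to do
#   review - one or more change bits set, a human should read the report
#   failed - bit 8 set, the check itself had errors
tw_classify_status() {
    if [ "$1" -eq 0 ]; then
        printf 'clean\n'
    elif [ $(($1 & 8)) -ne 0 ]; then
        printf 'failed\n'
    else
        printf 'review\n'
    fi
}

# Run a non-interactive check: -n keeps the report off the terminal, -r
# names the report file.  Extra arguments go straight to tripwire, e.g.
# "-l High" to check only high-severity rules, or specific objects.
tw_run_check() {
    _report="$TW_REPORT_DIR/$(hostname)-$(date +%Y%m%d-%H%M%S).twr"
    _rc=0
    "$TW_BIN" -m c -n -r "$_report" "$@" || _rc=$?
    echo "tripwire exit $_rc: $(tw_decode_status "$_rc") (report $_report)" >&2
    case "$(tw_classify_status "$_rc")" in
        clean)  return 0 ;;
        review) echo "review with: $TW_BIN -m u -r $_report" >&2; return 1 ;;
        failed) echo "check did not complete; do not treat as clean" >&2; return 2 ;;
    esac
}

# Only invoke tripwire when explicitly asked (TW_RUN=1), so the functions
# above can be sourced and tested on a host without Tripwire installed.
if [ "${TW_RUN:-0}" = 1 ]; then
    tw_run_check "$@"
fi
```

Usage: `TW_RUN=1 sh twcheck.sh -l High` from cron; the wrapper's own exit value (0, 1 or 2) is what the scheduler sees, and the decoded line on stderr lands in the job's mail or log. The update step is deliberately left to a person running `tripwire -m u -r <report>`, so that a malicious change is never folded into the baseline automatically.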
VERSION
       This man page describes tripwire version 2.4

AUTHORS
       Tripwire, Inc.

COPYING PERMISSIONS
       Permission is granted to make and distribute verbatim copies of this
       man page provided the copyright notice and this permission notice are
       preserved on all copies.

       Permission is granted to copy and distribute modified versions of
       this man page under the conditions for verbatim copying, provided
       that the entire resulting derived work is distributed under the terms
       of a permission notice identical to this one.

       Permission is granted to copy and distribute translations of this man
       page into another language, under the above conditions for modified
       versions, except that this permission notice may be stated in a
       translation approved by Tripwire, Inc.

       Copyright 2000-2018 Tripwire, Inc.  Tripwire is a registered
       trademark of Tripwire, Inc. in the United States and other countries.
       All rights reserved.

SEE ALSO
       twintro(8), twadmin(8), twprint(8), siggen(8), twconfig(4),
       twpolicy(4), twfiles(5)

       The Design and Implementation of Tripwire: A UNIX File Integrity
       Checker by Gene Kim and Eugene Spafford.  Purdue Technical Report
       CSD-TR-93-071.



Open Source Tripwire 2.4            04 Jan 2018                    TRIPWIRE(8)