FreeBSD Manual Pages

TWCONFIG(5)		      File Formats Manual		   TWCONFIG(5)

NAME
       twconfig - Tripwire configuration file reference

DESCRIPTION
       The configuration file stores system-specific information, including
       the location of Tripwire	data files, and	the settings used to send
       email notification. The configuration file settings are generated dur-
       ing the installation process, but can be	changed	by the system adminis-
       trator at any time.  The	configuration file is signed with the site
       key, and	the site passphrase is required	to edit	the file.

       During installation, a signed Tripwire configuration file tw.cfg	will
       be created in the /usr/local/etc/tripwire directory, and	a plain	text
       copy of this configuration file twcfg.txt will be created in the	same

       The configuration file is modified using	the twadmin --create-cfgfile
       command.	 With this command, the	user can designate an existing plain
       text file as the	current	configuration file.  Using the current site
       key and passphrase, the new configuration file is cryptographically
       signed and saved	with this command.

   Components of the Configuration File
       The Tripwire configuration file is structured as	a list of keyword-
       value pairs, and	may also contain comments and variable definitions.
       Any lines with "#" in the first column are treated as comments.

       The general syntax for variable definition is:
	   keyword  =  value
       For example:
	   ROOT	= /usr/tripwire
	   EDITOR = /usr/local/bin/jove

       Variable	substitution on	the right hand side is permitted using the
	   $(  varname	)
       For example:
	   DBFILE = $(ROOT)/db/$(HOSTNAME).twd

       Variable	names are case-sensitive, and may contain all alphanumeric
       characters, underscores,	the characters "+-@:", and the period.	Two
       variables are predefined	in the configuration file, and may not be
       changed.	 HOSTNAME is the unqualified hostname that Tripwire is running
       on, and DATE is a string	representation of the date and time.

   Required Variables
       The following variables must be set in order for	Tripwire to operate.
       The values listed below are assigned during installation.

POLFILE		Default	= /usr/local/etc/tripwire/tw.pol
DBFILE		Default	= /var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE	Default	= /var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE	Default	= /usr/local/etc/tripwire/site.key
LOCALKEYFILE	Default	= /usr/local/etc/tripwire/$(HOSTNAME)-local.key
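       The syntax rules above (first-column "#" comments, keyword = value,
       $(varname) substitution, the variable-name character set, and the
       read-only HOSTNAME and DATE) together with the list of required
       variables are enough to write a small checker for a plain-text
       twcfg.txt before it is signed with twadmin.  The following is an added
       example written for this page, not code from Tripwire itself; the
       sample configuration text is constructed from the defaults listed
       above, and the function names are the example's own.

```python
import re
import socket
import time

# Variable names may contain alphanumerics, underscore, "+-@:" and the period.
_NAME_RE = re.compile(r"^[A-Za-z0-9_+\-@:.]+$")
# Right-hand-side substitution: $( varname ), whitespace inside the parens allowed.
_SUBST_RE = re.compile(r"\$\(\s*([^()\s]+)\s*\)")

# Predefined variables that the configuration file may not change.
PREDEFINED = ("HOSTNAME", "DATE")

# Variables twconfig(5) lists as required for Tripwire to operate.
REQUIRED = ("POLFILE", "DBFILE", "REPORTFILE", "SITEKEYFILE", "LOCALKEYFILE")


class ConfigError(ValueError):
    """Raised for a line that violates the twconfig(5) syntax rules."""


def parse_twcfg(text, hostname=None, date=None):
    """Parse twcfg.txt-style text into a dict of fully substituted values.

    A line with '#' in the first column is a comment, 'keyword = value'
    defines a variable, $(name) on the right-hand side is replaced with an
    earlier definition, and HOSTNAME/DATE are predefined and read-only.
    """
    values = {
        "HOSTNAME": hostname if hostname is not None else socket.gethostname().split(".")[0],
        "DATE": date if date is not None else time.strftime("%Y%m%d%H%M%S"),
    }
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#") or not raw.strip():
            continue
        if "=" not in raw:
            raise ConfigError(f"line {lineno}: expected 'keyword = value'")
        name, _, value = raw.partition("=")
        name, value = name.strip(), value.strip()
        if not _NAME_RE.match(name):
            raise ConfigError(f"line {lineno}: illegal variable name {name!r}")
        if name in PREDEFINED:
            raise ConfigError(f"line {lineno}: {name} is predefined and cannot be changed")

        def _lookup(m):
            ref = m.group(1)
            if ref not in values:
                raise ConfigError(f"line {lineno}: undefined variable {ref!r}")
            return values[ref]

        values[name] = _SUBST_RE.sub(_lookup, value)
    return values


def missing_required(values):
    """Return the required variables (per twconfig(5)) that are not set."""
    return [k for k in REQUIRED if k not in values]


# Constructed sample modelled on the defaults listed in the man page;
# LOCALKEYFILE is deliberately left out so the check has something to report.
SAMPLE = """\
# Tripwire configuration (constructed sample)
ROOT        = /usr/tripwire
POLFILE     = /usr/local/etc/tripwire/tw.pol
DBFILE      = /var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE  = /var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE = /usr/local/etc/tripwire/site.key
EDITOR      = /usr/local/bin/jove
"""

if __name__ == "__main__":
    cfg = parse_twcfg(SAMPLE, hostname="lighthouse", date="20000618141057")
    for k, v in cfg.items():
        print(f"{k} = {v}")
    print("missing required variables:", missing_required(cfg))
```

       Running the checker before twadmin --create-cfgfile catches a
       misspelled keyword or a reference to an undefined variable while the
       file is still plain text, rather than after it has been signed.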

   Other Variables
       The following variables are not required	to run Tripwire, but some of
       the program's functionality will	be lost	without	them.  The values as-
       signed during installation are listed.

       EDITOR Specifies	an editor to be	used in	interactive modes.  If EDITOR
	      is not defined, and no editor is specified on the	command	line,
	      using interactive	modes will cause an error.
	      Initial value:  /bin/vi

	      This variable can	be set to the location to which	tripwire
	      should write its temporary files.	By default it is /tmp, which
	      due to the default permissions can be very insecure. It is rec-
	      ommended that you	use this configuration variable	to provide
	      tripwire with a secure place to write temporary files. The di-
	      rectory used should have its permissions set such	that only the
	      owning process can read/write to it, i.e.	"chmod 700".
	      Initial value: /tmp
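       The advice above (a private directory, "chmod 700", instead of the
       shared /tmp) can be verified before each run.  The following is an
       added example for this page, not part of Tripwire: it inspects the
       directory named by the temporary-files variable and reports every way
       it falls short.  Rejecting symbolic links and directories owned by
       another user is a stricter check than the man page states and is the
       example's own assumption; demo() builds a throwaway directory so the
       check can be exercised offline.

```python
import os
import stat
import tempfile


def temp_dir_problems(path):
    """Return the reasons `path` is unsafe for Tripwire temporary files, [] if it is fine.

    The man page asks for a directory only the owning process can read or
    write ("chmod 700").  Refusing symlinks and foreign owners is an added
    precaution of this example.
    """
    problems = []
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    except FileNotFoundError:
        return ["does not exist"]
    if stat.S_ISLNK(st.st_mode):
        return ["is a symbolic link"]
    if not stat.S_ISDIR(st.st_mode):
        return ["is not a directory"]
    if st.st_uid != os.geteuid():
        problems.append(f"owned by uid {st.st_uid}, not {os.geteuid()}")
    perm = stat.S_IMODE(st.st_mode)
    if perm & 0o077:
        problems.append(f"mode {perm:04o} grants group/other access; expected 0700")
    return problems


def demo():
    """Create a private directory, loosen it, and return both verdicts."""
    d = tempfile.mkdtemp()  # mkdtemp creates the directory with mode 0700
    try:
        strict = temp_dir_problems(d)
        os.chmod(d, 0o755)
        loose = temp_dir_problems(d)
        os.chmod(d, 0o700)
    finally:
        os.rmdir(d)
    return strict, loose


if __name__ == "__main__":
    strict, loose = demo()
    print("0700 directory:", strict or "ok")
    print("0755 directory:", loose or "ok")
```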

	      This variable is set to a	list of	email addresses	separated by
	      either a comma ",", or semi-colon	";". If	a report would have
	      normally been sent out, it will also be send to this list	of re-
	      Initial value:  none

	      Prompt for passphrase as late as possible	to minimize the	amount
	      of time that the passphrase is stored in memory.	If the value
	      is true (case-sensitive),	then late prompting is turned on.
	      With any other value, or if the variable is removed from the
	      configuration file, late prompting is turned off.
	      Initial value:  false

	      When a file is added or removed from a directory,	Tripwire re-
	      ports both the changes to	the file itself, and the modification
	      to the directory (size, num links, etc.).	 This can create re-
	      dundant entries in Tripwire reports.  With loose directory
	      checking,	Tripwire will not check	directories for	any properties
	      that would change	when a file was	added or deleted.  This	in-
	      cludes: size, number of links, access time, change time, modifi-
	      cation time, number of blocks, growing file, and all hashes.

	      If the value for this variable is	true (case-sensitive), then
	      loose directory checking is turned on, and these properties will
	      be ignored for all directories.  With any	other value, or	if the
	      variable is removed from the configuration file, loose directory
	      checking is turned off. Turning loose directory checking on is
	      equivalent to appending the following propertymask to the	rules
	      for all directory	inodes:	-snacmblCMSH
	      Initial value:  false

	      If this variable is set to true, messages	are sent to the	syslog
	      for four events: database	initialization,	integrity check	com-
	      pletions,	database updates, and policy updates.  The syslog mes-
	      sages are	sent from the "user" facility at the "notice" level.
	      For more information, see	the syslogd(1) man page	and the	sys-
	      log.conf file.  The following illustrates	the information	logged
	      in the syslog for	each of	the four events:

Jun 18 14:09:42	lighthouse tripwire[9444]: Database initialized:

Jun 18 14:10:57	lighthouse tripwire[9671]: Integrity Check Complete:
TWReport lighthouse 20000618141057 V:2 S:90 A:1	R:0 C:1

Jun 18 14:11:19	lighthouse tripwire[9672]: Database Update Complete:

Jun 18 14:18:26	lighthouse tripwire[9683]: Policy Update Complete:

	      The letters in the Integrity Checking log	correspond to #	of vi-
	      olations,	maximum	severity level,	and # of files added, deleted,
	      and changed, respectively.  With any value other than true, or
	      if this variable is removed from the configuration file, syslog
	      reporting	will be	turned off.
	      Initial value:  true
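       Because the four events are logged at user.notice with a fixed text,
       they are easy to pick out of a central syslog stream.  The following is
       an added example for this page, not code from Tripwire: it parses the
       four message forms shown above, decodes the V/S/A/R/C summary of an
       integrity check, and separates checks that found violations from
       database and policy changes, which a reviewer would want to reconcile
       against expected maintenance.  The sample lines are constructed from
       the ones in the man page; a real syslog record carries the TWReport
       summary on the same line as the "Integrity Check Complete" text (an
       assumption of this example), and a cron line is added as non-Tripwire
       noise.

```python
import re
from dataclasses import dataclass

# Matches the syslog lines twconfig(5) shows for the four reported events.
_EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) tripwire\[(?P<pid>\d+)\]: "
    r"(?P<event>Database initialized|Integrity Check Complete|"
    r"Database Update Complete|Policy Update Complete):\s*(?P<rest>.*)$"
)
# Summary appended to "Integrity Check Complete":
# V = violations, S = maximum severity, A/R/C = files added/removed/changed.
_SUMMARY_RE = re.compile(
    r"TWReport (?P<host>\S+) (?P<stamp>\d{14}) "
    r"V:(?P<V>\d+) S:(?P<S>\d+) A:(?P<A>\d+) R:(?P<R>\d+) C:(?P<C>\d+)"
)


@dataclass
class TripwireEvent:
    ts: str
    host: str
    pid: int
    event: str
    violations: int = 0
    severity: int = 0
    added: int = 0
    removed: int = 0
    changed: int = 0


def parse_event(line):
    """Parse one syslog line; return a TripwireEvent, or None if it is not one."""
    m = _EVENT_RE.match(line)
    if not m:
        return None
    ev = TripwireEvent(m["ts"], m["host"], int(m["pid"]), m["event"])
    if ev.event == "Integrity Check Complete":
        s = _SUMMARY_RE.search(m["rest"])
        if s is None:
            raise ValueError(f"integrity check line without TWReport summary: {line!r}")
        ev.violations, ev.severity = int(s["V"]), int(s["S"])
        ev.added, ev.removed, ev.changed = int(s["A"]), int(s["R"]), int(s["C"])
    return ev


def triage(lines):
    """Return (alerts, changes, clean).

    alerts:  integrity checks that reported at least one violation
    changes: database initializations/updates and policy updates, which
             should match a known maintenance action
    clean:   integrity checks with no violations (evidence the check ran)
    """
    alerts, changes, clean = [], [], []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev.event == "Integrity Check Complete":
            (alerts if ev.violations > 0 else clean).append(ev)
        else:
            changes.append(ev)
    return alerts, changes, clean


# Constructed sample based on the man page's four lines plus a clean run and noise.
SAMPLE_LOG = [
    "Jun 18 14:09:42 lighthouse tripwire[9444]: Database initialized:",
    "Jun 18 14:10:57 lighthouse tripwire[9671]: Integrity Check Complete: "
    "TWReport lighthouse 20000618141057 V:2 S:90 A:1 R:0 C:1",
    "Jun 18 14:11:19 lighthouse tripwire[9672]: Database Update Complete:",
    "Jun 18 14:18:26 lighthouse tripwire[9683]: Policy Update Complete:",
    "Jun 19 02:00:13 lighthouse tripwire[10102]: Integrity Check Complete: "
    "TWReport lighthouse 20000619020013 V:0 S:0 A:0 R:0 C:0",
    "Jun 19 02:00:14 lighthouse cron[10110]: (root) CMD (/usr/local/sbin/tripwire --check)",
]

if __name__ == "__main__":
    alerts, changes, clean = triage(SAMPLE_LOG)
    for ev in alerts:
        print(f"ALERT  {ev.ts} {ev.host}: {ev.violations} violation(s), "
              f"max severity {ev.severity} (+{ev.added} -{ev.removed} ~{ev.changed})")
    for ev in changes:
        print(f"REVIEW {ev.ts} {ev.host}: {ev.event} (pid {ev.pid})")
    print(f"{len(clean)} clean check(s)")
```

       A database or policy update that does not line up with a recorded
       maintenance window is itself worth a look: it is the point at which an
       unwanted change could be baselined into the database.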

	      Specifies	the default level of report produced by	the twprint
	      --print-report mode. Valid values	for this option	are 0 to 4.
	      The report level specified by this option	can be overridden with
	      the (-t or --report-level) option	on the command line. If	this
	      variable is not included in the configuration file, the default
	      report level is 3.  Note that only reports printed using the tw-
	      print --print-report mode	are affected by	this parameter;	re-
	      ports displayed by other modes and other commands	are not	af-
	      Initial value:  3

	      Specifies	the default level of report produced by	the twprint
	      --print-dbfile mode. Valid values	for this option	are 0 to 2.
	      The output level specified by this option	can be overridden with
	      the (-t or --output-level) option	on the command line. If	this
	      variable is not included in the configuration file, the default
	      output level is 2.
	      Initial value:  2

	      Use direct i/o when hashing files. (Linux-only as	of OST
	      Initial value:  false

	      Specifies	whether	to resolve uid/gid values to user & group
	      names.  Static binaries may segfault while calling getpwuid/get-
	      grgid in certain nsswitch.conf configurations, and setting this
	      to false will bypass the name resolution step and	prevent	the
	      Initial value:  true

   Email Notification Variables
	      Specifies	the protocol to	be used	by Tripwire for	email notifi-
	      cation. The only acceptable values for this field	are SMTP or
	      SENDMAIL.	Any other value	will produce an	error message.
	      Initial value:  SENDMAIL

	      Specifies	the domain name	or IP address of the SMTP server used
	      for email	notification. Ignored unless MAILMETHOD	is set to
	      Initial value:

	      Specifies	the port number	used with SMTP.	Ignored	unless MAIL-
	      METHOD is	set to SMTP.
	      Initial value:  25

	      Specifies	the program used for email reporting of	rule viola-
	      tions if MAILMETHOD is set to SENDMAIL.  The program must	take
	      an RFC822	style mail header, and recipients will be listed in
	      the "To:"	field of the mail header.  Some	mail programs inter-
	      pret a line consisting of	only a single period character to mean
	      end-of-input, and	all text after that is ignored.	 Since there
	      is a small possibility that a Tripwire report would contain such
	      a	line, the mail program specified must be able to ignore	lines
	      that consist of a	single period (the -oi option to sendmail pro-
	      duces this behavior).
	      Initial value:  /usr/lib/sendmail	-oi -t

	      Specifies	the default level of report produced by	the tripwire
	      --check mode email report.  Valid	values for this	option are 0
	      to 4. The	report level specified by this option can be overrid-
	      den with the (-t or --email-report-level)	option on the command-
	      line. If this variable is	not included in	the configuration
	      file, the	default	report level is	3.
	      Initial value:  3

	      This option controls the way that	Tripwire sends email notifica-
	      tion if no rule violations are found during an integrity check.
	      If MAILNOVIOLATIONS is set to false and no violations are	found,
	      Tripwire will not	send a report. With any	other value, or	if the
	      variable is removed from the configuration file, Tripwire	will
	      send an email message stating that no violations were found.

	      Mailing reports of no violations allows an administrator to dis-
	      tinguish between unattended integrity checks that	are failing to
	      run and integrity	checks that are	running	but are	not finding
	      any violations.  However,	mailing	no violations reports will in-
	      crease the amount	of data	that must be processed.
	      Initial value: true

	      Specifies	the value of the "From:" field in email	reports.
	      Initial value:  tripwire@hostname, where 'hostname' is the local
	      machine name.

VERSION
       This man page describes Tripwire 2.4.

AUTHORS
       Tripwire, Inc.

COPYING PERMISSIONS
       Permission is granted to make and distribute verbatim copies of this
       man page	provided the copyright notice and this permission notice are
       preserved on all	copies.

       Permission is granted to	copy and distribute modified versions of this
       man page	under the conditions for verbatim copying, provided that the
       entire resulting	derived	work is	distributed under the terms of a per-
       mission notice identical	to this	one.

       Permission is granted to	copy and distribute translations of this man
       page into another language, under the above conditions for modified
       versions, except	that this permission notice may	be stated in a trans-
       lation approved by Tripwire, Inc.

       Copyright 2000-2018 Tripwire, Inc. Tripwire is a	registered trademark
       of Tripwire, Inc. in the	United States and other	countries. All rights

SEE ALSO
       twintro(8), tripwire(8), twadmin(8), twprint(8), siggen(8), twpolicy(5),
       twfiles(5), sendmail(1), vi(1), syslogd(1)

Open Source Tripwire 2.4	  04 Jan 2018			   TWCONFIG(5)

