colin
/
tripwire-open-source
mirror of https://github.com/Tripwire/tripwire-open-source.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
tripwire-open-source/man/man4/twconfig.4

317 lines
12 KiB
Groff
Raw Blame History

.\" Macros added by addw@phcomp.co.uk for those systems where the an
.\" troff macro package doesn't know about .Ps & .Pe.
.\" Note it is assumed that CW is a constant width font.
.\" Ps - Start display text
.de Ps
.nf
.in +0.5i
.ft CW
..
.\" Pe - end of display text
.de Pe
.fi
.in -0.5i
.ft 1
..
.\"
.\" Macros added by TSS.
.\" Nf - no fill, use constant width font
.\" Fi - fill, restore previous font
.\" Register Ni holds indent to use for Nf sections in points.
.nr Ni 30
.de Nf
.nr OF \\n(.f
.nr OS \\n(.s
.ps \\n(.s-1
.ft CW
.in +\\n(Nip
.nf
..
.de Fi
.fi
.ft \\n(OF
.ps \\n(OS
.in -\\n(Nip
..
.nh
.ad l
.TH TWCONFIG 4 "04 Jan 2018" "Open Source Tripwire 2.4"
.SH NAME
twconfig \- \fITripwire\fP configuration file reference
.SH DESCRIPTION
.PP
The configuration file stores system-specific information, including the
location of \fITripwire\fP data files, and the settings used to send
email notification. The configuration file settings are
generated during the installation process, but can be changed by the system
administrator at any time. The configuration file is
signed with the site key, and the site passphrase is
required to edit the file.
.PP
During installation, a signed \fITripwire\fP configuration file \fItw.cfg\fP will be created in the \fI/etc/tripwire\fP directory, and a plain text copy of this configuration file \fItwcfg.txt\fP will be created in the same directory.
.PP
The configuration file is modified using the
.B twadmin\ \(hy\(hycreate\(hycfgfile
command. With this command, the user can designate
an existing plain text file as the current configuration file.
Using the current site key and passphrase, the new configuration file
is cryptographically signed and saved with this command.
.\"
.SS Components of the Configuration File
The \fITripwire\fP configuration file is structured as a list of
keyword-value pairs, and may also contain comments and variable
definitions. Any lines with "#" in the first column are treated as
comments.
.PP
The general syntax for variable definition is:
.br
.in +\n(Nip
.nf
\fIkeyword\fP = \fIvalue\fP
.fi
.in
For example:
.Nf
ROOT = /usr/tripwire
EDITOR = /usr/local/bin/jove
.Fi
.PP
Variable substitution on the right hand side is permitted using the syntax:
.br
.in +\n(Nip
.nf
$(\fI varname \fP)
.fi
.in
For example:
.Nf
DBFILE = $(ROOT)/db/$(HOSTNAME).twd
.Fi
.PP
Variable names are case-sensitive, and may contain all alphanumeric
characters, underscores, the characters "+\(hy@:", and the period.
Two variables are predefined in the configuration file, and may
not be changed. \f(CWHOSTNAME\fP is the
unqualified hostname that \fITripwire\fP is running on, and
\fR\f(CWDATE\fP
is a string representation of the date and time.
.SS Required Variables
The following variables must be set in order for \fITripwire\fP to
operate. The values listed below are assigned during installation.
.PP
.if n .nr Ti \n(.i
.Nf
.if n .in 0
POLFILE Default = /etc/tripwire/tw.pol
DBFILE Default = /var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE Default = /var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE Default = /etc/tripwire/site.key
LOCALKEYFILE Default = /etc/tripwire/$(HOSTNAME)-local.key
.Fi
.if n .in +\n(Tiu
.SS Other Variables
The following variables are not required to run \fITripwire\fP, but
some of the program's functionality will be lost without them. The
values assigned during installation are listed.
.IP \f(CWEDITOR\fP
Specifies an editor to be used in interactive modes. If \fIEDITOR\fP
is not defined, and no editor is specified on the command line, using
interactive modes will cause an error.
.br
Initial value: \fI/bin/vi\fP
.IP \f(CWTEMPDIRECTORY\fP
This variable can be set to the location to which tripwire should write
its temporary files. By default it is /tmp, which due to the default
permissions can be very insecure. It is recommended that you use this
configuration variable to provide tripwire with a secure place to write
temporary files. The directory used should have its permissions set such
that only the owning process can read/write to it, i.e. "chmod 700".
.br
Initial value: \fI/tmp\fP
.IP \f(CWGLOBALEMAIL\fP
This variable is set to a list of email addresses separated by either
a comma ",", or semi-colon ";". If a report would have normally been
sent out, it will also be send to this list of recipients.
.br
Initial value: \fInone\fP
.IP \f(CWLATEPROMPTING\fP
Prompt for passphrase as late as possible to minimize the amount of
time that the passphrase is stored in memory. If the value is
\fItrue\fP (case-sensitive), then late prompting is turned on. With
any other value, or if the variable is removed from the configuration
file, late prompting is turned off.
.br
Initial value: \fIfalse\fP
.IP \f(CWLOOSEDIRECTORYCHECKING\fP
When a file is added or removed from a directory, \fITripwire\fP
reports both the changes to the file itself, and the modification to
the directory (size, num links, etc.). This can create redundant
entries in \fITripwire\fP reports. With loose directory checking,
Tripwire will not check directories for any properties that would
change when a file was added or deleted. This includes: size, number
of links, access time, change time, modification time, number of blocks,
growing file, and all hashes.
.IP \ \ \
If the value for this variable is \fItrue\fP (case-sensitive),
then loose directory checking is turned on, and these
properties will be ignored for all directories. With any other value,
or if the variable is removed from the configuration file, loose
directory checking is turned off. Turning loose directory checking
on is equivalent to appending the following propertymask to
the rules for all directory inodes:
.ft CW
.ps \n(.s-1
\(hysnacmblCMSH
.ps \n(.s+1
.ft R
.br
Initial value: \fIfalse\fP
.IP \f(CWSYSLOGREPORTING\fP
If this variable is set to \fItrue\fR, messages are sent
to the syslog for four events: database initialization,
integrity check completions, database updates, and policy updates.
The syslog messages are sent from the "user" facility at
the "notice" level. For more information, see the
.BR syslogd (1)
man page and the
.I syslog.conf
file. The following illustrates the information logged
in the syslog for each of the four events:
.if n .nr Ti \n(.i
.Nf
.if n .in 0
Jun 18 14:09:42 lighthouse tripwire[9444]: Database initialized:
/var/lib/tripwire/test.twd
Jun 18 14:10:57 lighthouse tripwire[9671]: Integrity Check Complete:
TWReport lighthouse 20000618141057 V:2 S:90 A:1 R:0 C:1
Jun 18 14:11:19 lighthouse tripwire[9672]: Database Update Complete:
/var/lib/tripwire/test.twd
Jun 18 14:18:26 lighthouse tripwire[9683]: Policy Update Complete:
/var/lib/tripwire/test.twd
.Fi
.if n .in +\n(Tiu
The letters in the Integrity Checking log correspond to # of
violations, maximum severity level, and # of files added,
deleted, and changed,
respectively. With any value other than \fItrue\fR, or if this
variable is removed from the configuration file, syslog reporting will
be turned off.
.br
Initial value: \fItrue\fP
.IP \f(CWREPORTLEVEL\fP
Specifies the default level of report produced by the \fBtwprint
\(hy\(hyprint\(hyreport\fP mode. Valid values for this option are 0 to
4. The report
level specified by this option can be overridden with the (\fB\(hyt\fP\ or\ \fB\(hy\(hyreport\(hylevel\fP) option on the command line. If
this variable is not included in the configuration file, the default
report level is 3. Note that only reports printed using the
\fBtwprint\ \(hy\(hyprint\(hyreport\fP mode are affected by this
parameter; reports displayed by other modes and other commands
are not affected.
.br
Initial value: \fI3\fP
.IP \f(CWHASH_DIRECT_IO\fP
Use direct i/o when hashing files. (Linux-only as of OST 2.4.3.2)
.br
Initial value: \fIfalse\fP
.IP \f(CWRESOLVE_IDS_TO_NAMES\fP
Specifies whether to resolve uid/gid values to user & group names. Static
binaries may segfault while calling getpwuid/getgrgid in certain
nsswitch.conf configurations, and setting this to false will bypass
the name resolution step and prevent the segfault.
.br
Initial value: \fItrue\fP
.SS Email Notification Variables
.IP \f(CWMAILMETHOD
Specifies the protocol to be used by \fITripwire\fR for email
notification. The only acceptable values for this field are
\fR\f(CWSMTP\fP or \f(CWSENDMAIL\fP. Any other value will
produce an error message.
.br
Initial value: \fISENDMAIL\fP
.IP \f(CWSMTPHOST
Specifies the domain name or IP address of the SMTP server used for
email notification. Ignored unless \f(CWMAILMETHOD\fP is set to
\f(CWSMTP\fP.
.br
Initial value: \fImail.domain.com\fP
.IP \f(CWSMTPPORT
Specifies the port number used with SMTP. Ignored unless
\f(CWMAILMETHOD\fP is set to \f(CWSMTP\fP.
.br
Initial value: \fI25\fP
.IP \f(CWMAILPROGRAM\fP
Specifies the program used for email reporting of rule violations if
\f(CWMAILMETHOD\fP is set to \f(CWSENDMAIL\fP. The program must take
an RFC822 style mail header, and recipients will be listed in the "To:"
field of the mail header. Some mail programs interpret a line
consisting of only a single period character to mean
end\(hyof\(hyinput, and all text after that is ignored. Since there is
a small possibility that a
.I Tripwire
report would contain such a line, the mail program specified must be
able to ignore lines that consist of a single period (the \fB-oi\fP
option to sendmail produces this behavior).
.br
Initial value: \fI/usr/lib/sendmail -oi -t\fP
.IP \f(CWEMAILREPORTLEVEL\fP
Specifies the default level of report produced by the \fBtripwire
\(hy\(hycheck\fP mode email report. Valid values for this option are 0
to 4. The
report level specified by this option can be overridden with the
(\fB\(hyt\fP\ or\ \fB\(hy\(hyemail\(hyreport\(hylevel\fP) option on the
command\(hyline. If this variable is not included in the configuration
file, the default report level is 3.
.br
Initial value: \fI3\fP
.IP \f(CWMAILNOVIOLATIONS\fP
This option controls the way that \fITripwire\fR sends email
notification if no rule violations are found during an integrity check.
If \fR\f(CWMAILNOVIOLATIONS\fP is set to \fIfalse\fP and no violations
are found, \fITripwire\fR will not send a report. With any other value,
or if the variable is removed from the configuration file,
\fITripwire\fR will send an email message stating that no violations
were found.
.IP \ \ \
Mailing reports of no violations allows an administrator to distinguish
between unattended integrity checks that are failing to run and
integrity checks that are running but are not finding any violations.
However, mailing no violations reports will increase the amount of data
that must be processed.
.br
Initial value: \fItrue\fR
.IP \f(CWMAILFROMADDRESS\fP
Specifies the value of the "From:" field in email reports.
.br
Initial value: \fItripwire@hostname\fP, where 'hostname' is the local
machine name.
.SH VERSION INFORMATION
This man page describes
.IR "Tripwire 2.4" "."
.SH AUTHORS
Tripwire, Inc.
.SH COPYING PERMISSIONS
Permission is granted to make and distribute verbatim copies of this man page provided the copyright notice and this permission notice are preserved on all copies.
.PP
Permission is granted to copy and distribute modified versions of this man page under the conditions for verbatim copying, provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one.
.PP
Permission is granted to copy and distribute translations of this man page into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by Tripwire, Inc.
.PP
Copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. in the United States and other countries. All rights reserved.
.SH SEE ALSO
.BR twintro (8),
.BR tripwire (8),
.BR twadmin (8),
.BR twprint (8),
.BR siggen (8),
.BR twpolicy (4),
.BR twfiles (5),
.BR sendmail (1),
.BR vi (1),
.BR syslogd (1)
Reference in New Issue View Git Blame Copy Permalink