TW.CONFIG
Section: File Formats (5)
Updated: October 5, 1992

NAME
tw.config - configuration file for Tripwire

SYNOPSIS
tw.config

DESCRIPTION
The tw.config file contains the list of files and directories to be scanned by Tripwire. Information on these files is collected and stored in the tw.db database file. Stored with each tw.config entry is a selection-mask that describes what changes Tripwire can safely ignore without reporting to the user (e.g., access timestamp).

The first section in this manual page describes the entry format in tw.config for the files monitored by Tripwire. The second section describes the preprocessing directives that Tripwire provides. These directives, which provide functionality similar to the C preprocessor and M4 macro processor, allow Tripwire to make bindings at run-time. This allows system administrators to use common tw.config files across multiple machines - or even across an entire site.

ENTRY FORMAT
Each entry in tw.config is a single line in the following form:
The following templates have been pre-defined to make these long select-mask descriptions unnecessary.
By default, Tripwire uses the R template. Because it applies the set of select-flags {+pinugsm12-a3456789}, Tripwire ignores those changed files where only the access timestamp changed. You can combine the use of templates with select-flag modifiers. The following entry monitors only changes in user-id and group-id information.
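As an added illustration (not part of the man page or of Tripwire itself), the Python code below expands a select-mask into the set of attributes that remain monitored and flags entries left without any signature. Only the R template and its default use come from this page; the full flag alphabet, `#` comments and the attached `!` prefix are assumptions about the Tripwire 1.x format, and preprocessor directives are not handled.

```python
# Added example: expand Tripwire select-masks and audit tw.config entries.
ALL_FLAGS = "pinugsamc0123456789"          # assumed Tripwire 1.x flag alphabet
SIGNATURES = set("0123456789")             # digit flags select signature routines
TEMPLATES = {"R": "+pinugsm12-a3456789"}   # R as defined on this page


def expand_mask(mask="R"):
    """Return the set of select-flags still monitored for a select-mask."""
    if mask and mask[0] in TEMPLATES:      # leading template letter, then modifiers
        mask = TEMPLATES[mask[0]] + mask[1:]
    monitored, sign = set(), "+"
    for ch in mask:
        if ch in "+-":
            sign = ch
        elif ch not in ALL_FLAGS:
            raise ValueError(f"unknown select-flag {ch!r} in {mask!r}")
        elif sign == "+":
            monitored.add(ch)
        else:
            monitored.discard(ch)
    return monitored


def audit(config_text):
    """Return (path, status, monitored flags) for every entry line."""
    report = []
    for raw in config_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # assumption: '#' starts a comment
        if not fields:
            continue
        if fields[0].startswith("!"):           # pruned: Tripwire never looks inside
            report.append((fields[0][1:], "pruned", ""))
            continue
        flags = expand_mask(fields[1] if len(fields) > 1 else "R")  # R is the default
        status = "ok" if flags & SIGNATURES else "no-signature"
        report.append((fields[0], status, "".join(f for f in ALL_FLAGS if f in flags)))
    return report


# Constructed sample configuration (paths are illustrative, not from the page).
SAMPLE = """\
/etc            R
/etc/passwd     R+a
/var/spool      R-12                      # metadata only, no content signature
/home/scratch   -pinugsamc0123456789+ug   # only uid and gid
!/tmp
/bin
"""

if __name__ == "__main__":
    for path, status, flags in audit(SAMPLE):
        print(f"{path:15} {status:13} {flags}")
```

An entry reported as `no-signature` still has its listed metadata checked, but a content change that leaves that metadata untouched would go unreported.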
ENTRY EXAMPLES
The following entry will scan all the files in /etc, and report any changes in mode bits, inode number, reference count, uid, gid, modification and creation timestamp, and the signatures. However, it will ignore any changes in the access timestamp.
It is equivalent to:
The following example shows a very simple tw.config file that monitors selected directories.
Note the difference between pruning (via "!") and ignoring everything (via "N" template): ignoring everything in a directory still monitors for added and deleted files, but pruning a directory will prevent Tripwire from even looking in the specified directory for any changes.

Hint: Is Tripwire running too slowly? Modify your tw.config entries to use only a few signatures (e.g., signatures 1 and 5) when this computationally-exorbitant protection is not needed. (See README and design document for further details.)

PREPROCESSOR
Tripwire incorporates a general purpose preprocessor that parses the tw.config file in one pass. Available preprocessing directives include file inclusion, macro defines, conditionals based upon hostname or macros, and on-the-fly macro substitution. These directives provide C-preprocessor and m4-like capabilities.
The Tripwire preprocessor was included to allow its scalable use at
large sites, allowing system administrators to reuse tw.config files
by either including component files or having multiple machines share a
common tw.config file.
hostname matches the specified HOSTNAME. Remember that you must use the exact hostname that uname(1) or hostname(1) returns. This usually implies that you must use the fully qualified hostname (e.g., mentor.cc.purdue.edu). Example: A host-dependent inclusion can be specified many ways so tw.config files can be shared among multiple machines. So, if the machine "mentor.cc.purdue.edu" is the only machine that has a certain file, you could use:
CAVEATS
Although Tripwire provides hooks for ten different signature routines, using all ten would certainly be overkill in almost any imaginable situation. However, having up to ten signature routines in your signature arsenal allows system administrators considerable flexibility in finding the balance between performance and security for their specific site. This is the reason for supplying CRC-16 and CRC-32, which are trivially simple to spoof. These routines are not secure, but they are faster than the message-digesting routines.

DATABASE VERSIONS
Tripwire v1.0 used database version 1. Database version 2 changed the base-64 alphabet so that "0" retained its traditional value. Database version 3 changed the base-64 encoding so that all the bits were packed, reducing the size of 160-bit signatures from 30 characters to 27 characters. Tripwire v1.1 used database version 3. The program twconvert is provided to convert from the older database formats to version 3. Tripwire v1.2 uses database version 4, supporting signatures for symbolic links and more consistent handling of entry numbers. (Note that twconvert cannot convert older database versions to database version 4. These databases will have to be regenerated.)

SEE ALSO
tripwire(8), twconvert(8)

AUTHOR
Gene Kim
Purdue University
gkim@cs.purdue.edu

Eugene Spafford
Purdue University
spaf@cs.purdue.edu