Customizing Tripwire
After you have installed the Tripwire RPM, you need to complete the following steps to initialize the software:
Edit /etc/tripwire/twcfg.txt
Although you are not required to edit this sample Tripwire configuration file, you may find it necessary for your situation. For instance you may want to alter the location of Tripwire files, customize email settings, or customize the level of detail for reports.
Below is a list of required user configurable variables in the /etc/tripwire/twcfg.txt file:
POLFILE — Specifies the location of the policy file; /etc/tripwire/tw.pol is the default value.
DBFILE — Specifies the location of the database file; /var/lib/tripwire/$(HOSTNAME).twd is the default value.
REPORTFILE — Specifies the location of the report files. By default this value is set to /var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr.
SITEKEYFILE — Specifies the location of the site key file; /etc/tripwire/site.key is the default value.
LOCALKEYFILE — Specifies the location of the local key file; /etc/tripwire/$(HOSTNAME)-local.key is the default value.
 | Important |
|---|---|
If you edit the configuration file and leave any of the above variables undefined, the configuration file will be invalid. If this occurs, when you execute the tripwire command it will report an error and exit. |
The rest of the configurable variables in the sample /etc/tripwire/twcfg.txt file are optional. These include the following:
EDITOR — Specifies the text editor called by Tripwire. The default value is /bin/vi.
LATEPROMPTING — If set to true this variable configures Tripwire to wait as long as possible before prompting the user for a password, thereby minimizing the amount of time the password is in memory. The default value is false.
LOOSEDIRECTORYCHECKING — If set to true this variable configures Tripwire to report if a file within a watched directory changes and not to report the change for the directory itself. This limits redundancy in Tripwire reports. The default value is false.
SYSLOGREPORTING — If set to true, this variable configures Tripwire to report information to the syslog daemon via the "user" facility. The log level is set to notice. See the syslogd man page for more information. The default value is false.
MAILNOVIOLATIONS — If set to true this variable configures Tripwire to email a report at a regular interval regardless of whether or not any violations have occurred. The default value is true.
EMAILREPORTLEVEL — Specifies the level detail for emailed reports. Valid values for this variable are 0 through 4. The default value is 3.
REPORTLEVEL — Specifies the level detail for reports generated by the twprint command. This value can be overridden on the command line, but is set to 3 by default.
MAILMETHOD — Specifies which mail protocol Tripwire should use. Valid values are SMTP and SENDMAIL. The default value is SENDMAIL.
MAILPROGRAM — Specifies which mail program Tripwire should use. The default value is /usr/sbin/sendmail -oi -t.
After editing the sample configuration file, you will need to configure the sample policy file.
 | Warning |
|---|---|
For security purposes, you should either delete or store in a secure location any copies of the plain text /etc/tripwire/twcfg.txt file after running the installation script or regenerating a signed configuration file. Alternatively, you can change the permissions so that it is not world readable. |
Edit /etc/tripwire/twpol.txt
Although it is not required, you should edit this heavily commented sample Tripwire policy file to take into account the specific applications, files, and directories on your system. Relying on the unaltered sample configuration from the RPM may not adequately protect your system.
Modifying the policy file also increases the usefulness of Tripwire reports by minimizing false alerts for files and programs you are not using and by adding functionality, such as email notification.
 | Note |
|---|---|
Notification via email is not configured by default. See the Section called Tripwire and Email for more on configuring this feature. |
If you modify the sample policy file after running the configuration script, see the Section called Updating the Tripwire Policy File for instructions on regenerating a signed policy file.
| Warning |
|---|---|
For security purposes, you should either delete or store in a secure location any copies of the plain text /etc/tripwire/twpol.txt file after running the installation script or regenerating a signed configuration file. Alternatively, you can change the permissions so that it is not world readable. |
Run the twinstall.sh Script
As the root user, type /etc/tripwire/twinstall.sh at the shell prompt to run the configuration script. The twinstall.sh script will ask you for site and local passwords. These passwords are used to generate cryptographic keys for protecting Tripwire files. The script then creates and signs these files.
When selecting the site and local passwords, you should consider the following guidelines:
Use at least eight alphanumeric and symbolic characters, but for each password do not exceed 1023.
Do not use quotes in a password.
Make the Tripwire passwords completely different from the root or any other password for the system.
Use unique passwords for both the site key and the local key.
The site key password protects the Tripwire configuration and policy files. The local key password protects the Tripwire database and report files.
| Warning |
|---|---|
There is no way to decrypt a signed file if you forget your password. If you forget the passwords, the files are unusable and you will have to run the configuration script again. |
By encrypting its configuration, policy, database, and report files, Tripwire protects them from being viewed by anyone who does not know the site and local passwords. This means that, even if an intruder obtains root access to your system, they will not be able to alter the Tripwire files to hide their tracks.
Once encrypted and signed, the configuration and policy files generated by running the twinstall.sh script should not be renamed or moved.