Tripwire Components; Modifying The Policy File - Red Hat LINUX 7.2 Reference Manual

Chapter 11:Installing and Configuring Tripwire

11.4 Tripwire Components

The Tripwire policy file is a text file containing comments, rules, directives, and variables. This file
dictates the way Tripwire checks your system. Each rule in the policy file specifies a system object to
be monitored. Rules also describe which changes to the object to report and which to ignore.
System objects are the files and directories you wish to monitor. Each object is identified by an object
name. A property refers to a single characteristic of an object that Tripwire software can monitor, such
as its permissions, owner, size, or a cryptographic hash of its contents. Directives control conditional
processing of sets of rules in a policy file. During installation, the text policy file
(/etc/tripwire/twpol.txt) is signed with the site key and stored in binary form as the active
policy file (/etc/tripwire/tw.pol). Tripwire reads only the signed copy, so editing twpol.txt
has no effect until the policy is signed again.
When first initialized, Tripwire uses the signed policy file rules to create the database file
(/var/lib/tripwire/host_name.twd). The database file is a baseline snapshot of the system in a
known secure state; it is only as trustworthy as the system was when the snapshot was taken, so create
it immediately after installation, before the host is exposed to untrusted users or networks. Tripwire
compares this baseline against the current system to determine what changes have occurred. This
comparison is called an integrity check.
When you perform an integrity check, Tripwire produces report files in the
/var/lib/tripwire/report directory. The report files summarize any file changes that violated
the policy file rules during the integrity check.
The Tripwire configuration file (/etc/tripwire/tw.cfg) stores system-specific information,
such as the location of Tripwire data files. Tripwire generates the necessary configuration file
information during installation, but the system administrator can change parameters in the
configuration file at any time after that point.
The configuration file variables POLFILE, DBFILE, REPORTFILE, SITEKEYFILE, and LOCALKEYFILE
specify the locations of the policy file, database file, report files, and site and local key files.
These variables are defined by default at the time of installation. If you edit the configuration file
and leave any of them undefined, Tripwire considers the configuration file invalid: running tripwire
produces an error and the program exits. Check that all five are still defined before signing a modified
configuration.
Note that the altered configuration file must be signed in the same way as the policy file in order for it
to be used by Tripwire. See Section 11.11.1, Signing the Configuration File for instructions on signing
the configuration file.

11.5 Modifying the Policy File

You can specify how Tripwire checks your system by modifying the Tripwire policy file
(twpol.txt). Tailoring the policy file to your particular system configuration increases the usefulness
of Tripwire reports by minimizing false alerts for files or programs you aren't using but Tripwire
is still reporting as altered or missing. As with the configuration file, the edited text policy only
takes effect once it has been signed again into tw.pol.
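The pieces described in Section 11.4, shown together as an added example that is not code from the Red Hat manual or from the Tripwire project: a short twpol.txt fragment illustrating rules, property masks and a directive, the text form of the configuration file with the five location variables the section says must all be defined, and a small shell check that flags a configuration from which one of them has been dropped. The paths are the Red Hat 7.2 defaults named above; the work directory, the host name mail.example.com, the severity values and the deliberately broken second configuration file are assumptions made for this demonstration, and the twadmin signing commands appear only as comments because they need root and the site key.

```shell
#!/bin/sh
# Added example, not from the Red Hat manual or the Tripwire project:
# a policy fragment in the twpol.txt language, a configuration in the
# text form that twadmin --create-cfgfile signs, and a pre-flight check
# for the five location variables the manual says must all be defined.
# Paths are the Red Hat 7.2 defaults quoted in the text; the work
# directory, host name and broken second file are constructed for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/tw-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Policy fragment: variables, two rules and one directive.  A property mask
# lists what to check (+) or ignore (-): p permissions, i inode, n links,
# u/g owner, t type, s size, d device, b blocks, m mtime, c ctime, a atime,
# M MD5, S SHA, H Haval, C CRC-32.
cat > "$WORK/twpol.txt" <<'EOF'
@@section GLOBAL
TWBIN = /usr/sbin;

@@section FS
SEC_CRIT   = $(IgnoreNone)-SHa ;   # every property except SHA, Haval, atime
SEC_CONFIG = $(Dynamic) ;          # files that legitimately change often
SEC_LOG    = $(Growing) ;          # files that only ever grow

(
  rulename = "Tripwire binaries",
  severity = 100
)
{
  $(TWBIN)/tripwire -> $(SEC_CRIT) ;
  $(TWBIN)/twadmin  -> $(SEC_CRIT) ;
}

(
  rulename = "Account database",
  severity = 66
)
{
  /etc/passwd -> $(SEC_CONFIG) ;
  /etc/shadow -> $(SEC_CONFIG) ;
}

# Directives make a rule set conditional, here on the host name.
@@ifhost mail.example.com
( rulename = "Mail log", severity = 33 )
{
  /var/log/maillog -> $(SEC_LOG) ;
}
@@endif
EOF

# Configuration text: the five location variables plus two others the
# installer writes.  $(HOSTNAME) and $(DATE) are expanded by Tripwire itself.
cat > "$WORK/twcfg.txt" <<'EOF'
ROOT         =/usr/sbin
POLFILE      =/etc/tripwire/tw.pol
DBFILE       =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE   =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE  =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR       =/bin/vi
EOF

# The same file with LOCALKEYFILE trimmed: the manual says this makes the
# whole configuration invalid and tripwire exits with an error.
grep -v '^LOCALKEYFILE' "$WORK/twcfg.txt" > "$WORK/twcfg-broken.txt"

# twcfg_missing_vars FILE: print the required variables that are missing
# or empty; return 0 when the file defines all five, 1 otherwise.
twcfg_missing_vars() {
    missing=""
    for var in POLFILE DBFILE REPORTFILE SITEKEYFILE LOCALKEYFILE; do
        if ! grep -Eq "^[[:space:]]*${var}[[:space:]]*=[[:space:]]*[^[:space:]]" "$1"; then
            missing="${missing:+$missing }$var"
        fi
    done
    [ -z "$missing" ] || { echo "$missing"; return 1; }
}

twcfg_missing_vars "$WORK/twcfg.txt" && echo "twcfg.txt: ready to sign"
twcfg_missing_vars "$WORK/twcfg-broken.txt" || echo "twcfg-broken.txt: would be rejected"

# Signing, which needs root and the site key, so it is not run here:
#   twadmin --create-cfgfile -S /etc/tripwire/site.key twcfg.txt
#   twadmin --create-polfile -S /etc/tripwire/site.key twpol.txt
```

Run the check on the edited text file before signing it, since a signed configuration with a missing location variable is only rejected when tripwire is run, at which point integrity checks silently stop happening until someone notices the error.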
