twconfig - Tripwire configuration file reference
The configuration file stores system-specific information, including
the location of Tripwire data files, and the settings used to send
email notification. The configuration file settings are generated
during the installation process, but can be changed by the system
administrator at any time. The configuration file is signed with the
site key, and the site passphrase is required to edit the file.
During installation, a signed Tripwire configuration file tw.cfg will
be created in the /etc/tripwire directory, and a plain text copy of
this configuration file twcfg.txt will be created in the same directory.
The configuration file is modified using the twadmin --create-cfgfile
command. With this command, the user can designate an existing plain
text file as the current configuration file. Using the current site
key and passphrase, the new configuration file is cryptographically
signed and saved with this command.
Components of the Configuration File
The Tripwire configuration file is structured as a list of keyword-
value pairs, and may also contain comments and variable definitions.
Any lines with "#" in the first column are treated as comments.
The general syntax for variable definition is:
keyword = value
For example:
ROOT = /usr/tripwire
EDITOR = /usr/local/bin/jove
Variable substitution on the right hand side is permitted using the
$( varname ) form, for example:
DBFILE = $(ROOT)/db/$(HOSTNAME).twd
Variable names are case-sensitive, and may contain all alphanumeric
characters, underscores, the characters "+-@:", and the period. Two
variables are predefined in the configuration file, and may not be
changed. HOSTNAME is the unqualified hostname that Tripwire is running
on, and DATE is a string representation of the date and time.
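The keyword = value syntax, first-column comments, $( varname ) substitution and the two predefined variables described above, implemented as a small parser. This is an added example, not Tripwire's own parser or any code from this man page; the REPORTFILE line in the sample, the DATE layout used, and the rule that a variable must be defined before it is referenced are assumptions of the example.

```python
import re
import socket
import datetime

# Variable names: alphanumerics, "_", the characters "+-@:" and ".", as twconfig(4) states.
VAR_NAME = re.compile(r'^[A-Za-z0-9_+\-@:.]+$')
# Right-hand-side reference: $( varname ), whitespace inside the parentheses tolerated.
SUBST = re.compile(r'\$\(\s*([A-Za-z0-9_+\-@:.]+)\s*\)')
PREDEFINED = ("HOSTNAME", "DATE")


class ConfigError(ValueError):
    pass


def predefined_vars(hostname=None, now=None):
    """HOSTNAME is the unqualified host name, DATE a date/time string.
    The DATE layout used here (YYYYMMDD-HHMMSS) is an assumption of this example."""
    host = hostname if hostname is not None else socket.gethostname().split(".")[0]
    stamp = (now or datetime.datetime.now()).strftime("%Y%m%d-%H%M%S")
    return {"HOSTNAME": host, "DATE": stamp}


def expand(value, env):
    """Replace every $(name) in value with env[name]; an unknown name is an error."""
    def repl(m):
        name = m.group(1)
        if name not in env:
            raise ConfigError(f"undefined variable {name!r} in {value!r}")
        return env[name]
    return SUBST.sub(repl, value)


def parse_twconfig(text, hostname=None, now=None):
    """Parse keyword = value lines into a dict.  Only a "#" in the first column
    starts a comment.  Values are expanded when assigned, so (assumption) a
    variable must be defined before a later line references it."""
    env = predefined_vars(hostname, now)
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#") or not raw.strip():
            continue
        key, sep, val = raw.partition("=")
        key, val = key.strip(), val.strip()
        if not sep or not key:
            raise ConfigError(f"line {lineno}: expected 'keyword = value'")
        if not VAR_NAME.match(key):
            raise ConfigError(f"line {lineno}: invalid variable name {key!r}")
        if key in PREDEFINED:
            raise ConfigError(f"line {lineno}: {key} is predefined and may not be changed")
        env[key] = expand(val, env)
    return env


# Constructed sample in twconfig syntax; not a real installed tw.cfg.
SAMPLE = """\
# comment lines have "#" in the first column
ROOT = /usr/tripwire
DBFILE = $(ROOT)/db/$(HOSTNAME).twd
REPORTFILE = $(ROOT)/report/$(HOSTNAME)-$(DATE).twr
EDITOR = /usr/local/bin/jove
"""


def demo():
    """Parse SAMPLE with a fixed host name and clock so the result is reproducible."""
    return parse_twconfig(SAMPLE, hostname="host1",
                          now=datetime.datetime(2000, 7, 1, 12, 0, 0))


def parse_error(text):
    """Return the ConfigError message for text, or None if it parses cleanly."""
    try:
        parse_twconfig(text, hostname="host1")
        return None
    except ConfigError as e:
        return str(e)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k} = {v}")
    print(parse_error("HOSTNAME = other"))        # predefined, rejected
    print(parse_error("DBFILE = $(ROOT)/db.twd"))  # ROOT not yet defined
```

Feeding a real twcfg.txt through parse_twconfig is a quick way to see every expanded path before signing it with twadmin --create-cfgfile.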
The following variables must be set in order for Tripwire to operate.
The values listed below are assigned during installation.
The following variables are not required to run Tripwire, but some of
the program’s functionality will be lost without them. The values
assigned during installation are listed.
EDITOR Specifies an editor to be used in interactive modes. If EDITOR
is not defined, and no editor is specified on the command line,
using interactive modes will cause an error.
Initial value: /bin/vi
This variable can be set to the location to which tripwire
should write its temporary files. By default it is /tmp, which
due to the default permissions can be very insecure. It is
recommended that you use this configuration variable to provide
tripwire with a secure place to write temporary files. The
directory used should have its permissions set such that only
the owning process can read/write to it, i.e. "chmod 700".
Initial value: /tmp
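A check for the "chmod 700" advice above: is the configured temporary directory really a directory, owned by the user Tripwire runs as, with no group or other access? This is an added example and not part of Tripwire; it assumes a POSIX host and treats a symbolic link at the configured path as a finding in its own right.

```python
import os
import stat
import tempfile


def tempdir_issues(mode, owner_uid, expected_uid):
    """Check st_mode/st_uid of a temporary directory against the twconfig advice:
    a directory, owned by the Tripwire user, mode 0700 (no group/other access).
    Returns a list of problems; an empty list means it passes."""
    issues = []
    if not stat.S_ISDIR(mode):
        issues.append("not a directory")
    if owner_uid != expected_uid:
        issues.append(f"owned by uid {owner_uid}, expected uid {expected_uid}")
    perm = stat.S_IMODE(mode)
    if perm & (stat.S_IRWXG | stat.S_IRWXO):
        # A shared /tmp (mode 1777) lands here: every local user can create entries in it.
        issues.append(f"group/other permission bits set (mode {perm:04o}, want 0700)")
    if perm & stat.S_IRWXU != stat.S_IRWXU:
        issues.append(f"owner lacks rwx (mode {perm:04o})")
    return issues


def check_tempdir(path, expected_uid=None):
    """Stat path and run tempdir_issues on it.  lstat is used so a symbolic
    link planted at the configured location is reported rather than followed."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["path is a symbolic link"]
    uid = os.getuid() if expected_uid is None else expected_uid
    return tempdir_issues(st.st_mode, st.st_uid, uid)


def check_fresh_private_dir():
    """Create a private directory (tempfile.mkdtemp uses mode 0700), check it,
    remove it again and return the issue list, which should be empty."""
    path = tempfile.mkdtemp(prefix="tw-check-")
    try:
        return check_tempdir(path)
    finally:
        os.rmdir(path)


if __name__ == "__main__":
    print("/tmp:", check_tempdir("/tmp"))            # the default, expected to fail
    print("private dir:", check_fresh_private_dir())  # expected []
```

Run check_tempdir against whatever path the configuration names; the default /tmp fails on the group/other bits, which is exactly the point the paragraph above makes.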
This variable is set to a list of email addresses separated by
either a comma "," or a semicolon ";". If a report would normally
have been sent out, it will also be sent to this list of addresses.
Initial value: none
Prompt for passphrase as late as possible to minimize the amount
of time that the passphrase is stored in memory. If the value
is true (case-sensitive), then late prompting is turned on.
With any other value, or if the variable is removed from the
configuration file, late prompting is turned off.
Initial value: false
When a file is added or removed from a directory, Tripwire
reports both the changes to the file itself, and the
modification to the directory (size, num links, etc.). This can
create redundant entries in Tripwire reports. With loose
directory checking, Tripwire will not check directories for any
properties that would change when a file was added or deleted.
This includes: size, number of links, access time, change time,
modification time, number of blocks, growing file, and all hashes.
If the value for this variable is true (case-sensitive), then
loose directory checking is turned on, and these properties will
be ignored for all directories. With any other value, or if the
variable is removed from the configuration file, loose directory
checking is turned off. Turning loose directory checking on is
equivalent to appending the following propertymask to the rules
for all directory inodes: -snacmblCMSH
Initial value: false
If this variable is set to true, messages are sent to the syslog
for four events: database initialization, integrity check
completions, database updates, and policy updates. The syslog
messages are sent from the "user" facility at the "notice"
level. For more information, see the syslogd(1) man page and
the syslog.conf file. The following illustrates the information
logged in the syslog for each of the four events:
The letters in the Integrity Checking log correspond to # of
violations, maximum severity level, and # of files added,
deleted, and changed, respectively. With any value other than
true, or if this variable is removed from the configuration
file, syslog reporting will be turned off.
Initial value: true
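Detection logic over the syslog messages described above: parse the four event types out of a syslog stream, pull the violation, severity and added/removed/changed counters out of the integrity-check line, and select the checks that found violations. This is an added example, not code from the page or from Tripwire; the sample lines are constructed and the exact message wording and counter layout ("V:n S:n A:n R:n C:n") are assumptions that should be compared against your own syslog output.

```python
import re

# Constructed syslog lines (not captured from a real host).  The message bodies
# follow the Tripwire 2.3 wording as this example assumes it.
SAMPLE_LOG = """\
Jul  1 01:00:00 host1 tripwire[1201]: Database initialized: /var/lib/tripwire/host1.twd
Jul  2 01:00:03 host1 tripwire[1322]: Integrity Check Complete: TWReport host1 20000702010003 V:0 S:0 A:0 R:0 C:0
Jul  3 01:00:04 host1 tripwire[1410]: Integrity Check Complete: TWReport host1 20000703010004 V:2 S:100 A:1 R:0 C:1
Jul  3 09:15:00 host1 tripwire[1455]: Database Update Complete: /var/lib/tripwire/host1.twd
Jul  3 09:20:00 host1 tripwire[1460]: Policy Update Complete: /var/lib/tripwire/host1.twd
Jul  3 09:21:00 host1 sshd[1470]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2
"""

LINE_RE = re.compile(
    r'^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'tripwire\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# V = violations, S = maximum severity, A/R/C = files added, removed, changed.
CHECK_RE = re.compile(
    r'^Integrity Check Complete: TWReport (?P<rhost>\S+) (?P<when>\d{14}) '
    r'V:(?P<v>\d+) S:(?P<s>\d+) A:(?P<a>\d+) R:(?P<r>\d+) C:(?P<c>\d+)$')
PREFIX_KIND = (
    ("Database initialized:", "db_init"),
    ("Integrity Check Complete:", "check"),
    ("Database Update Complete:", "db_update"),
    ("Policy Update Complete:", "policy_update"),
)


def parse_tripwire_syslog(text):
    """Return one dict per tripwire syslog line; other daemons' lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        kind = next((k for p, k in PREFIX_KIND if msg.startswith(p)), "unknown")
        ev = {"stamp": m.group("stamp"), "host": m.group("host"), "kind": kind, "msg": msg}
        if kind == "check":
            c = CHECK_RE.match(msg)
            if c is None:
                ev["kind"] = "malformed_check"  # keep it visible rather than dropping it
            else:
                ev.update(violations=int(c["v"]), max_severity=int(c["s"]),
                          added=int(c["a"]), removed=int(c["r"]), changed=int(c["c"]))
        events.append(ev)
    return events


def checks_with_violations(events, min_severity=0):
    """Integrity checks that reported at least one violation at or above min_severity."""
    return [e for e in events
            if e["kind"] == "check" and e["violations"] > 0
            and e["max_severity"] >= min_severity]


def demo():
    return parse_tripwire_syslog(SAMPLE_LOG)


if __name__ == "__main__":
    for e in demo():
        print(e["stamp"], e["kind"], e.get("violations", ""))
    print("alerts:", checks_with_violations(demo()))
```

Because database and policy updates are logged too, the same parser lets a log pipeline raise an event whenever the baseline itself changes, which is worth an alert even when no check violations appear.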
Specifies the default level of report produced by the twprint
--print-report mode. Valid values for this option are 0 to 4.
The report level specified by this option can be overridden with
the (-t or --report-level) option on the command line. If this
variable is not included in the configuration file, the default
report level is 3. Note that only reports printed using the
twprint --print-report mode are affected by this parameter;
reports displayed by other modes and other commands are not affected.
Initial value: 3
Email Notification Variables
Specifies the protocol to be used by Tripwire for email
notification. The only acceptable values for this field are SMTP
or SENDMAIL. Any other value will produce an error message.
Initial value: SENDMAIL
Specifies the domain name or IP address of the SMTP server used
for email notification. Ignored unless MAILMETHOD is set to SMTP.
Initial value: mail.domain.com
Specifies the port number used with SMTP. Ignored unless
MAILMETHOD is set to SMTP.
Initial value: 25
Specifies the program used for email reporting of rule
violations if MAILMETHOD is set to SENDMAIL. The program must
take an RFC822 style mail header, and recipients will be listed
in the "To:" field of the mail header. Some mail programs
interpret a line consisting of only a single period character to
mean end-of-input, and all text after that is ignored. Since
there is a small possibility that a Tripwire report would
contain such a line, the mail program specified must be able to
ignore lines that consist of a single period (the -oi option to
sendmail produces this behavior).
Initial value: /usr/lib/sendmail -oi -t
Specifies the default level of report produced by the tripwire
--check mode email report. Valid values for this option are 0
to 4. The report level specified by this option can be
overridden with the (-t or --email-report-level) option on the
command line. If this variable is not included in the
configuration file, the default report level is 3.
Initial value: 3
This option controls the way that Tripwire sends email
notification if no rule violations are found during an integrity
check. If MAILNOVIOLATIONS is set to false and no violations
are found, Tripwire will not send a report. With any other
value, or if the variable is removed from the configuration
file, Tripwire will send an email message stating that no
violations were found.
Mailing reports of no violations allows an administrator to
distinguish between unattended integrity checks that are failing
to run and integrity checks that are running but are not finding
any violations. However, mailing no violations reports will
increase the amount of data that must be processed.
Initial value: true
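A configuration linter that applies the rules stated in this reference to a parsed set of variables: MAILMETHOD must be exactly SMTP or SENDMAIL, SMTPHOST should no longer be the installation placeholder, a sendmail MAILPROGRAM should carry -oi, report levels are 0 to 4, the boolean flags only count as on when spelled exactly "true", and MAILNOVIOLATIONS=false removes the signal that distinguishes a silent failure from a clean check. This is an added example, not part of Tripwire or this man page; the input is a plain dict of constructed values, and the variable names not spelled out on this page (SMTPHOST, SMTPPORT, MAILPROGRAM, REPORTLEVEL, EMAILREPORTLEVEL, SYSLOGREPORTING, LATEPROMPTING, LOOSEDIRECTORYCHECKING, GLOBALEMAIL) are assumed to be the Tripwire 2.3.1 names.

```python
VALID_LEVELS = {"0", "1", "2", "3", "4"}
# Flags that are on only when the value is exactly the lowercase word "true".
TRUE_FLAGS = ("LATEPROMPTING", "LOOSEDIRECTORYCHECKING", "SYSLOGREPORTING")


def config_issues(cfg):
    """Return a list of problems found in a dict of twconfig variables."""
    issues = []
    method = cfg.get("MAILMETHOD")
    if method not in ("SMTP", "SENDMAIL"):
        issues.append(f"MAILMETHOD must be exactly SMTP or SENDMAIL, got {method!r}")
    elif method == "SMTP":
        host = cfg.get("SMTPHOST", "")
        if not host or host == "mail.domain.com":
            issues.append("SMTPHOST is unset or still the installation placeholder mail.domain.com")
        port = cfg.get("SMTPPORT", "25")
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            issues.append(f"SMTPPORT {port!r} is not a valid TCP port")
    else:  # SENDMAIL
        prog = cfg.get("MAILPROGRAM", "")
        if not prog:
            issues.append("MAILPROGRAM is unset but MAILMETHOD is SENDMAIL")
        elif "sendmail" in prog and "-oi" not in prog.split():
            issues.append("MAILPROGRAM runs sendmail without -oi: a report line holding "
                          "a lone '.' would end the message early")
    for key in ("REPORTLEVEL", "EMAILREPORTLEVEL"):
        if key in cfg and cfg[key] not in VALID_LEVELS:
            issues.append(f"{key} must be 0-4, got {cfg[key]!r}")
    for key in TRUE_FLAGS:
        val = cfg.get(key)
        if val is not None and val != "true" and val.lower() == "true":
            issues.append(f"{key}={val!r} is not the case-sensitive 'true'; the feature is OFF")
    novio = cfg.get("MAILNOVIOLATIONS")
    if novio == "false":
        issues.append("MAILNOVIOLATIONS=false: a check that never runs looks the same as a "
                      "clean one; keep no-violation mail unless volume is a real problem")
    elif novio is not None and novio.lower() == "false":
        issues.append(f"MAILNOVIOLATIONS={novio!r} is not the exact word 'false', "
                      "so no-violation reports WILL be mailed")
    return issues


# Constructed settings (not from any real tw.cfg).  WEAK keeps several
# installation defaults and misspells a flag; HARDENED passes cleanly.
WEAK = {
    "MAILMETHOD": "SMTP",
    "SMTPHOST": "mail.domain.com",
    "SMTPPORT": "25",
    "REPORTLEVEL": "7",
    "EMAILREPORTLEVEL": "3",
    "SYSLOGREPORTING": "True",
    "MAILNOVIOLATIONS": "false",
}
SENDMAIL_WEAK = {"MAILMETHOD": "SENDMAIL", "MAILPROGRAM": "/usr/lib/sendmail -t"}
HARDENED = {
    "MAILMETHOD": "SENDMAIL",
    "MAILPROGRAM": "/usr/lib/sendmail -oi -t",
    "REPORTLEVEL": "3",
    "EMAILREPORTLEVEL": "3",
    "SYSLOGREPORTING": "true",
    "LATEPROMPTING": "true",
    "MAILNOVIOLATIONS": "true",
    "GLOBALEMAIL": "security-team@example.com",
}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("SENDMAIL_WEAK", SENDMAIL_WEAK), ("HARDENED", HARDENED)):
        print(name, config_issues(cfg) or "ok")
```

The MAILNOVIOLATIONS finding is a warning rather than an error: the reference leaves the choice to the administrator, but the trade-off it describes (extra mail volume against the ability to notice a cron job that stopped running) is worth surfacing during review.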
This man page describes Tripwire 2.3.1.
Permission is granted to make and distribute verbatim copies of this
man page provided the copyright notice and this permission notice are
preserved on all copies.
Permission is granted to copy and distribute modified versions of this
man page under the conditions for verbatim copying, provided that the
entire resulting derived work is distributed under the terms of a
permission notice identical to this one.
Permission is granted to copy and distribute translations of this man
page into another language, under the above conditions for modified
versions, except that this permission notice may be stated in a
translation approved by Tripwire, Inc.
Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of
Tripwire, Inc. in the United States and other countries. All rights reserved.
twintro(8), tripwire(8), twadmin(8), twprint(8), siggen(8),
twpolicy(4), twfiles(5), sendmail(1), vi(1), syslogd(1)
1 July 2000