twfiles - overview of files used by Tripwire and file backup process
The configuration file stores system-specific information, such as the
location of Tripwire data files. The configuration settings are
generated during the installation process, but can be changed by the
system administrator at any time. See the twconfig(4) man page for a
more complete discussion.
The policy file consists of a series of rules specifying the system
objects that Tripwire should monitor, and the data for each object that
should be collected and stored in the database file. Should unexpected
changes occur, the policy file can describe the person to be notified
and the severity of the violation. See the policyguide.txt file in the
policy directory and the twpolicy(4) man page for a more complete
The database file serves as the baseline for integrity checking. After
installation, Tripwire creates the initial database file, a "snapshot"
of the filesystem in a known secure state. Later, when an integrity
check is run, Tripwire compares each system object described in the
policy file against its corresponding entry in the database. A report
is created, and if an object has changed outside of constraints defined
in the policy file, a violation is reported. See the tripwire(8) and
twprint(8) man pages for more information on creating and maintaining
Once the above three files have been created, Tripwire can run an
integrity check and search for any differences between the current
system and the data stored in the "baseline" Tripwire database. This
information is archived into report files, a collection of rule
violations discovered during an integrity check. With the appropriate
settings, a report can also be emailed to one or more recipients. See
the tripwire(8) and twprint(8) man pages for information on creating
and printing report files.
defaults: /etc/tripwire/site.key and
It is critical that Tripwire files be protected from unauthorized
access‐‐an attacker who is able to modify these files can subvert
Tripwire operation. For this reason, all of the above files are signed
using public key cryptography to prevent unauthorized modification.
Two separate sets of keys protect critical Tripwire data files. One or
both of these key sets is necessary for performing almost every
The site key is used to protect files that could be used across several
systems. This includes the policy and configuration files. The local
key is used to protect files specific to the local machine, such as the
Tripwire database. The local key may also be used for signing
integrity check reports. See the twadmin(8) man page for more
information on keys.
To prevent the accidental deletion of important data, Tripwire
automatically creates backup files whenever any Tripwire file is
overwritten. The existing file will be renamed with a .bak extension,
and the new version of the file will take its place. Only one backup
copy for each filename can exist at any time. If a backup copy of a
file already exists, the older backup file will be deleted and replaced
with the newer one.
File backup is an integral part of Tripwire, and cannot be removed or
This man page describes Tripwire 2.3.1.
Permission is granted to make and distribute verbatim copies of this
man page provided the copyright notice and this permission notice are
preserved on all copies.
Permission is granted to copy and distribute modified versions of this
man page under the conditions for verbatim copying, provided that the
entire resulting derived work is distributed under the terms of a
permission notice identical to this one.
Permission is granted to copy and distribute translations of this man
page into another language, under the above conditions for modified
versions, except that this permission notice may be stated in a
translation approved by Tripwire, Inc.
Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of
Tripwire, Inc. in the United States and other countries. All rights
twintro(8), tripwire(8), twadmin(8), twprint(8), siggen(8),
1 July 2000