19.3. Customizing Tripwire
After you have installed the Tripwire RPM, you must complete the following steps to initialize the software:
19.3.1. Edit /etc/tripwire/twcfg.txt
customize email settings, or customize the level of detail for reports.
Below is a list of required user configurable variables in the /etc/tripwire/twcfg.txt file:
POLFILE — Specifies the location of the policy file; /etc/tripwire/tw.pol is the default value.
DBFILE — Specifies the location of the database file; /var/lib/tripwire/$(HOSTNAME).twd is the default value.
REPORTFILE — Specifies the location of the report files. By default this value is set to /var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr.
SITEKEYFILE — Specifies the location of the site key file; /etc/tripwire/site.key is the default value.
LOCALKEYFILE — Specifies the location of the local key file; /etc/tripwire/$(HOSTNAME)-local.key is the default value.
 | Important |
|---|---|
If you edit the configuration file and leave any of the above variables undefined, the configuration file will be invalid. If this occurs, when you execute the tripwire command it will report an error and exit. |
The rest of the configurable variables in the sample /etc/tripwire/twcfg.txt file are optional. These include the following:
EDITOR — Specifies the text editor called by Tripwire. The default value is /bin/vi.
LATEPROMPTING — If set to true value is false.
LOOSEDIRECTORYCHECKING — If set to true reports. The default value is false.
SYSLOGREPORTING — If set to true, this variable configures Tripwire to report information to the syslog daemon via the "user" facility. The log level is set to notice. See the syslogd man page for more information. The default value is false.
MAILNOVIOLATIONS — If set to true, this variable configures Tripwire to email a report at a regular interval regardless of whether any violations have occurred. The default value is true.
EMAILREPORTLEVEL — Specifies the level detail for emailed reports. Valid values for this variable are 0 through 4. The default value is 3.
REPORTLEVEL — Specifies the level detail for reports generated by the twprint command. This value can be overridden on the command line, but is set to 3 by default.
MAILMETHOD — Specifies which mail protocol Tripwire should use. Valid values are SMTP and SENDMAIL. The default value is SENDMAIL.
MAILPROGRAM — Specifies which mail program Tripwire should use. The default value is /usr/sbin/sendmail -oi -t.
After editing the sample configuration file, you will need to configure the sample policy file.
 | Warning |
|---|---|
For security purposes, you should either delete or store in a secure location any copies of the plain text /etc/tripwire/twcfg.txt file after running the installation script or regenerating a signed configuration file. Alternatively, you can change the permissions so that it is not world readable. |
19.3.2. Edit /etc/tripwire/twpol.txt
on the unaltered sample configuration from the RPM may not adequately protect your system.
Modifying the policy file also increases the usefulness of Tripwire reports by minimizing false alerts for files and programs you are not using and by adding functionality, such as email notification.
 | Note |
|---|---|
Notification via email is not configured by default. See Section 19.8.1 Tripwire and Email for more on configuring this feature. |
If you modify the sample policy file after running the configuration script, see Section 19.8 Updating the Tripwire Policy File for instructions on regenerating a signed policy file.
| Warning |
|---|---|
For security purposes, you should either delete or store in a secure location any copies of the plain text /etc/tripwire/twpol.txt file after running the installation script or regenerating a signed configuration file. Alternatively, you can change the permissions so that it is not world readable. |
19.3.3. Run the twinstall.sh Script
As the root user, type /etc/tripwire/twinstall.sh at the shell prompt to run the configuration script. The twinstall.sh
When selecting the site and local passwords, you should consider the following guidelines:
Use at least eight alphanumeric and symbolic characters for each unique password, but no more than 1023 total characters.
Do not use quotes in a password.
Make the Tripwire passwords completely different from the root or any other password for the system.
Use unique passwords for both the site key and the local key.
The site key password protects the Tripwire configuration and policy files. The local key password protects the Tripwire database and report files.
| Warning |
|---|---|
if an intruder obtains root access to your system, they will not be able to alter the Tripwire files to hide their tracks.
Once encrypted and signed, the configuration and policy files generated by running the twinstall.sh script should not be renamed or moved.
| Главная |