NAME
       tw.config - configuration file for Tripwire

DESCRIPTION
       The tw.config file contains the list of files and directories to be
       scanned by Tripwire. Information on these files is collected and
       stored in the tw.db database file. Each tw.config entry has an
       associated selection-mask that describes the properties of that
       object that Tripwire should monitor and the properties that can be
       ignored.

       The first section of this manual page describes the format of the
       entries in tw.config that specify the files to be monitored by
       Tripwire. The second section describes the preprocessing directives
       that Tripwire provides. These directives offer functionality similar
       to the C preprocessor and the M4 macro processor, allowing Tripwire
       to interpret the configuration file conditionally, so that system
       administrators can use common tw.config files across multiple
       machines, or even across an entire site.

ENTRY FORMAT
       Each entry in tw.config is a single line of the following form:

              [!|=] entry [ select-flags | template ] [# comment ]

       entry  An entry is the absolute pathname of a file or a directory.
              Without any prefix, the entry is added to the list of files
              to be scanned. Directories listed in tw.config are descended
              recursively; filesystems, however, are never crossed. For
              instance, if /usr and /usr/local are separate filesystems, a
              /usr entry in tw.config will not scan files that reside in
              the /usr/local filesystem.

       !      Inclusive prune. Prunes entry from the list of files to be
              scanned. If entry is a file, the file is removed from the
              list. If entry is a directory, the directory and all of its
              children are removed from the list.

       =      Exclusive prune. Does not prune entry, but does prune its
              children; the directory itself is still checked with its own
              select-mask. This has no effect if entry is a file. This
              option is useful for monitoring directories that hold
              transient files (/tmp and /var/tmp, for example).
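       The entry rules above (recursive descent, the filesystem boundary,
       the "!" and "=" prunes) and the templates and select-flag modifiers
       described below, as an added example that is not part of this manual
       page or of the Tripwire source. It works on a constructed in-memory
       filesystem (path -> (is_dir, device id), the device id standing in
       for st_dev) rather than on stat(2), must be fed already-preprocessed
       text, and assumes, since the page does not say, that a bare +/-
       select-flags string starts from nothing selected and that a later,
       deeper entry overrides the mask inherited from an ancestor entry.

```python
import os

# The templates exactly as listed under select-flags in this manual page.
TEMPLATES = {
    "R": "+pinugsm12-ac3456789",
    "L": "+pinug-samc123456789",
    "N": "+pinugsamc123456789",
    "E": "-pinugsamc123456789",
    ">": "+pinug-samc123456789",
}
ATTRS = set("pinugsamc0123456789")


def resolve_mask(spec):
    """Expand a template letter (optionally followed by +/- modifiers) or a
    bare select-flags string into the set of attributes to record and check.
    Assumption (not stated on the page): a bare +/- string starts from
    nothing selected, so "+pinugsm12-a" selects exactly pinugsm12."""
    spec = spec or "R"                          # no mask given: R is the default
    if spec[0] in TEMPLATES:
        spec = TEMPLATES[spec[0]] + spec[1:]    # template first, modifiers after
    checked, sign = set(), "+"
    for ch in spec:
        if ch in "+-":
            sign = ch
        elif ch in ATTRS:
            (checked.add if sign == "+" else checked.discard)(ch)
        else:
            raise ValueError("unknown select-flag %r in %r" % (ch, spec))
    return frozenset(checked)


def parse_entry(line):
    """Split one (already preprocessed) tw.config line into
    (prefix, path, mask_spec); returns None for blank or comment-only lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    prefix = ""
    if fields[0][0] in "!=":
        prefix, fields[0] = fields[0][0], fields[0][1:]
    if not fields[0].startswith("/"):
        raise ValueError("entry must be an absolute pathname: %r" % line)
    return prefix, fields[0], (fields[1] if len(fields) > 1 else "")


def descend(tree, root):
    """Yield root and everything below it, never crossing a filesystem.
    tree maps path -> (is_dir, device); device stands in for st_dev."""
    is_dir, dev = tree[root]
    yield root
    if is_dir:
        for path, (_, child_dev) in tree.items():
            if os.path.dirname(path) == root and child_dev == dev:
                yield from descend(tree, path)


def build_scan_list(config_text, tree):
    """Return {path: mask} of everything Tripwire would scan for this config."""
    entries = [e for e in map(parse_entry, config_text.splitlines()) if e]
    scan = {}
    for prefix, path, spec in entries:          # pass 1: inclusions
        if prefix == "" and path in tree:
            for p in descend(tree, path):
                scan[p] = resolve_mask(spec)    # a later, deeper entry overrides
    for prefix, path, spec in entries:          # pass 2: prunes, whatever their order
        below = path.rstrip("/") + "/"
        if prefix == "!":
            scan = {p: m for p, m in scan.items()
                    if p != path and not p.startswith(below)}
        elif prefix == "=" and path in tree:
            scan = {p: m for p, m in scan.items() if not p.startswith(below)}
            scan[path] = resolve_mask(spec)     # the directory itself stays monitored
    return scan


# Constructed sample filesystem: /usr/local is a separate filesystem (device 2).
TREE = {
    "/etc": (True, 1), "/etc/passwd": (False, 1),
    "/etc/lp": (True, 1), "/etc/lp/log": (False, 1),
    "/usr": (True, 1), "/usr/bin": (True, 1), "/usr/bin/ls": (False, 1),
    "/usr/local": (True, 2), "/usr/local/bin": (True, 2), "/usr/local/bin/x": (False, 2),
    "/tmp": (True, 1), "/tmp/junk": (False, 1),
}

# Constructed sample tw.config (the page's three-line example plus a /usr entry).
CONFIG = """\
/etc R               # all system files
!/etc/lp R           # ...but not those logs
=/tmp N              # just the directory, not its files
/usr +pinugsm12-a    # same as R; stops at the /usr/local mount
"""

if __name__ == "__main__":
    for path, mask in sorted(build_scan_list(CONFIG, TREE).items()):
        print("%-20s %s" % (path, "".join(sorted(mask))))
```

       Running it lists /etc, /etc/passwd, /tmp, /usr, /usr/bin and
       /usr/bin/ls: /etc/lp and its log are gone because "!" removes the
       directory and its children, /tmp/junk never appears because "="
       keeps only the directory, and nothing under /usr/local is visited
       because it sits on a different device.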
       select-flags
              select-flags describe inode and file attributes, and direct
              Tripwire to report changes in a specific attribute or to
              ignore them. select-flags are given in the form:

                     [+|-][pinugsamc0123456789]

              -      ignore the following attributes
              +      record and check the following attributes
              p      permission and file mode bits
              i      inode number
              n      number of links (i.e., inode reference count)
              u      user id of owner
              g      group id of owner
              s      size of file
              a      access timestamp
              m      modification timestamp
              c      inode creation/modification timestamp (ctime; on most
                     Unix systems this is the time the inode was last
                     changed, not a creation time)
              0      signature 0 - null signature
              1      signature 1 - MD5, the RSA Data Security, Inc. (R)
                     Message Digesting Algorithm
              2      signature 2 - Snefru, the Xerox Secure Hash Function
              3      signature 3 - CRC-32, POSIX 1003.2 compliant 32-bit
                     Cyclic Redundancy Check
              4      signature 4 - CRC-16, the standard (non-CCITT) 16-bit
                     Cyclic Redundancy Check
              5      signature 5 - MD4, the RSA Data Security, Inc. (R)
                     Message Digesting Algorithm
              6      signature 6 - MD2, the RSA Data Security, Inc. (R)
                     Message Digesting Algorithm
              7      signature 7 - SHA, the NIST Secure Hash Algorithm
                     (NIST FIPS 180)
              8      signature 8 - Haval, a strong 128-bit signature
                     algorithm
              9      signature 9 - null signature (reserved for future
                     expansion)

       templates
              templates are predefined sets of select-flags that are
              commonly used by system administrators. The following
              templates have been pre-defined to replace long select-mask
              descriptions.

              R      [R]ead-only (+pinugsm12-ac3456789) (default)
              L      [L]og file (+pinug-samc123456789)
              N      ignore [N]othing (+pinugsamc123456789)
              E      ignore [E]verything (-pinugsamc123456789)
              >      growing file (+pinug-samc123456789) - file changes
                     are reported only when the file is smaller than the
                     last recorded size. This is useful for monitoring log
                     files that are expected to grow.

              Templates can be combined with select-flag modifiers. For
              example, the following entry monitors only changes in
              user-id and group-id information:
                     /etc/lp E+ug

       If no select-flags or template are specified for an entry, Tripwire
       uses the R template. Note that because the R template's select-flags
       ignore a, it will not report files where only the access timestamp
       has changed.

ENTRY EXAMPLES
       The following entry scans all the files in /etc and reports any
       change to the mode bits, inode number, reference count, uid, gid,
       modification and creation timestamps, or the selected signatures
       (MD5 and Snefru). It ignores any change to the access timestamp.

              /etc +pinugsm12-a

       The entry above is equivalent to:

              /etc R

       The following example shows a very simple tw.config file that
       monitors selected directories.

              /etc R          # all system files
              !/etc/lp R      # ...but not those logs
              =/tmp N         # just the directory, not its files

       Note the difference between pruning (via "!") and ignoring
       everything (via the "E" template): ignoring everything in a
       directory still monitors for added and deleted files, but pruning a
       directory prevents Tripwire from even looking in that directory for
       any changes.

       Hint: If Tripwire is running too slowly, modify your tw.config
       entries to use only a few signatures (signatures 1 and 5, for
       instance) where this computationally expensive protection is not
       needed. (See the README file or the Tripwire design document
       designdoc.ps for further details.)

PREPROCESSOR
       Tripwire incorporates a general-purpose preprocessor that parses the
       tw.config file in one pass. Available preprocessing directives
       include file inclusion, macro definitions, conditionals based upon
       hostname or macros, and on-the-fly macro substitution. The
       preprocessor was included to allow scalable use at large sites,
       letting system administrators reuse tw.config files by including
       component files or by having multiple machines share a common
       tw.config file.

       @@ifhost HOSTNAME
              includes text until the matching @@endif if the machine
              hostname matches the specified HOSTNAME.
              Remember that you must use the exact hostname that uname(1)
              or hostname(1) returns. This usually means the fully
              qualified hostname (mentor.cc.purdue.edu, for example).

       @@ifnhost HOSTNAME
              includes text until the matching @@endif if the machine
              hostname does not match the specified HOSTNAME.

       @@else provides if-else semantics to the preprocessor.

       @@define VAR STRING
              defines variable VAR to STRING. If the second argument is
              not provided, a null string is assigned to VAR.

       @@undef VAR
              clears the definition associated with variable VAR.

       @@ifdef VAR
              includes text until the matching @@endif or @@else if the
              variable VAR has been defined.

       @@ifndef VAR
              includes text until the matching @@endif or @@else if the
              variable VAR has not been defined.

       @@endif
              closes @@ifhost, @@ifnhost, @@ifdef, and @@ifndef.

       @@include "PATHNAME"
              reads in the specified source file. The double quotes are
              only required if PATHNAME contains a space.

       @@VAR  substitutes the @@define'd value of VAR.

       @@{VAR}
              substitutes the @@define'd value of VAR.

       A host-dependent inclusion can be specified in many ways, allowing
       tw.config files to be shared among multiple machines. So, if the
       machine "mentor.cc.purdue.edu" is the only machine with a certain
       file, you could use:

              @@ifhost mentor.cc.purdue.edu
              /etc/tw.log.mentor R
              @@endif

       Macros are substituted the same way:

              @@define ARCHIVE R
              /etc/tw.log @@ARCHIVE

CAVEATS
       Although Tripwire provides hooks for ten different signature
       routines, using all ten would certainly be overkill in almost any
       situation. However, having ten signature routines in the arsenal
       gives system administrators considerable flexibility in striking a
       balance between performance and security for their site. This is
       the reason for supplying CRC-16 and CRC-32, which are trivially
       simple to spoof: a CRC is linear, so whoever changes a file can
       append a few bytes that restore its original CRC. These routines
       are not secure, but they are faster than the message-digesting
       routines. Note also that the message digests offered here (MD2,
       MD4, MD5, Snefru, Haval and the original FIPS 180 SHA) all predate
       the collision attacks later published against them; select more
       than one of them for files an attacker would be motivated to
       replace.

DATABASE VERSIONS
       Tripwire v1.0 used database version 1.
       Database version 2 changed the base-64 alphabet so that "0"
       retained its traditional value. Database version 3 changed the
       base-64 encoding so that all bits are packed, reducing the size of
       160-bit signatures from 30 characters to 27 characters. Tripwire
       v1.1 used database version 3. The program twconvert is provided to
       convert the older database formats to version 3.

       Tripwire v1.2 used database version 4, which supports signatures
       for symbolic links and more consistent handling of entry numbers.
       (Note that twconvert cannot convert older database versions to
       version 4; such databases have to be regenerated.)

SEE ALSO
       tripwire(8)

AUTHOR
       Gene Kim, Tripwire Security Systems, Inc., genek@tripwiresecurity.com
       Eugene Spafford, Purdue University, spaf@cs.purdue.edu
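       The directives described in the PREPROCESSOR section above, as an
       added example that is not part of this manual page or of the
       Tripwire source. It expands @@ifhost, @@ifnhost, @@ifdef, @@ifndef,
       @@else, @@endif, @@define, @@undef, @@include, @@VAR and @@{VAR} in a
       single pass. Assumptions: included files come from a dict passed in
       (a constructed stand-in for reading them from disk), an undefined
       @@VAR expands to the empty string, and directives inside a skipped
       branch have no effect, which is how the page describes the
       conditionals but which Tripwire's own parser is not quoted as
       guaranteeing.

```python
import re
import socket

DIRECTIVES = {"ifhost", "ifnhost", "ifdef", "ifndef", "else", "endif",
              "define", "undef", "include"}
_VAR = re.compile(r"@@\{(\w+)\}|@@(\w+)")


def preprocess(text, hostname=None, files=None, defs=None):
    """Expand the @@ directives of a tw.config file in one pass and return the
    resulting text. files maps an @@include pathname to its contents (a
    constructed stand-in for reading the file from disk); defs is the macro
    table, shared with included files so their @@defines are visible."""
    hostname = hostname or socket.gethostname()
    files = files if files is not None else {}
    defs = defs if defs is not None else {}
    out = []
    stack = []                       # one flag per open @@if*: branch taken?

    def active():
        return all(stack)

    def subst(line):                 # @@{VAR} and @@VAR; undefined -> ""
        return _VAR.sub(lambda m: defs.get(m.group(1) or m.group(2), ""), line)

    for line in text.splitlines():
        s = line.strip()
        words = s[2:].split(None, 2) if s.startswith("@@") else []
        cmd = words[0] if words else None
        if cmd not in DIRECTIVES:    # ordinary entry (possibly with @@VAR in it)
            if active():
                out.append(subst(line))
            continue
        args = words[1:]
        if cmd == "ifhost":
            stack.append(args[0] == hostname)
        elif cmd == "ifnhost":
            stack.append(args[0] != hostname)
        elif cmd == "ifdef":
            stack.append(args[0] in defs)
        elif cmd == "ifndef":
            stack.append(args[0] not in defs)
        elif cmd == "else":
            if not stack:
                raise ValueError("@@else without a matching @@if")
            stack[-1] = not stack[-1]
        elif cmd == "endif":
            if not stack:
                raise ValueError("@@endif without a matching @@if")
            stack.pop()
        elif not active():
            continue                 # define/undef/include in a skipped branch
        elif cmd == "define":
            defs[args[0]] = args[1] if len(args) > 1 else ""
        elif cmd == "undef":
            defs.pop(args[0], None)
        elif cmd == "include":       # quotes only needed when the name has a space
            name = s[len("@@include"):].strip().strip('"')
            if name not in files:
                raise FileNotFoundError(name)
            out.extend(preprocess(files[name], hostname, files, defs).splitlines())
    if stack:
        raise ValueError("%d unterminated @@if directive(s)" % len(stack))
    return "\n".join(out) + ("\n" if out else "")


# Constructed sample: one shared tw.config plus a site-wide include file.
SHARED = """\
@@define ARCHIVE R
@@include "site common"
@@ifhost mentor.cc.purdue.edu
/etc/tw.log.mentor @@ARCHIVE
@@else
/etc/tw.log @@{ARCHIVE}
@@endif
@@ifndef SITE
/etc/passwd N          # only on hosts that did not get the site file
@@endif
"""
FILES = {"site common": "@@define SITE purdue\n/usr/local/bin R\n"}

if __name__ == "__main__":
    print(preprocess(SHARED, hostname="mentor.cc.purdue.edu", files=FILES))
```

       On mentor.cc.purdue.edu the output is "/usr/local/bin R" followed
       by "/etc/tw.log.mentor R"; on any other host the second line becomes
       "/etc/tw.log R". The /etc/passwd line never appears because the
       included file defines SITE before the @@ifndef is reached, which is
       why the include must run inline during the one pass rather than
       being collected first.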
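       The CAVEATS section above says that CRC-16 and CRC-32 are trivially
       simple to spoof. As an added example, not part of this manual page
       or of the Tripwire source, the following code patches a modified
       file so that its CRC-32 equals the original's by appending four
       bytes, which is the whole attack: the CRC register is 32 bits and
       linear, so four free bytes can steer it to any value. Assumptions:
       it uses the reflected CRC-32 that zlib computes, not the bit order
       of the POSIX 1003.2 cksum variant that signature 3 names (the same
       technique applies there with the table and shifts mirrored), and the
       file contents are constructed. Two bytes suffice for CRC-16 in the
       same way.

```python
import hashlib
import zlib

POLY = 0xEDB88320                       # reflected CRC-32 (zlib / IEEE 802.3)
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
# Each table entry has a distinct top byte, so the top byte of the register
# after a step reveals which table entry that step used.
INV_TOP = {t >> 24: i for i, t in enumerate(TABLE)}
assert len(INV_TOP) == 256


def forge_suffix(data, target_crc):
    """Return 4 bytes s such that zlib.crc32(data + s) == target_crc."""
    start = zlib.crc32(data) ^ 0xFFFFFFFF     # register after data (undo final xor)
    target = target_crc ^ 0xFFFFFFFF          # register wanted before final xor
    # Backwards: recover the table index used in each of the last four steps.
    # The low byte of each intermediate register is unknown here, but it
    # only ever lands below the top byte we read, so the indices are exact.
    idx, reg = [0] * 4, target
    for i in range(3, -1, -1):
        idx[i] = INV_TOP[reg >> 24]
        reg = ((reg ^ TABLE[idx[i]]) << 8) & 0xFFFFFFFF
    # Forwards from an all-zero register: turn those indices into data bytes.
    d, reg = bytearray(4), 0
    for i in range(4):
        d[i] = idx[i] ^ (reg & 0xFF)
        reg = TABLE[idx[i]] ^ (reg >> 8)
    assert reg == target
    # Feeding d from register 0 equals feeding d XOR start from register start,
    # so the real suffix is d with the start register folded in byte by byte.
    return bytes(d[i] ^ ((start >> (8 * i)) & 0xFF) for i in range(4))


def crc_after_forge(data, target_crc):
    """CRC-32 of data with its forged suffix appended (should equal target_crc)."""
    return zlib.crc32(data + forge_suffix(data, target_crc))


# Constructed sample: a config line is altered, then patched so its CRC-32
# matches the original. The four bytes are arbitrary, so in practice they go
# where the file format ignores them (here: after a trailing comment marker).
ORIGINAL = b"# sshd config\nPermitRootLogin no\n"
TAMPERED = b"# sshd config\nPermitRootLogin yes\n# "


def spoof_demo():
    """Return (crc_equal, md5_equal, forged_bytes) for the sample above."""
    target = zlib.crc32(ORIGINAL)
    forged = TAMPERED + forge_suffix(TAMPERED, target)
    return (zlib.crc32(forged) == target,
            hashlib.md5(forged).digest() == hashlib.md5(ORIGINAL).digest(),
            forged)


if __name__ == "__main__":
    crc_ok, md5_ok, forged = spoof_demo()
    print("CRC-32 matches original:", crc_ok)   # signature 3 alone is fooled
    print("MD5 matches original:   ", md5_ok)   # signature 1 still reports it
```

       A tw.config entry that selects only signature 3 or 4 therefore
       detects accidental corruption, not deliberate replacement; the
       demonstration also shows why the page pairs the fast CRCs with at
       least one message digest in the default templates.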