Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights reserved.

Transcription

1

2

3 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights reserved. All other brand or product names may be trademarks or registered trademarks of their respective companies or organizations. Tripwire, Inc. 326 SW Broadway, 3rd Floor Portland, OR US Toll-free: TRIPWIRE main: fax: tripwire@tripwire.com TW

4

5 About This Guide

6 About This Guide Document List The Tripwire License Authorization Card (LAC) provides the access code used to obtain your Tripwire software license from the Tripwire Licensing website. The Tripwire for Servers Installation Guide describes installation procedures for Tripwire for Servers software. The Tripwire for Servers User Guide describes configuration and operation of Tripwire for Servers software. The Tripwire Manager Quick Start helps you to quickly install and configure Tripwire Manager software. The Tripwire Manager User Guide describes configuration and operation of Tripwire Manager software. The Tripwire Manager and Tripwire for Servers Reference Guide contains detailed reference information about Tripwire for Servers. You can access PDF versions of the documents from the docs directory on the Tripwire Manager and Tripwire for Servers CDs. You can access online help from the Tripwire Manager interface. iv Tripwire Manager and Tripwire for Servers Reference Guide

7 About This Guide Conventions Convention Applied to... Examples Bold Italics Sans Serif... the labels of buttons, menus, fields, drop-down lists, and check boxes... menu paths... introductory sentences for procedures... book or manual titles... chapter or section titles... URLs... addresses... directory paths... filenames... command-line entries Select the Activate check box. Select File > Save. To run an integrity check: Tripwire Manager User Guide Adding a Machine admin@example.com C:\Program Files\ ReadMe.txt tripwire -m i Sans Serif Italics Brackets Note: In file or command-line text, the # character indicates a comment.... placeholders in examples for user-entered values... a set of possible user-entered options; individual options are separated by the character object1 object2 [ ] Angle brackets... placeholders for user-entered values <password> W U... sections of the text that apply only to Windows installations of Tripwire software.... sections of the text that apply only to UNIX installations of Tripwire software. W The file is saved to c:\temp. U The file is saved to /tmp. Unless otherwise specified, command-line examples assume that the Tripwire bin directory is the current working directory. Tripwire Manager and Tripwire for Servers Reference Guide v

8 About This Guide Support Contact Information Tripwire Support Web site: Tripwire Technical Support: toll-free: TWSUPPORT (6am-6pm Pacific) phone: General information: international: Tripwire Professional Services Tripwire Professional Services provides flexible service and support to meet your specific technical and deployment needs. If you would like Tripwire software deployment and implementation assistance, or additional training in using Tripwire software products, visit or contact your Tripwire sales representative. Tripwire Educational Services Tripwire Educational Services provides hands-on technical training in installing, configuring, and maintaining Tripwire software. Courses are taught by Tripwire Certified Instructors. For more information about technical training, visit or contact your Tripwire sales representative. vi Tripwire Manager and Tripwire for Servers Reference Guide

9

10

11 Contents About This Guide iii Chapter 1. Configuration Reference Files Parameters Policy File Database File Report File Site Key File Local Key File emporary Directory Data File Permissions Policy Rights Database Rights Report Rights Configuration Rights Checking Parameters Loose Directory Checking Reset Access Time raverse Mount Points Enable Event Tracking Event Tracking Flags Politeness Allow Command Execution Execute As User Global On Violation Tripwire Manager and Tripwire for Servers Reference Guide ix

12 Contents Maximum Command Processes Always Run Once Parameters Mail Method SMTP Host SMTP Port Mail Program From Address Character Encoding Report Level Mail No Violations Reports Localize Global Logging Parameters Syslog Reporting Syslog Host Syslog Report Level Syslog No Violations Syslog Const Localize Syslog Audit Log Syslog Facility Syslog Priority SNMP Parameters SNMP Host SNMP Port SNMP Community SNMP on No Violations SNMP IP Address x Tripwire Manager and Tripwire for Servers Reference Guide

13 Contents Other Parameters Editor Machine Report Level Machine Report Format Database Printing Format Database Printing Level Late Prompting Agent Configuration File PORTNUMBER IPADDRESS TWCFGFILE SITEKEYFILE TRIPWIRE TWADMIN TWPRINT AUTHKEYFILE AUTHKEYFILERIGHTS SCHEDULEFILE SCHEDULEFILERIGHTS TASKFILE TASKFILERIGHTS LOGFILE LOGFILERIGHTS AGENTCFGRIGHTS AGENTLOGGING VERBOSE Tripwire Manager and Tripwire for Servers Reference Guide xi

14 Contents Chapter 2. Policy File Reference Introduction to the Policy File Default Policy Files Policy File Resources Policy File Components Policy File Sections How to Section a Policy File Rules Object Names UNIX File System Object Names Windows File System Object Names Windows Registry Object Names Handling Special Characters in Object Names Restricted Characters in UNIX Object Names Restricted Characters in Windows Object Names Nonprintable Characters in UNIX Object Names Hexadecimal, Octal, and Unicode Characters Double-byte Characters Wildcards in Object Names White Space Properties Properties for UNIX File System Objects Properties for Windows File System Objects Properties for Windows Registry Key Objects Properties for Windows Registry Value Objects Property Issues xii Tripwire Manager and Tripwire for Servers Reference Guide

15 Contents Rule Attributes Specifying Rule Names Specifying Severity Levels Default Severity How Severity Shows Up in Tripwire Manager Specifying Recursion Turning Recursion Off Numerical Recursion Levels Executing Commands After a Violation Sample Commands Using onviolation Sending Reports Specifying Addresses Sending Global Reports Pattern Matching with Wildcards Matching Special Characters for Windows Registry Objects Filesystem Matching Examples Windows Registry Matching Examples Windows File Dependency Suppressing or Overriding Pattern Matching When Tripwire Applies Wildcard Pattern Matching Using Rule Attributes to Construct Rule Blocks Individual Rule Attributes in Rule Blocks Nesting Rule Blocks Tripwire Manager and Tripwire for Servers Reference Guide xiii

16 Contents Variables Predefined Variables Predefined Variables for UNIX File System (FS) Predefined Variables for Windows File System (NTFS). 90 Predefined Variables for Windows Registry (NTREG) Predefined Variables for Windows Registry Values User-Defined Variables Variable Substitution Exclusions Directives Directive Issues Declaring Sections Conditional Logic Nested Conditional Logic Debugging and Diagnostics Logical End of the Policy File Comments Appendices Appendix A: Windows Security Attributes Appendix B: Viewing Exit Codes Glossary xiv Tripwire Manager and Tripwire for Servers Reference Guide

17

18

19 1 Configuration Reference This section describes the Tripwire for Servers configuration file and Agent configuration file and explains how to customize them for your environment. The configuration file (tw.cfg) controls Tripwire for Servers operation on each local machine. Types of configuration file parameters include the following: Files Parameters (page 2) Checking Parameters (page 8) Parameters (page 16) Logging Parameters (page 21) SNMP Parameters (page 26) Other Parameters (page 28) Note: The Agent configuration file (agent.cfg) controls Tripwire for Servers communication with Tripwire Manager. If you run Tripwire for Servers without Tripwire Manager, this file is unused. For information on the Agent configuration file, see Agent Configuration File on page 32.

20 Chapter 1. Configuration Reference Files Parameters The file parameters specify absolute paths to Tripwire for Servers data files. These parameters are required. Tripwire for Servers does not allow you to save a configuration file if these parameters are incomplete. Caution: We strongly recommend that you use fully-qualified paths for all path values. Relative paths are a security risk and may cause unpredictable behavior on some locales. U The default values for these parameters in UNIX configuration files are identical to those shown in this section, except in UNIX, paths are delimited by / characters, not \ characters. All UNIX paths are case-sensitive. W In Windows you can use Universal Naming Convention (UNC) names (\\machine\share) for data file paths. The Tripwire Manager Files tab also contains parameters that control the access permissions for Tripwire for Servers data files. For more information on these parameters, see Data File Permissions on page 6. 2 Tripwire Manager and Tripwire for Servers Reference Guide

21 Chapter 1. Configuration Reference Policy File Specifies the path to the policy file used for integrity checking. Parameter name: Default value: POLFILE <TFS_root>\policy\tw.pol Database File Specifies the path to the database file used for integrity checking. Parameter name: Default value: DBFILE <TFS_root>\db\database.twd Tripwire Manager and Tripwire for Servers Reference Guide 3

22 Chapter 1. Configuration Reference Report File Specifies the location and naming scheme for Tripwire report files. Parameter name: Default value: Valid values: REPORTFILE <TFS_root>\report\$(HOSTNAME)-$(DATE).twr Static text and variables (see table below) You can use REPORTFILE variables, and (optionally) static text, in any combination to create a report naming scheme that works best for you. For example, if you often run partial integrity checks by rule name, you may want to use the $(RULENAME) variable. $(RULENAME) causes the software to insert rule names specified on the command line into a report file name. When $(RULENAME) is present but you do not specify rule names on the command line, the software inserts the word global into a report file name. That way you can tell a full (global) integrity check report apart from a partial (rule-specific) integrity check report. Table 1. Report file parameter variables REPORTFILE variable $(HOSTNAME) $(DATE) $(USER) $(RULENAME)* $(SECTION)* $(SEVERITY)* $(OBJECTNAME)* Report file name contains DNS hostname of integrity-checked machine year, month, date, time integrity check was initiated user account Tripwire for Servers is running as list of rules specified with the integrity check option -R (--rule-name). section specified with integrity check option -x (--section). severity level specified with integrity check option -l (--severity). list of objects as specified on the command line <object1 object2 >. * Tripwire for Servers inserts the word global in place of this variable when no corresponding values are specified on the command line. 4 Tripwire Manager and Tripwire for Servers Reference Guide

23 Chapter 1. Configuration Reference Site Key File Specifies the path to the site key file that signs the Tripwire configuration and policy files. Parameter name: Default value: SITEKEYFILE <TFS_root>\key\site.key Local Key File Specifies the path to the local key file that signs the Tripwire database file and (optionally) report files. Parameter name: Default value: LOCALKEYFILE <TFS_root>\key\local.key Temporary Directory Specifies a directory for storing Tripwire for Servers temporary files. Parameter name: Default value: TEMPDIRECTORY /tmp on UNIX systems, system default temp directory on Windows systems Tripwire Manager and Tripwire for Servers Reference Guide 5

24 Chapter 1. Configuration Reference Data File Permissions Tripwire for Servers data file permissions specify Read/Write/Execute permissions for the software s data files. The three octal digit value represents Read/Write/Execute permissions for the file s Owner, the Owner s Group, and all Others. Tripwire for Servers sets these permissions at file creation time. All Tripwire data file permissions revert to 600 (Read and write permissions only for the Owner) by default when data files permissions are not specified. Table 2. Data file permission values 1st Digit (Owner) 2nd Digit (Group) 3rd Digit (Others) Read (4) Write (2) Execute (1) sum: U In UNIX, the default value of 600 gives Read and Write permission to the Owner In UNIX, you cannot change these permissions via the system umask. W In Windows, the 2 for Owner Write permission in the first digit sum turns the file s Read-only flag on or off. A first digit of 7, 6, 3 or 2 turns OFF the Read-only flag because these digit sums contain a 2. A first digit of 5, 4 or 1 turns ON the Read-only flag because these digit sums do not contain a 2. Tripwire for Servers ignores the second and third digit in Windows. 6 Tripwire Manager and Tripwire for Servers Reference Guide

25 Chapter 1. Configuration Reference Policy Rights Specifies UNIX-style Read/Write/Execute permissions for the policy file. Parameter name: POLICYRIGHTS Default value: 600 Valid values: <3 octal digits> Database Rights Specifies UNIX-style Read/Write/Execute permissions for the database file. Parameter name: DBRIGHTS Default value: 600 Valid values: <3 octal digits> Report Rights Specifies UNIX-style Read/Write/Execute permissions for report files. Parameter name: REPORTRIGHTS Default value: 600 Valid values: <3 octal digits> Configuration Rights Specifies UNIX-style Read/Write/Execute permissions for configuration files. Parameter name: CFGRIGHTS Default value: 600 Valid values: <3 octal digits> Tripwire Manager and Tripwire for Servers Reference Guide 7

26 Chapter 1. Configuration Reference Checking Parameters Loose Directory Checking Suppresses the software s checking of some directory and registry key properties. Reduces duplicate violations (one for the change to an object and one for the change to its parent directory or registry key). Parameter name: Default value: Valid values: LOOSEDIRECTORYCHECKING true true or false If false, Tripwire for Servers reports two violations for some changes to files and subkeys (one for the file or subkey and one for its parent directory or registry key). If true, Tripwire for Servers ignores the following properties so that the change to a parent directory or registry key is not reported. Caution: Setting this parameter to true may introduce a security risk because Tripwire for Servers does not report some changes to directories and keys. Table 3. Loose Directory Checking behavior Monitored Object UNIX directories Windows directories Windows registry keys Properties Ignored File size, number of links, access time, change time, modification time, number of blocks allocated, growing files, and all hashes Last write time, and last access time Number of subkeys, maximum length of subkey name, number of values, maximum length of value name, maximum length of data for any value in the key, and last write time 8 Tripwire Manager and Tripwire for Servers Reference Guide

27 Chapter 1. Configuration Reference W Reset Access Time Causes Tripwire for Servers to reset the access time of a file system object to the value it was when the software accessed the object. During integrity checks, Tripwire for Servers accessing of file system objects changes their access time value. This can cause false-positive violations when monitoring objects for access time change. To retain original access times for data forensics, set this parameter to true. Parameter name: Default value: Valid values: RESETACCESSTIME true true or false U Traverse Mount Points Causes Tripwire for Servers to cross file system mount points during integrity checks. Parameter name: Default value: Valid values: TRAVERSEMOUNTS false true or false Caution: By default, Tripwire for Servers does not cross file system mount points during integrity checks. Setting this parameter to true may introduce security risks. If you set this parameter to true we recommend you limit recursion by adding recurse attributes to the policy file. For more information, see Specifying Recursion on page 72. Tripwire Manager and Tripwire for Servers Reference Guide 9

28 Chapter 1. Configuration Reference Enable Event Tracking This parameter turns event tracking on and off. See the Tripwire for Servers User Guide for more information on event tracking. Parameter name: Valid values: Default value: EVENT_TRACKING true or false false Event Tracking Flags Specifies additional events for Tripwire for Servers to track, if event tracking is enabled. Parameter name: EVENT_FLAGS Valid values: +r +x +f Default value: none For this version of Tripwire for Servers, the following types of events may be tracked, in addition to the default events described in the Tripwire for Servers User Guide. Table 4. Event Tracking Flags options Flag Description +r Track successful attempts to read files +x Track successful attempts to execute files +f Track failed attempts, in addition to successful ones. Can be used with other flags. +f will track successful or failed attempts to write to an object +r+f will track successful or failed attempts to read or write +r+x+f will track successful or failed attempts to read, write, or execute 10 Tripwire Manager and Tripwire for Servers Reference Guide

29 Chapter 1. Configuration Reference Politeness Controls the balance between CPU usage and the amount of time operations take to complete. Parameter name: POLITENESS Default value: 0 Valid values: 0 to 5; f0 to f If this value is set, Tripwire for Servers yields CPU time to other processes during integrity checks and database initialization operations according to the table below: Table 5. Politeness options Value Description 0 No pauses. This is the default setting. 1 Pause for one second after every 10 files. 2 Pause for one second after every 5 files. 3 Pause for one second after every 3 files. 4 Pause for one second after every 2 files. 5 Pause for one second after every file. fx Pause for one second after every x files. x can be any number from 0 to Allow Command Execution Turns command execution on or off. For more information on command execution, see Executing Commands After a Violation on page 74. Parameter name: Valid values: Default value: ALLOWEXECUTE true or false false Tripwire Manager and Tripwire for Servers Reference Guide 11

30 Chapter 1. Configuration Reference Execute As User Specifies a user account to run integrated command execution child processes under. Cannot be set to root or 0. Parameter name: Valid values: Dependency: EXEC_AS_USER any user name or numeric user ID ALLOWEXECUTE must be set to true Global On Violation Specifies a command to be executed once per each violation detected by an integrity check. The command must be the absolute path to an executable file (including any options and arguments). Global On Violation supports the same set of arguments as the onviolation attribute in the policy file. For more information, see Executing Commands After a Violation on page 74. When a path contains white space, you must quote it: GLOBALONVIOLATION="c:\program files\notepad.exe" %r If a path does not contain white space, do not quote it: GLOBALONVIOLATION=c:\winnt\system32\notepad.exe %r Global On Violation commands are overridden by policy file onviolation commands. This means that a rule s onviolation command will run instead of a Global On Violation command, for that rule only, when violations occur. For more information on command execution, see Executing Commands After a Violation on page Tripwire Manager and Tripwire for Servers Reference Guide

31 Chapter 1. Configuration Reference Parameter name: Valid values: Dependency: GLOBALONVIOLATION absolute path to an existing executable file ALLOWEXECUTE must be set to true Maximum Command Processes Specifies the maximum number of processes that integrated command execution can spawn for each integrity check. This does not affect any commands spawned by the Always Run Once parameter. If this parameter is omitted the default value of -1 will be used, which allows Tripwire for Servers to spawn an unlimited number of processes. Parameter name: MAXPROCESSES Valid values: -1 to Default value: -1 Dependency: ALLOWEXECUTE must be set to true Tripwire Manager and Tripwire for Servers Reference Guide 13

32 Chapter 1. Configuration Reference Always Run Once Specifies a command to be executed exactly once after an integrity check, whether or not any violations are found. The command must be the absolute path to an executable file (including any options and arguments). When a path contains white space, you must quote it: ALWAYSRUNONCE="c:\program files\notepad.exe" %r If a path does not contain white space, do not quote it: ALWAYSRUNONCE=c:\winnt\system32\notepad.exe %r Only a specific subset of arguments is supported for Always Run Once commands (see Table 6). Always Run Once commands run in addition to any policy file onviolation commands. For more information on onviolation, see Executing Commands After a Violation on page 74. Parameter name: Valid values: Dependency: ALWAYSRUNONCE absolute path to an existing executable file ALLOWEXECUTE must be set to true 14 Tripwire Manager and Tripwire for Servers Reference Guide

33 Chapter 1. Configuration Reference Table 6. Always Run Once options Argument Expands to %d The full path to the database file used for the integrity check. To return only the name of the database file (instead of the full path), follow %d with n, like this: %dn %r The full path to the.twr report file created for the integrity check. To return only the name of the report file (instead of the full path), follow %r with n, like this: %rn %c Writes a plain-text single-line report to a temp file and expands the %c argument to the full path to this temp file. %tf Writes a full report to a temp file. You can follow %tf with these modifiers to specify a report format: x specifies XML output h specifies HTML output c specifies Classic (plain text) output %h Information about the machine where the violation occurred. You can follow %h with these modifiers: f returns the fully-qualified domain name n returns just the machine name i returns the machine s IP address d returns the machine s host ID %k Quoted level 0 (one-line) report. %u Username of the account that ran the integrity check. Tripwire Manager and Tripwire for Servers Reference Guide 15

34 Chapter 1. Configuration Reference Parameters Mail Method Specifies a protocol for sending reports. Parameter name: Valid values: Default value: MAILMETHOD SMTP, sendmail, or MAPI SMTP W MAPI works only if a MAPI-enabled mail client is open on the Tripwire for Servers machine. For the best security, use SMTP or sendmail. SMTP Host Specifies the domain name or IP address of the SMTP server when Mail Method is set to SMTP. Parameter name: Dependency: Valid values: SMTPHOST Mail Method must be set to SMTP IP address or domain name of SMTP server SMTP Port Specifies the port number for SMTP when Mail Method is set to SMTP. Parameter name: SMTPPORT Dependency: Mail Method must be set to SMTP Default value: 25 Valid values: 1 to Tripwire Manager and Tripwire for Servers Reference Guide

35 Chapter 1. Configuration Reference Mail Program Specifies a path and arguments to a mail program for sendmail. If the path contains spaces, it must be quoted. The specified executable must be executable by the user creating the policy file. The mail program must: Take an RFC822-style mail header. List recipients in the To field of the mail header (the -t commandline option to sendmail produces this behavior). Ignore lines of a single period (the -oi command-line option to sendmail produces this behavior). Parameter name: Dependency: Case-sensitive: MAILPROGRAM Mail Method must be set to sendmail yes From Address Specifies a resolvable From address for reports sent via SMTP or sendmail. This parameter does not work with MAPI. Parameter name: Valid values: Example: Case-sensitive: MAILFROMADDRESS one resolvable SMTP address root@domain.com no (both Root@domain.com and root@domain.com are acceptable) Some mail servers may not deliver without a resolvable From address in the mail header. MAILFROMADDRESS causes Tripwire for Servers to place the specified resolvable From address into the mail header of reports. This decreases the possibility that a mail server may refuse to deliver Tripwire reports. Tripwire Manager and Tripwire for Servers Reference Guide 17

36 Chapter 1. Configuration Reference Character Encoding Specifies a character set for Tripwire SMTP reports. This parameter does not work with MAPI. Parameter name: Default value: Valid values: MAILENCODING auto auto (detects the OS character set) none (no specific character set) ISO-2022-JP Report Level This parameter specifies a level of detail for reports. Parameter name: REPORTLEVEL Default value: 3 Valid values: 0 to 4 Table 7. Report Level options Value Description 0 Single line summary report; lists total adds, removes and changes 1 Parsable list of all violated objects 2 Summary report; lists violations by section and rule name 3 Lists added object and removed object violations plus expected vs. observed properties for modified object violations 4 Level 3 plus all properties of all violated objects 18 Tripwire Manager and Tripwire for Servers Reference Guide

37 Chapter 1. Configuration Reference Mail No Violations Reports Causes Tripwire for Servers to send notification even when integrity checks detect no violations. For the highest security, set this parameter to true. Parameter name: Default value: Valid values: MAILNOVIOLATIONS true true or false If true, Tripwire for Servers sends an to notify you that no violations were found. This allows you to distinguish between integrity checks that detect no violations and scheduled integrity checks that fail to run. If false, Tripwire for Servers does not send notification when it detects no violations. Localize Controls localization of reports on Japanese locales. Parameter name: Default value: Valid values: MAIL_LOCALIZED true true or false If true, Tripwire for Servers sends Japanese reports on Japanese host machines. If false, Tripwire for Servers sends English reports on all locales. This helps to work around servers and clients that do not handle multi-byte characters well. Tripwire Manager and Tripwire for Servers Reference Guide 19

38 Chapter 1. Configuration Reference Global Specifies addresses to receive all reports after each integrity check. This is in addition to addresses specified with to attributes in the policy file. When Mail No Violations is set to false, a global address does not receive reports when integrity checks detect no violations. Parameter name: Default value: Valid values: GLOBAL none any valid address or addresses Delimit strings of multiple addresses with semicolons or commas. GLOBAL =user@domain.com,root@domain.com # or GLOBAL =user@domain.com;root@domain.com If Mail Method is set to MAPI, you can use MAPI addresses. W GLOBAL =Joe Admin,Root # or GLOBAL =Joe Admin;Root For more information on the to attribute, see Sending Reports on page Tripwire Manager and Tripwire for Servers Reference Guide

39 Chapter 1. Configuration Reference Logging Parameters Syslog Reporting Causes Tripwire for Servers to log a record of database initializations, integrity checks, database updates, policy file updates, and commands executed by Tripwire (see Executing Commands After a Violation on page 74) to a system log file. Parameter name: Default value: Valid values: SYSLOGREPORTING false true or false U In UNIX, by default Tripwire for Servers makes log entries to the syslog from the user facility at the notice level. W In the Windows operating system, by default Tripwire for Servers makes log entries to the application event log. W Syslog Host Causes Tripwire for Servers to log syslog entries to a remote host or number of host machines (in addition to the local machine s syslog). Note: Without third-party tools, Tripwire for Servers cannot remotely log Windows machine integrity check information to a UNIX machine. Also, Tripwire for Servers cannot remotely log to the Security Log. Parameter name: Valid values: Dependency: SYSLOGHOST \\remote_host SYSLOGREPORTING must be set to true Tripwire Manager and Tripwire for Servers Reference Guide 21

40 Chapter 1. Configuration Reference You can specify multiple remote hosts like this. Precede each host name with two \ characters. W SYSLOGHOST=\\host1 \\host2 \\host3... Syslog Report Level Specifies a level of detail for syslog entries made for integrity checks. Parameter name: SYSLOGREPORTLEVEL Dependency: SYSLOGREPORTING must be set to true Default value: 0 Valid values: 0 to 2 Table 8. Syslog Report Level options Value Description 0 A single line summary; lists total adds, removes, and changes 1 A separate syslog entry for each violation; entry shows that a violation occurred, and its severity if applicable 2 A separate syslog entry for each violated property; each entry shows that a violation occurred, which property was violated, and its severity if applicable 22 Tripwire Manager and Tripwire for Servers Reference Guide

41 Chapter 1. Configuration Reference Syslog No Violations Causes Tripwire for Servers to log notification to syslog when an integrity check detects no violations. For the highest security, set this parameter to true. Parameter name: Default value: Valid values: Dependency: SYSLOGNOVIOLATIONS true true or false SYSLOGREPORTING must be set to true If true, Tripwire for Servers logs a message to syslog to notify you that no violations were found. This allows you to distinguish between integrity checks that detect no violations and scheduled integrity checks that fail to run. If false, Tripwire for Servers does not log a message to syslog when an integrity check detects no violations. Syslog Const Controls the extent of Tripwire for Servers syslogging. Parameter name: Default value: Valid values: Dependency: SYSLOG_CONST false true or false SYSLOGREPORTING must be set to true If true, Tripwire for Servers logs to syslog all events that use a Tripwire for Servers executable, including events that do not change the state of Tripwire for Servers files (such as printing reports, examining encryption, or accessing help on the command line). If false, Tripwire for Servers only logs events that change the state of Tripwire for Servers files (such as encrypting a file, removing encryption from a file, updating a database, etc.). Tripwire Manager and Tripwire for Servers Reference Guide 23

42 Chapter 1. Configuration Reference Localize Syslog Controls localization of syslog messages on Japanese locales. Parameter name: Default value: Valid values: SYSLOG_LOCALIZED false true or false If true, Tripwire for Servers logs syslog messages in Japanese on Japanese locales. If false, Tripwire for Servers logs syslog messages in English on all locales. This helps to work around syslog utilities that do not handle multi-byte characters well. Audit Log Causes Tripwire for Servers to write audit log entries with the same level of report information specified by the SYSLOGREPORTLEVEL parameter. Allows integration of Tripwire for Servers integrity check information with other applications that read audit entries. Available for Windows, Solaris, AIX, Tru64, and HP-UX. Parameter name: Dependencies: Default value: Valid values: AUDITLOG SYSLOGREPORTING must be set to true SYSLOGREPORTLEVEL determines level of audit log information false true or false 24 Tripwire Manager and Tripwire for Servers Reference Guide

43 Chapter 1. Configuration Reference Syslog Facility Specifies the destination facility for syslog entries made by Tripwire. Parameter name: Valid values: Dependency: SYSLOG_FACILITY Varies by operating system (see table below) SYSLOGREPORTING must be set to true Table 9. Syslog Facility options Operating System UNIX Valid Values user, local0 through local7, auth, authpriv Default: user Windows application, system Default: application Syslog Priority Allows Tripwire for Servers to access the numeric range of syslog priorities (as supported by a machine s OS). Parameter name: Valid values: Dependency: SYSLOG_PRIORITY Varies by operating system (see table below) SYSLOGREPORTING must be set to true Table 10. Syslog Priority options Operating System UNIX Priority Range 0 (debug) 7 (emergency) Windows 0 3 Default: 2 (notice) Default: 1 Tripwire Manager and Tripwire for Servers Reference Guide 25

44 Chapter 1. Configuration Reference SNMP Parameters Tripwire for Servers can send Simple Network Management Protocol version 1 (SNMPv1) messages to an enterprise management host after each integrity check. These parameters control this SNMP feature. A Management Information Base (MIB) file containing information for Tripwire for Servers SNMP traps is located on the Tripwire for Servers CD in the SNMP directory. SNMP Host Causes Tripwire for Servers to send an SNMP message trap to the specified host. The information sent is identical to a level 0 report (a one-line summary of total violations). To specify multiple SNMP hosts, separate each host with white space. Parameter name: Valid values: SNMPHOST IP address or domain name of SNMP host SNMP Port Specifies which port on the SNMP host Tripwire for Servers should use for SNMP traffic. Parameter name: SNMPPORT Default value: 162 Valid values: 1 to Tripwire Manager and Tripwire for Servers Reference Guide

45 Chapter 1. Configuration Reference SNMP Community Sets the community name in SNMP trap messages from Tripwire for Servers. This option is only relevant for SNMP version 1. Parameter name: Default value: Valid values: SNMPCOMMUNITY public any text string SNMP on No Violations Causes Tripwire for Servers to send an SNMP trap even when integrity checks detect no violations. For the highest security, set this parameter to true. Parameter name: Default value: Valid values: SNMPNOVIOLATIONS true true or false If false, Tripwire for Servers does not send SNMP traps when it detects no violations. If true, Tripwire for Servers sends an SNMP trap to notify you that no violations were found. This allows you to distinguish between integrity checks that detect no violations and scheduled integrity checks that fail to run. SNMP IP Address Controls which network interface card (NIC) Tripwire for Servers sends SNMP message traps on. Parameter name: Valid values: Default value: SNMP_IPADDRESS any IP address Tripwire for Servers machine s first NIC IP address Tripwire Manager and Tripwire for Servers Reference Guide 27

46 Chapter 1. Configuration Reference Other Parameters Editor Sets an absolute path to a text editor for interactive integrity checks and database updates (see the Tripwire for Servers User Guide). Interactive integrity checks allow an interactive update of the database file directly after an integrity check. If the path to the executable contains white space, it must be quoted. Parameter name: Valid values: Default value: EDITOR an absolute path to an existing executable file /bin/vi on UNIX systems system default text editor on Windows systems To be a valid text editor, a text editor must: Accept a file on the command line. Support multi-byte characters. Exit with 0 status on success and non-0 status on error. U Both vi and emacs satisfy the text editor requirements in UNIX. If the configuration file does not specify an editor and no editor is specified on the command line, Tripwire for Servers looks at the $VISUAL or $EDITOR environment variables. If these do not specify an editor, Tripwire for Servers displays an error message. W Both Notepad and Wordpad satisfy the text editor requirements in Windows. 28 Tripwire Manager and Tripwire for Servers Reference Guide

47 Chapter 1. Configuration Reference Machine Report Level Specifies a default level of detail for Tripwire report files generated from the command line. Parameter name: REPORTLEVEL Default value: 3 Valid values: 0 to 4 Table 11. Machine Report Level options Value Description 0 Single line summary report; lists total adds, removes and changes 1 Parsable list of all violated objects 2 Summary report; lists violations by section and rule name 3 Lists added object and removed object violations plus expected vs. observed properties for modified object violations 4 Level 3 plus all properties of all violated objects Machine Report Format Specifies a default format for Tripwire report files generated from the command line. Parameter name: Default value: Valid values: REPORTFORMAT classic (plain text) classic, HTML, XML Tripwire Manager and Tripwire for Servers Reference Guide 29

48 Chapter 1. Configuration Reference Database Printing Format Specifies a default format for Tripwire database files printed from the command line. Parameter name: Default value: Valid values: DBPRINTFORMAT classic (plain text) classic, HTML, XML Database Printing Level Specifies a default level of detail for Tripwire database files printed from the command line. Parameter name: DBPRINTLEVEL Default value: 2 Valid values: 0 to 2 Table 12. Database Printing Level options Value Description 0 Summary of the database file, without objects 1 All objects in the database file 2 All objects in the database file, plus properties monitored for each object 30 Tripwire Manager and Tripwire for Servers Reference Guide

49 Chapter 1. Configuration Reference Late Prompting Causes Tripwire for Servers to delay the prompt for passphrases on the command line until the last moment. This minimizes the amount of time a passphrase stays in memory. Parameter name: Default value: Valid values: LATEPROMPTING true true or false For the highest security, set Late Prompting to true. Tripwire Manager and Tripwire for Servers Reference Guide 31

50 Chapter 1. Configuration Reference Agent Configuration File The Tripwire Agent manages communication between Tripwire for Servers and Tripwire Manager. On UNIX systems, the Tripwire Agent is a daemon. On Windows systems, the Tripwire Agent is a service. The Agent configuration file parameters control Tripwire Agent operations. By default, the Agent configuration file is located in the Tripwire for Servers bin directory. You can only edit the Agent configuration file using a text editor on the local machine. You must restart the Tripwire Agent daemon or service to enable any changes you make to the Agent configuration file. For more information on the Agent configuration file, see the Tripwire for Servers User Guide. Caution: We strongly recommend that you use fully-qualified paths for all path values. Relative paths are a security risk and may cause unpredictable behavior on some locales. PORTNUMBER This parameter specifies the port used for communication with Tripwire Manager. Default value: 1169 (registered Tripwire port) Valid values: 1 to Ports below 1024 are restricted to system access only. If you do not use port 1169, choose only a known available port. 32 Tripwire Manager and Tripwire for Servers Reference Guide

51 Chapter 1. Configuration Reference IPADDRESS This parameter specifies an IP address for Tripwire Agent communication with Tripwire Manager. Valid values: any IP Address If a Tripwire for Servers machine has more than one network interface card (NIC), use this parameter to specify the NIC you want Tripwire Agent to listen on. If you do not specify an IP address, Tripwire Agent uses the Tripwire for Servers machine s first NIC IP address by default. TWCFGFILE This parameter s value is the path to the configuration file. The Tripwire Agent reads the configuration file for the location of the Tripwire data files. Default value: <TFS_root>\bin\tw.cfg SITEKEYFILE This parameter s value is the path to the site key that cryptographically signs the agent.cfg file. Default value: <TFS_root>\key\site.key This may be the same site key file used to sign Tripwire data files, or a different site key file. Tripwire Manager and Tripwire for Servers Reference Guide 33

52 Chapter 1. Configuration Reference TRIPWIRE This parameter specifies the path to the tripwire executable file. Default value: <TFS_root>\bin\tripwire.exe TWADMIN This parameter specifies the path to the twadmin executable file. Default value: <TFS_root>\bin\twadmin.exe TWPRINT This parameter specifies the path to the twprint executable file. Default value: <TFS_root>\bin\twprint.exe AUTHKEYFILE This parameter specifies the path to the authentication key file. The authentication key file stores the keys Tripwire Agent uses to authenticate connections with Tripwire Manager. Default value: <TFS_root>\key\authentication.dat 34 Tripwire Manager and Tripwire for Servers Reference Guide

53 Chapter 1. Configuration Reference AUTHKEYFILERIGHTS This parameter specifies UNIX-style Read/Write/Execute permissions for the authentication key file. Default value: 600 For more information on data file permissions, see Data File Permissions on page 6. SCHEDULEFILE This parameter specifies the path to the schedule file. The schedule file stores scheduling information for integrity checks. Default value: <TFS_root>\db\schedule.dat SCHEDULEFILERIGHTS This parameter specifies UNIX-style Read/Write/Execute permissions for the schedule file. Default value: 600 For more information on data file permissions, see Data File Permissions on page 6. TASKFILE This parameter specifies the path to the task file. The task file stores information about completed tasks. Default value: <TFS_root>\db\tasks.dat Tripwire Manager and Tripwire for Servers Reference Guide 35

54 Chapter 1. Configuration Reference TASKFILERIGHTS This parameter specifies UNIX-style Read/Write/Execute permissions for the task file. Default value: 600 For more information on data file permissions, see Data File Permissions on page 6. LOGFILE This parameter specifies the path to the log file. Default value <TFS_root>\report\agent.log LOGFILERIGHTS This parameter specifies UNIX-style Read/Write/Execute permissions to the log file. Default value: 600 For more information on data file permissions, see Data File Permissions on page 6. AGENTCFGRIGHTS This parameter specifies UNIX-style Read/Write/Execute permissions for agent configuration files. Default value: Tripwire Manager and Tripwire for Servers Reference Guide

55 Chapter 1. Configuration Reference AGENTLOGGING This parameter controls logging to the agent.log file. If set to true, Tripwire Agent logs information to the file. Default value: true VERBOSE This parameter specifies the level of information provided by Tripwire executable files. If set to true, Tripwire Agent calls executable files with the --verbose option. Default value: false Tripwire Manager and Tripwire for Servers Reference Guide 37

56

57 2 Policy File Reference This chapter describes the Tripwire for Servers policy file and explains how to customize it for your environment. Topics include: Introduction to the Policy File (page 40) Policy File Sections (page 43) Rules (page 46) Rule Attributes (page 67) Variables (page 86) Exclusions (page 97) Directives (page 98) Comments (page 105)

58 Chapter 2. Policy File Reference Introduction to the Policy File The policy file contains policies or rules for specific objects (such as files, directories, and registry keys) on a computer system. By writing policy file rules, you specify which system objects Tripwire for Servers scans during integrity checks. By modifying policy file rules, you change how Tripwire for Servers scans objects during integrity checks. The policy file performs two functions. Initially, it acts as a blueprint for the Tripwire database file. When you initialize a database file, Tripwire for Servers reads the policy file to determine which objects and properties to include in the database file s baseline data. Later, Tripwire for Servers reads the policy file each time it performs an integrity check. It then scans the system according to the policy file s rules and compares the scan against the baseline data in the database file. Inconsistencies between the two sets of data are reported as violations or errors in the integrity check s report file. Default Policy Files Tripwire for Servers installs a minimal default policy file (twpol.txt, located in the Tripwire policy directory) for your operating system (OS). This default policy file monitors basic components common to all versions of your OS. It does not monitor the applications or files specific to your system (you must add rules for these). Because the policy file specifies which objects Tripwire for Servers monitors, it is very important to customize a policy file for your specific system configuration. A customized policy file allows Tripwire for Servers to provide the best integrity assurance for your system. 40 Tripwire Manager and Tripwire for Servers Reference Guide

59 Chapter 2. Policy File Reference Policy File Resources The following resources are available to help you construct a customized policy file for your system. The Tripwire Manager Policy File Editor provides a way to quickly create or edit policy files through a graphical user interface. For more information, see the Tripwire Manager User Guide. This section describes the policy file language. You can construct your own rules easily after learning a few basic syntax principles. For more information, see Policy File Components on page 42. The Tripwire for Servers CD and Tripwire Manager CD policyfiles directories contain default policy files you can use as a starting point for developing your own policy file. For more information, see the Tripwire Manager Quick Start. Tripwire Manager and Tripwire for Servers Reference Guide 41