I downloaded tripwire-2.3-47.bin.tar.gz, untarred it and ran ./install.sh for this product. While doing ./install.sh I got the message CLOBBER is false.
After that, I tried tripwire -init to create my database; see the result below:
trinity:~/tripwire-2.3 # tripwire -init
### Phase 1: Reading configuration file
error: syntax error at line 2 in config file
### Phase 2: Generating file list
### Phase 3: Creating file information database
### Warning: Database file placed in ./databases/tw.db_trinity.
### Make sure to move this file file and the configuration
### to secure media!
### (Tripwire expects to find it in '/etc/tw'.)
...does anybody know what's up here??
What do the first few lines of your twcfg.txt file read?
Here is the complete twcfg.txt. Thx!
trinity:/etc/tripwire # more twcfg.txt
MAILPROGRAM =/usr/lib/sendmail -oi -t
Hmmm... your cfg file looks good to me. Your original post references an "/etc/tw.config" file. Do you have one of those? I don't. You also mentioned that you got an error during the installation. Maybe that failed to install properly and you should try re-installing. Here is a snippet about Tripwire Setup from my manual (I interface to Tripwire in a security tool I have at www.nsoco.com):
5.3.5 Tripwire Setup for system reviews
Before any further customization is performed on the system, Tripwire
should be installed, configured, and implemented. Tripwire v2.3 software
ensures the integrity of critical system files and directories by
identifying all changes made to specified system files and directories.
Configure Tripwire software to monitor your system in the way that is best
for you. Tripwire software works by comparing files and directories against
a baseline. It generates the baseline by taking a "snapshot" of specified
files and directories in a known secure state. Tripwire software then
compares the current system against the baseline and reports any
modifications, additions, or deletions. Use Tripwire software for system
security, intrusion detection, damage assessment, and recovery forensics.
The configuration file stores system-specific information, such as the
location of Tripwire data files. Tripwire software generates some of the
configuration file information during installation. The system administrator
can change parameters in the configuration file at any time. The
configuration file variables POLFILE, DBFILE, REPORTFILE, SITEKEYFILE, and
LOCALKEYFILE specify where the policy file, database file, report files,
and site and local key files reside. These variables must be defined or the
configuration file is invalid. If any of these variables are undefined, an
error occurs on execution of Tripwire software and the program exits.
The policy file begins as a text file containing comments, rules, directives,
and variables. These dictate the way Tripwire software checks your system.
Each rule in the policy file specifies a system object to be monitored.
Rules also describe which changes to the object to report, and which to
ignore. System objects are the files and directories you wish to monitor.
Each object is identified by an object name. A property refers to a single
characteristic of an object that Tripwire software can monitor. Directives
control conditional processing of sets of rules in a policy file. During
installation, the text policy file is encrypted and renamed, and becomes
the active policy file.
The database file is an important component of Tripwire software. When first
installed, Tripwire software uses the policy file rules to create the
database file. The database file is a baseline "snapshot" of the system in
a known secure state. Tripwire software compares this baseline against the
current system to determine what changes have occurred. This is an integrity
check. When you perform an integrity check, Tripwire software produces
The report files summarize any changes that violated the policy file rules
during the integrity check. You can view the report file in a variety of
formats, at varying levels of detail.
Tripwire Installation
The Tripwire software may be automatically downloaded to the system as
part of the System installation. If a pre-built version of Tripwire is
not available for this operating environment then follow the normal package
installation options for that system.
On Linux systems:
1. Locate the RPM directory on the CD or download it from the Internet.
2. Locate the Tripwire RPM.
3. Type rpm -i (name of rpm file)
The Tripwire binary installs the basic program files needed to run the
software. However, this installation does not complete custom configurations
that Tripwire needs to perform correctly. After you unpack the RPM, you must
either edit the twpol.txt and twcfg.txt files and run:
or do this manually using the following guide:
1. Run the configuration script: /etc/tripwire/twinstall.sh
to sign these files. This script walks you through the processes of
setting passphrases and signing the Tripwire policy and configuration
Note: Once encoded and signed, the configuration file should not be
renamed or moved.
2. Initialize the Tripwire database file: /usr/sbin/tripwire --init
3. Run the first integrity check: /usr/sbin/tripwire --check
4. Edit the configuration file twcfg.txt to customize the configuration
for this system
5. Edit the policy file twpol.txt to customize the policies for this system
Note: If you plan to modify the policy file, do so before running the
configuration script. If you modify the policy file after running the
configuration script, you must re-run the configuration file before
initializing the database file.
Selecting Passphrases
Tripwire files are signed or encrypted using site or local keys. These keys
are protected by passphrases. When selecting passphrases, the following
- Use at least eight alphanumeric and symbolic characters for each
passphrase. The maximum length of a passphrase is 1023 characters.
- Quotes should not be used as passphrase characters.
- Assign a unique passphrase for the site key. The site key passphrase
protects the site key, which is used to sign Tripwire software
configuration and policy files.
- Assign a unique passphrase for the local key. The local key signs Tripwire
database files. The local key may sign the Tripwire report files also.
- Store the passphrases in a secure location. There is no way to remove
encryption from a signed file if you forget your passphrase. If you forget
the passphrases, the files are unusable. In that case you must
reinitialize the baseline database.
Updating the Configuration File
You can specify how Tripwire software should check your system and where to
find files by default in the Tripwire configuration file twcfg.txt. A
default configuration file is included in the Tripwire software installation.
This configuration file should be reviewed and if necessary updated to fit
this particular system. After modifying the policy file, run the
configuration script. This script signs the modified policy file and
renames it to tw.cfg. This is the active configuration file that runs as
part of the Tripwire software and directs the way that Tripwire software
scans the system.
Below is a sample twcfg.txt file:
MAILPROGRAM =/usr/sbin/sendmail -oi -t
The syntax for Configuration Update mode is:
Updating the Policy File
You can specify how Tripwire software checks the system in the Tripwire
policy file twpol.txt. A default policy file is included in the Tripwire
software installation. This policy file should be updated to fit this
particular system. Tailoring the policy file greatly increases Tripwire
software's ability to ensure the integrity of the system.
Below is a sample section of the policy file, but it is not the entire policy:
    # Temporary directories
    (
      rulename = "Temporary directories",
      recurse = false,
      severity = $(SIG_LOW)
    )
    {
      /usr/tmp -> $(SEC_INVARIANT) ;
      /var/tmp -> $(SEC_INVARIANT) ;
      /tmp -> $(SEC_INVARIANT) ;
    }
    (
      rulename = "Shell Binaries",
      severity = $(SIG_HI)
    )
    {
      /bin/ksh -> $(SEC_BIN) ;
      /bin/sh -> $(SEC_BIN) ;
      /bin/bash -> $(SEC_BIN) ;
      /bin/tcsh -> $(SEC_BIN) ;
    }
    # Security files
    (
      rulename = "Security Control",
      severity = $(SIG_HI)
    )
    {
      /etc/group -> $(SEC_CRIT) ;
      /etc/security -> $(SEC_CRIT) ;
      /var/spool/cron -> $(SEC_CRIT) ;
    }
After modifying the policy file, run the configuration script. This script
signs the modified policy file and renames it to tw.pol. This is the active
policy file that runs as part of the Tripwire software and changes the way
that Tripwire software scans the system by changing the rules in the policy
file. You can then update the database without a complete re-initialization,
saving a significant amount of time and preserving security by keeping the
policy file synchronized with the database it uses. The syntax for Policy
Update mode is:
Initializing the Database
In Database Initialization mode, Tripwire software builds a database of
filesystem objects based on the rules in the policy file. This database
serves as the baseline for integrity checks. The syntax for Database
Initialization mode is:
Running an Integrity Check
The Integrity Check mode compares the current file system objects with
their properties recorded in the Tripwire database. Violations are printed
to stdout. The report file is saved and can later be accessed by twprint.
An email option enables you to send email. The syntax for Integrity Check
Printing Reports
The twprint --print-report mode prints the contents of a Tripwire report.
If you do not specify a report with the --twrfile or -r command-line
argument, the default report file specified by the configuration file
REPORTFILE variable is used. Example: On a machine named LIGHTHOUSE, the
command would be:
./twprint -m r --twrfile LIGHTHOUSE-19990622-021212.twr
Updating the Database after an Integrity Check
Database Update mode enables you to update the Tripwire database after an
integrity check if you determine that the violations discovered are valid.
This update process saves time by enabling you to update the database
without having to re-initialize it. It also enables selective updating,
which cannot be done through re-initialization. The syntax for Database
Update mode is:
Something else to keep in mind: there are two incarnations of the tripwire config file: twcfg.txt (cleartext config file) and tw.cfg (encoded/signed config file). The cleartext one is what you'd make changes to, but you must then 'promote' this version to the official tw.cfg file with the following command:
twadmin -m F -S ../key/site.key twcfg.txt
Conversely, you can output the contents of the tw.cfg file by issuing:
twadmin -m f > twcfg.txt
Other noteworthy evidence: the db init shows that it's building a database called tw.db_trinity, even though the config file shows that it should be trinity.twd.
So, in summary: just because your twcfg.txt file shows everything to be a-okay doesn't mean that the 'real' config file is using the same settings. I'd suggest outputting the current file (using the second command above) and posting it here, so we can get a better idea of what's going on.
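The two points made above, that twcfg.txt must define POLFILE, DBFILE, REPORTFILE, SITEKEYFILE and LOCALKEYFILE, and that a database name in the tripwire output that does not match the cleartext DBFILE means the signed tw.cfg in use is not the file being edited, can be checked offline. The following is an added example written for this thread; it is not code from the thread or from Tripwire. The sample config, its paths and the $(HOSTNAME) placeholder layout are constructed assumptions, the policy sample is the manual's excerpt with its rule delimiters, and the regular-expression parsing is a deliberately small reading of the two formats, not Tripwire's own parser.

```python
import os
import re

# The manual quoted above: these variables must be defined or the config is invalid.
REQUIRED_CFG_VARS = ("POLFILE", "DBFILE", "REPORTFILE", "SITEKEYFILE", "LOCALKEYFILE")

NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# A policy rule block:  ( attr = value, ... ) { /path -> $(MASK) ; ... }
RULE_RE = re.compile(r"\(\s*(?P<attrs>.*?)\s*\)\s*\{(?P<body>.*?)\}", re.DOTALL)
OBJECT_RE = re.compile(r"^\s*(?P<path>\S+)\s*->\s*(?P<mask>\S+)\s*;", re.MULTILINE)


def parse_config(text):
    """Parse 'NAME = value' lines of a cleartext twcfg.txt into (variables, errors).
    errors holds (line_number, message) pairs, the information tripwire itself
    summarises as 'syntax error at line N in config file'."""
    variables, errors = {}, []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            errors.append((number, "expected NAME = value"))
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if not NAME_RE.fullmatch(name):
            errors.append((number, f"bad variable name {name!r}"))
            continue
        variables[name] = value
    return variables, errors


def missing_required(variables):
    """Required variables the config does not define (empty list when valid)."""
    return [name for name in REQUIRED_CFG_VARS if name not in variables]


def expand(value, hostname):
    """Expand $(HOSTNAME) (assumed placeholder in paths); other $(...) tokens stay."""
    return value.replace("$(HOSTNAME)", hostname)


def database_mismatch(variables, hostname, observed_path):
    """Compare DBFILE from the cleartext config with the database path that
    'tripwire --init' reported. A different name means the signed tw.cfg in
    use is not the twcfg.txt being edited. Returns None when they agree."""
    if "DBFILE" not in variables:
        return "DBFILE is not defined in the cleartext config"
    expected = expand(variables["DBFILE"], hostname)
    if os.path.basename(expected) == os.path.basename(observed_path):
        return None
    return (f"twcfg.txt expects {expected} but tripwire wrote {observed_path}: "
            "the active tw.cfg differs from twcfg.txt; dump it with twadmin -m f")


def parse_policy(text):
    """Parse twpol.txt rule blocks into dicts of attributes plus an 'objects' list."""
    stripped = re.sub(r"#[^\n]*", "", text)  # drop comments before matching
    rules = []
    for match in RULE_RE.finditer(stripped):
        rule = {}
        for attr in match.group("attrs").split(","):
            if "=" in attr:
                key, value = (part.strip() for part in attr.split("=", 1))
                rule[key] = value.strip('"')
        rule["objects"] = [(m.group("path"), m.group("mask"))
                           for m in OBJECT_RE.finditer(match.group("body"))]
        rules.append(rule)
    return rules


# Constructed sample config: paths and the $(HOSTNAME) layout are assumptions.
SAMPLE_CFG = """\
POLFILE      =/etc/tripwire/tw.pol
DBFILE       =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE   =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE  =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
MAILPROGRAM  =/usr/lib/sendmail -oi -t
"""

# Two rules from the manual's policy excerpt, with their delimiters.
SAMPLE_POLICY = """\
# Temporary directories
(
  rulename = "Temporary directories",
  recurse = false,
  severity = $(SIG_LOW)
)
{
  /usr/tmp -> $(SEC_INVARIANT) ;
  /var/tmp -> $(SEC_INVARIANT) ;
  /tmp     -> $(SEC_INVARIANT) ;
}
# Security files
(
  rulename = "Security Control",
  severity = $(SIG_HI)
)
{
  /etc/group      -> $(SEC_CRIT) ;
  /etc/security   -> $(SEC_CRIT) ;
  /var/spool/cron -> $(SEC_CRIT) ;
}
"""
```

Running `database_mismatch(parse_config(SAMPLE_CFG)[0], "trinity", "./databases/tw.db_trinity")` reproduces the diagnosis from this thread: the cleartext file promises trinity.twd while the binary wrote tw.db_trinity, so the settings actually in force are whatever `twadmin -m f` prints, not what is in twcfg.txt.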
Thanx to all... I just removed once again all files somehow concerning tripwire and reinstalled it. It works fine now! Thanx all for the help!