installation tripwire: failing tripwire -init

  • emulefreak

    Hello all,

    I downloaded tripwire-2.3-47.bin.tar.gz, untarred it and ran ./ on this product. While doing ./ I got the message CLOBBER is false.

    After that, I tried tripwire -init to create my database; see below for the result:

    trinity:~/tripwire-2.3 # tripwire -init
    ### Phase 1:   Reading configuration file
    error: syntax error at line 2 in config file
            '/etc/tw.config' !
    ### Phase 2:   Generating file list
    ### Phase 3:   Creating file information database
    ### Warning:   Database file placed in ./databases/tw.db_trinity.
    ###            Make sure to move this file file and the configuration
    ###            to secure media!
    ###            (Tripwire expects to find it in '/etc/tw'.)

    Does anybody know what's up here?

    • Bob Mahan

      what does the first few lines of your twcfg.txt file read?

      • emulefreak

        here is the complete twcfg.txt. thx!

        trinity:/etc/tripwire # more twcfg.txt
        ROOT          =/usr/sbin
        POLFILE       =/etc/tripwire/tw.pol
        DBFILE        =/var/lib/tripwire/$(HOSTNAME).twd
        REPORTFILE    =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
        SITEKEYFILE   =/etc/tripwire/site.key
        LOCALKEYFILE  =/etc/tripwire/trinity-local.key
        EDITOR        =/bin/vi
        LATEPROMPTING =false
        REPORTLEVEL   =3
        SYSLOGREPORTING =false
        MAILPROGRAM   =/usr/lib/sendmail -oi -t

        • Bob Mahan

          Hmmm... your cfg file looks good to me. Your original post references an "/etc/tw.config" file. Do you have one of those? I don't. You also mentioned that you got an error during the installation. Maybe that failed to install completely and you should try re-installing. Here is a snippet about Tripwire Setup from my manual (I interface to Tripwire in a security tool I have at

          5.3.5 Tripwire Setup for system reviews

             Before any further customization is performed on the system, Tripwire
             should be installed, configured, and implemented. Tripwire v2.3 software
             ensures the integrity of critical system files and directories by
             identifying all changes made to specified system files and directories.
             Configure Tripwire software to monitor your system in the way that is best
             for you. Tripwire software works by comparing files and directories against
             a baseline. It generates the baseline by taking a "snapshot" of specified
             files and directories in a known secure state. Tripwire software then
             compares the current system against the baseline and reports any
             modifications, additions, or deletions. Use Tripwire software for system
             security, intrusion detection, damage assessment, and recovery forensics.

             Tripwire Components

             The configuration file stores system-specific information, such as the
             location of Tripwire data files. Tripwire software generates some of the
             configuration file information during installation. The system administrator
             can change parameters in the configuration file at any time. The
             configuration file variables POLFILE, DBFILE, REPORTFILE, SITEKEYFILE, and
             LOCALKEYFILE specify where the policy file, database file, report files,
             and site and local key files reside. These variables must be defined or the
             configuration file is invalid. If any of these variables are undefined, an
             error occurs on execution of Tripwire software and the program exits.

             The policy file begins as a text file containing comments, rules, directives,
             and variables. These dictate the way Tripwire software checks your system.
             Each rule in the policy file specifies a system object to be monitored.
             Rules also describe which changes to the object to report, and which to
             ignore. System objects are the files and directories you wish to monitor.
             Each object is identified by an object name. A property refers to a single
             characteristic of an object that Tripwire software can monitor. Directives
             control conditional processing of sets of rules in a policy file. During
             installation, the text policy file is encrypted and renamed, and becomes
             the active policy file.

             The database file is an important component of Tripwire software. When first
             installed, Tripwire software uses the policy file rules to create the
             database file. The database file is a baseline "snapshot" of the system in
             a known secure state. Tripwire software compares this baseline against the
             current system to determine what changes have occurred. This is an integrity
             check. When you perform an integrity check, Tripwire software produces
             report files.

             The report files summarize any changes that violated the policy file rules
             during the integrity check. You can view the report file in a variety of
             formats, at varying levels of detail.

             Tripwire Installation

             The Tripwire software may be automatically downloaded to the system as
             part of the System installation.  If a pre-built version of Tripwire is
             not available for this operating environment then follow normal package
             installations options for that system.

             On Linux systems :

             1. Locate the RPM directory on the CD or download it from the Internet.
             2. Locate the Tripwire RPM.
             3. Type rpm -i (name of rpm file)

             The Tripwire binary installs the basic program files needed to run the
             software. However, this installation does not complete custom configurations
             that Tripwire needs to perform correctly. After you unpack the RPM, you must
             either edit the twpol.txt and twcfg.txt files and run:

                  vi /home/netsec/data/twpol.txt
                  vi /home/netsec/data/twcfg.txt

             or do this manually using the following guide:

             1. Run the configuration script:   /etc/tripwire/ 
                to sign these files. This script walks you through the processes of 
                setting passphrases and signing the Tripwire policy and configuration 

                Note: Once encoded and signed, the configuration file should not be 
                      renamed or moved.

             2. Initialize the Tripwire database file:  /usr/sbin/tripwire --init
             3. Run the first integrity check:  /usr/sbin/tripwire --check
             4. Edit the configuration file twcfg.txt to customize the configuration
                for this system
             5. Edit the policy file twpol.txt to customize the policies for this system

             Note: If you plan to modify the policy file, do so before running the
                   configuration script. If you modify the policy file after running the
                   configuration script, you must re-run the configuration file before
                   initializing the database file.

             Selecting Passphrases

             Tripwire files are signed or encrypted using site or local keys. These keys
             are protected by passphrases. When selecting passphrases, the following
             recommendations apply:
             - Use at least eight alphanumeric and symbolic characters for each
               passphrase. The maximum length of a passphrase is 1023 characters.
             - Quotes should not be used as passphrase characters.
             - Assign a unique passphrase for the site key. The site key passphrase
               protects the site key, which is used to sign Tripwire software
               configuration and policy files.
             - Assign a unique passphrase for the local key. The local key signs Tripwire
               database files. The local key may sign the Tripwire report files also.
             - Store the passphrases in a secure location. There is no way to remove
               encryption from a signed file if you forget your passphrase. If you forget
               the passphrases, the files are unusable. In that case you must
               reinitialize the baseline database.

             Updating the Configuration File

             You can specify how Tripwire software should check your system and where to
             find files by default in the Tripwire configuration file twcfg.txt. A
             default configuration file is included in the Tripwire software installation.
             This configuration file should be reviewed and if necessary updated to fit
             this particular system. After modifying the policy file, run the
             configuration script. This script signs the modified policy file and
             renames it to tw.cfg. This is the active configuration file that runs as
             part of the Tripwire software and directs the way that Tripwire software
             scans the system.

          Below is a sample twcfg.txt file:

          ROOT                   =/usr/sbin
          POLFILE                =/etc/tripwire/tw.pol
          DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
          REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
          SITEKEYFILE            =/etc/tripwire/site.key
          LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
          EDITOR                 =/bin/vi
          LATEPROMPTING          =true
          MAILNOVIOLATIONS       =false
          EMAILREPORTLEVEL       =3
          REPORTLEVEL            =3
          MAILMETHOD             =SENDMAIL
          SYSLOGREPORTING        =true
          MAILPROGRAM            =/usr/sbin/sendmail -oi -t
          GLOBALEMAIL            =root

             The syntax for Configuration Update mode is:

                tripwire --update-policy

             Updating the Policy File

             You can specify how Tripwire software checks the system in the Tripwire
             policy file twpol.txt. A default policy file is included in the Tripwire
             software installation. This policy file should be updated to fit this
             particular system. Tailoring the policy file greatly increases Tripwire
             software's ability to ensure the integrity of the system.

             Below is a sample section of the policy file, but is not the entire policy

          # Temporary directories
            rulename = "Temporary directories",
            recurse = false,
            severity = $(SIG_LOW)
            /usr/tmp                             -> $(SEC_INVARIANT) ;
            /var/tmp                             -> $(SEC_INVARIANT) ;
            /tmp                                 -> $(SEC_INVARIANT) ;
          # Shells
            rulename = "Shell Binaries",
            severity = $(SIG_HI)
            /bin/ksh                             -> $(SEC_BIN) ;
            /bin/sh                              -> $(SEC_BIN) ;
            /bin/bash                            -> $(SEC_BIN) ;
            /bin/tcsh                            -> $(SEC_BIN) ;
          # Security files
            rulename = "Security Control",
            severity = $(SIG_HI)
            /etc/group                           -> $(SEC_CRIT) ;
            /etc/security                        -> $(SEC_CRIT) ;
            /var/spool/cron                      -> $(SEC_CRIT) ;

             After modifying the policy file, run the configuration script. This script
             signs the modified policy file and renames it to tw.pol. This is the active
             policy file that runs as part of the Tripwire software and changes the way
             that Tripwire software scans the system by changing the rules in the policy
             file. You can then update the database without a complete re-initialization
             and save a significant amount of time and preserves security by keeping the
             policy file synchronized with the database it uses. The syntax for Policy
             Update mode is:

               tripwire --update-policy

             Initializing the Database

             In Database Initialization mode, Tripwire software builds a database of
             filesystem objects based on the rules in the policy file. This database
             serves as the baseline for integrity checks. The syntax for Database
             Initialization mode is:

               tripwire --init

             Running an Integrity Check

             The Integrity Check mode compares the current file system objects with
             their properties recorded in the Tripwire database. Violations are printed
             to stdout. The report file is saved and can later be accessed by twprint.
             An email option enables you to send email. The syntax for Integrity Check
             mode is:

               tripwire --check

             Printing Reports

             The twprint --print-report mode prints the contents of a Tripwire report.
             If you do not specify a report with the --twrfile or -r command-line
             argument, the default report file specified by the configuration file
             REPORTFILE variable is used. Example: On a machine named LIGHTHOUSE, the
             command would be:

               ./twprint -m r --twrfile LIGHTHOUSE-19990622-021212.twr

             Updating the Database after an Integrity Check

             Database Update mode enables you to update the Tripwire database after an
             integrity check if you determine that the violations discovered are valid.
             This update process saves time by enabling you to update the database
             without having to re-initialize it. It also enables selective updating,
             which cannot be done through re-initialization. The syntax for Database
             Update mode is:

               tripwire --update
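The manual excerpt quoted above shows a simplified policy-file fragment (attribute lines such as `rulename = "..."`, followed by `object -> property-mask ;` lines). The following script is an added example, not part of the thread and not Tripwire's own code: it parses that fragment into one record per monitored object so the rules can be listed or filtered by severity before the policy is signed. The SIG_LOW/SIG_MED/SIG_HI values are assumed from a stock twpol.txt, since the fragment on the page does not define them; the SEC_* masks are left unexpanded because the page never defines them either.

```python
"""Added example, not from this thread or from Tripwire's sources.

Parses the simplified policy fragment quoted in the manual excerpt into a
list of monitored objects, each tagged with the rulename, numeric severity
and recurse flag in force when the object line appeared.
"""
import re

# Assumed severity levels; a stock twpol.txt defines these three variables.
SEVERITY_VARS = {"SIG_LOW": 33, "SIG_MED": 66, "SIG_HI": 100}

_ATTR = re.compile(r'^\s*(\w+)\s*=\s*"?([^",]*)"?\s*,?\s*$')   # name = value,
_OBJ = re.compile(r"^\s*(\S+)\s*->\s*(\S+)\s*;")                # path -> mask ;
_VAR = re.compile(r"^\$\((\w+)\)$")                             # $(NAME)

# Constructed sample: the fragment quoted on the page.
POLICY_FRAGMENT = """\
# Temporary directories
  rulename = "Temporary directories",
  recurse = false,
  severity = $(SIG_LOW)
  /usr/tmp                             -> $(SEC_INVARIANT) ;
  /var/tmp                             -> $(SEC_INVARIANT) ;
  /tmp                                 -> $(SEC_INVARIANT) ;
# Shells
  rulename = "Shell Binaries",
  severity = $(SIG_HI)
  /bin/ksh                             -> $(SEC_BIN) ;
  /bin/sh                              -> $(SEC_BIN) ;
  /bin/bash                            -> $(SEC_BIN) ;
  /bin/tcsh                            -> $(SEC_BIN) ;
# Security files
  rulename = "Security Control",
  severity = $(SIG_HI)
  /etc/group                           -> $(SEC_CRIT) ;
  /etc/security                        -> $(SEC_CRIT) ;
  /var/spool/cron                      -> $(SEC_CRIT) ;
"""


def severity_value(text):
    """Resolve $(SIG_x) through SEVERITY_VARS; pass plain integers through."""
    m = _VAR.match(text)
    if m:
        return SEVERITY_VARS[m.group(1)]
    return int(text)


def parse_policy(text):
    """Return a list of dicts with rulename, severity, recurse, path and mask.

    Attribute lines accumulate into the current rule; a new `rulename`
    starts a fresh attribute set, so `recurse = false` in one rule does not
    leak into the next.  Unrecognised lines raise ValueError.
    """
    attrs = {}
    objects = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if not line.strip():
            continue
        m = _OBJ.match(line)
        if m:
            objects.append({
                "rulename": attrs.get("rulename", ""),
                "severity": severity_value(attrs.get("severity", "0")),
                "recurse": attrs.get("recurse", "true") != "false",
                "path": m.group(1),
                "mask": m.group(2),
            })
            continue
        m = _ATTR.match(line)
        if not m:
            raise ValueError("unparsed policy line: %r" % raw)
        if m.group(1) == "rulename":
            attrs = {}
        attrs[m.group(1)] = m.group(2).strip()
    return objects


def paths_at_or_above(objects, severity):
    """Sorted paths whose rule severity is at least `severity`."""
    return sorted(o["path"] for o in objects if o["severity"] >= severity)


if __name__ == "__main__":
    for obj in parse_policy(POLICY_FRAGMENT):
        print("%-22s %3d %-16s %s" % (obj["rulename"], obj["severity"],
                                      obj["path"], obj["mask"]))
    print("high severity:", paths_at_or_above(parse_policy(POLICY_FRAGMENT), 100))
```

A real twpol.txt wraps attributes in parentheses and object lines in braces, so this parser handles only the flattened form shown on the page; extending it to the full grammar means tracking the `(...)` and `{ ... }` delimiters rather than relying on line shape.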

    • Jason I.

      Something else to keep in mind:  there are two incarnations of the tripwire config file:  twcfg.txt (cleartext config file) and tw.cfg (encoded/signed config file).  The cleartext one is what you'd make changes to, but you must then 'promote' this version to the official tw.cfg file with the following command:

      twadmin -m F -S ../key/site.key twcfg.txt

      Conversely, you can output the contents of the tw.cfg file by issuing:

      twadmin -m f > twcfg.txt

      Other noteworthy evidence:  the db init shows that it's building a database called tw.db_trinity, even though the config file shows that it should be trinity.twd.

      So- in summary, just because your twcfg.txt file shows everything to be a-okay, doesn't mean that the 'real' config file is using the same settings.  I'd suggest outputting the current file (using second command above) and posting it here, so we can get a better idea of what's going on.


      • emulefreak

        Thanks to all... I just removed once again all files somehow concerning tripwire and reinstalled it. It works fine now! Thanks all for the help!
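Two points from the thread can be checked mechanically: the manual excerpt says a twcfg.txt is invalid unless POLFILE, DBFILE, REPORTFILE, SITEKEYFILE and LOCALKEYFILE are all defined, and Jason's post warns that the cleartext twcfg.txt may not match the signed tw.cfg that tripwire actually reads. The script below is an added example, not from the thread and not Tripwire's own code. It parses a cleartext config with an assumed `NAME = VALUE` grammar, reports a syntax error with its line number (the shape of the error the original poster saw), lists missing required variables, expands `$(HOSTNAME)`/`$(DATE)`, and diffs two parsed configs. The sample configs are constructed: POSTED_CFG is the file shown in the thread, and ACTIVE_CFG is a hypothetical stale signed config; in practice you would feed the output of `twadmin -m f` into `parse_twcfg()` instead.

```python
"""Added example (not from this thread or from Tripwire's sources).

Validate a cleartext twcfg.txt and compare it with the active config.
"""
import re
import socket
import time

# The manual lists these as mandatory; tripwire exits if any is undefined.
REQUIRED = ("POLFILE", "DBFILE", "REPORTFILE", "SITEKEYFILE", "LOCALKEYFILE")

# Assumed grammar: NAME = VALUE on one line; '#' starts a comment; blanks ignored.
_ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

# Constructed sample: the poster's twcfg.txt as shown in the thread.
POSTED_CFG = """\
ROOT          =/usr/sbin
POLFILE       =/etc/tripwire/tw.pol
DBFILE        =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE    =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE   =/etc/tripwire/site.key
LOCALKEYFILE  =/etc/tripwire/trinity-local.key
EDITOR        =/bin/vi
LATEPROMPTING =false
REPORTLEVEL   =3
SYSLOGREPORTING =false
MAILPROGRAM   =/usr/lib/sendmail -oi -t
"""

# Constructed: a hypothetical stale signed config whose DBFILE points
# elsewhere, the kind of mismatch Jason suggests checking with `twadmin -m f`.
ACTIVE_CFG = POSTED_CFG.replace(
    "DBFILE        =/var/lib/tripwire/$(HOSTNAME).twd",
    "DBFILE        =./databases/tw.db_$(HOSTNAME)")

# Constructed: line 2 has no '=', so parsing must fail at line 2.
BROKEN_CFG = "ROOT =/usr/sbin\nPOLFILE /etc/tripwire/tw.pol\nDBFILE =/tmp/x.twd\n"


def syntax_check(text):
    """None if every non-blank, non-comment line is NAME = VALUE; otherwise a
    tripwire-style message naming the first offending line."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]
        if not line.strip():
            continue
        if not _ASSIGN.match(line):
            return "syntax error at line %d in config file" % lineno
    return None


def parse_twcfg(text):
    """Parse a cleartext config into a dict; raise ValueError on a syntax error."""
    err = syntax_check(text)
    if err:
        raise ValueError(err)
    cfg = {}
    for raw in text.splitlines():
        m = _ASSIGN.match(raw.split("#", 1)[0])
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def missing_required(cfg):
    """Names from REQUIRED that are absent or empty."""
    return [k for k in REQUIRED if not cfg.get(k)]


def expand(value, hostname=None, date=None):
    """Expand the $(HOSTNAME) and $(DATE) references used in the sample config."""
    hostname = hostname or socket.gethostname()
    date = date or time.strftime("%Y%m%d-%H%M%S")
    return value.replace("$(HOSTNAME)", hostname).replace("$(DATE)", date)


def diff_configs(cleartext, active):
    """Variables whose value differs between twcfg.txt and the signed tw.cfg."""
    return {k: (cleartext.get(k), active.get(k))
            for k in sorted(set(cleartext) | set(active))
            if cleartext.get(k) != active.get(k)}


if __name__ == "__main__":
    print(syntax_check(BROKEN_CFG))
    cfg = parse_twcfg(POSTED_CFG)
    print("missing:", missing_required(cfg))
    print("db:", expand(cfg["DBFILE"], hostname="trinity"))
    print("diff:", diff_configs(cfg, parse_twcfg(ACTIVE_CFG)))
```

On a real host, run `twadmin -m f` with the site key available, save its output to a file, and pass both that text and twcfg.txt through `parse_twcfg()` before calling `diff_configs()`; a non-empty result means the cleartext file was edited without being re-signed into tw.cfg.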