NAME
twfiles - overview of files used by Tripwire and file backup process
DESCRIPTION
Configuration
File
default: /etc/tripwire/tw.cfg
The configuration file stores system-specific information,
such as the location of Tripwire data files. The
configuration settings are generated during the installation
process, but can be changed by the system administrator at
any time. See the twconfig(4) man page for a more
complete discussion.
Policy File
default: /etc/tripwire/tw.pol
The policy file consists of a series of rules specifying the
system objects that Tripwire should monitor, and the
data for each object that should be collected and stored in
the database file. Should unexpected changes occur, the
policy file can describe the person to be notified and the
severity of the violation. See the policyguide.txt
file in the policy directory and the twpolicy(4) man
page for a more complete discussion.
Database
File
default: /var/lib/$(HOSTNAME).twd
The database file serves as the baseline for integrity
checking. After installation, Tripwire creates the
initial database file, a "snapshot" of the
filesystem in a known secure state. Later, when an integrity
check is run, Tripwire compares each system object
described in the policy file against its corresponding entry
in the database. A report is created, and if an object has
changed outside of constraints defined in the policy file, a
violation is reported. See the tripwire(8) and
twprint(8) man pages for more information on creating
and maintaining database files.
Report Files
default:
/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
Once the above three files have been created,
Tripwire can run an integrity check and search for
any differences between the current system and the data
stored in the "baseline" Tripwire database.
This information is archived into report files, a collection
of rule violations discovered during an integrity check.
With the appropriate settings, a report can also be emailed
to one or more recipients. See the tripwire(8) and
twprint(8) man pages for information on creating and
printing report files.
Key Files
defaults: /etc/tripwire/site.key and
/etc/tripwire/$(HOSTNAME)-local.key
It is critical that Tripwire files be protected from
unauthorized access--an attacker who is able to modify these
files can subvert Tripwire operation. For this
reason, all of the above files are signed using public key
cryptography to prevent unauthorized modification. Two
separate sets of keys protect critical Tripwire data
files. One or both of these key sets is necessary for
performing almost every Tripwire task.
The site key is used to protect files that could be used across several systems. This includes the policy and configuration files. The local key is used to protect files specific to the local machine, such as the Tripwire database. The local key may also be used for signing integrity check reports. See the twadmin(8) man page for more information on keys.
File
Backup
To prevent the accidental deletion of important data,
Tripwire automatically creates backup files whenever
any Tripwire file is overwritten. The existing file
will be renamed with a .bak extension, and the new
version of the file will take its place. Only one backup
copy for each filename can exist at any time. If a backup
copy of a file already exists, the older backup file will be
deleted and replaced with the newer one.
File backup is an integral part of Tripwire, and cannot be removed or changed.
VERSION INFORMATION
This man page describes Tripwire 2.4.
AUTHORS
Tripwire, Inc.
COPYING PERMISSIONS
Permission is granted to make and distribute verbatim copies of this man page provided the copyright notice and this permission notice are preserved on all copies.
Permission is granted to copy and distribute modified versions of this man page under the conditions for verbatim copying, provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one.
Permission is granted to copy and distribute translations of this man page into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by Tripwire, Inc.
Copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. in the United States and other countries. All rights reserved.
SEE ALSO
twintro(8), tripwire(8), twadmin(8), twprint(8), siggen(8), twconfig(4), twpolicy(4)