19.3. Customizing Tripwire

After you have installed the Tripwire RPM, you must complete the following steps to initialize the software:

19.3.1. Edit /etc/tripwire/twcfg.txt

Although you are not required to edit this sample Tripwire configuration file, you may find it necessary for your situation. For instance, you may want to alter the location of Tripwire files, customize email settings, or customize the level of detail for reports.

Below is a list of required user configurable variables in the /etc/tripwire/twcfg.txt file:

ImportantImportant
 

If you edit the configuration file and leave any of the above variables undefined, the configuration file will be invalid. If this occurs, when you execute the tripwire command it will report an error and exit.

The rest of the configurable variables in the sample /etc/tripwire/twcfg.txt file are optional. These include the following:

After editing the sample configuration file, you will need to configure the sample policy file.

WarningWarning
 

For security purposes, you should either delete or store in a secure location any copies of the plain text /etc/tripwire/twcfg.txt file after running the installation script or regenerating a signed configuration file. Alternatively, you can change the permissions so that it is not world readable.

19.3.2. Edit /etc/tripwire/twpol.txt

Although it is not required, you should edit this heavily commented sample Tripwire policy file to take into account the specific applications, files, and directories on your system. Relying on the unaltered sample configuration from the RPM may not adequately protect your system.

Modifying the policy file also increases the usefulness of Tripwire reports by minimizing false alerts for files and programs you are not using and by adding functionality, such as email notification.

NoteNote
 

Notification via email is not configured by default. See Section 19.8.1 Tripwire and Email for more on configuring this feature.

If you modify the sample policy file after running the configuration script, see Section 19.8 Updating the Tripwire Policy File for instructions on regenerating a signed policy file.

WarningWarning
 

For security purposes, you should either delete or store in a secure location any copies of the plain text /etc/tripwire/twpol.txt file after running the installation script or regenerating a signed configuration file. Alternatively, you can change the permissions so that it is not world readable.

19.3.3. Run the twinstall.sh Script

As the root user, type /etc/tripwire/twinstall.sh at the shell prompt to run the configuration script. The twinstall.sh script will ask you for site and local passwords. These passwords are used to generate cryptographic keys for protecting Tripwire files. The script then creates and signs these files.

When selecting the site and local passwords, you should consider the following guidelines:

The site key password protects the Tripwire configuration and policy files. The local key password protects the Tripwire database and report files.

WarningWarning
 

There is no way to decrypt a signed file if you forget your password. If you forget the passwords, the files are unusable and you will have to run the configuration script again.

By encrypting its configuration, policy, database, and report files, Tripwire protects them from being viewed by anyone who does not know the site and local passwords. This means that, even if an intruder obtains root access to your system, they will not be able to alter the Tripwire files to hide their tracks.

Once encrypted and signed, the configuration and policy files generated by running the twinstall.sh script should not be renamed or moved.