Characters used in property masks, with descriptions:
- Ignore the following properties + Record and check the following properties a Access timestamp b Number of blocks allocated c Inode timestamp (create/modify) d ID of device on which inode resides g File owner's group ID i Inode number l File is increasing in size (a "growing file") m Modification timestamp n Number of links (inode reference count) p Permissions and file mode bits r ID of device pointed to by inode (valid only for device objects) s File size t File type u File owner's user ID C CRC-32 hash value H Haval hash value M MD5 hash value S SHA hash value
Template Function +mask The properties following the + sign are to be monitored for the file or directory. -mask The properties following the - sign are to be ignored for the specified file or directory. R Used with read-only files (+pingsum12-ac34546789) L Used with log files (+pinug-sacm123456789) N +pinugsamc123456789 Template is used to ignore nothing. E -pinugsamc123456789 Template is used to ignore everything. > Used for files that will increase in size. An alarm is tripped when the file size is smaller than it previously was.
ReadOnly is good for files that are widely available but are intended to be read-only.
Dynamic is good for monitoring user directories and files that tend to be dynamic in behavior.
The Growing variable is intended for files that should only get larger.
Device is good for devices or other files that Tripwire should not attempt to open.
IgnoreAll tracks a file's presence or absence, but doesn't check any other properties.
IgnoreNone turns on all properties and provides a convenient starting point for defining your own property masks. (For example, mymask = $(IgnoreNone) -ar;)
The CWrulename attribute is used to associate a rule or set of rules with a specific name. In a report file, this name will be associated with violations to the specified rule. This feature is useful if you want to track certain objects within a large Tripwire database. For instance, if you associate the rule name "watchme" with important files, you can sort through the Tripwire report using "watchme" as a sorting key.
Example: /etc -> +ug (rulename=watchme);
CWemailto The CWemailto attribute associates one or more email addresses with a rule or group of rules. When an integrity check is run with the --email-report option and a rule is violated, a report of that violation will be sent to the specified email address(es), using the report format specified by the CWEMAILREPORTLEVEL variable in the configuration file.
Example: /etc -> +ug (email@example.com);
To specify multiple email addresses, include them as a quoted, semicolon-delimited list.
/etc -> +ug (emailto="firstname.lastname@example.org;email@example.com");
CWseverity The CWseverity attribute associates a numeric severity level with a rule. When Tripwire is run in Integrity Checking mode, it is possible to specify that only rules exceeding a certain severity level are used. The default severity level is 0, and values can range from 0 to 1,000,000. Example: /etc -> +ug (severity=50); CWrecurse The CWrecurse attribute specifies how a rule will scan directories. Valid values for CWrecurse are true, false, or a number from -1 to 1,000,000. If CWrecurse is set to true (or -1), tripwire will recursively scan the entire contents of the directory (both files and subdirectories). When CWrecurse is set to false (or 0), and the rule refers to a directory, Tripwire will scan the inode of the directory but none of the files or subdirectories contained therein. For positive CWrecurse value n, the rule will monitor all objects up to n levels below the start point. Stop points within the recursed directory still apply, and will prevent the specified file or directory from being scanned.