Tripwire variables

From wikiGite

 
(Règles additionnelles)
 
(9 révisions intermédiaires par un autre utilisateur non affichées)
Ligne 1 : Ligne 1 :
 
Current version dated 31 October 2008 at 08:48

Characters used in property masks, with descriptions:

   -      Ignore the following properties
   +     Record and check the following properties
   a     Access timestamp
   b     Number of blocks allocated
   c     Inode timestamp (create/modify)
   d     ID of device on which inode resides
   g     File owner's group ID
   i     Inode number
   l     File is increasing in size (a "growing file")
   m     Modification timestamp
   n     Number of links (inode reference count)
   p     Permissions and file mode bits
   r     ID of device pointed to by inode
         (valid only for device objects)
   s     File size
   t     File type
   u     File owner's user ID
   C     CRC-32 hash value
   H     Haval hash value
   M     MD5 hash value
   S     SHA hash value
   Template   Function
   +mask      The properties following the + sign are to be monitored for the file or directory.
   -mask      The properties following the - sign are to be ignored for the specified file or directory.
   R          Used with read-only files (+pingsum12-ac34546789)
   L          Used with log files (+pinug-sacm123456789)
   N          +pinugsamc123456789 Template is used to ignore nothing.
   E          -pinugsamc123456789 Template is used to ignore everything.
   >          Used for files that will increase in size. An alarm is tripped when the file size is smaller than it previously was.

ReadOnly is good for files that are widely available but are intended to be read-only.

Value: +pinugtsdbmCM-rlacSH

Dynamic is good for monitoring user directories and files that tend to be dynamic in behavior.

Value: +pinugtd-srlbamcCMSH

The Growing variable is intended for files that should only get larger.

Value: +pinugtdl-srbamcCMSH

Device is good for devices or other files that Tripwire should not attempt to open.

Value: +pugsdr-intlbamcCMSH

IgnoreAll tracks a file's presence or absence, but doesn't check any other properties.

Value: -pinugtsdrlbamcCMSH

IgnoreNone turns on all properties and provides a convenient starting point for defining your own property masks. (For example, mymask = $(IgnoreNone) -ar;)

Value: +pinugtsdrbamcCMSH-l


Additional rules

rulename

The rulename attribute is used to associate a rule or set of rules with a specific name. In a report file, this name will be associated with violations to the specified rule. This feature is useful if you want to track certain objects within a large Tripwire database. For instance, if you associate the rule name "watchme" with important files, you can sort through the Tripwire report using "watchme" as a sorting key.

Example: /etc -> +ug (rulename=watchme);

emailto

The emailto attribute associates one or more email addresses with a rule or group of rules. When an integrity check is run with the --email-report option and a rule is violated, a report of that violation will be sent to the specified email address(es), using the report format specified by the EMAILREPORTLEVEL variable in the configuration file.

Example: /etc -> +ug (emailto=admin@domain.com);

To specify multiple email addresses, include them as a quoted, semicolon-delimited list.

Example: /etc -> +ug (emailto="admin@foo.com;admin2@foo.com");

severity

The severity attribute associates a numeric severity level with a rule. When Tripwire is run in Integrity Checking mode, it is possible to specify that only rules exceeding a certain severity level are used. The default severity level is 0, and values can range from 0 to 1,000,000.

Example: /etc -> +ug (severity=50);

recurse

The recurse attribute specifies how a rule will scan directories. Valid values for recurse are true, false, or a number from -1 to 1,000,000. If recurse is set to true (or -1), Tripwire will recursively scan the entire contents of the directory (both files and subdirectories). When recurse is set to false (or 0) and the rule refers to a directory, Tripwire will scan the inode of the directory but none of the files or subdirectories contained therein. For a positive recurse value n, the rule will monitor all objects up to n levels below the start point. Stop points within the recursed directory still apply, and will prevent the specified file or directory from being scanned.
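The following Python script is an added example, not part of the wiki page or of Tripwire's own code. It implements the property-mask semantics described on this page (a + or - sets the mode for the characters that follow it, later characters override earlier ones, and $(Name) expands one of the predefined variables, whose values are copied from the page) together with the range rules for the severity and recurse attributes and the quoted, semicolon-delimited emailto list. The parse_rule function and the rule-line grammar it accepts are a simplified form of Tripwire's policy language and are assumptions of this example; they are useful for checking what a mask such as $(IgnoreNone) -ar actually turns on before the policy is compiled.

```python
"""Expand Tripwire property masks and check rule attributes.

Added example (not from the wiki page or the Tripwire project). The
variable values below are copied from the page; the rule-line grammar
accepted by parse_rule() is a simplified form of Tripwire's policy
language and is an assumption of this example.
"""
import re

# Property characters from the page's table, mapped to what they check.
PROPERTIES = {
    "a": "access timestamp",      "b": "number of blocks allocated",
    "c": "inode timestamp",       "d": "ID of device holding the inode",
    "g": "file owner's group ID", "i": "inode number",
    "l": "growing file",          "m": "modification timestamp",
    "n": "number of links",       "p": "permissions and mode bits",
    "r": "ID of device pointed to by inode", "s": "file size",
    "t": "file type",             "u": "file owner's user ID",
    "C": "CRC-32 hash",           "H": "Haval hash",
    "M": "MD5 hash",              "S": "SHA hash",
}

# Predefined variables, values as listed on the page.
VARIABLES = {
    "ReadOnly":   "+pinugtsdbmCM-rlacSH",
    "Dynamic":    "+pinugtd-srlbamcCMSH",
    "Growing":    "+pinugtdl-srbamcCMSH",
    "Device":     "+pugsdr-intlbamcCMSH",
    "IgnoreAll":  "-pinugtsdrlbamcCMSH",
    "IgnoreNone": "+pinugtsdrbamcCMSH-l",
}


def expand_variables(mask, variables=VARIABLES):
    """Replace every $(Name) reference in a mask with that variable's text."""
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError("undefined variable $(%s)" % name)
        return variables[name]
    return re.sub(r"\$\((\w+)\)", substitute, mask)


def parse_mask(mask):
    """Return (checked, ignored) property sets for a mask such as '$(IgnoreNone) -ar'.

    A '+' or '-' sets the mode for the characters that follow it; a later
    character overrides an earlier one, so '+pinug-ug' checks only p, i and n.
    Properties never mentioned in the mask are ignored.
    """
    checked = set()
    mode = None
    for ch in expand_variables(mask).replace(" ", ""):
        if ch in "+-":
            mode = ch
        elif ch not in PROPERTIES:
            raise ValueError("unknown property character %r" % ch)
        elif mode is None:
            raise ValueError("mask must start with + or -")
        elif mode == "+":
            checked.add(ch)
        else:
            checked.discard(ch)
    return frozenset(checked), frozenset(PROPERTIES) - checked


def parse_recurse(value):
    """Normalise recurse: true -> -1, false -> 0, otherwise an int in -1..1,000,000."""
    if value.lower() == "true":
        return -1
    if value.lower() == "false":
        return 0
    depth = int(value)
    if not -1 <= depth <= 1_000_000:
        raise ValueError("recurse out of range: %d" % depth)
    return depth


# object -> mask (attr=value, ...);  the attribute list is optional and, as a
# simplification, must contain '=' so that "$(ReadOnly)" is not taken for it.
RULE_RE = re.compile(
    r"^\s*(?P<obj>\S+)\s*->\s*(?P<mask>.+?)\s*(?:\((?P<attrs>[^)]*=[^)]*)\))?\s*;\s*$")


def parse_rule(line):
    """Parse one policy rule into its object, checked/ignored properties and attributes."""
    match = RULE_RE.match(line)
    if not match:
        raise ValueError("not a rule: %r" % line)
    checked, ignored = parse_mask(match.group("mask"))
    attributes = {}
    for item in (match.group("attrs") or "").split(","):
        if not item.strip():
            continue
        key, _, value = item.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if key == "severity":
            value = int(value)
            if not 0 <= value <= 1_000_000:
                raise ValueError("severity out of range: %d" % value)
        elif key == "recurse":
            value = parse_recurse(value)
        elif key == "emailto":  # quoted, semicolon-delimited list of addresses
            value = [addr.strip() for addr in value.split(";") if addr.strip()]
        elif key != "rulename":
            raise ValueError("unknown attribute %r" % key)
        attributes[key] = value
    return {"object": match.group("obj"), "checked": checked,
            "ignored": ignored, "attributes": attributes}


if __name__ == "__main__":
    # Constructed sample rules, built from the page's own examples.
    for line in (
        "/etc -> $(IgnoreNone) -ar (rulename=watchme, severity=50, recurse=2);",
        '/var/log/messages -> $(Growing) (emailto="admin@foo.com;admin2@foo.com");',
    ):
        rule = parse_rule(line)
        print(rule["object"], "checks", "".join(sorted(rule["checked"])), rule["attributes"])
```

Running the script shows that $(IgnoreNone) -ar leaves fifteen properties checked (everything except a, r and l), which is the kind of check worth doing before relying on a hand-built mask, since a property silently dropped from the mask is a change Tripwire will never report.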