###############################################################################
        Tripwire for Servers version 4.1 for UNIX Operating Systems
                               Feb 2004
###############################################################################

CONTENTS:

- Introduction
- What's New in this Release
- Where to look for help
- Contacting Tripwire
- Tripwire System Components
- Known issues
  1. Installation
  2. General Operation
  3. Tripwire Manager Operation
  4. Command-line Operation
  5. Tripwire Agent
  6. Tripwire Configuration File
  7. Agent Configuration File
  8. Policy File
  
===============================================================================
Introduction
===============================================================================
Welcome to Tripwire for Servers, supporting Linux Kernel 2.2 and above;
Hewlett-Packard HP-UX 10.2, 11.0 and 11i; IBM AIX 4.3.3, 5.1, and 5.2 for
RS/6000; Sun Solaris (SPARC) 2.6, 7.0, 8.0, and 9.0; Compaq Tru64 4.0F,
4.0G, 5.0A, 5.1, 5.1A, and 5.1B; and FreeBSD 4.5, 4.6, and 4.7.

This document contains descriptions of new product capabilities as well as 
up-to-the-last-minute information on the known issues and behaviors of this 
release of Tripwire software.  Please read this document carefully before 
installing Tripwire for Servers or reporting any issues.

We have also included important contact information for your benefit. Please
tell us about any issues you may find, or how you feel about our product.


===============================================================================
What's New in this Release
===============================================================================

In version 4.1:

1) Improved security for key exchange between Tripwire for Servers and
Tripwire Manager, and for Configuration, Policy, and Schedule file creation.

2) OpenSSL library upgrade, enhancing communication security between Tripwire
for Servers and Tripwire Manager.


In version 4.0 (also included in 4.1):

1) "Who" Made the Change -  The event tracking feature provides more in-depth
information about integrity violations, specifically: who made a change.  
Being able to identify "who" made a change makes Tripwire for Servers a 
critical component for effective change management processes and procedures.

2) Policy File Wildcard Support - Wildcard support makes policy file creation 
and editing easier. You can now use wildcards to specify objects to monitor  
by file type. For example, you can create a rule to monitor all *.exe or *.dll
files. Both inclusion (monitor all *.exe files) and exclusion (don't monitor 
any *.tmp files) are supported.

3) ACL (Access Control List) Support for UNIX - Access Control Lists (ACLs) are
tables that control user access rights to particular system objects (such as
directories or individual files). It is critical that ACLs do not change
without an administrator noticing. Use Tripwire for Servers ACL support to
monitor ACLs for change.

4) Improved Syslog Output - Now you can send level 1 or 2 reports (with more 
detail than level 0 reports) to syslog. 

5) Smart Integrity Checking -  During initial policy file creation, Tripwire for
Servers now ignores objects specified in the policy file that do not exist in the 
file system. (In previous versions, the software would report errors for these
situations.)  

6) Selective Policy Update - Now you can update a policy file selectively from 
a report, approving only the errors you choose. (Previous versions required you to
update globally, accepting all or no reported errors.)

7) Report Naming - You can now construct a customized naming scheme for the 
report files generated after each integrity check.

===============================================================================
Where to look for help
===============================================================================

See the Tripwire for Servers User Guide for helpful information about running 
Tripwire for Servers. In particular, refer to the Initial Configuration, Using
Tripwire for Servers, and Command Reference chapters. Look for a PDF copy of 
the User Guide (and other documents) on your Tripwire for Servers CD, in the 
/docs directory.

The Tripwire support website may offer post-release or upgrade information
for this software. See the Tripwire support website at:

http://www.tripwire.com/services_and_support


===============================================================================
Contacting Tripwire
===============================================================================

For any support communications or questions regarding this product, please
contact Tripwire, Inc. at:

                 URL: http://www.tripwire.com/
              E-MAIL: support@tripwire.com
     VOICE, DOMESTIC:    866.897.8776  (06:00 - 18:00 PST)
VOICE, INTERNATIONAL: +1 503.276.7663  (06:00 - 18:00 PST)
                 FAX:    503.223.0182
                 
Tripwire Inc. offers many options for Service and Support, including
Support and Maintenance, Tripwire Deployment and Implementation Services,
and Tripwire Educational Services.  For more information please see the
Tripwire Inc. Services and Support website at:

http://www.tripwire.com/services_and_support/

We encourage you to use the Tripwire Policy Resource Center.  This site provides 
the Tripwire Community with a place to share policy file expertise and product 
information.  The site provides tools and a collection of practical information on 
deploying Tripwire policy files.  To access the resource center, go to: 

http://policy.tripwire.com/

===============================================================================
Tripwire System Components
===============================================================================
Tripwire for Servers is the self-contained integrity software that resides on 
host machines. 

Tripwire Manager is the management console that can manage multiple Tripwire 
for Servers machines remotely. 

Tripwire Agent is the component of Tripwire for Servers that handles 
communication between Tripwire for Servers and Tripwire Manager.


===============================================================================
Known Issues
===============================================================================

-------------------------------------------------------------------------------
1. Installation Issues
-------------------------------------------------------------------------------
Note: These issues affect operation of Tripwire for Servers when using Tripwire
Manager AND when running Tripwire for Servers on hosts from the command line.

1.1  When installing Tripwire for Servers, ensure that you do not install the
product to a network mounted file system if you intend to run the Tripwire
Agent automatically on start up.  Some administrators mount /usr/local from an
NFS server for ease of deployment.  If this is the case, install Tripwire for
Servers to a different location by editing the install.cfg file before running
the installation program.

Or, move Tripwire Agent to a different directory on the system and modify the
Tripwire Agent configuration file to use paths that are accessible during start up.


1.2  On Solaris 2.6, Tripwire Agent requires an updated version of libpthread.so.1.
An updated version of this file is provided by Tripwire, Inc. under
special agreement from Sun Microsystems.  The installation program copies this
newer version of libpthread.so.1 to the tripwire bin/ folder. You must modify
the LD_LIBRARY_PATH environment variable so that Tripwire uses the updated
version, by making sure the path to the modified version comes first:

For sh and bash:
    LD_LIBRARY_PATH=/usr/local/tripwire/tfs/bin:$LD_LIBRARY_PATH
    export LD_LIBRARY_PATH
    
For csh and tcsh:
    setenv LD_LIBRARY_PATH /usr/local/tripwire/tfs/bin:$LD_LIBRARY_PATH

It is important that LD_LIBRARY_PATH is set this way only for the user running 
Tripwire for Servers, to ensure no unexpected interactions with other 
applications occur.

1.3 On Red Hat 9, Tripwire for Servers requires an upgrade to glibc. 
Bug fixes in the upgrade version (version 2.3.2-27.9) resolve some threading 
defects that interact poorly with Tripwire for Servers. On Red Hat 9 be sure to 
upgrade to glibc version 2.3.2-27.9 before installing and configuring Tripwire 
for Servers. Red Hat bugfix info: https://rhn.redhat.com/errata/RHBA-2003-136.html

1.4 Tru64 5.1.B systems and WorldWide Language Support issue: Tripwire for 
Servers 4.1 is not supported on Tru64 5.1.B systems that have the WorldWide 
Language Support packages installed.

1.5  Ports 61000 to 65096 may not be available for use on Linux.  They are used
by the system for IP Masquerading (if that Kernel module is active). We 
recommend that you do not use these ports for Tripwire software on Linux.


1.6  The Tripwire installation program will attempt to determine the fully
qualified host name (FQHN) of the system on which it is being installed.  This is
used in the default policy file for emailing.  This routine in the installer
requires access to either the 'host' or 'nslookup' commands, and assumes that
the system is configured with a proper host name.  Some systems may be
configured such that only root has access to the required commands.  Tripwire
recommends that the installation program be run as a user that has access
to 'host' or 'nslookup' in the current path.
  

1.7 The Tripwire for Servers installation program will set the MAILNOVIOLATIONS
configuration file setting to "False" by default.  This is contrary to the
default value of "True" if the MAILNOVIOLATIONS option is not present at all
in the configuration file.  This was done to reduce the amount of email "noise"
generated by the product.


-------------------------------------------------------------------------------
2. General Operation Issues
-------------------------------------------------------------------------------
Note: These issues affect operation of Tripwire for Servers when using Tripwire
Manager AND when running Tripwire for Servers on hosts from the command line.

2.1  The default policy file installed with Tripwire for Servers contains a 
rule to verify the integrity of critical Tripwire for Servers components, 
including the database file. However, the database file is generated *after* 
the policy file. Therefore, the first integrity check run after a default 
installation reports a violation describing the database as an "added object".

Other files are created when the Tripwire Agent is first run (when you register
the Tripwire for Servers machine to a Tripwire Manager). These files also cause
"added object" violations during the first integrity check after you run an 
Agent.

This behavior is normal.

As your first task after installation, we recommend that you fully configure
the software, then run through an integrity check at least twice so that all
Tripwire files have a chance to be created. Then, perform a database update to
add all the new files to the existing baseline database.


2.2  For some operating systems in which /tmp is a symlink (later versions of 
Tru64 for instance), it may be necessary to explicitly set the temp directory 
via the TEMPDIRECTORY configuration variable. If TEMPDIRECTORY is pointing to a
symlink, you must append a trailing slash, for instance:

      TEMPDIRECTORY  = /tmp/

If you get errors regarding temporary files, please try this before you contact
technical support.


2.3 If the umask is set such that files are created as non-writable by default,
the editor launched in interactive integrity check and database update modes
may be unable to save changes made to the report. If the editor is closed
without saving the changes, Tripwire assumes that all items in the report
should be updated, potentially including compromised data in the database. To
exploit this vulnerability, an intruder would require a previously compromised
account with write access to either the Tripwire administrator's account or
the Tripwire binary files. To work around this issue, launch a shell from the
editor (":shell" in vi), add user-write permissions (chmod u+w) to the temp
file open in the editor, exit the shell and force a write to the file (":w!"
in vi). To avoid this issue, make certain that the umask does not contain the
user-write bit (0200).


2.4  CAUTION: Tripwire keyfiles are inextricably linked to their associated
signed files.  Consequently, if you create a new keyfile and overwrite the
pre-existing keyfile, all files signed with the original key become unusable.


2.5  Due to limitations of the operating system, Tripwire for Servers cannot 
scan files larger than 2 GB on some platforms such as Solaris 2.6.  A non-fatal
error is generated upon attempts to access such files and Tripwire for Servers
cannot retrieve some properties of these files, but operation otherwise
continues normally.  This is an operating system limitation, not a limitation of
Tripwire for Servers.


2.6  E-mail reports containing high-ascii or multi-byte characters are now MIME
encoded if the MAILMETHOD configuration file parameter is set to SMTP or 
Sendmail.


2.7  The MAILFROMADDRESS configuration file parameter is intended to prevent
SMTP relays from bouncing Tripwire e-mail reports. However, using this feature 
does not ensure that some SMTP relays with strict mail handling rules will not 
bounce Tripwire e-mail reports.

MAILFROMADDRESS modifies the 'from' field of the e-mail. However, when you set
MAILMETHOD=SENDMAIL, the mail may bounce if it comes from an unresolvable host.
Use sendmail's -f option to make sendmail send the e-mail correctly using the
specified address.  Here is an example as it would appear in the Tripwire
configuration file:

MAILPROGRAM   = /usr/lib/sendmail -oi -t -fuser@domain.com

This was tested under sendmail 8.11.0, but may also work for other versions.


2.8  Tripwire for Servers will not make any attempt to determine if there is 
enough disk space for an operation to complete.  If the system runs out of disk
space while Tripwire for Servers is attempting to perform a task, it will 
cause an error or possibly freeze.  Tripwire recommends that disk space on critical 
systems running Tripwire for Servers be monitored on a regular basis to ensure that 
all processes run smoothly.


2.9 Extremely large e-mail reports may cause some versions of Sendmail to abort
the mailing process, resulting in no or partial e-mail reports being received.  These
reports must be of very large size (1.0 MB and up) and are therefore very
unlikely to occur.

Tripwire recommends that policy files be kept tuned so that Tripwire for
Servers only reports real violations of security policies.

Tripwire also recommends the use of lower EMAILREPORTLEVEL settings to keep
e-mail size down.  See the Tripwire for Servers User's guide for more
information on setting e-mail report levels.

Also, Tripwire recommends that when using Sendmail, it be kept up to 
date, and configured correctly.  Most Sendmail issues are due to 
misconfigurations or old versions of Sendmail being installed.


2.10  Scanning all of /proc with a single rule is not recommended.  On some 
systems this may take a long time and result in many useless violations being 
reported.  There are often individual files under /proc which contain current 
system configuration data, and monitoring them with Tripwire may be highly 
desirable.  In such cases, it is recommended that just these specific files be
listed in the Tripwire policy file.


2.11  Tripwire for Servers for the Linux and FreeBSD operating systems contains
statically linked code protected under the LGPL (glibc).  As per that
agreement, Tripwire has included a "Lib Kit" to allow users to re-link the
Tripwire for Servers Linux binary files with different versions of glibc.
Tripwire does not certify or guarantee any functionality for binary files that
have been re-linked.

If you build the Linux Tripwire binaries using the lib kit, they will not
operate properly with the system locale set to en_US.UTF-8 on Red Hat
8.x.

The Makefile included with the FreeBSD lib kit requires GNU Make 3.79 or
later.  By default, the lib kits attempt to deposit the binaries in
../../bin/. To have the binaries built in the same directory as the lib kit,
run: "gmake TARGETDIR=."


2.12  The HOSTID for FreeBSD will show as '0' unless it has been manually
set, because HOSTID is not set automatically on FreeBSD systems.  The same is
sometimes true on Tru64.  Tru64's hostid can be set using /usr/sbin/hostid.
On FreeBSD, the hostid can be set using /sbin/sysctl.


2.13  Tripwire for Servers 4.0 for the FreeBSD operating system does
not support locales other than single-byte English.


2.14  On AIX 4.3.x, the default, unmodified /etc/inittab script launches the
Netscape browser when the system starts up.  The Tripwire installer
optionally modifies this file to allow the Tripwire Agent to be started
automatically by adding a line to the end of /etc/inittab.  If Netscape is
launched first, anything after the Netscape line in the inittab file will
wait until the Netscape browser is manually closed.  Tripwire highly
recommends that the /etc/inittab file be modified to allow the inittab
script to complete without being stopped by the Netscape browser.


2.15  Tripwire for Servers reports accumulate over time.  While this provides 
historical information, it can also occupy a significant amount of space.  We 
suggest creating a management script to periodically prune the report directory
of unnecessary reports.
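One way to build the pruning script suggested above (an added example, not a tool shipped with Tripwire for Servers): it deletes reports older than a given age but always keeps the newest few, so a quiet host never loses its last known-good reports. It assumes reports sit in one directory, end in .twr (a fourth argument overrides the pattern) and have no spaces in their names.

```shell
#!/bin/sh
# Added example, not part of Tripwire for Servers. Prunes old report files
# while always keeping the KEEP most recent ones.
# Assumptions: one report directory, report names without spaces, and a
# .twr suffix unless a different glob is passed as the fourth argument.

# prune_reports DIR DAYS KEEP [GLOB]
#   Deletes reports in DIR older than DAYS days, never touching the KEEP
#   newest reports regardless of age. Prints each deleted path.
prune_reports() {
    dir=$1
    days=$2
    keep=$3
    glob=${4:-*.twr}

    [ -d "$dir" ] || { echo "prune_reports: no such directory: $dir" >&2; return 1; }
    [ "$keep" -ge 0 ] 2>/dev/null || { echo "prune_reports: KEEP must be a number" >&2; return 1; }

    # ls -t lists newest first; tail then skips the KEEP newest entries.
    ls -t "$dir"/$glob 2>/dev/null | tail -n +"$((keep + 1))" | while read -r report; do
        # Delete a candidate only if its modification time is more than DAYS days old.
        if [ -n "$(find "$report" -mtime +"$days" -print 2>/dev/null)" ]; then
            rm -f "$report" && echo "$report"
        fi
    done
}

# count_reports DIR [GLOB]
#   Number of reports currently in DIR (handy for a cron log line or a check).
count_reports() {
    dir=$1
    glob=${2:-*.twr}
    ls "$dir"/$glob 2>/dev/null | wc -l | tr -d ' '
}
```

From cron, a daily call such as prune_reports /usr/local/tripwire/tfs/report 30 10 (report directory assumed) keeps a month of history and at least ten reports.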


2.16  Temporary files may accumulate when using the Integrated Command 
Execution feature.  If a '%' argument is used to create a temp file 
(%t, %x, %c), the temp file is written to the location defined by your 
TEMPDIRECTORY variable or the system temp variable if TEMPDIRECTORY is not set.
The child process is responsible for deleting it when it's done.  If 
the child process doesn't delete the file, temporary files may accumulate.  We
suggest periodically deleting these files.


2.17  To avoid erroneous violations being reported, we recommend not using the
three new policy file properties, A (&acl), f (&flags), and G (&gen), when
checking NFS mounts.  One exception to this is if both the client and server
are Solaris; then it is OK to scan ACLs (A or &acl) over NFS.


2.18  "Bad file number, -1" will be reported to audit.log on Solaris 9 if you
attempt to do piping or redirection in the ICE command lines.  If you 
need to pipe or redirect output, it should be encapsulated within a 
shell script and the script should be run from the ICE command line.
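The wrapper script that 2.18 calls for, written here as an added example rather than anything shipped with the product: the pipe and the redirections live inside the script, and the temp file that 2.16 says the child process must delete is removed on every exit path. It assumes ICE passes the temp report file (the %t argument) as the first argument and that the archive directory is given as the second; "Violation" is a constructed marker for the lines being counted.

```shell
#!/bin/sh
# Added example, not part of Tripwire for Servers: a wrapper for the
# Integrated Command Execution (ICE) feature. Pipes and redirection happen
# here rather than on the ICE command line (2.18), and the temp file handed
# over as $1 is deleted when the script finishes (2.16).
# Assumptions: $1 is the temp report file (%t), $2 is an archive directory,
# and "Violation" is a constructed marker for the report lines to count.

# ice_archive_report TMPFILE ARCHIVEDIR
#   Copies the report into ARCHIVEDIR under a timestamped name, appends a
#   one-line summary to ARCHIVEDIR/summary.log and deletes TMPFILE.
#   Prints the archived file's path; returns 1 on bad arguments.
ice_archive_report() {
    tmpfile=$1
    archivedir=$2
    [ -f "$tmpfile" ] || { echo "ice_archive_report: missing temp file: $tmpfile" >&2; return 1; }
    mkdir -p "$archivedir" || return 1

    # Remove the temp file on any exit path; Tripwire does not do it for us.
    trap 'rm -f "$tmpfile"' EXIT INT TERM HUP

    stamp=$(date +%Y%m%d-%H%M%S)
    dest=$archivedir/report-$stamp-$$.txt

    # Redirection inside the script works; on the ICE line itself it does not.
    cat "$tmpfile" > "$dest" || return 1
    # grep -c exits 1 when nothing matches but still prints 0, hence || true.
    violations=$(grep -c 'Violation' "$tmpfile" || true)
    printf '%s %s violations=%s\n' "$stamp" "$dest" "$violations" >> "$archivedir/summary.log"

    # Explicit cleanup so the file is gone before we return, then drop the trap.
    rm -f "$tmpfile"
    trap - EXIT INT TERM HUP
    echo "$dest"
}

# When run as a script from ICE, process the arguments we were given.
if [ $# -ge 2 ]; then
    ice_archive_report "$@"
fi
```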


2.19  The auditing feature on early versions of AIX 4.3.3 (prior to
maintenance level 10) is broken.  Thus, the system does not capture audit
events and Tripwire for Servers 4.0 cannot report them.  To fix the auditing bug in
AIX 4.3.3, maintenance level 10 or above will need to be installed on the system.
Maintenance levels for AIX 4.3.3 and instructions on how to install them
can be found on this site:

http://techsupport.services.ibm.com/server/mlfixes/43/


2.20  Two new syslog facilities (cron and authpriv) have been added for the operating
systems that support them.  To ensure that syslog information is not lost, be sure to verify
that your operating system supports these prior to setting the SYSLOG_FACILITY
to one of them.


2.21  Due to an issue with syslog on Linux not handling SJIS characters correctly,
we recommend setting SYSLOG_LOCALIZED to false on Linux platforms with the
locale set to SJIS.


2.22  In order for dtmail to successfully read a Tripwire for Servers e-mail
report generated on a computer running AIX with the locale set to SJIS, change
the locale of the machine you are running dtmail on to SJIS.

-------------------------------------------------------------------------------
3. Tripwire Manager-related Operation Issues
-------------------------------------------------------------------------------
Note: These issues affect operation of Tripwire for Servers ONLY when running
the software from Tripwire Manager.

3.1  At times, the network connection between Tripwire Agent and Tripwire Manager
may be interrupted. If so, there is a brief timeout period that must be
exceeded for the Tripwire Agent to 'give up' on the connection so that
Tripwire Manager can re-connect. The Tripwire Manager may show a short-lived
'connection error' status for the Tripwire for Servers machine during this time.  This
usually occurs on heavily loaded networks or machines.  Treat 'Connection
Errors' lasting more than 4 minutes as a sign of something other than a
connection timeout, since Tripwire Manager and Tripwire Agent should have
re-connected and re-authorized within this time.

Timeout behavior can be adjusted by setting the Request Timeout and Response
Timeout values within Tripwire Manager under View > Preferences.


3.2  All paths in the Tripwire Agent configuration file MUST point to valid 
objects or paths. If not, Tripwire Manager cannot find the necessary Tripwire
for Servers files and executables. Errors accessing files or executables 
using Tripwire Agent may not be reported to the Tripwire Manager. You must view the 
log files to detect these errors.


-------------------------------------------------------------------------------
4. Command-line Operation Issues
-------------------------------------------------------------------------------
Note: These issues affect operation of Tripwire for Servers ONLY when running
Tripwire for Servers on hosts from the command line.


4.1  Making modifications to an existing policy file requires that you use the
Tripwire --update-policy mode. This mode ensures that the database remains
internally consistent with the updated policy file.

If you do not use this mode, then you must perform several steps to ensure 
that no changes were made to the file system between the last integrity check and the
policy file modification. These steps include disconnecting the machine from 
the network, running an integrity check, updating the policy file and 
re-initializing the database.

The --update-policy mode provides the same functionality and security as all
of these steps, in one step. See the Tripwire section of the Command Reference
in the Tripwire for Servers User Guide for further information.


4.2  Using the 'twadmin --create-polfile' mode to update an existing policy 
file causes errors on the next integrity check if you do not also re-initialize
the database from scratch.  If any rules were added or changed in the policy
file used to initialize the database, Tripwire for Servers reports errors.
However, rules removed from the policy file generate no errors or warnings.


4.3  If a filename is present that includes character 0x5C (the ASCII
backslash), the file system may fail to pass the filename to Tripwire
correctly. This causes Tripwire to incorrectly see the file as having been
removed.  However, if the file name is passed on the command line, Tripwire
can correctly interpret it.


4.4  Tripwire recommends upgrading bash to a version greater than 2.01 if
integrated command execution scripts are expected to use the bash shell.


4.5  Due to how csh expands wildcards, you cannot use "--match -?" or "-?"
from the command line.


-------------------------------------------------------------------------------
5. Tripwire Agent Issues
-------------------------------------------------------------------------------
Note: These issues affect operation of Tripwire for Servers ONLY when running
the software from Tripwire Manager.

5.1  Tripwire Agent on Linux will not respond to a SIGHUP signal.  It will not
reload its configuration.  The Tripwire Agent must be stopped with a SIGTERM
(15) signal and restarted.  Using the S950twagent script is the best way to 
do this (S950twagent restart).


5.2  The Tripwire Agent script file "twagent" is used to start and stop the
Tripwire Agent.  It is installed by default to the system's application startup
folder.  This script assumes that only one Tripwire Agent is running on a 
system at any one time.  Attempting to use "twagent stop" to stop a Tripwire 
Agent if there is more than one running may cause all or no agents to be 
stopped depending on platform or user rights.  It is recommended that if 
running more than one Tripwire Agent simultaneously, that "twagent" not be used
to control them.


5.4  There is a known issue with iconv libraries that can cause twagent to exit
with a segmentation fault on Solaris 2.6 JA.  Applying Solaris patch 106616-03 
"Japanese UTF-8 iconv patch" will eliminate the segmentation faults.


5.5  If the user that is specified to run the Tripwire agent does not have 
sufficient rights to start the service, the installer does not notify the user
during installation that the Tripwire agent service failed to start.


-------------------------------------------------------------------------------
6. Tripwire Configuration File Issues
-------------------------------------------------------------------------------
Note: These issues affect operation of Tripwire for Servers when using Tripwire
Manager AND when running Tripwire for Servers on hosts from the command line.

6.1  We STRONGLY recommend that you use fully qualified paths for all 
configuration file parameters that specify paths. Serious security risks are 
introduced when you use relative paths. Multi-byte paths cannot be properly 
parsed if they are not fully qualified paths. UNC Paths are acceptable.


6.2  If the path value for the REPORTFILE configuration file parameter
contains $(DATE) followed by one or more additional variables, the variables
following $(DATE) are not expanded.  This is due to special handling of 
report files by Tripwire Agent. We recommend that the $(DATE) variable always
appear last in the path value.
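The two forms side by side, as an added configuration example rather than the file shipped with the product; $(TWROOT) and $(HOSTNAME) are assumed configuration variables and the report directory is an assumption:

```text
# Added example, not the product's own configuration file.
# $(TWROOT) and $(HOSTNAME) are assumed configuration variables.

# Problem: $(HOSTNAME) follows $(DATE), so the Agent leaves it unexpanded
# and the report is written with a literal "$(HOSTNAME)" in its name.
REPORTFILE = $(TWROOT)/report/$(DATE)-$(HOSTNAME).twr

# Fix: $(DATE) comes last, so every variable before it expands normally.
REPORTFILE = $(TWROOT)/report/$(HOSTNAME)-$(DATE).twr
```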


-------------------------------------------------------------------------------
7. Agent Configuration File Issues
-------------------------------------------------------------------------------
Note: These issues affect operation of Tripwire for Servers ONLY when running
the software from Tripwire Manager.

7.1  Commented text in the Agent configuration file must be on separate
lines from configuration parameters.  A line may not contain configuration
data AND a comment.


7.2  We STRONGLY recommend that you use fully-qualified paths for all Agent
configuration file parameters that specify paths. Serious security risks are
introduced when you use relative paths. Multi-byte paths cannot be properly
parsed if they are not fully-qualified paths.


-------------------------------------------------------------------------------
8. Policy File Issues
-------------------------------------------------------------------------------
Note: These issues affect operation of Tripwire for Servers when using Tripwire
Manager AND when running Tripwire for Servers on hosts from the command line.

8.1  When a policy file rule includes both hash properties (C, M, S, or H) AND
the access timestamp property (a), every file scanned by this rule shows up as 
violated. This is because Tripwire for Servers does not reset an object's
access time attribute after accessing the object to obtain hash values.  Thus, 
the next integrity check shows that the access timestamp was violated (by 
Tripwire for Servers) for every hashed file.


8.2  When a policy file rule monitors the access timestamp (a) property for
directory objects, every directory recursed by that rule shows up as having
changed between scans. This is because Tripwire for Servers does not reset
the directory's access time attribute after recursing the directory contents.

To avoid this, set LOOSEDIRECTORYCHECKING=true in the configuration file.

However, setting LOOSEDIRECTORYCHECKING=true may have security
implications. See Chapter 1 in the Tripwire Reference Guide for more
information.


8.3  When you monitor NFS mounted filesystems with Tripwire for Servers, it is
important to be aware that Tripwire for Servers does not issue a 'sync'
command before scanning files.  We recommend that you issue a 'sync' command
before scanning these filesystems, as stale data may cause Tripwire for
Servers to return results that do not reflect the current state of the
scanned data.


8.4  Setting the rights to a Tripwire configuration or policy file to read-only
will cause errors when attempting to edit the file from Tripwire Manager
because the file cannot be written.   This is also an issue for
configuration 'rights' settings such as POLICYRIGHTS.


8.5  Policy files may only contain 65535 single-byte characters per line.
Exceeding this limit will cause an error when attempting to compile the policy.
The maximum number of characters per line for multi-byte characters is less
depending on how many bytes are used by each character.


8.6  The policy files have been updated to scan the /etc directory more
securely.  Due to this change, reports are more likely to contain noise from
this directory.  Since /etc contents can vary widely from machine to machine,
we do not tune out this noise but instead provide commented rules in the policy
files which, when uncommented, can help minimize this noise.


===============================================================================
Special Thanks
===============================================================================

- Thanks to the GNU Project for glibc, gcc, and gdb.

- Thanks to dynamo [dynamo@ime.net] for identification and help debugging a 
  race condition regarding Tripwire integrity checks and FIFOs.

- Thanks to Jarno Huuskonen [Jarno.Huuskonen@uku.fi] for patches relating to
  handling of temporary files.

===============================================================================
Tripwire for Servers Release Notes
Copyright 2004 Tripwire, Inc. Tripwire is a registered trademark of
Tripwire, Inc. All rights reserved.