Problems with tripwire:
I have tripwire installed on one of my servers (Debian Stable), and I've
managed to get the configuration pretty quiet, but I'm having a little
problem with one or two of them.
The particular section of tw.config looks like:
/var @@AW
!/var/log/ksymoops/
/var/log @@LOGSEARCH
/var/lib @@LOGSEARCH
/var/backups @@LOGSEARCH
!/var/spool
!/var/run
!/var/cache
!/var/lock
!/var/state/
where @@AW is:
@@define AW +pinugsm17-ac2345689
The problem is that I still get:
Changed files/directories include:
added: -r--r--r-- root 32630 Mar 10 06:25:03 2002 /var/log/ksymoops/20020310062503.ksyms
added: -r--r--r-- root 78 Mar 10 06:25:03 2002 /var/log/ksymoops/20020310062503.modules
added: -r--r--r-- root 32630 Mar 11 06:25:02 2002 /var/log/ksymoops/20020311062502.ksyms
added: -r--r--r-- root 78 Mar 11 06:25:02 2002 /var/log/ksymoops/20020311062502.modules
deleted: -r--r--r-- root 32630 Mar 8 06:25:01 2002 /var/log/ksymoops/20020308062501.ksyms
deleted: -r--r--r-- root 78 Mar 8 06:25:01 2002 /var/log/ksymoops/20020308062501.modules
deleted: -r--r--r-- root 32630 Mar 5 06:25:02 2002 /var/log/ksymoops/20020305062502.ksyms
deleted: -r--r--r-- root 78 Mar 5 06:25:02 2002 /var/log/ksymoops/20020305062502.modules
deleted: -r--r--r-- root 32630 Mar 7 06:25:02 2002 /var/log/ksymoops/20020307062502.ksyms
deleted: -r--r--r-- root 78 Mar 7 06:25:02 2002 /var/log/ksymoops/20020307062502.modules
changed: -rw-r--r-- root 52 Mar 11 06:25:02 2002 /var/state/logrotate/status
Now, according to my understanding, the ! in front of /var/log/ksymoops/
should be telling tripwire to ignore things under there, right?
Obviously, it's not.
Additionally:
Is there a file-security scanner like tripwire (or like AIDE) that
works across a network? I'm envisioning something that does local
file scanning, then transmits the resulting table to a remote (more
secure) host where the verification is done.
--
Share and Enjoy.
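An added example, not part of the post above and not tripwire's or AIDE's own code: a toy integrity scanner that ties the two questions together. One thing worth noticing in the output quoted above is that the two entries still reporting (the ksymoops files and /var/state/logrotate/status) are exactly the two prune entries written with a trailing slash, while the slash-free ones (/var/spool, /var/run, ...) are quiet. The scanner below shows what happens when a prune list is matched against directory names as literal strings versus with trailing slashes normalized; whether tripwire 1.x really compares that literally is an assumption to check against tw.config(5) and by dropping the slashes, rebuilding the database and rerunning. The second half shows the "scan locally, verify remotely" split: the scanning side emits an authenticated table, the verifying side checks the tag and diffs it against a baseline it keeps itself. All paths, rules, file contents and the key are constructed for the demo.

```python
# Added example (not from the post, not tripwire/AIDE code): a toy tripwire-style
# scanner showing (a) prune rules with and without trailing-slash normalization
# and (b) a scan table authenticated for verification on a remote host.
# Every path, rule, file body and key below is constructed for the demo.
import hashlib, hmac, json, os, stat, tempfile
from pathlib import Path


def prune_match(path, prune_rules, normalize):
    """True if `path` or any ancestor directory is listed in `prune_rules`.

    normalize=False compares names literally, so the rule '/var/log/ksymoops/'
    never equals the directory '/var/log/ksymoops' and the walk descends into
    it.  normalize=True strips trailing slashes before comparing.
    """
    rules = ({r.rstrip("/") or "/" for r in prune_rules} if normalize
             else set(prune_rules))
    p = path
    while True:
        if p in rules:
            return True
        parent = os.path.dirname(p)
        if parent == p:              # reached '/', nothing matched
            return False
        p = parent


def _rel(root, full):
    """Express `full` relative to `root` as an absolute-looking path, so
    tw.config-style rules ('/var/log/...') apply to a tree rooted anywhere."""
    return "/" + os.path.relpath(full, root)


def scan(root, prune_rules, normalize=True):
    """Walk `root`; return {path: attributes} for regular files.  Pruned
    directories are dropped before descending, like tripwire's '!' entries."""
    table = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if not prune_match(
            _rel(root, os.path.join(dirpath, d)), prune_rules, normalize)]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if prune_match(_rel(root, full), prune_rules, normalize):
                continue
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            table[_rel(root, full)] = {
                "mode": oct(stat.S_IMODE(st.st_mode)), "uid": st.st_uid,
                "size": st.st_size,
                "sha256": hashlib.sha256(Path(full).read_bytes()).hexdigest()}
    return table


def pack_report(table, key):
    """Scanning host: deterministic JSON plus an HMAC-SHA256 tag so a report
    altered in transit is rejected.  (A per-host public-key signature would fit
    better; HMAC keeps the example inside the standard library.)"""
    body = json.dumps(table, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_report(body, tag, key):
    """Verifying host: constant-time tag check, then parse the table."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("report failed authentication")
    return json.loads(body)


def diff_tables(baseline, current):
    """tripwire-style added / deleted / changed report between two tables."""
    both = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "deleted": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in both if baseline[p] != current[p])}


def demo():
    """Constructed fixture shaped like the post's /var.  Returns the literal
    scan, the normalized baseline and the remote diff after a day of churn."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data):
            p = Path(root + rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        put("/var/log/ksymoops/20020310062503.ksyms", b"ksyms dump 1")
        put("/var/log/syslog", b"Mar 10 06:25:03 host syslogd: restart\n")
        put("/var/state/logrotate/status", b"logrotate state 1\n")
        put("/var/backups/dpkg.status.0", b"Package: tripwire\n")
        rules_as_posted = ["/var/log/ksymoops/", "/var/state/"]  # trailing '/'
        strict = scan(root, rules_as_posted, normalize=False)
        baseline = scan(root, rules_as_posted, normalize=True)
        # Next day: new ksymoops dump, logrotate rewrites its state (the churn
        # the post reports).  Scan locally, ship the table, verify remotely.
        put("/var/log/ksymoops/20020311062502.ksyms", b"ksyms dump 2")
        put("/var/state/logrotate/status", b"logrotate state 2\n")
        key = b"constructed-demo-key"            # shared only for the demo
        body, tag = pack_report(scan(root, rules_as_posted), key)
        report = diff_tables(baseline, verify_report(body, tag, key))
        return strict, baseline, report


if __name__ == "__main__":
    s, b, r = demo()
    print("literal match still sees:", sorted(s))
    print("normalized match sees:   ", sorted(b))
    print("remote diff after churn: ", r)
```

Under the literal comparison the ksymoops dump and the logrotate status file are in the table, which is the pattern in the report quoted above; with the slashes normalized they drop out, and the next day's churn produces an empty added/deleted/changed report. On the remote-verification design: keeping the baseline and doing the comparison on a separate host protects the database and the results from being edited on the monitored machine, but it does not change what root on a compromised machine can feed the scanner, so the table must be built from a known-good state and the scanner still has to be trusted at scan time. That is the same limit tripwire and AIDE have when run locally; shipping the table only moves the comparison off the box.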