Re:Tripwire
On Saturday 18 September 2004 08:42,
debian-user-digest-request@lists.debian.org wrote:
> "The tripwire command has a policy update mode which means that a change in
> policy does not require us to reinitialise the database. The policy update
> mode simply synchronises the existing database with the new policy file."
This is precisely the command that does not work. Redoing the policy file
itself and then building a new database works fine.
It appears that Debian's (other distros' as well, most probably) use
of /root, /etc, /proc, /var is far too volatile for tripwire. /proc must be
excluded from the policy since /proc/...####/ items are dynamically created
and destroyed continually. Logrotate produces a whole series of alarms since it
removes archives and creates new ones. So even without any upgrades, the
database must be resynced after each run. I will probably not continue with
this one.
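An added illustration, not part of the original message and not Tripwire itself: a minimal file-integrity check in Python over a constructed temporary tree, showing why one log rotation trips a strict rule set, and how excluding rotated archives and comparing only the mode of the live log removes that noise while a change under etc/ is still reported. The rule format, paths and file contents are assumptions made for the example.

```python
import hashlib, os, tempfile

ALL = ("inode", "size", "mode", "sha256")

def snapshot(root):
    """Baseline database: recorded properties of every file under root."""
    db = {}
    for d, _, files in os.walk(root):
        for name in files:
            p = os.path.join(d, name)
            st = os.stat(p)
            with open(p, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            db[os.path.relpath(p, root).replace(os.sep, "/")] = {
                "inode": st.st_ino, "size": st.st_size,
                "mode": st.st_mode & 0o7777, "sha256": digest}
    return db

def check(base, now, rules):
    """rules: (path prefix, properties to compare, or None to exclude); first match wins."""
    found = []
    for path in sorted(set(base) | set(now)):
        props = next(p for pre, p in rules if path.startswith(pre))
        if props is None:
            continue                      # excluded path, like a stop point
        if path not in base or path not in now or any(
                base[path][k] != now[path][k] for k in props):
            found.append(path)
    return found

def write(root, rel, data):
    p = os.path.join(root, rel)
    os.makedirs(os.path.dirname(p), exist_ok=True)
    with open(p, "w") as fh:
        fh.write(data)

def demo():
    tuned = [("var/log/syslog.", None), ("var/log/", ("mode",)), ("", ALL)]
    with tempfile.TemporaryDirectory() as root:        # constructed sample tree
        for rel, data in (("etc/passwd", "root:x:0:0\n"), ("var/log/syslog", "a\n"),
                          ("var/log/syslog.1", "bb\n"), ("var/log/syslog.2", "ccc\n")):
            write(root, rel, data)
        base = snapshot(root)
        log = os.path.join(root, "var/log/syslog")     # one rotation cycle
        os.replace(log + ".1", log + ".2")
        os.replace(log, log + ".1")
        write(root, "var/log/syslog", "")
        rotated = snapshot(root)
        write(root, "etc/passwd", "root:x:0:0\nnewuser:x:1001:1001\n")  # must be reported
        tampered = snapshot(root)
    return check(base, rotated, [("", ALL)]), check(base, rotated, tuned), check(base, tampered, tuned)
```

Excluding the rotated archives also means changes to them go unreported, which is the trade-off of this tuning.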