VERIFYING THE ENFORCER ACTUALLY WORKS

jyteh
2011-07-01
2013-04-03

    Hi there and good day.

    I am using Enforcer 0.4 beta for my postgraduate research work. After installation, I am trying to verify that the Enforcer works and trying to get the Enforcer to issue an alert to the OS log files in the event the SHA1 of a file changes, i.e. I am trying to achieve this:

    kernel: Enforcer:enforcer_bad_entry:1153: Enforcer: attribute mtime of `/root/test' incorrect
    kernel: Enforcer:enforcer_bad_entry:1182: Enforcer: Expected: 1074028730.768740586
    kernel: Enforcer:enforcer_bad_entry:1186: Enforcer: Found:    1078860942.634554050
    kernel: Enforcer:enforcer_bad_entry:1204: Enforcer: this means the file has been modified since the database was built.  Your system may be compromised.

    I had performed all STEPS outlined in the README.CONFIG file from QUICKSTART to SIGNING THE DATABASE.

    However, instead of producing the above output, the Enforcer performs a check of every kernel file during system startup. The checks performed are as follows (from kern.log):
    <snip>

    Jun 13 16:45:45 localhost kernel: Enforcer:inode_permission_dentry_check:1639: checking: /etc/rpc
    Jun 13 16:45:48 localhost kernel: Enforcer:inode_permission_dentry_check:1639: checking: /usr/share/mime/globs
    Jun 13 16:45:48 localhost kernel: Enforcer:inode_permission_dentry_check:1639: checking: /usr/share/mime/magic

    <snip>

    I had added "enforcer.debug_level=1 enforcer.check_signature=no" to GRUB 0.97 in Debian Etch r9 but still can't get the bad_entry alert. I also tried with "enforcer.debug_level=0 enforcer.check_signature=yes", but to no avail.

    What configuration is needed to make Enforcer display the bad_entry alert?

    Thanks for helping.

    rgds
    jyteh
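A small parser for the two kinds of Enforcer kernel log lines quoted in the post above, added here as an example that is not part of the post or of the Enforcer project: it separates the routine `checking:` lines from `enforcer_bad_entry` alerts and folds each alert's Expected/Found lines into a single event, which is what a log monitor would want to raise on. The log sample is constructed from the lines in the post, and the message layout is assumed to be exactly as quoted there.

```python
import re
from dataclasses import dataclass

# Constructed kern.log sample built from the lines quoted in the post:
# routine "checking:" lines followed by one multi-line bad_entry alert.
SAMPLE_KERN_LOG = """\
Jun 13 16:45:45 localhost kernel: Enforcer:inode_permission_dentry_check:1639: checking: /etc/rpc
Jun 13 16:45:48 localhost kernel: Enforcer:inode_permission_dentry_check:1639: checking: /usr/share/mime/globs
Jun 13 16:45:48 localhost kernel: Enforcer:inode_permission_dentry_check:1639: checking: /usr/share/mime/magic
Jun 13 16:45:50 localhost kernel: Enforcer:enforcer_bad_entry:1153: Enforcer: attribute mtime of `/root/test' incorrect
Jun 13 16:45:50 localhost kernel: Enforcer:enforcer_bad_entry:1182: Enforcer: Expected: 1074028730.768740586
Jun 13 16:45:50 localhost kernel: Enforcer:enforcer_bad_entry:1186: Enforcer: Found:    1078860942.634554050
Jun 13 16:45:50 localhost kernel: Enforcer:enforcer_bad_entry:1204: Enforcer: this means the file has been modified since the database was built.  Your system may be compromised.
"""

# Assumed layout: "kernel: Enforcer:<function>:<source line>: <message>"
LINE_RE = re.compile(r"kernel: Enforcer:(?P<func>\w+):(?P<line>\d+): (?P<msg>.*)$")
BAD_ATTR_RE = re.compile(r"attribute (?P<attr>\w+) of `(?P<path>[^']*)' incorrect")
EXPECTED_RE = re.compile(r"Expected:\s*(?P<val>\S+)")
FOUND_RE = re.compile(r"Found:\s*(?P<val>\S+)")


@dataclass
class BadEntry:
    """One enforcer_bad_entry alert, assembled from its several log lines."""
    path: str
    attribute: str
    expected: str = ""
    found: str = ""


def parse_enforcer_log(text):
    """Return (checked_paths, alerts): paths the module only checked, and the
    bad_entry alerts with Expected/Found values attached to the right file."""
    checked, alerts, current = [], [], None
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # not an Enforcer line
        func, msg = m.group("func"), m.group("msg")
        if func == "inode_permission_dentry_check" and msg.startswith("checking: "):
            checked.append(msg[len("checking: "):])
        elif func == "enforcer_bad_entry":
            if (a := BAD_ATTR_RE.search(msg)):
                current = BadEntry(a.group("path"), a.group("attr"))
                alerts.append(current)  # a new alert starts here
            elif current and (e := EXPECTED_RE.search(msg)):
                current.expected = e.group("val")
            elif current and (f := FOUND_RE.search(msg)):
                current.found = f.group("val")
    return checked, alerts
```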