No alert in kern.log after modify test file

  • jyteh

    Dear Omen and users,

    Thank you so much for your help given so far. I had been successful in compiling the Enforcer into the Debian Etch 4.1 r9 with kernel 2.6.5.

    Note that "zcat /proc/config.gz" gave:


    Now I am trying to test if the enforcer worked in triggering a log in the kernel if file integrity compromised.

    Chronology of events:

    1. Hence, I ran make && make install at the top level enforcer directory and compilation was flawless.

    2. Created /etc/enforcer/enforcer.db.entries that has a single line like this:
    action=log /root/test

    3. ran # enforcer-admin builddb and database was created.

    jyteh:/etc/enforcer# ls -lth
    total 12K
    -rw-r--r-- 1 root root 194 2011-06-01 18:55 enforcer.db
    -rw-r--r-- 1 root root 719 2011-06-01 18:55 helper.conf
    -rw-r--r-- 1 root root  22 2011-06-01 18:54 enforcer.db.entries

    4. Modified the test file (sha1 confirmed it differs) and tailed kern.log, but was unable to find something like this:

    el: Enforcer:enforcer_bad_entry:1153: Enforcer: attribute mtime of `/root/test' incorrect
    kernel: Enforcer:enforcer_bad_entry:1182: Enforcer: Expected: 1074028730.768740586
    kernel: Enforcer:enforcer_bad_entry:1186: Enforcer: Found:    1078860942.634554050
    kernel: Enforcer:enforcer_bad_entry:1204: Enforcer: this means the file has been modified since the database was built.  Your system may be compromised.

    5. Thinking the problem was due to the helper program, I created a helper.conf file in /etc/enforcer using helper.conf.sample.

    6. Also added enforcer.debug_level=1 enforcer.check_signature=no to GRUB menu.lst boot loader.

    7. Configured sysv-rc-conf to start 'enforcer-helper start' at Debian init levels 1-5.

    8. Rebooted several times (each time I checked that I had followed steps 1 to 7 above) and read all system-related logs in /var/log, but still no Enforcer response in kern.log.

    My questions:
    a. I would greatly appreciate it if someone could point out what went wrong or any steps I missed.
    b. Does the Enforcer need ALL of these to function:

    i) TPM chip/emulator (I installed Mario Strasser's TPM Emulator v0.20)
    ii) Encrypted Loopback Filesystem

    I suspect both are needed before kern.log gives any output, since:

    jyteh:/home/jyteh/enforcer-0.4.beta/helper# ./helper
    helper: usage
    helper (start|stop|force-stop|tpm-lock)
    jyteh:/home/jyteh/enforcer-0.4.beta/helper# ./helper start
    helper: unable to open '/etc/enforcer/' for reading.

    Thanks in advance for any kind feedback.
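The post above lists an `action=log /root/test` entry, a database built from it, and the kind of `Expected:` / `Found:` mtime mismatch the Enforcer logs when a protected file changes. The following is an added, stand-alone user-space example (not the Enforcer project's own code, and not a substitute for its kernel module) that walks the same three stages so the behaviour being tested is concrete: parse an entries file in the `action=<verb> <path>` form seen in the post, record each file's mtime and sha1 into a database, then re-check and emit findings in the same "attribute ... incorrect / Expected / Found" shape. The entry grammar beyond the one line shown, the `mtime_ns` field name and the `demo()` directory are assumptions made for this example.

```python
import hashlib
import os
import tempfile

def parse_entries(text):
    """Parse lines of the form 'action=log /path' into (action, path) tuples.
    Blank lines and '#' comments are skipped (assumed, not an Enforcer rule)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action_part, _, path = line.partition(" ")
        if not action_part.startswith("action=") or not path.strip():
            raise ValueError(f"malformed entry: {raw!r}")
        entries.append((action_part[len("action="):], path.strip()))
    return entries

def sha1_of(path):
    """Stream the file through SHA-1 (the digest the poster compared by hand)."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_db(entries):
    """Record the attributes to be enforced for each entry: mtime (ns) and sha1."""
    db = {}
    for action, path in entries:
        st = os.stat(path)
        db[path] = {"action": action, "mtime_ns": st.st_mtime_ns, "sha1": sha1_of(path)}
    return db

def check_db(db):
    """Return one finding per attribute whose current value differs from the database."""
    findings = []
    for path, rec in db.items():
        st = os.stat(path)
        current = (("mtime", rec["mtime_ns"], st.st_mtime_ns),
                   ("sha1", rec["sha1"], sha1_of(path)))
        for attr, expected, found in current:
            if expected != found:
                findings.append({"path": path, "attribute": attr, "action": rec["action"],
                                 "expected": expected, "found": found})
    return findings

def format_finding(f):
    """Render a finding in the same shape as the kern.log lines quoted in the post."""
    return [f"Enforcer: attribute {f['attribute']} of `{f['path']}' incorrect",
            f"Enforcer: Expected: {f['expected']}",
            f"Enforcer: Found:    {f['found']}"]

def demo():
    """Build a database for a constructed file, tamper with it, and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "test")          # constructed stand-in for /root/test
        with open(target, "w") as fh:
            fh.write("original\n")
        db = build_db(parse_entries(f"action=log {target}\n"))
        clean = check_db(db)                      # nothing changed yet: expect []
        with open(target, "w") as fh:             # modify the file, as in step 4
            fh.write("tampered\n")
        st = os.stat(target)                      # force a clearly later mtime so the
        os.utime(target, ns=(st.st_atime_ns, db[target]["mtime_ns"] + 10**9))  # mtime finding is deterministic
        findings = check_db(db)
        for f in findings:
            for line in format_finding(f):
                print(line)
        return clean, findings

if __name__ == "__main__":
    demo()
```

Running the script prints two findings for the tampered file, one for `mtime` and one for `sha1`. The point for the poster's situation is that this user-space check only demonstrates what a correct database-versus-file comparison reports; it says nothing about whether the kernel module is loaded and consulting `/etc/enforcer/enforcer.db`, which is the part that must be confirmed before expecting anything in kern.log.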