I'm using tripwire on RedHat 9.0. When I run 'tripwire -m c' I always get one violation (even when I run it directly after running the 'tripwire -m i' command):
Any idea how I can get rid of this violation without removing the /root directory from the policy file?
When I was using tripwire on Mandrake 8 this never occurred.
The underlying question is, "why is Tripwire detecting a change to /root?" Tripwire will report exactly how the properties for the /root object differ from what's in its database, so we need to know what it sees as being different. Then, it will be a simple matter of removing this particular property from the /root rule in the policy, and you should be in good shape.
To find this out, you'll need to run a level 3 report:
./twprint -m r -t 3 -r ../report/<report-name>.twr
This will show you what aspects of /root changed (including what it expected, and what it observed).
My guess: either the access time is changing, or the inode time stamp. When we know what is causing the violation, we can take more targeted action in the policy instead of resorting to ignoring the entire /root directory.
Hope this helps,
Thanks, that put me on the right track. It was the access/change time of the inode timestamp that was causing the problem.
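The policy change described in the reply, once the level 3 report has named the offending property, would look like the following. This is an added illustration, not a fragment from either poster's policy; it assumes the stock RedHat twpol.txt variables (IgnoreNone = +pinusgamctdrbCMSH-l, SEC_CRIT = $(IgnoreNone)-SHa) and a rulename of my own choosing.

```text
# Added example (not from the original thread): the /root rule in /etc/tripwire/twpol.txt.
# Property letters relevant here:
#   a  access timestamp (already removed by the stock SEC_CRIT, so not the culprit)
#   c  inode change timestamp (ctime), the property named in the follow-up
#   m  modification timestamp, which still catches real content changes
(
  rulename = "Root directory",      # assumed name
  severity = $(SIG_HI)
)
{
  # Before: every SEC_CRIT property is checked, so a ctime bump on /root is a violation.
  # /root -> $(SEC_CRIT) ;

  # After: drop only the inode change time for this rule; permissions, ownership,
  # size, mtime and the checksums in SEC_CRIT are still verified.
  /root -> $(SEC_CRIT) -c ;

  /root/.bash_history -> $(SEC_CONFIG) ;   # assumed child entry, as in the stock policy
}
```

After saving the text policy, regenerate the signed policy with `twadmin -m P /etc/tripwire/twpol.txt` and rebuild the database with `tripwire -m i`; a following `tripwire -m c` should then be clean for /root while the rest of the subtree stays fully checked.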