Menu
▾
▴
RE: [Tripwire-announce] what to do??
|
From: Ron F. <ro...@tr...> - 2001-04-11 17:31:41
|
> The main (& the HUGEST) bad changes in report was tat I > CAN'T know from it what it WAS & what it NOW. I _NEED_ this information for > all parameters set to be checked. Maybe I misunderstand you Olli, but here is an excerpt from a 2.3 report: Property: Expected Observed ------------- ----------- ----------- Object Type Regular File Regular File Device Number 769 769 Inode Number 104008 104008 Mode -rwxr-xr-x -rwxr-xr-x Num Links 1 1 UID 0 0 GID 0 0 * Size 1151 1316 * Modify Time Thu Feb 15 13:47:41 2001 Mon Apr 9 06:05:32 2001 Blocks 4 4 * CRC32 DSBqPk AwneSj * MD5 B9C6iM+h+k7koU+m6zwtpt D/jgBrXJwzYnwxmq9CJP1j It clearly shows what the properties were (Expected), and what they are now (observed), and marks the changed ones with an '*' to highlight them. Is this not what you are asking for above? > What da hell means /bin/ls has changed? What of MANY > parameters changed. & HOW them where changed. :? I've some scripts running from I am beginning to think you have your report level set at something below 3. You need to add to your config file: EMAILREPORTLEVEL = 4 and I think you will get a lot more information (too much according to some <cough><g>). > These new reports are USELESS. I decided to remove tripwire > because old one with fine reports has bugs with non-"C"-locale-based file > names & the new one is just a WASTE of CPU cicles & human reading time. With all due respect, that is really just plain silly. I mean, come on. You are going to compromise you system security policy because the reports are a little _too_ verbose? I really think if you explore the EMAILREPORTLEVEL values from 0 to 4 you will find one that you can live with until Gary and I come up with something better, and in the meantime at least your system(s) are more secure for having tripwire running on them. rjf& |