I am using Enforcer 0.4 beta for my postgraduate research work. After installation, I am trying to verify that the Enforcer works and trying to get the Enforcer to issue an alert to the OS log files in the event the SHA1 of a file changes, i.e. I am trying to achieve this:
kernel: Enforcer:enforcer_bad_entry:1153: Enforcer: attribute mtime of `/root/test' incorrect
kernel: Enforcer:enforcer_bad_entry:1182: Enforcer: Expected: 1074028730.768740586
kernel: Enforcer:enforcer_bad_entry:1186: Enforcer: Found: 1078860942.634554050
kernel: Enforcer:enforcer_bad_entry:1204: Enforcer: this means the file has been modified since the database was built. Your system may be compromised.
I have performed all STEPS outlined in the README.CONFIG file from QUICKSTART to SIGNING THE DATABASE.
However, instead of producing the above output, the Enforcer performs a check of every kernel file during system startup. The checks performed are as follows (from kern.log):
<snip>
Jun 13 16:45:45 localhost kernel: Enforcer:inode_permission_dentry_check:1639: checking: /etc/rpc
Jun 13 16:45:48 localhost kernel: Enforcer:inode_permission_dentry_check:1639: checking: /usr/share/mime/globs
Jun 13 16:45:48 localhost kernel: Enforcer:inode_permission_dentry_check:1639: checking: /usr/share/mime/magic
<snip>
I added "enforcer.debug_level=1 enforcer.check_signature=no" to GRUB 0.97 in Debian Etch r9 but still can't get the bad_entry alert. I also tried "enforcer.debug_level=0 enforcer.check_signature=yes", but to no avail.
What configuration is needed to make Enforcer display the bad_entry alert?
Thanks for helping.
rgds
jyteh
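Added example, not code from the post above or from the Enforcer project: a small Python parser for the two kinds of Enforcer kernel messages quoted in the post. The "checking:" lines from inode_permission_dentry_check are collected as a list of paths, and the four-line enforcer_bad_entry sequence (attribute header, Expected, Found, verdict) is folded into one alert record, so that a log with thousands of "checking:" lines can be reduced to the alerts that matter. The sample log embedded below is constructed from the formats shown in the post (the syslog prefix on the bad_entry lines is invented for the sample, since the post quotes them without one); the parser accepts both the prefixed and the bare "kernel: Enforcer:..." form.

```python
"""Reduce Enforcer LSM kern.log output to 'checking' events and bad_entry alerts.
Added illustration, not part of the Enforcer project."""
import re
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional, Tuple

# Constructed sample in the formats shown in the post (timestamps on the
# bad_entry lines are invented; the message texts are the ones quoted).
SAMPLE_KERN_LOG = """\
Jun 13 16:45:45 localhost kernel: Enforcer:inode_permission_dentry_check:1639: checking: /etc/rpc
Jun 13 16:45:48 localhost kernel: Enforcer:inode_permission_dentry_check:1639: checking: /usr/share/mime/globs
Jun 13 16:45:49 localhost kernel: Enforcer:enforcer_bad_entry:1153: Enforcer: attribute mtime of `/root/test' incorrect
Jun 13 16:45:49 localhost kernel: Enforcer:enforcer_bad_entry:1182: Enforcer: Expected: 1074028730.768740586
Jun 13 16:45:49 localhost kernel: Enforcer:enforcer_bad_entry:1186: Enforcer: Found: 1078860942.634554050
Jun 13 16:45:49 localhost kernel: Enforcer:enforcer_bad_entry:1204: Enforcer: this means the file has been modified since the database was built. Your system may be compromised.
Jun 13 16:45:50 localhost kernel: Enforcer:inode_permission_dentry_check:1639: checking: /usr/share/mime/magic
"""

# Syslog prefix is optional so that lines copied straight from dmesg also parse.
LINE_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) )?"
    r"kernel: Enforcer:(?P<func>\w+):(?P<srcline>\d+): (?P<msg>.*)$"
)
CHECK_RE = re.compile(r"^checking: (?P<path>.+)$")
BAD_ATTR_RE = re.compile(r"^Enforcer: attribute (?P<attr>\w+) of `(?P<path>.+)' incorrect$")
EXPECTED_RE = re.compile(r"^Enforcer: Expected: (?P<val>\S+)$")
FOUND_RE = re.compile(r"^Enforcer: Found: (?P<val>\S+)$")
VERDICT_RE = re.compile(r"^Enforcer: this means the file has been modified")


@dataclass
class BadEntry:
    path: str
    attribute: str
    timestamp: Optional[str] = None
    expected: Optional[str] = None
    found: Optional[str] = None
    complete: bool = False  # True once the closing "this means ..." line was seen

    def drift_seconds(self) -> Optional[Decimal]:
        """For mtime mismatches: live timestamp minus database timestamp.
        Decimal keeps the nanosecond fraction that float would round away."""
        if self.attribute != "mtime" or self.expected is None or self.found is None:
            return None
        return Decimal(self.found) - Decimal(self.expected)


def parse_enforcer_log(text: str) -> Tuple[List[str], List[BadEntry]]:
    """Return (paths checked, bad_entry alerts) found in a kern.log excerpt."""
    checks: List[str] = []
    alerts: List[BadEntry] = []
    current: Optional[BadEntry] = None

    def flush() -> None:
        nonlocal current
        if current is not None:
            alerts.append(current)
            current = None

    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an Enforcer kernel line; other syslog traffic is ignored
        func, msg = m.group("func"), m.group("msg")
        if func == "inode_permission_dentry_check":
            c = CHECK_RE.match(msg)
            if c:
                checks.append(c.group("path"))
            continue
        if func != "enforcer_bad_entry":
            continue
        b = BAD_ATTR_RE.match(msg)
        if b:
            flush()  # a new alert started before the previous one closed
            current = BadEntry(path=b.group("path"), attribute=b.group("attr"),
                               timestamp=m.group("ts"))
            continue
        if current is None:
            continue  # Expected/Found with no preceding header line: nothing to attach to
        e, f = EXPECTED_RE.match(msg), FOUND_RE.match(msg)
        if e:
            current.expected = e.group("val")
        elif f:
            current.found = f.group("val")
        elif VERDICT_RE.match(msg):
            current.complete = True
            flush()
    flush()  # an alert cut off at the end of the log is still reported
    return checks, alerts


if __name__ == "__main__":
    checked, bad = parse_enforcer_log(SAMPLE_KERN_LOG)
    print(f"{len(checked)} files checked, {len(bad)} bad_entry alert(s)")
    for a in bad:
        print(f"  {a.path}: {a.attribute} expected {a.expected}, found {a.found},"
              f" drift {a.drift_seconds()} s, complete={a.complete}")
```

The parser deliberately reports an alert whose verdict line never arrived (complete=False): on a box that panics or reboots right after the mismatch, the last lines of the sequence may be the ones that do not make it to disk, and a partial alert is still evidence.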