Problem with /etc directory and contents

2008-01-28
2013-04-30
  • Greg Kilfoyle

    Greg Kilfoyle - 2008-01-28

    Hi,

    I've just started using tripwire for the first time and am having an issue with the /etc directory. Here's the relevant policy contents:

    SEC_BIN    = $(ReadOnly) ;
    SEC_CONFIG = $(Dynamic) ;
    {
            /etc/mtab       -> $(SEC_CONFIG) -i ;
    }
    {
            /etc            -> $(SEC_BIN) ;
    }

    The /etc/mtab file changes every time the system is loaded or a file system is mounted/unmounted, which causes the /etc directory to also be modified. I can't find a way of having all the /etc contents checked, but not the /etc directory itself. The only ways I can see around this would be to: 1) explicitly list all /etc files and directories (very tedious); or 2) ignore the reported /etc changes from each check.

    How have others handled this?

    Thanks, Greg.

    • Andy Bach

      Andy Bach - 2008-01-28

      Ours is set up:
      # Commonly accessed directories that should remain static with regards to owner and group
      (
        rulename = "Invariant Directories",
        severity = $(SIG_MED)
      )
      {
        /                                    -> $(SEC_INVARIANT) (recurse = 0) ;
        /home                                -> $(SEC_INVARIANT) (recurse = 0) ;
        /etc                                 -> $(SEC_INVARIANT) (recurse = 0) ;
      }

      ...
      (
        rulename = "System boot changes",
        severity = $(SIG_HI)
      )
      {
        /etc/mtab                         -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount
      }

    • Greg Kilfoyle

      Greg Kilfoyle - 2008-01-28

      Thanks Andy.

      So you don't have a rule which covers the full contents of the /etc directory?

      I tried entering two rules for /etc, one with recursion and one without, but it wouldn't let me.

      • Andy Bach

        Andy Bach - 2008-01-28

        No, there are plenty of /etc/<blah> files listed - this is using the default RedHat twpol.txt.

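The approach Andy describes (one non-recursive $(SEC_INVARIANT) rule for the /etc directory itself, then a separate rule for each entry under /etc, with /etc/mtab ignoring its inode) works because Tripwire only reports what a rule asks for: with (recurse = 0) on /etc, mount/unmount churn in /etc/mtab no longer shows up as a modified /etc, while the per-entry rules still recurse into their own contents. The tedious part is typing the list. The shell script below is an added example, not code from this thread or from the Tripwire project: it generates that stanza from a directory listing. It assumes SEC_BIN, SEC_CONFIG, SEC_INVARIANT and SIG_HI are already defined earlier in twpol.txt (as in the Red Hat default policy), and the VOLATILE list of churning files is an assumed example you would adjust for your own host.

```shell
#!/bin/sh
# Added example: generate a Tripwire rule block that checks everything under
# a directory while checking the directory inode itself only for owner, group
# and permissions (no recursion), so churn in a volatile file such as mtab does
# not register as a change to the directory.
#
# Assumptions (not from the thread): SEC_BIN, SEC_CONFIG, SEC_INVARIANT and
# SIG_HI are defined earlier in twpol.txt; VOLATILE is an illustrative list.
#
# Usage: gen_etc_policy /etc >> /etc/tripwire/twpol.txt

VOLATILE="mtab resolv.conf adjtime"   # assumed: files whose inode/contents churn

# is_volatile NAME: succeed if NAME is listed in $VOLATILE
is_volatile() {
    for v in $VOLATILE; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# gen_etc_policy DIR: print a complete Tripwire rule block for DIR on stdout
gen_etc_policy() {
    dir="${1:-/etc}"
    printf '(\n  rulename = "%s contents",\n  severity = $(SIG_HI)\n)\n{\n' "$dir"
    # The directory inode itself: owner/group/permissions only, no recursion.
    printf '  %-40s -> $(SEC_INVARIANT) (recurse = 0) ;\n' "$dir"
    # One rule per direct child; subdirectories recurse with Tripwire's default.
    find "$dir" -mindepth 1 -maxdepth 1 | LC_ALL=C sort | while IFS= read -r path; do
        name=${path##*/}
        if is_volatile "$name"; then
            # Same treatment the thread gives /etc/mtab: Dynamic mask, ignore inode.
            printf '  %-40s -> $(SEC_CONFIG) -i ;   # changes on mount/unmount or boot\n' "$path"
        else
            printf '  %-40s -> $(SEC_BIN) ;\n' "$path"
        fi
    done
    printf '}\n'
}
```

After appending the output to twpol.txt, regenerate the signed policy with `twadmin --create-polfile` and rebuild the database with `tripwire --init`. One caveat worth keeping in mind: because /etc itself is no longer recursed, a file created directly under /etc after the stanza was generated matches no rule and is not checked at all until you regenerate and re-initialize, so the generation step belongs in whatever process you use to roll out configuration changes.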
