I've just started using tripwire for the first time and am having an issue with the /etc directory. Here's the relevant policy contents:
SEC_BIN = $(ReadOnly) ;
SEC_CONFIG = $(Dynamic) ;
/etc/mtab -> $(SEC_CONFIG) -i ;
/etc -> $(SEC_BIN) ;
The /etc/mtab file changes every time the system is loaded or a file system is mounted/unmounted, which causes the /etc directory to also be modified. I can't find a way of having all the /etc contents checked, but not the /etc directory itself. The only ways I can see around this would be to: 1) explicitly list all /etc files and directories (very tedious); or 2) ignore the reported /etc changes from each check.
How have others handled this?
Ours is set up:
# Commonly accessed directories that should remain static with regards to owner and group
(
  rulename = "Invariant Directories",
  severity = $(SIG_MED)
)
{
  /    -> $(SEC_INVARIANT) (recurse = 0) ;
  /home -> $(SEC_INVARIANT) (recurse = 0) ;
  /etc  -> $(SEC_INVARIANT) (recurse = 0) ;
}
(
  rulename = "System boot changes",
  severity = $(SIG_HI)
)
{
  /etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount
}
So you don't have a rule which covers the full contents of the /etc directory?
I tried entering two rules for /etc, one with recursion and one without, but it wouldn't let me.
No, there are plenty of /etc/<blah> files listed - this is using the default RedHat twpol.txt.
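The pattern the thread converges on, written out as an added policy fragment (not the poster's own file): /etc itself is covered by a non-recursive invariant rule so its mtime/ctime churn from mtab is not reported, /etc/mtab is checked with the inode test dropped, and the contents of /etc are listed under their own recursive entries. The SEC_* and SIG_* definitions are assumed to match the default twpol.txt; the file list under "Critical configuration files" is illustrative.

```text
# Property masks and severities (assumed, as defined in the default twpol.txt)
SEC_BIN       = $(ReadOnly) ;   # binaries and static config: everything but access time
SEC_CONFIG    = $(Dynamic) ;    # files expected to change size/mtime, ownership still checked
SEC_INVARIANT = +tpug ;         # type, permissions, owner, group only
SIG_MED       = 66 ;
SIG_HI        = 100 ;

# The /etc directory entry itself: ownership and mode only, and do not descend.
# A second "/etc" entry with recursion would be rejected as a duplicate object,
# so the contents must be covered by separate entries below.
(
  rulename = "Invariant Directories",
  severity = $(SIG_MED)
)
{
  /etc -> $(SEC_INVARIANT) (recurse = 0) ;
}

# Files rewritten on every boot or mount: keep ownership/mode checks,
# but drop the inode test (-i) that fires on each mount/unmount.
(
  rulename = "System boot changes",
  severity = $(SIG_HI)
)
{
  /etc/mtab -> $(SEC_CONFIG) -i ;
}

# Contents of /etc, checked in full under their own entries (illustrative list).
# Subdirectories recurse by default, so one line covers a whole subtree.
(
  rulename = "Critical configuration files",
  severity = $(SIG_HI)
)
{
  /etc/passwd     -> $(SEC_CONFIG) ;
  /etc/group      -> $(SEC_CONFIG) ;
  /etc/shadow     -> $(SEC_CONFIG) ;
  /etc/sudoers    -> $(SEC_BIN) ;
  /etc/ssh        -> $(SEC_BIN) ;
  /etc/pam.d      -> $(SEC_BIN) ;
  /etc/cron.d     -> $(SEC_BIN) ;
  /etc/init.d     -> $(SEC_BIN) ;
  /etc/sysconfig  -> $(SEC_BIN) ;
  /etc/hosts      -> $(SEC_BIN) ;
  /etc/resolv.conf -> $(SEC_CONFIG) ;
}
```

Any file created directly in /etc that is not listed here is not checked, so a periodic diff of `ls /etc` against the policy's entries is the check that catches gaps in the explicit list.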