Tripwire and/or Cron modifies /root

  • Anonymous

    Anonymous - 2003-05-07

    Hello tripwireres,

    I have a problem that I would have thought was very common,
    but googeling it didn't turn up any suggestion. The problem
    is that somehow the process of running tripwire as a cron-job
    modifies the root-home directrory, and that I therefore always
    get a violation of the rule
    /root                             -> $(SEC_CRIT) ;
    like so:
      Modified Objects: 1

    Modified object name:  /root

      Property:            Expected                    Observed                   
      -------------        -----------                 -----------                
    * Modify Time          Sun Apr 20 18:40:23 2003    Tue Apr 22 04:11:09 2003   
    * Change Time          Sun Apr 20 18:40:23 2003    Tue Apr 22 04:11:09 2003   

    One can note that:

    Report created on:            Tue Apr 22 04:11:08 2003

    so that the modification was done at the time tripwire was finishing
    up. As this happens every night, there is no doubt in my mind that
    it is the cron-job that makes the modification. It should be noted
    that a manual tripwire --check doesn't give this problem, and that
    the notification mail comes from the tripwire uid, not from cron.

    The command in the tripwire cron-script is
    /usr/sbin/tripwire --check  --silent --no-tty-output --email-report
    so there should never be any output that cron would like to email.
    In any case, I've configured cron to mail any reports to my acount,
    rather than to root, and the emailto tag in tripwire is also set
    to my account, not root. So, there should be no reason that any
    notification should be sent to root.

    SO: why is /root modified ? How can avoid it ? (I'd clearly not
    like to remove the very useful "m" property tag in the rule!!)

    • Anonymous

      Anonymous - 2003-07-25

      I had the same problem. Turned out to be the
      .viminfo file being modified as a result of vi being
      run after a check. This is obiously recursive! In
      the end i put !/root/.viminfo in my cfg file.

      Check to see what dotfiles are being modified in



Log in to post a comment.