mdlueck - 2010-10-11


We are making use of Tripwire that is found in the Ubuntu 8.04 repository on an x64 server hosted upon Parallels Virtuozzo Version 25.3.swsoft (build: 3.0.0-25.3.swsoft)

Our hosting provider, and I will quote from their email response:

"It looks like the hardware node was rebooted by our local administrators on xx-xx-2010 at about 1:05pm EST."

The result was that MANY files were now failing their Tripwire scan. Yet I bravely fetched one off the server, a shell script file, and the MD5SUM matched a local copy.

Digging still further, I found that Inode numbers had changed, for example:

  Property:            Expected                    Observed
  -----------          -----------                 -----------
* Inode Number         654384574                   518848516

So questions:

1) Where is it documented what policies the various "rule names" in the twpol.txt file actually scan? For example: IgnoreNone, ReadOnly, Dynamic, and so on. I even see in the Ubuntu version of the file at times names being used, but modified by additional switches, such as:

SEC_CRIT      = $(IgnoreNone)-SHa ;

2) I did a bit of reading up on Inodes. Perhaps if the provider somehow ran a defrag of our VPS, pointers to the disk blocks could have changed. How could I ignore that part of the Inode but allow the rest of the Inode to be included for consideration? Or if you think something else likely happened to adjust Inode numbers, please suggest your impression.

In general, I was thinking Tripwire was doing some sort of md5sum checking of sorts, and I do see that as one of the options. Thus I would like to understand Tripwire's configuration in greater detail, and save myself from further tense moments… If you know what I mean! :-)

Michael Lueck
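The following is an added example, not code from the original post or from the Tripwire project. The "rule names" in the post (IgnoreNone, ReadOnly, Dynamic and the others) are predefined property-mask variables, and the twpolicy(4) manual page defines each one as a string of single-letter property flags prefixed with `+` (check) or `-` (ignore); a mask such as `$(IgnoreNone)-SHa` is that string with the SHA, Haval and access-time flags switched off. The script below reproduces the mask definitions from twpolicy(4), expands a mask the way Tripwire does (textual variable substitution, then a left-to-right walk over `+`/`-` flags), and shows that appending `-i` to a mask drops only the inode-number property while every other property stays under consideration. The policy snippet embedded in it (SEC_CRIT, SEC_CRIT_NOINODE, SEC_BIN) is constructed for the example.

```python
"""Expand Tripwire policy property masks such as "$(IgnoreNone)-SHa".

Added example, not the original poster's code and not part of Tripwire.
The flag letters and the predefined variables below are the ones listed
in the twpolicy(4) manual page; the policy snippet is constructed here.
"""
import re

# Single-letter property flags and what each one checks (twpolicy(4)).
PROPERTY_NAMES = {
    "p": "permissions", "i": "inode number", "n": "number of links",
    "u": "user id", "g": "group id", "t": "file type", "s": "file size",
    "d": "device number of disk holding the inode",
    "r": "device number pointed to by the inode", "b": "blocks allocated",
    "a": "access timestamp", "m": "modification timestamp",
    "c": "inode change timestamp", "C": "CRC-32", "M": "MD5",
    "S": "SHA", "H": "Haval", "l": "growing file",
}

# Predefined property-mask variables as documented in twpolicy(4).
PREDEFINED = {
    "ReadOnly":   "+pinugtsdbmCM-rlacSH",
    "Dynamic":    "+pinugtd-srlbamcCMSH",
    "Growing":    "+pinugtdl-srbamcCMSH",
    "Device":     "+pugsdr-intlbamcCMSH",
    "IgnoreAll":  "-pinugtsdrlbamcCMSH",
    "IgnoreNone": "+pinugtsdrbamcCMSH-l",
}

_VAR_REF = re.compile(r"\$\((\w+)\)")
_VAR_DEF = re.compile(r"^\s*(\w+)\s*=\s*([^;]+);", re.MULTILINE)

# Constructed policy fragment in twpol.txt syntax (not from the poster's file).
POLICY_SNIPPET = """\
@@section FS
SEC_CRIT         = $(IgnoreNone)-SHa ;
SEC_CRIT_NOINODE = $(SEC_CRIT)-i ;
SEC_BIN          = $(ReadOnly) ;
"""


def parse_variables(policy_text):
    """Collect 'NAME = value ;' definitions from policy text into a dict."""
    return {name: value.strip() for name, value in _VAR_DEF.findall(policy_text)}


def _lookup(name, variables):
    """User-defined variables take precedence over the predefined ones."""
    if name in variables:
        return variables[name]
    if name in PREDEFINED:
        return PREDEFINED[name]
    raise KeyError(f"undefined policy variable {name}")


def resolve(mask, variables=None, max_depth=10):
    """Substitute $(NAME) references textually until none remain."""
    variables = variables or {}
    text = mask.strip().rstrip(";").strip()
    for _ in range(max_depth):
        if not _VAR_REF.search(text):
            return text
        text = _VAR_REF.sub(lambda m: _lookup(m.group(1), variables), text)
    raise ValueError("variable references nested too deeply (cycle?)")


def expand_mask(mask, variables=None):
    """Return the set of property flags a mask actually checks.

    After substitution the string is walked left to right: '+' switches
    to adding flags, '-' to removing them, and a later flag overrides an
    earlier occurrence of the same letter.
    """
    checked = set()
    adding = True
    for ch in resolve(mask, variables):
        if ch == "+":
            adding = True
        elif ch == "-":
            adding = False
        elif ch in PROPERTY_NAMES:
            (checked.add if adding else checked.discard)(ch)
        elif not ch.isspace():
            raise ValueError(f"unknown property flag {ch!r}")
    return checked


def describe(mask, variables=None):
    """Human-readable list of the properties a mask checks."""
    return sorted(PROPERTY_NAMES[f] for f in expand_mask(mask, variables))


if __name__ == "__main__":
    variables = parse_variables(POLICY_SNIPPET)
    for name in ("SEC_CRIT", "SEC_CRIT_NOINODE", "SEC_BIN"):
        flags = expand_mask(f"$({name})", variables)
        print(f"{name} = {resolve(f'$({name})', variables)}")
        print(f"  checks: {', '.join(describe(f'$({name})', variables))}")
        print(f"  inode number checked: {'i' in flags}")
```

Running it shows SEC_CRIT still checking the inode number (so a re-created inode trips the rule even though the MD5 matches), while SEC_CRIT_NOINODE checks the same properties minus that one; the block-pointer layout the post wonders about is not a property at all, since the only inode-related flags are the number itself (`i`), the change timestamp (`c`) and the block count (`b`).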