From: Olli A. <ol...@me...> - 2001-04-11 17:50:11
On Wed, 11 Apr 2001, Ron Forrester wrote:

> > The main (& the HUGEST) bad changes in report was that I
> > CAN'T know from it what it WAS & what it NOW. I _NEED_ this information
> > for all parameters set to be checked.
>
> Maybe I misunderstand you Olli, but here is an excerpt from a 2.3 report:
>
>   Property:       Expected                   Observed
>   -------------   -----------                -----------
>   Object Type     Regular File               Regular File
>   Device Number   769                        769
>   Inode Number    104008                     104008
>   Mode            -rwxr-xr-x                 -rwxr-xr-x
>   Num Links       1                          1
>   UID             0                          0
>   GID             0                          0
> * Size            1151                       1316
> * Modify Time     Thu Feb 15 13:47:41 2001   Mon Apr 9 06:05:32 2001
>   Blocks          4                          4
> * CRC32           DSBqPk                     AwneSj
> * MD5             B9C6iM+h+k7koU+m6zwtpt     D/jgBrXJwzYnwxmq9CJP1j
>
> It clearly shows what the properties were (Expected), and what they are now
> (observed), and marks the changed ones with an '*' to highlight them. Is
> this not what you are asking for above?

yep. The only thing left for this is not to say what has not changed.
Probably with special variable from config?

> > What da hell means /bin/ls has changed? What of MANY
> > parameters changed. & HOW they were changed. :? I've some scripts running
> > from
>
> I am beginning to think you have your report level set at something below 3.
> You need to add to your config file:
>
> EMAILREPORTLEVEL = 4

If it is really the case I'll have to say sorry for things I said... To
check this I'll reinstall tripwire again.

> and I think you will get a lot more information (too much according to some
> <cough><g>).
>
> > These new reports are USELESS. I decided to remove tripwire
> > because old one with fine reports has bugs with non-"C"-locale-based file
> > names & the new one is just a WASTE of CPU cycles & human reading time.
>
> With all due respect, that is really just plain silly. I mean, come on. You
> are going to compromise your system security policy because the reports are
> a little _too_ verbose?

If they were meaningfully verbose (at least saying all quoted above) I
won't remove tripwire then.

I meant what I said - without the subject of changes reading reports is
a waste of time. I'll reinstall tripwire again & check what you said. If
that's why I got so dumb reports - I'll say "I'm sorry for producing my
stupid noise at the list".

> I really think if you explore the EMAILREPORTLEVEL values from 0 to 4 you
> will find one that you can live with until Gary and I come up with
> something better, and in the meantime at least your system(s) are more
> secure for having tripwire running on them.

The system security doesn't rise if I install tripwire (& any other
passive intrusion detection tool). It rises by, for example,
www.openwall.org kernel patches, libsafe preloading & strict login /
group / password / permissions / software_installation_policy & so on
things.

But monitoring the system for changes is really required thing, I agree.
Without this I'm at risk of losing the moment of intrusion. I'm not happy
that I was unable to use new tripwire reports.

Thank you, I'll install it again & look if my problem was in verbosity
level.

-- 
Bye. Olli
MISiS Telecommunications
phone: +7(095)955-0087