LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 05-26-2004, 03:13 PM   #1
wedgeworth
Member
 
Registered: Aug 2003
Posts: 234

Rep: Reputation: 30
recursive checking and log files (tripwire)


ok, still getting tripwire all set up. never tried anything like this before, so i'm still having some questions with it. first, i haven't figured everything out about "recurse" syntax in the twpol.txt file. i find entries like these:

/home -> $(SEC_INVARIANT) (recurse = 0) ;
/sbin -> $(SEC_BIN) (recurse = 1) ;
recurse = false,

what exactly does that mean. does the "recurse = false" in the rule description mean everything listed in that rule set is what is checked...and never to go down a directory?

and the "recurse = 0" does that mean only check the file or directory directly listed in the rule set...don't descend...while "recurse=1" means check everything and go decend one directory as well? those are my best estimations as to the syntax. if someone could straighten me out i'd appreciate.


also i'm getting the log rotations showing up on my reports. under /var/log
the following show up, along with their rotation logs (1,2,3, exetra):

/httpd/error_log
/sa/sa
/sa/sar
maillog
messages
rpmpkgs
secure
spooler
up2date


i'm not exaclty sure, since i'm also new to administrating, as to what to do about this. should i ignore this errors, and chalk them up to rotation, and try to remove them from my tripwire's scans? is that bad for security. is there some i can remove from the check and some that i shouldn't. i'm not sure exactly what a good policy is? anybody with more background and security expertise got some suggestions. i know it happends to everybody, just not sure what the best policy is....
 
Old 05-27-2004, 04:28 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,451
Blog Entries: 54

Rep: Reputation: 2893Reputation: 2893Reputation: 2893Reputation: 2893Reputation: 2893Reputation: 2893Reputation: 2893Reputation: 2893Reputation: 2893Reputation: 2893Reputation: 2893
I don't use tripwire, i'm using Aide, so I can't comment on the recursive syntax. I suppose it should be in the docs?


also i'm getting the log rotations showing up on my reports. under /var/log
the following show up, along with their rotation logs (..) i'm not exaclty sure, since i'm also new to administrating, as to what to do about this. should i ignore this errors, and chalk them up to rotation, and try to remove them from my tripwire's scans? is that bad for security. is there some i can remove from the check and some that i shouldn't.

Logs grow, and that changes their checksum. When they're rotated they're renamed and the oldest one is deleted, so that changes their sums as well. There's not much you achieve by adding them to the integrity test. For stuff like utmp there's other ways to verify integrity.
 
Old 05-28-2004, 12:20 PM   #3
wedgeworth
Member
 
Registered: Aug 2003
Posts: 234

Original Poster
Rep: Reputation: 30
-----------------------------------------------------
For stuff like utmp there's other ways to verify integrity.
-----------------------------------------------------


such as? explain.....


are you saying that as long as you check other things, like the utmp stuff, that you really don't have to worry about all the logs. that you can always be checking for integrity w/o fooling with the them (the logs and their rotation)?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Error checking CDs with recursive MD5 un134sh3d Linux - General 2 06-20-2005 05:22 PM
chmod recursive on files on dlublink Linux - Newbie 6 03-02-2005 08:45 AM
Tripwire log question PktLoss Linux - Security 1 08-28-2004 05:00 AM
rox + recursive permission change for FILES only? NonSumPisces Linux - Newbie 9 08-11-2004 07:21 PM
Can log files be time stamped? (such as FTP login and transfer log files) bripage Linux - Networking 6 08-08-2002 10:55 PM


All times are GMT -5. The time now is 08:08 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration