Tripwire --check errors..what to do?

ir0nmdn · 10-18-2005, 03:49 PM

Hello,

I have installed the base version of tripwire, which came with a RH9.0 book I purchased last week. I must admit I am at work and left my sheet with the various vrns, but hopefully someone can guide me I apologize since that might be helpful in answering..

My problem is a LOOONG list of errors when running the --init or one of the other options like --check. I am fairly confident several of them should not be commented out based on the man but how about the rest. Please forgive me for the long list, but if you could rvw it and let me know which ones I can safely ignore/comment out from the twpol.txt

Here goes

The first is as listed in the output. I will only list the filename for the other entries for space sake..)

1. File system error.
Filename: /root/.esd_auth
No such file or directory

Filename: /usr/sbin/fixrmtab
Filename: /sbin/accton
Filename: /sbin/busybox
Filename: /sbin/busybox.anaconda
Filename: /sbin/fsck.minix
Filename: /sbin/mkfs.bfs
Filename: /sbin/mkfs.minix
Filename: /sbin/update
Filename: /sbin/adjtimex
Filename: /sbin/sndconfig
Filename: /sbin/dhcpcd
Filename: /sbin/iptables
Filename: /sbin/ipchains
Filename: /sbin/ipchains-restore
Filename: /sbin/ipchains-save
Filename: /sbin/ipfwadm
Filename: /sbin/ipvsadm
Filename: /sbin/ipvsadm-restore
Filename: /sbin/ipvsadm-save
Filename: /sbin/mgetty
Filename: /sbin/vgetty
Filename: /sbin/cbq
Filename: /sbin/shapecfg
Filename: /sbin/sash
Filename: /sbin/ipfwadm-wrapper
Filename: /sbin/mount.ncp
Filename: /sbin/mount.ncpfs
Filename: /sbin/raidhotgenerateerror
Filename: /var/lock/subsys/ipchains
Filename: /var/lock/subsys/iptables
Filename: /var/lock/subsys/ipvsadm
Filename: /var/lock/subsys/ypbind
Filename: /var/lock/subsys/amd
Filename: /var/lock/subsys/arpwatch
Filename: /var/lock/subsys/autofs
Filename: /var/lock/subsys/bcm
Filename: /var/lock/subsys/bgpd
Filename: /var/lock/subsys/bootparamd
Filename: /var/lock/subsys/canna
Filename: /var/lock/subsys/cWnn
Filename: /var/lock/subsys/firewall
Filename: /var/lock/subsys/freeWnn
Filename: /var/lock/subsys/gated
Filename: /var/lock/subsys/httpd
Filename: /var/lock/subsys/identd
Filename: /var/lock/subsys/innd
Filename: /var/lock/subsys/irda
Filename: /var/lock/subsys/iscsi
Filename: /var/lock/subsys/kadmin
Filename: /var/lock/subsys/kprop
Filename: /var/lock/subsys/krb
Filename: /var/lock/subsys/krbkdc
Filename: /var/lock/subsys/kWnn
Filename: /var/lock/subsys/ldap
Filename: /var/lock/subsys/linuxconf
Filename: /var/lock/subsys/lpd
Filename: /var/lock/subsys/mcserv
Filename: /var/lock/subsys/mysqld
Filename: /var/lock/subsys/named
Filename: /var/lock/subsys/nfs
Filename: /var/lock/subsys/nscd
Filename: /var/lock/subsys/ntpd
Filename: /var/lock/subsys/ospfd
Filename: /var/lock/subsys/ospfd
Filename: /var/lock/subsys/pcmcia
Filename: /var/lock/subsys/postgresql
Filename: /var/lock/subsys/pxe
Filename: /var/lock/subsys/radvd
Filename: /var/lock/subsys/rarpd
Filename: /var/lock/subsys/reconfig
Filename: /var/lock/subsys/rhnsd
Filename: /var/lock/subsys/ripd
Filename: /var/lock/subsys/ripngd
Filename: /var/lock/subsys/routed
Filename: /var/lock/subsys/rstatd
Filename: /var/lock/subsys/rusersd
Filename: /var/lock/subsys/rwalld
Filename: /var/lock/subsys/rwhod
Filename: /var/lock/subsys/smb
Filename: /var/lock/subsys/snmpd
Filename: /var/lock/subsys/squid
Filename: /var/lock/subsys/tux
Filename: /var/lock/subsys/tWnn
Filename: /var/lock/subsys/ups
Filename: /var/lock/subsys/vncserver
Filename: /var/lock/subsys/wine
Filename: /var/lock/subsys/xfs
Filename: /var/lock/subsys/yppasswdd
Filename: /var/lock/subsys/ypserv
Filename: /var/lock/subsys/ypxfrd
Filename: /var/lock/subsys/zebra
Filename: /etc/named.conf
Filename: /etc/tripwire/localhost-local.key
Filename: /etc/sysconfig/network-scripts/ifdown-cipcb
Filename: /etc/sysconfig/network-scripts/ifup-cipcb
Filename: /bin/sfxload
Filename: /bin/aumix-minimal
Filename: /bin/gawk-..
Filename: /bin/gettext
Filename: /bin/zsh
Filename: /bin/zsh-..
Filename: /bin/ksh

Thank you very much in advance!!

R

TruckStuff · 10-19-2005, 09:33 AM

The problem is that the policy file you have been given is out of date. The policy file that ships ships with Tripwire is pretty good for a RH9 box, but unfortunately its not very good for modern distros. I'd suggest you checkout tripwire-portable. Its based on the (now unmaintained) Tripwire source and is easier to use on modern distros. The default policy file is much better than the one that ships with tripwire, although its a bit open ended (i.e. it cheks too many things) and can result in some obnoxious warnings, so it will still need to be tweaked.

ir0nmdn · 10-20-2005, 08:43 AM

Quote:

Originally posted by TruckStuff
The problem is that the policy file you have been given is out of date. The policy file that ships ships with Tripwire is pretty good for a RH9 box, but unfortunately its not very good for modern distros. I'd suggest you checkout tripwire-portable. Its based on the (now unmaintained) Tripwire source and is easier to use on modern distros. The default policy file is much better than the one that ships with tripwire, although its a bit open ended (i.e. it cheks too many things) and can result in some obnoxious warnings, so it will still need to be tweaked.

Ok let me check. I ran in to a bigger issue trying to resolve the db device busy error while running the rebuilddb for rpm. I had to reinstall since everything I kept on adding referred to another dependency.. uuurggh..

Is there a better app which can do the same as tripwire since, if I understood, tw is 'done'..

Thanks,
Raymond

TruckStuff · 10-20-2005, 08:48 AM

Quote:

Originally posted by ir0nmdn
Is there a better app which can do the same as tripwire since, if I understood, tw is 'done'..

I wouldn't call tripwire "done," especially since so much of it depends on the policy files. But, yes, there are other file integrity checkers out there. Look in the Security references thread at the top of this forum.