LinuxQuestions.org, Linux - Security forum: Tripwire check with error messages related to proc (http://www.linuxquestions.org/questions/linux-security-4/tripwire-check-with-error-messages-related-to-proc-933616/)

shayno90 03-09-2012 10:17 AM

Tripwire check with error messages related to proc
 
I have set up the tripwire database and have run tripwire --check to get rid of errors in the twpol.txt file; however, 4 errors remain related to proc, and there is no option to comment out specific proc directories:

tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
.....................................................
"/proc/4901/loginuid"
"/proc/4901/sessionid"
"/proc/4901/coredump_filter"

===============================================================================
Error Report:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

1. File system error.
Filename: /proc/4915/fd/3
No such file or directory
2. File system error.
Filename: /proc/4915/fdinfo/3
No such file or directory
3. File system error.
Filename: /proc/4915/task/4915/fd/3
No such file or directory
4. File system error.
Filename: /proc/4915/task/4915/fdinfo/3
No such file or directory

-------------------------------------------------------------------------------
*** End of report ***

In the twpol.txt file:

# Critical devices
#
(
rulename = "Devices & Kernel information",
severity = $(SIG_HI),
)
{
/dev -> $(Device) ;
/proc -> $(Device) ;
}

How can I remove the proc error messages?
It seems the only way to resolve this is to comment out /proc!

shayno90 03-09-2012 11:22 AM

I resolved it by copying the specified /proc directories to monitor from this link and uncommenting /proc:
http://www.faqs.org/docs/securing/chap17sec139.html

Append this under the section:
#/proc -> $(Device) ;
/proc/sys -> $(Device) ;
/proc/cpuinfo -> $(Device) ;
/proc/modules -> $(Device) ;
..........
}

Make sure to comment out these 2 directories on the template as they don't exist on Ubuntu 10.04 according to tripwire:
#/proc/ide
#/proc/ksyms

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***
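
To avoid hand-editing that list on every host, here is an added shell example (not from the thread and not part of Tripwire) that generates the /proc rule lines from a candidate list, commenting out any entry that does not exist on the machine so tripwire --check never reports "No such file or directory" for it. The ROOT parameter and the candidate list are constructed for illustration.

```shell
#!/bin/sh
# gen_proc_rules ROOT < candidate-list
# Reads candidate paths relative to /proc (one per line, '#' lines ignored) on
# stdin and prints one Tripwire policy line per candidate.  Entries present
# under ROOT become real rules; missing ones are emitted commented out.
# ROOT is a hypothetical parameter so the function can be exercised against a
# constructed directory tree as well as the real /proc.
gen_proc_rules() {
    root=$1
    while IFS= read -r rel || [ -n "$rel" ]; do
        [ -z "$rel" ] && continue
        case $rel in '#'*) continue ;; esac
        if [ -e "$root/$rel" ]; then
            printf '/proc/%s -> $(Device) ;\n' "$rel"
        else
            printf '#/proc/%s -> $(Device) ;   # not present on this host\n' "$rel"
        fi
    done
}

# emit_policy ROOT < candidate-list
# Wraps the generated lines in the rule block used in the thread, with the
# bare /proc entry commented out as the second post does.
emit_policy() {
    printf '(\nrulename = "Devices & Kernel information",\nseverity = $(SIG_HI),\n)\n{\n'
    printf '/dev -> $(Device) ;\n#/proc -> $(Device) ;\n'
    gen_proc_rules "$1"
    printf '}\n'
}

# Constructed candidate list: the entries the second post adds, plus the two
# that were reported missing on Ubuntu 10.04.
CANDIDATES='sys
cpuinfo
modules
ide
ksyms'

# Generate the block against the real /proc of this host.
printf '%s\n' "$CANDIDATES" | emit_policy /proc
```

Paste the printed block into twpol.txt in place of the "Devices & Kernel information" rule, then regenerate the policy and database as usual.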

Noway2 03-09-2012 06:00 PM

Thank you for sharing your solution!

