Old 12-11-2012, 01:04 AM   #1
hocheetiong
Member
Tripwire not able to show who deleted files

Hi All Expert,

I have already installed and set up Tripwire, and it is working fine, but I need to know who (which user ID) made changes (modified, deleted...) to files. From the report I can't see any user ID that changed/deleted my monitored file, even when I set the report level to 4.

* I follow the default Tripwire settings.
* Is it possible to log who made the changes?

Thanks.
Old 12-11-2012, 04:57 AM   #2
unSpawn
Moderator
As far as I'm aware, Open Source Tripwire cannot be run in a way that would facilitate this, and neither does it include any functionality that could detect who deletes a file. To detect this you would need to log system calls and privilege elevation. Inotify-based tools log the effect of system calls (events) but require watches to do that (plus you can't insert watches at the top-level inode 2), and PAM-based systems log transitions to syslog. The audit service can provide both in a single log file, in more detail and with less manual configuration.
Old 12-11-2012, 11:35 AM   #3
jpollard
Senior Member
You need a distribution that implements SELinux and audit logging.

Tripwire cannot do that. It can examine paths and analyze contents (essentially generate checksums) to verify existence, ownership, access modes, and detect changes.

What you are asking for involves being able to audit and log filesystem events. Not all file removals work through the system calls (unlink); for instance, mkfs can remove everything... but that is a separate activity from file deletion, yet files are deleted. And unlink itself may be deceiving - a file doesn't get deleted until the last link is removed, and that may not be the one you want to catch (directory modification might be, and that is a different though related thing).

One problem with logging all system calls is that it can/will be a HUGE number of log entries. Even for file removal - all temporary files would be recorded, and what about truncation events? These delete the contents of files without using unlink. What about overwrites? These can replace the contents as well. So the choice of logging has expanded...
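As an added example (not from the thread), a small Python parser for the audit records the two replies above point to: it groups raw audit.log lines by event serial, keeps only successful destructive syscalls (unlink, rename, truncate), and reports the login uid (auid), which survives su/sudo, together with the affected path. The sample records and the `/etc/app` watch rule are constructed for the example.

```python
import re
from collections import defaultdict

# x86_64 syscall numbers that delete or destroy file contents; unlink is not
# the only way a file disappears, so truncate and rename are flagged as well.
DESTRUCTIVE = {"87": "unlink", "263": "unlinkat", "82": "rename",
               "264": "renameat", "76": "truncate", "77": "ftruncate"}

# Constructed sample records (not from a real host), in the shape auditd writes
# after a watch rule such as:  -w /etc/app -p wa -k app-watch
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1355201234.123:456): arch=c000003e syscall=263 success=yes exit=0 ppid=1234 pid=5678 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="app-watch"
type=CWD msg=audit(1355201234.123:456): cwd="/root"
type=PATH msg=audit(1355201234.123:456): item=0 name="/etc/app/" inode=100 dev=fd:01 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1355201234.123:456): item=1 name="/etc/app/secret.conf" inode=101 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=DELETE
type=SYSCALL msg=audit(1355201300.500:457): arch=c000003e syscall=76 success=yes exit=0 ppid=1234 pid=5690 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=4 comm="truncate" exe="/usr/bin/truncate" key="app-watch"
type=PATH msg=audit(1355201300.500:457): item=0 name="/etc/app/data.db" inode=102 dev=fd:01 mode=0100644 ouid=1001 ogid=1001 nametype=NORMAL
"""

REC_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(log_text):
    """Group raw audit.log lines into per-event record lists keyed by serial."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = REC_RE.match(line)
        if m:
            rtype, ts, serial, rest = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
            fields["_type"], fields["_ts"] = rtype, ts
            events[serial].append(fields)
    return events

def destructive_events(log_text):
    """One summary per successful destructive syscall. auid is the login uid,
    which survives su/sudo, so it answers "who" even when uid shows 0."""
    found = []
    for serial, recs in parse_records(log_text).items():
        sc = next((r for r in recs if r["_type"] == "SYSCALL"), None)
        if sc is None or sc.get("success") != "yes" or sc.get("syscall") not in DESTRUCTIVE:
            continue
        items = [r for r in recs if r["_type"] == "PATH" and r.get("nametype") != "PARENT"]
        # unlink/rename mark the victim DELETE; truncate only leaves a NORMAL item
        paths = [r["name"] for r in items if r.get("nametype") == "DELETE"] or [r["name"] for r in items]
        found.append({"serial": serial, "syscall": DESTRUCTIVE[sc["syscall"]],
                      "auid": sc.get("auid"), "uid": sc.get("uid"), "comm": sc.get("comm"),
                      "exe": sc.get("exe"), "key": sc.get("key"), "paths": paths})
    return found
```

On a real host the same function can be fed the output of `ausearch -k app-watch --raw`; the first sample event shows a deletion done as root (uid=0) that still traces back to login uid 1000.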
Old 12-11-2012, 07:36 PM   #4
hocheetiong
Member
Thanks, unSpawn & jpollard.
Old 12-12-2012, 11:13 AM   #5
linosaurusroot
Member
Quote:
Originally Posted by jpollard
You need a distribution that implements SELinux and audit logging.
Audit logging obviously .. why would SELinux be needed?
Old 12-12-2012, 11:25 PM   #6
jpollard
Senior Member
It goes hand in hand. SELinux sets up a lot of trap points... which are also audit points.

Full logging is unreasonable - it generates so much data that it is impractical to actually go through it. But narrowing it down is possible.

In addition, you can define security labels that can be used for both auditing (as in they permit anything, but allow audit entries) as well as being able to block what you really don't want happening.

PITA to set up, but possible to do.