ok, still getting tripwire all set up. never tried anything like this before, so i'm still having some questions with it. first, i haven't figured everything out about "recurse" syntax in the twpol.txt file. i find entries like these:

/home -> $(SEC_INVARIANT) (recurse = 0) ;
/sbin -> $(SEC_BIN) (recurse = 1) ;
recurse = false,

what exactly does that mean. does the "recurse = false" in the rule description mean everything listed in that rule set is what is checked...and never to go down a directory?

and the "recurse = 0" does that mean only check the file or directory directly listed in the rule set...don't descend...while "recurse=1" means check everything and go decend one directory as well? those are my best estimations as to the syntax. if someone could straighten me out i'd appreciate.


also i'm getting the log rotations showing up on my reports. under /var/log
the following show up, along with their rotation logs (1,2,3, exetra):

/httpd/error_log
/sa/sa
/sa/sar
maillog
messages
rpmpkgs
secure
spooler
up2date


i'm not exaclty sure, since i'm also new to administrating, as to what to do about this. should i ignore this errors, and chalk them up to rotation, and try to remove them from my tripwire's scans? is that bad for security. is there some i can remove from the check and some that i shouldn't. i'm not sure exactly what a good policy is? anybody with more background and security expertise got some suggestions. i know it happends to everybody, just not sure what the best policy is....

I don't use tripwire, i'm using Aide, so I can't comment on the recursive syntax. I suppose it should be in the docs?


also i'm getting the log rotations showing up on my reports. under /var/log
the following show up, along with their rotation logs (..) i'm not exaclty sure, since i'm also new to administrating, as to what to do about this. should i ignore this errors, and chalk them up to rotation, and try to remove them from my tripwire's scans? is that bad for security. is there some i can remove from the check and some that i shouldn't.
Logs grow, and that changes their checksum. When they're rotated they're renamed and the oldest one is deleted, so that changes their sums as well. There's not much you achieve by adding them to the integrity test. For stuff like utmp there's other ways to verify integrity.

-----------------------------------------------------
For stuff like utmp there's other ways to verify integrity.
-----------------------------------------------------


such as? explain.....


are you saying that as long as you check other things, like the utmp stuff, that you really don't have to worry about all the logs. that you can always be checking for integrity w/o fooling with the them (the logs and their rotation)?