Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
05-26-2004, 04:13 PM  #1
Member | Registered: Aug 2003 | Posts: 234
recursive checking and log files (tripwire)
OK, still getting Tripwire all set up. I've never tried anything like this before, so I still have some questions about it. First, I haven't figured everything out about the "recurse" syntax in the twpol.txt file. I find entries like these:
/home -> $(SEC_INVARIANT) (recurse = 0) ;
/sbin -> $(SEC_BIN) (recurse = 1) ;
recurse = false,
What exactly does that mean? Does the "recurse = false" in the rule description mean that everything listed in that rule set is what is checked, and never to go down a directory?
And "recurse = 0", does that mean only check the file or directory directly listed in the rule set and don't descend, while "recurse = 1" means check everything and descend one directory as well? Those are my best estimations as to the syntax. If someone could straighten me out I'd appreciate it.
Also, I'm getting the log rotations showing up on my reports. Under /var/log the following show up, along with their rotation logs (1, 2, 3, etc.):
/httpd/error_log
/sa/sa
/sa/sar
maillog
messages
rpmpkgs
secure
spooler
up2date
I'm not exactly sure, since I'm also new to administrating, what to do about this. Should I ignore these errors, chalk them up to rotation, and try to remove them from my Tripwire scans? Is that bad for security? Are there some I can remove from the check and some that I shouldn't? I'm not sure exactly what a good policy is. Anybody with more background and security expertise got some suggestions? I know it happens to everybody, just not sure what the best policy is....
05-27-2004, 05:28 PM  #2
Moderator | Registered: May 2001 | Posts: 29,415
I don't use Tripwire, I'm using AIDE, so I can't comment on the recursive syntax. I suppose it should be in the docs?
-----------------------------------------------------
Also, I'm getting the log rotations showing up on my reports. Under /var/log the following show up, along with their rotation logs (..) I'm not exactly sure, since I'm also new to administrating, what to do about this. Should I ignore these errors, chalk them up to rotation, and try to remove them from my Tripwire scans? Is that bad for security? Are there some I can remove from the check and some that I shouldn't?
-----------------------------------------------------
Logs grow, and that changes their checksum. When they're rotated they're renamed and the oldest one is deleted, so that changes their sums as well. There's not much you achieve by adding them to the integrity test. For stuff like utmp there are other ways to verify integrity.
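As an added illustration (not Tripwire's code and not something either poster wrote), the Python model below shows both points raised so far: what the recurse values documented in twpolicy(4) actually cover (recurse = 0 or false scans only the listed object itself, recurse = true or -1 descends without limit, recurse = n goes n levels down), and why the stock twpol.txt gives logs their own rule, $(SEC_LOG) = $(Growing), which drops the content hashes and only objects if a file shrinks. The prefix-hash test in check() is an extension of that idea and is not Tripwire behaviour: it additionally catches someone rewriting an earlier line while leaving the file the same size or larger. The directory names, file names and log lines are constructed sample data; nothing is read from the real /var/log.

```python
"""Toy model of Tripwire's `recurse` attribute and its "growing file" log rule.

Added example, not Tripwire's code. The prefix-hash check is an assumed extension.
"""
import hashlib
import os
import tempfile


def digest(path, length=None):
    """SHA-256 of the first `length` bytes of a file (whole file when None)."""
    with open(path, "rb") as f:
        data = f.read() if length is None else f.read(length)
    return hashlib.sha256(data).hexdigest()


def walk(root, recurse):
    """Yield the objects a rule on `root` scans: 0 = root only, -1 = all, n = n levels."""
    yield root
    if recurse == 0 or not os.path.isdir(root):
        return
    for name in sorted(os.listdir(root)):
        child = os.path.join(root, name)
        if os.path.isdir(child):
            # a sub-directory uses up one level; -1 stays unlimited
            yield from walk(child, -1 if recurse < 0 else recurse - 1)
        else:
            yield child


def snapshot(root, recurse):
    """Baseline: mode/uid/gid/size for every object, plus a hash for regular files."""
    base = {}
    for p in walk(root, recurse):
        st = os.lstat(p)
        entry = {"mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}
        if os.path.isfile(p):
            entry["hash"] = digest(p)
        base[p] = entry
    return base


def check(baseline, root, recurse, growing_prefixes=()):
    """Return sorted (path, reason) violations against `baseline`.

    Files under `growing_prefixes` get the log rule: may grow, must not shrink, and
    (extension) their old bytes must be intact. Everything else is read-only.
    """
    current = snapshot(root, recurse)
    violations = []
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            violations.append((path, "removed"))
            continue
        for attr in ("mode", "uid", "gid"):
            if old[attr] != new[attr]:
                violations.append((path, attr + " changed"))
        if "hash" not in old:          # directories: inode attributes only
            continue
        if any(path.startswith(prefix) for prefix in growing_prefixes):
            if new["size"] < old["size"]:
                violations.append((path, "shrank"))
            elif digest(path, old["size"]) != old["hash"]:
                violations.append((path, "earlier content rewritten"))
        elif old["hash"] != new["hash"]:
            violations.append((path, "content changed"))
    violations += [(p, "added") for p in current if p not in baseline]
    return sorted(violations)


def demo():
    """Constructed sample tree: var/log with a nested httpd/error_log, and sbin."""
    with tempfile.TemporaryDirectory() as tmp:
        log_dir, bin_dir = os.path.join(tmp, "var", "log"), os.path.join(tmp, "sbin")
        os.makedirs(os.path.join(log_dir, "httpd"))
        os.makedirs(bin_dir)
        messages = os.path.join(log_dir, "messages")
        error_log = os.path.join(log_dir, "httpd", "error_log")
        ifconfig = os.path.join(bin_dir, "ifconfig")
        with open(messages, "w") as f:
            f.write("May 26 16:13:01 host sshd[811]: Accepted publickey for admin\n")
        with open(error_log, "w") as f:
            f.write("[notice] Apache/1.3 configured -- resuming normal operations\n")
        with open(ifconfig, "wb") as f:
            f.write(b"\x7fELF pretend binary")

        def rel(p):
            return os.path.relpath(p, tmp)

        out = {  # what recurse = 0 and recurse = 1 on var/log actually cover
            "recurse0": sorted(rel(p) for p in snapshot(log_dir, 0)),
            "recurse1": sorted(rel(p) for p in snapshot(log_dir, 1)),
        }
        base_log, base_bin = snapshot(log_dir, -1), snapshot(bin_dir, 1)

        # syslog appends a line: silent under the log rule, noise under read-only
        with open(messages, "a") as f:
            f.write("May 26 16:14:07 host sshd[811]: session opened for user admin\n")
        out["append_growing"] = [(rel(p), r) for p, r in check(base_log, log_dir, -1, (log_dir,))]
        out["append_readonly"] = [(rel(p), r) for p, r in check(base_log, log_dir, -1)]

        # truncation (copytruncate rotation, or an attacker emptying the log) shrinks it
        open(error_log, "w").close()
        out["truncate_growing"] = [(rel(p), r) for p, r in check(base_log, log_dir, -1, (log_dir,))]

        # a replaced binary under the read-only rule is the case Tripwire exists for
        with open(ifconfig, "wb") as f:
            f.write(b"\x7fELF trojaned binary")
        out["binary"] = [(rel(p), r) for p, r in check(base_bin, bin_dir, 1)]
        return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two things worth taking from the run: recurse = 1 on var/log reaches the messages file and the httpd directory's inode but not httpd/error_log, so a rule like the /sbin one in the first post stops one level down; and a growing-file rule keeps ownership and mode checks on the logs (so a chmod or chown still fires) while only complaining when a log gets shorter, which is exactly what rename-based rotation does to the oldest file and what copytruncate does to the live one, so those names still have to be excluded or expected in the report.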
05-28-2004, 01:20 PM  #3
Member (Original Poster) | Registered: Aug 2003 | Posts: 234
-----------------------------------------------------
For stuff like utmp there's other ways to verify integrity.
-----------------------------------------------------
Such as? Explain.....
Are you saying that as long as you check other things, like the utmp stuff, you really don't have to worry about all the logs? That you can always be checking for integrity without fooling with them (the logs and their rotation)?