LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-20-2004, 09:23 PM   #1
PktLoss
LQ Newbie
 
Registered: Aug 2004
Posts: 2

Rep: Reputation: 0
Tripwire log question


Hi, I was reading my tripwire log today, and there is a couple entries I don't understand:
Code:
-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/run)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/run/sudo/my_username/0:root"

-------------------------------------------------------------------------------
Rule Name: Critical configuration files (/etc/sysconfig)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/etc/sysconfig/hwconf"

-------------------------------------------------------------------------------
Rule Name: Security Control (/etc/security)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/etc/security/console.apps/ethereal"
I find the first one particularily troubling. Can anyone give me some info on what they mean?
 
Old 08-28-2004, 06:00 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3603Reputation: 3603Reputation: 3603Reputation: 3603Reputation: 3603Reputation: 3603Reputation: 3603Reputation: 3603Reputation: 3603Reputation: 3603Reputation: 3603
Rule Name: System boot changes (/var/run)
/var/run should contain utmp, any PID files (daemon) processes set when they are started in a controlled fashion, sometimes sockets for processes, plus subdirs for some processes.

Severity Level: 100
(Arbitrary configurable?) alert scale. So what. Is 1000 really that worse than 100? :-]

Added:
"/var/run/sudo/my_username/0:root"

/var/run/sudo/ is Sudo's timestamp directory. If permissions change on that dir, that would be bad. The dir should be owner and group root, permissions 0700.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Question about Tripwire linuxboy69 Linux - Security 2 10-05-2004 12:49 PM
recursive checking and log files (tripwire) wedgeworth Linux - Security 2 05-28-2004 01:20 PM
Tripwire question dominant Linux - Security 2 03-28-2004 06:04 AM
tripwire reports /usr/sbin/tripwire changed alfaalfabeta Linux - Security 5 07-22-2003 06:52 PM
A question about Tripwire tarballedtux Linux - Security 5 04-28-2002 12:18 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:06 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration