LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 01-21-2009, 08:39 PM   #1
pobman
Member
 
Registered: Jun 2005
Location: Wellington, New Zealand
Distribution: Fedora 9
Posts: 31

Rep: Reputation: 16
Question Tripwire Reports huge in size how can I reduce / prune them


Hi All,

I have been asked to investigate some of our servers that run tripwire 2.3.0 on Red Hat Linux Advanced Server release 2.1AS (Pensacola)

We have the reports emailed to us using cron and twprint -m r -r report -t 4, it has been growing steadily and today it was 9mb
It seems the database records go back to before 2004 and are being compared against today's files.

I really need to be informed what needs to be done to tripwire to keep it serviced through cron.

I have tried to google this but could not find any information that seemed to answer my questions.

Looking at the following guide http://www.akadia.com/services/tripwire.html step 6 talks about "Updating the Database after an Integrity Check" using
Code:
# tripwire --update --twrfile /var/lib/tripwire/report/<name>.twr
Should I be using this command or should I be re-creating the db every month or so and using the #tripwire -init?

Extract from report -
Quote:
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

Rule Name Severity Level Added Removed
Modified
--------- -------------- ----- ------- --------
Invariant Directories 66 0 0 0
Tripwire Data Files 100 0 0 0
Temporary directories 33 0 0 0
* Critical devices 100 0 0 1
Tripwire Binaries 100 0 0 0
* User binaries 66 130 62 781
* Libraries 66 120 47 7455
* OS executables and libraries 100 10 2 167
* File System and Disk Administraton Programs
100 0 0 38
* Networking Programs 100 0 0 16
* System Administration Programs 100 0 0 16
* Operating System Utilities 100 0 0 33
* Critical Utility Sym-Links 100 0 0 25
* Shell Binaries 100 0 0 6
* Security Control 100 4 1 25
Login Scripts 100 0 0 0
* System boot changes 100 3088 0 19
* Critical configuration files 100 87 16 137
* Kernel Administration Programs 100 0 0 10
* Hardware and Device Control Programs
100 0 0 5
* System Information Programs 100 0 0 2
* Application Information Programs
100 0 0 3
* Shell Releated Programs 100 0 0 1
(/sbin/getkey)
* Critical system boot files 100 13 0 6
* Root config files 100 11 10902 11

Total objects scanned: 21039
Total violations found: 23250
Can you tell me perhaps what I should be looking for as well as there are lots of entries.

eg:
Code:
-------------------------------------------------------------------------------
Rule Name: User binaries (/usr/bin)
Severity Level: 66
-------------------------------------------------------------------------------
  ----------------------------------------
  Added Objects: 109
  ----------------------------------------

Added object name:  /usr/bin/neat-control
Added object name:  /usr/bin/usernet
Added object name:  /usr/bin/rp3
Added object name:  /usr/bin/cawin_echo
Added object name:  /usr/bin/sddtaflt
Added object name:  /usr/bin/dmscript
Added object name:  /usr/bin/casdips
Added object name:  /usr/bin/isodebug
Added object name:  /usr/bin/man2dvi
Added object name:  /usr/bin/oldrdist
Added object name:  /usr/bin/isodump
Added object name:  /usr/bin/isoinfo
Added object name:  /usr/bin/isovfy
Added object name:  /usr/bin/slabtop
Added object name:  /usr/bin/rep
Code:
  ----------------------------------------
  Removed Objects: 4
  ----------------------------------------

Removed object name:  /usr/bin/glibcbug
Removed object name:  /usr/bin/isag
Removed object name:  /usr/bin/nsupdate
Removed object name:  /usr/bin/saucer

  ----------------------------------------
  Modified Objects: 564
  ----------------------------------------

Modified object name:  /usr/bin

  Property:            Expected                    Observed
  -------------        -----------                 -----------
* Modify Time          Mon Jul 26 12:08:39 2004    Fri Aug  1 10:39:35 
2008


Modified object name:  /usr/bin/[

  Property:            Expected                    Observed
  -------------        -----------                 -----------
* Inode Number         311657                      312687
* Modify Time          Wed Jul 23 21:36:35 2003    Fri Aug  1 10:34:10 
2008


Modified object name:  /usr/bin/a2p

  Property:            Expected                    Observed
  -------------        -----------                 -----------
* Inode Number         311452                      311470
* Size                 102461                      102477
* Modify Time          Wed Mar 27 07:30:20 2002    Fri Feb 27 05:09:04 
2004
* CRC32                D/5rsJ                      DHU6bv
* MD5                  Bbb7+HIxh3xDHQG/fFCcGy      BnJaC1HRBWM2GVMne807FB
The above list is huge!

I need to understand how to change the expected to the observed so the db will be up to date.

I would also like some of the rules explained:
What does removed and added mean?
Is it removed as it has not changed and added if it finds a new one that has?

Code:
-------------------------------------------------------------------------------
Rule Name: System boot changes (/lib/modules)
Severity Level: 100
-------------------------------------------------------------------------------
  ----------------------------------------
  Added Objects: 3075
  ----------------------------------------

Added object name:  /lib/modules/2.4.9-e.72
Added object name:  /lib/modules/2.4.9-e.72/kernel
Added object name:  /lib/modules/2.4.9-e.72/kernel/net
Added object name:  /lib/modules/2.4.9-e.72/kernel/net/atm
Added object name:  /lib/modules/2.4.9-e.72/kernel/net/atm/pppoatm.o
Added object name:  /lib/modules/2.4.9-e.72/kernel/net/atm/lec.o
Added object name:  /lib/modules/2.4.9-e.72/kernel/net/atm/mpoa.o
Added object name:  /lib/modules/2.4.9-e.72/kernel/net/bluetooth
Added object name:  /lib/modules/2.4.9-e.72/kernel/net/bluetooth/hci.o
Added object name:  /lib/modules/2.4.9-e.72/kernel/net/bluetooth/l2cap.o
Added object name:  /lib/modules/2.4.9-e.72/kernel/net/irda
Added object name:  /lib/modules/2.4.9-e.72/kernel/net/irda/ircomm
Added object name: 
/lib/modules/2.4.9-e.72/kernel/net/irda/ircomm/ircomm-tty.o
Added object name: 
Code:

------------------------------------------------------------------------------- Rule Name: System boot changes (/dev/log) Severity Level: 100 ------------------------------------------------------------------------------- ---------------------------------------- Modified Objects: 1 ---------------------------------------- Modified object name: /dev/log Property: Expected Observed ------------- ----------- ----------- * Inode Number 73492 65646 ------------------------------------------------------------------------------- Rule Name: Root config files (/root) Severity Level: 100 ------------------------------------------------------------------------------- ---------------------------------------- Added Objects: 8 ---------------------------------------- Added object name: /root/1 Added object name: /root/fp3/base/java_tmp/jre/lib/core.jar_jtzubackup Added object name: /root/fp3/nd/java_tmp/jre/lib/core.jar_jtzubackup Added object name: /root/.gnupg Added object name: /root/.gnupg/options Added object name: /root/.gnupg/secring.gpg Added object name: /root/.gnupg/trustdb.gpg Added object name: /root/.gnupg/pubring.gpg ---------------------------------------- Removed Objects: 10902 ---------------------------------------- Removed object name: /root/oshard-erato-20050527.tar Removed object name: /root/was510 Removed object name: /root/was510/base Removed object name: /root/was510/base/readme Removed object name: /root/was510/base/readme/readme_de.html Removed object name: /root/was510/base/readme/readme_en.html

Cheers
 
Old 01-21-2009, 09:37 PM   #2
FragInHell
Member
 
Registered: Sep 2003
Location: Sydney Australia
Distribution: Redhat, Centos, Solaris, Ubuntu, SUSE
Posts: 282

Rep: Reputation: 45
There is a fairly good guide to tripwire in the Redhat 9 docs on the redhat site. It tells you how to update the policy etc.

Here you see section 19

http://www.redhat.com/docs/manuals/l...ual/ref-guide/
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
find using -prune and -size sharky Programming 4 09-24-2008 04:14 AM
tripwire reports different change time schentor Linux - Security 3 05-30-2006 05:05 PM
help me reduce my OS size =/ xushi Slackware 29 12-01-2004 11:45 AM
tripwire reports /usr/sbin/tripwire changed alfaalfabeta Linux - Security 5 07-22-2003 05:52 PM
Tripwire Reports Changes I Don't Understand WurlyBurly Linux - Security 1 07-03-2001 04:38 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 06:46 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration