Tripwire Policy File Question

Scot L. Harris webid at cfl.rr.com
Sat Jul 31 20:00:33 UTC 2004


On Sat, 2004-07-31 at 15:46, Norman Nunn wrote:
> In running tripwire for several days I get daily reports that identify
> a lot of missing files, most in /var/lock/subsys.  These files are not
> on my system and the comment comes from the tripwire checks defined in
> the policy file. I was wondering if it was customary to comment these
> out in the policy file so the reports are much shorter.  Or is there a
> good reason to leave them there as is.  
> 
> Norm

In my experience you need to edit the policy file to match your
particular system.  Not only do you need to comment out files that do
not exist on your system but also include rules for files that may not
be included in the default tripwire policy file.  Stuff like databases
are not typically included.  

I also find I have to tweak the rules for the root home directory.  By
default it triggers on the .xauth* stuff which changes each time you
log in as root.

Once you get it all set up you should get a clean report each time it is
run.  I also have set up some filters that verify it was clean or not and
mark the message as read if it is clean.  So it stands out when
something has changed.
-- 
Scot L. Harris
webid at cfl.rr.com

You shouldn't have to pay for your love with your bones and your flesh.
		-- Pat Benatar, "Hell is for Children" 
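
Added example, not part of the original message or of Tripwire itself: one way to do the pruning described in the reply, by commenting out every rule in a text policy (twpol.txt) whose object does not exist on the machine. The sample policy, the `prune_policy` and `demo` names and the temporary directory standing in for `/` are constructed for illustration.

```python
import os
import re
import tempfile

# A rule line: optional indent, object name (bare or quoted), then "->".
# Comments (#), stop points (!path) and directives (@@...) never match.
RULE = re.compile(r'^\s*("[^"]+"|[^\s#!"]+)\s*->')

# Constructed sample in the style of a default twpol.txt.
SAMPLE_POLICY = '''\
@@section FS
(
  rulename = "System boot changes",
)
{
     /var/lock/subsys                     -> $(SEC_CONFIG) ;
     /var/lock/subsys/amd                 -> $(SEC_CONFIG) ;
     /var/lock/subsys/crond               -> $(SEC_CONFIG) ;
#    /var/lock/subsys/innd                -> $(SEC_CONFIG) ;
     $(TWBIN)/tripwire                    -> $(SEC_BIN) ;
}
'''

def prune_policy(policy_text, root="/"):
    """Comment out rules whose object is missing under `root`.

    Returns (new_text, commented_paths). Object names built from a
    $(VARIABLE) are left alone because they cannot be resolved here.
    """
    out, removed = [], []
    for line in policy_text.splitlines():
        m = RULE.match(line)
        if m:
            path = m.group(1).strip('"')
            if path.startswith("/") and "$(" not in path:
                # lexists: a dangling symlink still counts as present
                if not os.path.lexists(os.path.join(root, path.lstrip("/"))):
                    removed.append(path)
                    line = "#" + line
        out.append(line)
    return "\n".join(out) + "\n", removed

def demo():
    # Fake filesystem root containing only the crond lock file.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "var/lock/subsys"))
        open(os.path.join(root, "var/lock/subsys/crond"), "w").close()
        return prune_policy(SAMPLE_POLICY, root=root)

if __name__ == "__main__":
    print(demo()[0])
```

The edited text policy still has to be re-signed with twadmin and the database re-initialized before the next check reflects it.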




