Tripwire config ???

Jeff Vian jvian10 at charter.net
Wed Sep 22 01:31:19 UTC 2004


On Tue, 2004-09-21 at 11:23, Don Maxwell wrote:
> > On Mon, 2004-09-20 at 09:43, jpitts at hvc.rr.com wrote:
> > 
> > > 1.   File system error.
> > >      Filename: /etc/tripwire/kangol.homelinux.net-local.key
> > >      No such file or directory
> > > 2.   File system error.
> > >      Filename: /root/.Xauthority
> > >      No such file or directory
> > >
> > > Both of these files exist ... why doesn't tripwire see them ???
> > 
> > Check permissions on the key file.  I assume you run tripwire as root?
> > 
> > .Xauthority may not be there if root is not logged in.  I had to play
> > some games with my tripwire configs.  Seems that /root had a number of
> > .xauthxxxxxx files that change each time you su to root.  Never really
> > found a really good solution for that.
> > 
> 
> The notion of a Tripwire alert for the presence of /root/.Xauthority
> is pretty useful to me.  As stated, this file is present while root is
> logged in.  For that matter, if one logs in with a user account and
> then does a "su" then the file will be there.
> 
> Ordinarily, I don't wish to remain logged in as root.  When the
> scheduled Tripwire reports are run unattended via cron, it would be
> helpful to know if this file is there.  If it is, it means either I
> inadvertently left root (su) logged in or someone else (a bad thing!)
> is there.
> 
> Leaving Tripwire flag this file gives me a little extra comfort level.
> 

As my $0.02 -- Since when does the .Xauthority file get erased with a
logout?

If I look at my system I see that file in the home directory of ALL
users that have logged in under X.

** If it gets erased and recreated it will be flagged by tripwire.  
** If it gets modified it will get flagged by tripwire. 

The only case where it will NOT get flagged is when nothing touches it
except to read after it has been created, AND the tripwire policy has
been created after it was created.

If you are setting tripwire to flag ANY file that routinely gets changed
then you are deliberately creating flags to look at.

I prefer to ignore files that change regularly and only get warned by
those that matter (ones that should NEVER change without explicit admin
action.) 
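
The cases listed in the message above, as an added example that is not part of the original post and is not Tripwire's own code: a simplified baseline-and-compare model in Python. The attribute set (inode, size, mtime, ctime, SHA-256) and the temporary `.Xauthority` stand-in file are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
import time

def snapshot(path):
    """Record the attributes this model compares; None if the file is absent."""
    try:
        st = os.stat(path)
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
    except FileNotFoundError:
        return None
    return {"inode": st.st_ino, "size": st.st_size, "mtime": st.st_mtime_ns,
            "ctime": st.st_ctime_ns, "sha256": digest}

def compare(baseline, current):
    """Return what an integrity check would report for one file."""
    if baseline is None or current is None:
        if baseline is current:
            return []
        return ["added"] if baseline is None else ["removed"]
    return sorted(k for k in baseline if baseline[k] != current[k])

def write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)

def run_cases():
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".Xauthority")  # constructed stand-in file
        cookie = b"constructed-cookie-data\n"     # constructed content
        before = snapshot(path)                   # baseline taken too early
        write(path, cookie)
        base = snapshot(path)                     # baseline taken after creation
        results["created_after_baseline"] = compare(before, base)
        with open(path, "rb") as fh:              # read access only
            fh.read()
        results["read_only"] = compare(base, snapshot(path))
        write(path, cookie + b"changed\n")        # modified in place
        results["modified"] = compare(base, snapshot(path))
        os.remove(path)                           # erased, then recreated
        time.sleep(0.05)                          # let the timestamps move on
        write(path, cookie)                       # identical content
        results["recreated"] = compare(base, snapshot(path))
        os.remove(path)                           # absent at check time
        results["missing"] = compare(base, snapshot(path))
    return results

if __name__ == "__main__":
    for case, report in run_cases().items():
        print(f"{case:24} {report or 'no change reported'}")
```

A file recreated with identical content still differs from the baseline in its timestamps even though the hash matches, and a file that is absent when the check runs is reported as removed.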




