Re: Tripwire output on Solaris 2.7
From: Darren J Moffat (Darren.Moffat@eng.sun.com) Date: 10/11/01
- Previous message: Neil Dickey: "Re: Tripwire output on Solaris 2.7"
- Maybe in reply to: Simon Crowther: "Tripwire output on Solaris 2.7"
- Next in thread: Gary Mulder: "Re: Tripwire output on Solaris 2.7"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-Id: <200110111952.f9BJqHUL148834@jurassic.eng.sun.com> Date: Thu, 11 Oct 2001 12:51:49 -0700 (PDT) From: Darren J Moffat <Darren.Moffat@eng.sun.com> Subject: Re: Tripwire output on Solaris 2.7 To: SCrowthe@msxi-euro.com
Minor nit to start with: there is no such thing as Solaris 2.7, it's Solaris 7,
or SunOS 5.7, but never 2.7.
Since you don't give any information about when the previous run of
tripwire was and what you have done since then it is really hard to
explain why directory m and c times have changed.
>/etc/rc2.d/S73aroutes
No such file in Solaris.
>/etc/security/audit_data
> st_mtime: Tue Sep 18 18:28:11 2001 Fri Aug 10 20:39:54 2001
> st_ctime: Tue Sep 18 18:28:11 2001 Fri Aug 10 20:39:54 2001
> md5 (sig1): 1TNTwId4rliPQsDmYYft6a 1026:.0glAHKTNBJ7eDLwy
> snefru (sig2): 1PaWLvvhbAZ1p7rzkHrMPo 2WLFJE5gGfFH2BsWif.A.U
This is a dynamic file and it will change under these circumstances:
reboot
audit -n is run
audit -s is run
the free space on the current audit partition reaches minfree
the free space on the current audit partition is 0
It contains the pid of the current auditd and the path to
the current audit file.
>/etc/mnttab
> st_size: 402 395
> st_mtime: Tue Sep 18 18:28:06 2001 Fri Aug 10 20:39:49 2001
> st_ctime: Tue Sep 18 18:28:06 2001 Fri Aug 10 20:39:49 2001
> md5 (sig1): 0XfdN5:ZqwlNpNiKuCqpCl 1f8cRP:ln0Zv8p2X2mxPgj
> snefru (sig2): 3wNWpM6csYNE5w5cZNqS:b 3H8z3cIM5UJNYmkRaWmxWl
This is a dynamic file, so it means a filesystem was mounted or unmounted.
Are you running automountd ?
>/etc/syslog.pid
> st_mtime: Tue Sep 18 18:28:10 2001 Fri Aug 10 20:39:53 2001
> st_ctime: Tue Sep 18 18:28:10 2001 Fri Aug 10 20:39:53 2001
> md5 (sig1): 0MjmvegjqY5G3nG3iz9EdU 2GbPRiRCVRYt3nHH:mQpWQ
> snefru (sig2): 1Wf3fbOtyqtghckd91UVEa 3GvW.JCudTpN2HGBnL3l5v
syslog got restarted:
reboot
someone restarted it
newsyslog was run from cron (0310 on a Sunday).
>/etc/oshadow
> st_size: 534 520
> st_mtime: Wed Oct 10 13:35:01 2001 Wed Aug 15 14:38:36 2001
> st_ctime: Wed Oct 10 13:35:15 2001 Wed Aug 15 14:38:43 2001
> md5 (sig1): 0lVZggzEqTj7b2BD5ughpZ 0B9enMiVM.ar4kNcKeKg8D
> snefru (sig2): 0GEZk65og:VoBPy1LyejA5 1m2ibqQFeYiTueaMKEBA8L
a user who is in local files changed their password.
>/proc
> st_nlink: 31 33
Never include proc in tripwire it changes from second to second and it
isn't a real filesystem.
>/export/home/tripwire/bin/databases/tw.db_msxgbgw1
> st_mtime: Thu Sep 20 15:12:35 2001 Tue Aug 28 17:48:56 2001
> st_ctime: Thu Sep 20 15:12:35 2001 Tue Aug 28 17:48:56 2001
> md5 (sig1): 0IwBXI:7wc0zkf6Fd.ZDz4 1WBpJzMF9qHs1S:hA7rVsd
> snefru (sig2): 0tfIUuhOX:2WTXxljSXXO0 1aPZdiJ7sUTvwi1OWKYEwh
Are you really sure you want tripwire checking itself, because it will
write to those files so they will always change.
Also don't keep the tripwire databases online, by doing so you are
completely wasting your time running tripwire because all the hacker
has to do is modify the tripwire database.
-- Darren J Moffat
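An added example, not from Darren's message or from Tripwire itself, of the two points above in Python: a per-path policy that records only ownership and mode for known-dynamic files such as /etc/mnttab or /etc/syslog.pid (so they stop producing noise), and a baseline database sealed with an HMAC whose key is assumed to be kept off the host, so a modified database is detected instead of trusted. Paths, the policy dict and the key are constructed for illustration; sha256 stands in for the md5/snefru signatures of the original report.

```python
import hashlib, hmac, json, os, stat

def snapshot(path, dynamic=False):
    """Attributes kept for one file. For a dynamic file (the report's
    audit_data / mnttab / syslog.pid cases) only owner and mode are recorded,
    since size, times and content are expected to change between runs."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISREG(st.st_mode) and not dynamic:
        with open(path, "rb") as f:
            rec["sha256"] = hashlib.sha256(f.read()).hexdigest()
        rec.update(size=st.st_size, mtime=int(st.st_mtime), ctime=int(st.st_ctime))
    return rec

def build_db(policy, key):
    """policy maps path -> True if the file is dynamic. Returns the baseline as
    JSON plus an HMAC tag; the key is assumed to live off-host (read-only
    media), which is what makes an on-host edit of the database detectable."""
    db = {p: snapshot(p, dyn) for p, dyn in policy.items()}
    body = json.dumps(db, sort_keys=True).encode()
    tag = hmac.new(key, body, "sha256").hexdigest().encode()
    return body + b"\n" + tag

def check(db_bytes, key, policy):
    """Verify the seal before trusting the baseline, then report every
    recorded attribute that differs now: {path: {attr: (old, new)}}."""
    body, _, tag = db_bytes.rpartition(b"\n")
    expect = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(tag.decode(), expect):
        raise ValueError("baseline database tampered with or wrong key")
    baseline = json.loads(body)
    report = {}
    for p, dyn in policy.items():
        now = snapshot(p, dyn)
        old = baseline.get(p, {})
        diffs = {k: (old.get(k), v) for k, v in now.items() if old.get(k) != v}
        if diffs:
            report[p] = diffs
    return report
```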