Re: Tripwire output on Solaris 2.7

From: Darren J Moffat (Darren.Moffat@eng.sun.com)
Date: 10/11/01


Message-Id: <200110111952.f9BJqHUL148834@jurassic.eng.sun.com>
Date: Thu, 11 Oct 2001 12:51:49 -0700 (PDT)
From: Darren J Moffat <Darren.Moffat@eng.sun.com>
Subject: Re: Tripwire output on Solaris 2.7
To: SCrowthe@msxi-euro.com

Minor nit to start with: there is no such thing as Solaris 2.7. It is Solaris 7,
or SunOS 5.7, but never 2.7.

Since you don't give any information about when the previous run of
tripwire was and what you have done since then it is really hard to
explain why directory m and c times have changed.

>/etc/rc2.d/S73aroutes

No such file in Solaris.

>/etc/security/audit_data
> st_mtime: Tue Sep 18 18:28:11 2001 Fri Aug 10 20:39:54 2001
> st_ctime: Tue Sep 18 18:28:11 2001 Fri Aug 10 20:39:54 2001
> md5 (sig1): 1TNTwId4rliPQsDmYYft6a 1026:.0glAHKTNBJ7eDLwy
> snefru (sig2): 1PaWLvvhbAZ1p7rzkHrMPo 2WLFJE5gGfFH2BsWif.A.U

This is a dynamic file and it will change under these circumstances:

        reboot
        audit -n is run
        audit -s is run
        the free space on the current audit partition reaches minfree
        the free space on the current audit partition is 0
        
        It contains the pid of the current auditd and the path to
        the current audit file.
        
>/etc/mnttab
> st_size: 402 395
> st_mtime: Tue Sep 18 18:28:06 2001 Fri Aug 10 20:39:49 2001
> st_ctime: Tue Sep 18 18:28:06 2001 Fri Aug 10 20:39:49 2001
> md5 (sig1): 0XfdN5:ZqwlNpNiKuCqpCl 1f8cRP:ln0Zv8p2X2mxPgj
> snefru (sig2): 3wNWpM6csYNE5w5cZNqS:b 3H8z3cIM5UJNYmkRaWmxWl

This is a dynamic file, so it means a filesystem was mounted or unmounted.
Are you running automountd ?

>/etc/syslog.pid
> st_mtime: Tue Sep 18 18:28:10 2001 Fri Aug 10 20:39:53 2001
> st_ctime: Tue Sep 18 18:28:10 2001 Fri Aug 10 20:39:53 2001
> md5 (sig1): 0MjmvegjqY5G3nG3iz9EdU 2GbPRiRCVRYt3nHH:mQpWQ
> snefru (sig2): 1Wf3fbOtyqtghckd91UVEa 3GvW.JCudTpN2HGBnL3l5v

syslog got restarted:
        reboot
        someone restarted it
        newsyslog was run from cron (0310 on a Sunday).
        
>/etc/oshadow
> st_size: 534 520
> st_mtime: Wed Oct 10 13:35:01 2001 Wed Aug 15 14:38:36 2001
> st_ctime: Wed Oct 10 13:35:15 2001 Wed Aug 15 14:38:43 2001
> md5 (sig1): 0lVZggzEqTj7b2BD5ughpZ 0B9enMiVM.ar4kNcKeKg8D
> snefru (sig2): 0GEZk65og:VoBPy1LyejA5 1m2ibqQFeYiTueaMKEBA8L

A user who is in local files changed their password.

>/proc
> st_nlink: 31 33

Never include proc in tripwire it changes from second to second and it
isn't a real filesystem.

>/export/home/tripwire/bin/databases/tw.db_msxgbgw1
> st_mtime: Thu Sep 20 15:12:35 2001 Tue Aug 28 17:48:56 2001
> st_ctime: Thu Sep 20 15:12:35 2001 Tue Aug 28 17:48:56 2001
> md5 (sig1): 0IwBXI:7wc0zkf6Fd.ZDz4 1WBpJzMF9qHs1S:hA7rVsd
> snefru (sig2): 0tfIUuhOX:2WTXxljSXXO0 1aPZdiJ7sUTvwi1OWKYEwh

Are you really sure you want tripwire checking itself? It will
write to those files, so they will always change.

Also don't keep the tripwire databases online, by doing so you are
completely wasting your time running tripwire because all the hacker
has to do is modify the tripwire database.

--
Darren J Moffat
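The reply above walks through a Tripwire 1.x change report entry by entry and sorts each path into one of three buckets: a dynamic Solaris file that is expected to change, a path that should never have been in the Tripwire configuration, or something that needs a closer look. The script below is an added example (not code from the post or from Tripwire) that parses the quoted report format and applies exactly that triage. The volatile-file list and the reasons are taken from the reply; the sample report is constructed from the quoted entries, and the hostname in the database filename is the one that appears in the post.

```python
"""Triage a Tripwire 1.x change report against files that are known to
change legitimately on Solaris 7.  Added example; the classification
rules restate the reasoning in the mailing-list reply, not Tripwire's own
policy language."""
import re
from dataclasses import dataclass, field

# Files the reply explains as legitimately dynamic, with the reason given.
KNOWN_VOLATILE = {
    "/etc/security/audit_data": "holds auditd pid and current audit file; rewritten on "
                                "reboot, audit -n, audit -s, or when minfree/zero space is hit",
    "/etc/mnttab": "mount table; changes on every mount or umount (automountd?)",
    "/etc/syslog.pid": "rewritten whenever syslogd restarts (reboot, manual restart, newsyslog cron)",
    "/etc/oshadow": "backup shadow file; rewritten when a local user changes their password",
}

# Paths the reply says should not be in the Tripwire configuration at all.
SHOULD_EXCLUDE = {
    "/proc": "procfs is not a real filesystem and changes from second to second",
    "/export/home/tripwire/bin/databases": "Tripwire's own database; it writes here itself, "
                                           "and the database should be kept offline anyway",
}

# ">/etc/mnttab"  (path line) and  "> st_size: 402 395"  (attribute line)
PATH_RE = re.compile(r"^>\s*(/\S+)\s*$")
ATTR_RE = re.compile(r"^>\s+([a-z_0-9]+(?: \(sig\d\))?):\s+(.+)$")


@dataclass
class Entry:
    path: str
    attrs: dict = field(default_factory=dict)   # attribute name -> (new, old)


def parse_report(text):
    """Parse quoted Tripwire 'changed' entries into Entry objects.

    Every attribute Tripwire prints is a new/old pair.  Values such as
    ctime strings contain spaces, so the pair is recovered by halving the
    token list, which holds for sizes, link counts, signatures and dates."""
    entries, current = [], None
    for line in text.splitlines():
        m = PATH_RE.match(line)
        if m:
            current = Entry(m.group(1))
            entries.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            tokens = m.group(2).split()
            half = len(tokens) // 2
            current.attrs[m.group(1)] = (" ".join(tokens[:half]), " ".join(tokens[half:]))
    return entries


def triage(entry):
    """Return (bucket, reason) for one changed path."""
    if entry.path in KNOWN_VOLATILE:
        return "expected", KNOWN_VOLATILE[entry.path]
    for prefix, why in SHOULD_EXCLUDE.items():
        if entry.path == prefix or entry.path.startswith(prefix + "/"):
            return "exclude", why
    return "investigate", "not a known dynamic Solaris file; verify where it came from"


def summarize(text):
    """Map each bucket to the list of paths that landed in it."""
    buckets = {"expected": [], "exclude": [], "investigate": []}
    for entry in parse_report(text):
        buckets[triage(entry)[0]].append(entry.path)
    return buckets


# Constructed sample, assembled from the entries quoted in the reply.
SAMPLE_REPORT = """\
>/etc/rc2.d/S73aroutes
>/etc/security/audit_data
> st_mtime: Tue Sep 18 18:28:11 2001 Fri Aug 10 20:39:54 2001
> st_ctime: Tue Sep 18 18:28:11 2001 Fri Aug 10 20:39:54 2001
> md5 (sig1): 1TNTwId4rliPQsDmYYft6a 1026:.0glAHKTNBJ7eDLwy
>/etc/mnttab
> st_size: 402 395
>/etc/oshadow
> st_size: 534 520
> st_mtime: Wed Oct 10 13:35:01 2001 Wed Aug 15 14:38:36 2001
>/proc
> st_nlink: 31 33
>/export/home/tripwire/bin/databases/tw.db_msxgbgw1
> st_mtime: Thu Sep 20 15:12:35 2001 Tue Aug 28 17:48:56 2001
"""

if __name__ == "__main__":
    for e in parse_report(SAMPLE_REPORT):
        bucket, reason = triage(e)
        print(f"{bucket:11s} {e.path}: {reason}")
```

Only the entry that the reply could not account for (the non-Solaris rc2.d script) ends up in the investigate bucket; the rest are either explained by normal system activity or are paths that should be removed from the Tripwire configuration so the report stops burying real changes in noise.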


