Re: Tripwire output on Solaris 2.7

From: Neil Dickey (
Date: 10/12/01

Message-Id: <>
Date: Fri, 12 Oct 2001 09:21:53 -0500 (CDT)
From: Neil Dickey <>
Subject: Re: Tripwire output on Solaris 2.7

Darren J Moffat <> wrote in part:

>> st_mtime: Thu Sep 20 15:12:35 2001 Tue Aug 28 17:48:56 2001
>> st_ctime: Thu Sep 20 15:12:35 2001 Tue Aug 28 17:48:56 2001
>> md5 (sig1): 0IwBXI:7wc0zkf6Fd.ZDz4 1WBpJzMF9qHs1S:hA7rVsd
>> snefru (sig2): 0tfIUuhOX:2WTXxljSXXO0 1aPZdiJ7sUTvwi1OWKYEwh
>Are you really sure you wnant tripwire checking itself because it will
>write to those files so they will always change.

But that is the database file, which shouldn't change unless the user,
or an intruder, runs Tripwire in 'initialize' mode. The md5 and snefru
signatures indicate that the *content* of tw.db_msxgbgw1 has changed,
and this shouldn't happen under normal operation. I have other ways of
verifying the integrity of my database and executable files, so cannot
say from experience whether mtime or ctime would be changed by running
tripwire against itself. I tend to think not, because it doesn't do that
to other files it checks. Otherwise, the database would have to be re-
initialized every time Tripwire was run.

If you look at the dates in the log extract, that modification happened
22 days ago, counting from today. That's a good long time, don't you

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois