Re: Tripwire output on Solaris 2.7

From: Neil Dickey (neil@geol.niu.edu)
Date: 10/12/01


Message-Id: <200110121421.JAA29328@shiloh.geol.niu.edu>
Date: Fri, 12 Oct 2001 09:21:53 -0500 (CDT)
From: Neil Dickey <neil@geol.niu.edu>
Subject: Re: Tripwire output on Solaris 2.7
To: focus-sun@securityfocus.com


Darren J Moffat <Darren.Moffat@eng.sun.com> wrote in part:

>>/export/home/tripwire/bin/databases/tw.db_msxgbgw1
>> st_mtime: Thu Sep 20 15:12:35 2001 Tue Aug 28 17:48:56 2001
>> st_ctime: Thu Sep 20 15:12:35 2001 Tue Aug 28 17:48:56 2001
>> md5 (sig1): 0IwBXI:7wc0zkf6Fd.ZDz4 1WBpJzMF9qHs1S:hA7rVsd
>> snefru (sig2): 0tfIUuhOX:2WTXxljSXXO0 1aPZdiJ7sUTvwi1OWKYEwh
>
>
>Are you really sure you want tripwire checking itself because it will
>write to those files so they will always change.

But that is the database file, which shouldn't change unless the user,
or an intruder, runs Tripwire in 'initialize' mode. The md5 and snefru
signatures indicate that the *content* of tw.db_msxgbgw1 has changed,
and this shouldn't happen under normal operation. I have other ways of
verifying the integrity of my database and executable files, so cannot
say from experience whether mtime or ctime would be changed by running
tripwire against itself. I tend to think not, because it doesn't do that
to other files it checks. Otherwise, the database would have to be
re-initialized every time Tripwire was run.

If you look at the dates in the log extract, that modification happened
22 days ago, counting from today. That's a good long time, don't you
think?

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
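The distinction the thread turns on (a changed signature means the file's content changed; a changed st_mtime or st_ctime on its own does not) is easy to demonstrate with a small baseline-and-compare script. The following is an added example, not code from the thread and not Tripwire's own code. It records the same attributes the log extract shows for each file (st_mtime, st_ctime and a content digest, using SHA-256 here in place of Tripwire's MD5 and Snefru), classifies each difference, and reports the age of the change computed from both timestamps. The file names tw.db, tw.config and tw.policy, the 22-day backdating and the whole scenario in demo() are constructed for the demonstration. One caveat worth seeing in the output: mtime can be set to any value with utime(2), but every such change moves ctime to the current time, so an age estimate taken from mtime alone is only as trustworthy as the process that last touched the file.

```python
"""Minimal Tripwire-style integrity check: baseline vs. current state.

Added example, not Tripwire's own code. Stores st_mtime, st_ctime and a
content digest per file and reports a changed digest separately from a
timestamp-only change. POSIX semantics for st_ctime are assumed (on
Windows st_ctime is the creation time and the ctime cases will not apply).
"""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass

DAY = 86400.0


@dataclass(frozen=True)
class Record:
    mtime: float
    ctime: float
    digest: str


def hash_file(path: str) -> str:
    """SHA-256 of the file content, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths) -> dict:
    """Build a baseline: path -> Record of timestamps and digest."""
    db = {}
    for p in paths:
        st = os.stat(p)
        db[p] = Record(st.st_mtime, st.st_ctime, hash_file(p))
    return db


def compare(baseline: dict, current: dict, now: float) -> list:
    """Return (path, verdict, age_from_mtime_days, age_from_ctime_days).

    The digest is checked first: if it differs the content changed, whatever
    the timestamps say. Timestamp-only differences are reported separately.
    """
    findings = []
    for p in sorted(set(baseline) | set(current)):
        old, new = baseline.get(p), current.get(p)
        if old is None:
            findings.append((p, "added", 0.0, 0.0))
            continue
        if new is None:
            findings.append((p, "removed", 0.0, 0.0))
            continue
        if old == new:
            continue  # nothing to report
        if old.digest != new.digest:
            verdict = "content changed"
        elif old.mtime != new.mtime:
            verdict = "mtime changed, content unchanged"
        else:
            verdict = "ctime changed, content unchanged"  # e.g. chmod/chown
        findings.append((p, verdict,
                         (now - new.mtime) / DAY, (now - new.ctime) / DAY))
    return findings


def demo() -> dict:
    """Constructed scenario: three files, one baseline, three kinds of change."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "tw.db")        # hypothetical names
        cfg = os.path.join(d, "tw.config")
        pol = os.path.join(d, "tw.policy")
        for p in (db, cfg, pol):
            with open(p, "w") as f:
                f.write("baseline\n")
        baseline = snapshot([db, cfg, pol])
        time.sleep(0.1)  # exceed the filesystem's timestamp granularity

        now = time.time()
        then = now - 22 * DAY  # pretend the change happened 22 days ago
        with open(db, "w") as f:  # content change: digest differs
            f.write("re-initialized\n")
        os.utime(db, (then, then))   # backdate mtime; ctime still moves to now
        os.utime(cfg, (then, then))  # timestamps only; content unchanged
        os.chmod(pol, 0o600)         # permission change: ctime only
        current = snapshot([db, cfg, pol])
        return {os.path.basename(p): (v, round(am, 2), round(ac, 2))
                for p, v, am, ac in compare(baseline, current, now)}


if __name__ == "__main__":
    for name, (verdict, age_m, age_c) in demo().items():
        print(f"{name}: {verdict}; age {age_m} d by mtime, {age_c} d by ctime")
```

In the demo output, tw.db is flagged as a content change even though its mtime was pushed back 22 days, and the ctime-based age of zero days exposes the backdating; tw.config shows a timestamp-only change with the same split between the two ages; tw.policy shows the chmod as a ctime-only change with unchanged content.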


