Re: tripwire still complains about /proc

From: Mike (foor_at_bar.com)
Date: 04/08/04


Date: 8 Apr 2004 07:51:24 GMT

Anthony Campbell <me@privacy.net> wrote in news:c52udc$2oavbh$1@ID-175405.news.uni-berlin.de:

>> Everything under the /proc filesystem is just an image of running
>> processes, memory, I/O, etc. Those are not files in the normal meaning.
>> You can happily keep everything in /proc out of your Tripwire database.
>> Cheers,
>>
>
> In that case, why does twpol.txt describe the /proc entries as "Critical
> devices"?
>

Sorry, my mistake for not checking that first.
I repeat my first phrase regarding WHAT is under /proc.
But Tripwire does check SOME of the references there, to check that some
"critical devices" are in place.
According to a twpol.txt I've here for a RH9 system, it checks the
following "devices":

/proc/devices
/proc/net
/proc/sys
/proc/cpuinfo
/proc/modules
/proc/mounts
/proc/dma
/proc/filesystems
/proc/pci
/proc/interrupts
/proc/driver/rtc
/proc/ioports
/proc/scsi
/proc/kcore
/proc/self
/proc/kmsg
/proc/stat
/proc/ksyms
/proc/loadavg
/proc/uptime
/proc/locks
/proc/version
/proc/mdstat
/proc/meminfo
/proc/cmdline
/proc/misc

and a few entries from /dev

In your first message, you mentioned:

>I've got tripwire nearly right but it still gives error reports of the
>kind:
>
>1. File system error.
> Filename: /proc/19860/fd/3
> No such file or directory
>
>Do I just ignore this, or what?

That means that Tripwire is trying to check either:

a) /proc/19860/fd/3 (that means the 3rd file descriptor of process with pid
19860... not very likely that Tripwire would like to check that).

b) /proc/*

If you have (b), you're trying to check some dynamic information about
running processes, that's probably not a good idea for an integrity tool
like Tripwire (look for Nabou if you're interested in that, IIRC, it has
some process check as well).

Hope this clarifies the situation, and sorry for my first (Very Short)
answer.
Cheers,

-- 
Nekromancer
Group FAQ:
http://usuarios.lycos.es/n3kr0m4nc3r/
Security notes:
http://www.pclandia.net/nekromancer/
"The level of knowledge acquired is
inversely proportional to the temperature of the coffee"
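
Added example, not part of the original post: a small check for case (b) above, which reads a twpol.txt and reports rules that would make Tripwire walk the per-process entries under /proc. The policy fragment is constructed for illustration, the function names are hypothetical, and the parser assumes one `object -> mask (attributes);` rule per line with the `recurse` attribute as documented in twpolicy(4).

```python
import re

# Constructed policy fragment (not from the thread); rule syntax per twpolicy(4).
SAMPLE_POLICY = """\
# Whole tree: the scan walks into /proc/<pid>/fd/*, which can vanish mid-run
/proc             -> $(Device) ;
/proc/cpuinfo     -> $(Device) ;
/proc/sys         -> $(Device) (recurse = false) ;
/proc/19860/fd    -> $(Device) ;
!/proc/kcore ;
/etc              -> $(ReadOnly) ;
"""

RULE = re.compile(r"^\s*(/[^\s;]*)\s*->\s*([^;]*);")    # object -> mask (attrs);
RECURSE = re.compile(r"recurse\s*=\s*([\w-]+)", re.I)   # rule attribute
PER_PID = re.compile(r"^/proc/\d+(/|$)")                # /proc/<pid>[/...]


def recursion_enabled(rule_rest):
    """True unless the rule carries recurse = false or recurse = 0."""
    m = RECURSE.search(rule_rest)
    if not m:
        return True  # no attribute given: directories are scanned recursively
    return m.group(1).lower() not in ("false", "0")


def volatile_proc_rules(policy_text):
    """Return (line number, object, reason) for rules that hit per-process data."""
    findings = []
    for lineno, line in enumerate(policy_text.splitlines(), 1):
        line = line.split("#", 1)[0]          # drop comments
        m = RULE.match(line)
        if not m:
            continue                          # stop points, blanks, directives
        path = m.group(1).rstrip("/")
        if PER_PID.match(path):
            findings.append((lineno, path, "per-process entry"))
        elif path == "/proc" and recursion_enabled(m.group(2)):
            findings.append((lineno, path, "recursive scan of /proc"))
    return findings


if __name__ == "__main__":
    for lineno, path, reason in volatile_proc_rules(SAMPLE_POLICY):
        print(f"line {lineno}: {path}: {reason}")
```

Rules naming individual entries such as /proc/cpuinfo pass the check, since those are fixed names rather than paths that depend on a running process.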