Re: tripwire still complains about /proc
From: Mike (foor_at_bar.com)
Date: 04/08/04
Date: 8 Apr 2004 07:51:24 GMT
Anthony Campbell <me@privacy.net> wrote in news:c52udc$2oavbh$1@ID-175405.news.uni-berlin.de:
>> Everything under the /proc filesystem is just an image of running
>> processes, memory, I/O, etc. Those are not files in the normal meaning.
>> You can happily keep everything in /proc out of your Tripwire database.
>> Cheers,
>>
>
> In that case, why does twpol.txt describe the /proc entries as "Critical
> devices"?
>
Sorry, my mistake for not checking that first.
I repeat my first phrase regarding WHAT is under /proc.
But Tripwire does check SOME of the references there, to check that some
"critical devices" are in place.
According to a twpol.txt I've here for a RH9 system, it checks the
following "devices":
/proc/devices
/proc/net
/proc/sys
/proc/cpuinfo
/proc/modules
/proc/mounts
/proc/dma
/proc/filesystems
/proc/pci
/proc/interrupts
/proc/driver/rtc
/proc/ioports
/proc/scsi
/proc/kcore
/proc/self
/proc/kmsg
/proc/stat
/proc/ksyms
/proc/loadavg
/proc/uptime
/proc/locks
/proc/version
/proc/mdstat
/proc/meminfo
/proc/cmdline
/proc/misc
and a few entries from /dev
In your first message, you mentioned:
>I've got tripwire nearly right but it still gives error reports of the
>kind:
>
>1. File system error.
> Filename: /proc/19860/fd/3
> No such file or directory
>
>Do I just ignore this, or what?
That means that Tripwire is trying to check either:
a) /proc/19860/fd/3 (that means the 3rd file descriptor of process with pid
19860... not very likely that Tripwire would like to check that).
b) /proc/*
If you've (b), you're trying to check some dynamic information about
running processes, that's probably not a good idea for an integrity tool
like Tripwire (look for Nabou if you're interested in that, IIRC, it has
some process check as well).
Hope this clarifies the situation, and sorry for my first (Very Short)
answer.
Cheers,
--
Nekromancer
Group FAQ (PUF): http://usuarios.lycos.es/n3kr0m4nc3r/
Security notes: http://www.pclandia.net/nekromancer/
"The level of knowledge acquired is inversely proportional to the temperature of the coffee"
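
Added example, not part of the original post: a small Python check that takes the "Filename:" lines of a Tripwire report, picks out per-process /proc/<pid> paths like the one quoted above, and names the policy rule that reached them (case b in the reply). The policy and report text are constructed samples, the function names are hypothetical, and the parser assumes plain `object -> mask ;` rules with default recursion, ignoring attribute blocks and stop points.

```python
import re

# Constructed policy excerpt in twpol.txt rule syntax; not from the post.
SAMPLE_POLICY = """
/proc           -> $(Device) ;
/proc/cpuinfo   -> $(Device) ;
/etc            -> $(ReadOnly) ;
"""

# Constructed report excerpt, modelled on the error quoted in the thread.
SAMPLE_REPORT = """
1. File system error.
   Filename: /proc/19860/fd/3
   No such file or directory
2. File system error.
   Filename: /etc/missing.conf
   No such file or directory
"""

PER_PID = re.compile(r"^/proc/\d+(/|$)")   # /proc/<pid>/... entries
RULE = re.compile(r"^\s*(/\S*)\s*->")      # "object -> mask ;"
FILENAME = re.compile(r"^\s*Filename:\s*(\S+)", re.M)

def rule_objects(policy):
    """Return the object paths of all normal rules in the policy text."""
    return [m.group(1) for line in policy.splitlines()
            if (m := RULE.match(line.split("#")[0]))]

def covering_rule(path, objects):
    """Longest rule object that is the path itself or one of its parents."""
    hits = [o for o in objects
            if path == o or path.startswith(o.rstrip("/") + "/")]
    return max(hits, key=len, default=None)

def transient_errors(report, policy):
    """Map each per-process /proc path in the report to the rule that reached it."""
    objects = rule_objects(policy)
    return {p: covering_rule(p, objects)
            for p in FILENAME.findall(report) if PER_PID.match(p)}

if __name__ == "__main__":
    for path, rule in transient_errors(SAMPLE_REPORT, SAMPLE_POLICY).items():
        print(f"{path}: reached through rule '{rule}'; replace it with "
              f"named entries or add a stop point")
```

Errors on paths outside /proc/<pid>, such as the constructed /etc entry, are left out of the result because they may be genuine findings.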