Monday, 4 May 2009

Tripwire and frequent inode number changes

During the daily examination of the tripwire report files I discovered the following:
System boot changes             100               0        0        85 

In my case this message was explained by the following lines:
Rule Name: System boot changes (/var/log)
Severity Level: 100
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 58
----------------------------------------

Modified object name: /var/log/boot.log

Property: Expected Observed
------------- ----------- -----------
* Inode Number 141028 141034


Modified object name: /var/log/boot.log.1

Property: Expected Observed
------------- ----------- -----------
* Inode Number 141023 141028

I think this behavior is connected to the logrotate cron job. I decided to modify twpol.txt for the section above:

/var/log -> $(SEC_CONFIG) -i ; # Inode number changes

and re-create the binary version of the policy:
twadmin --create-polfile --cfgfile tw.cfg --polfile tw.pol --site-keyfile site.key twpol.txt

and regenerate the database:
tripwire --init --cfgfile tw.cfg --polfile tw.pol --site-keyfile site.key --local-keyfile hostname.domain.com-local.key
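To confirm that a report like the one above matches plain log rotation rather than tampering, here is a small added example (my own script, not part of the original post or of Tripwire) that rotates a file the way logrotate does by default (rename and create, not copytruncate) and compares the properties tripwire's $(Dynamic) mask checks (+pinugtd) with and without the inode. It assumes a POSIX sh with GNU coreutils (stat -c); the file names and contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the inode shift that a
# logrotate-style rotation causes. Assumes POSIX sh plus GNU coreutils (stat -c).

# Inode number of a file.
inode_of() {
    stat -c '%i' "$1"
}

# The properties tripwire's $(Dynamic) mask (+pinugtd) checks, minus the inode:
# raw mode (type + permission bits), link count, uid, gid, device.
props_minus_inode() {
    stat -c '%f %h %u %g %d' "$1"
}

# The same set including the inode, i.e. what $(SEC_CONFIG) checks without -i.
props_with_inode() {
    stat -c '%f %i %h %u %g %d' "$1"
}

# Rotate NAME in DIR as logrotate does by default: NAME.1 -> NAME.2,
# NAME -> NAME.1, then a fresh empty NAME with the same mode.
rotate_log() {
    dir=$1; name=$2
    [ -f "$dir/$name.1" ] && mv "$dir/$name.1" "$dir/$name.2"
    mv "$dir/$name" "$dir/$name.1"
    : > "$dir/$name"
    chmod 644 "$dir/$name"   # keep the mode identical so only the inode differs
}

# Run one rotation in a scratch directory and check the facts the report shows.
# Returns 0 if all hold, 1 otherwise; prints the before/after inode numbers.
rotation_demo() {
    work=$(mktemp -d) || return 1
    printf 'boot line 1\n' > "$work/boot.log"      # constructed sample log
    chmod 644 "$work/boot.log"
    printf 'previous boot\n' > "$work/boot.log.1"  # constructed older log
    chmod 644 "$work/boot.log.1"

    old_log=$(inode_of "$work/boot.log")
    before_minus=$(props_minus_inode "$work/boot.log")
    before_with=$(props_with_inode "$work/boot.log")

    rotate_log "$work" boot.log

    new_log=$(inode_of "$work/boot.log")
    new_rot=$(inode_of "$work/boot.log.1")
    after_minus=$(props_minus_inode "$work/boot.log")
    after_with=$(props_with_inode "$work/boot.log")

    printf 'boot.log   inode %s -> %s\n' "$old_log" "$new_log"
    printf 'boot.log.1 inode now %s (was boot.log)\n' "$new_rot"

    rc=0
    # 1. boot.log.1 carries the inode boot.log had: rename keeps the inode.
    [ "$new_rot" = "$old_log" ] || rc=1
    # 2. the freshly created boot.log gets a new inode.
    [ "$new_log" != "$old_log" ] || rc=1
    # 3. with -i nothing else differs; without -i the rule fires on the inode alone.
    [ "$after_minus" = "$before_minus" ] || rc=1
    [ "$after_with" != "$before_with" ] || rc=1

    rm -rf "$work"
    return $rc
}

rotation_demo
```

The output mirrors the report: the observed inode of boot.log.1 equals the expected inode of boot.log (141028 in the report), because mv keeps the inode, while the new boot.log gets a fresh one. Note that in the stock twpol.txt $(SEC_CONFIG) resolves to $(Dynamic), which checks +pinugtd and no content hashes, so appending -i only drops the inode property; permissions, ownership, link count, type and device of the files under /var/log remain under check.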
