
Every time I update the database:

tripwire --check --interactive

But I still get notifications from Tripwire telling me that /root has changed.

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
  ----------------------------------------
  Modified Objects: 1
  ----------------------------------------

Modified object name:  /root

  Property:            Expected                    Observed                    
  -------------        -----------                 -----------                 
  Object Type          Directory                   Directory                   
  Device Number        2049                        2049                        
  File Device Number   0                           0                           
  Inode Number         1572865                     1572865                     
  Mode                 drwx------                  drwx------                  
  Num Links            8                           8                           
  UID                  root (0)                    root (0)                    
  GID                  root (0)                    root (0)                    
  Size                 4096                        4096                        
* Modify Time          Fri Jan 11 18:45:54 2019    Sat Jan 12 03:46:50 2019    
* Change Time          Fri Jan 11 18:45:54 2019    Sat Jan 12 03:46:50 2019    
  Blocks               8                           8  

Here's the policy after a fresh install; I only removed .bash_history because I don't know how to tell my own changes from "bad changes" in that file:


# These files change the behavior of the root account
(
  rulename = "Root config files",
  severity = 100
)
{
        /root                           -> $(SEC_CRIT) ; # Catch all additions to /root
        /root/test_results              -> $(SEC_CONFIG) -s;
        /root/.joe_state                -> $(SEC_CONFIG) -s;
#       /root/mail                      -> $(SEC_CONFIG) ;
#       /root/Mail                      -> $(SEC_CONFIG) ;
#       /root/.xsession-errors          -> $(SEC_CONFIG) ;
#       /root/.xauth                    -> $(SEC_CONFIG) ;
#       /root/.tcshrc                   -> $(SEC_CONFIG) ;
#       /root/.sawfish                  -> $(SEC_CONFIG) ;
#       /root/.pinerc                   -> $(SEC_CONFIG) ;
#       /root/.mc                       -> $(SEC_CONFIG) ;
#       /root/.gnome_private            -> $(SEC_CONFIG) ;
#       /root/.gnome-desktop            -> $(SEC_CONFIG) ;
#       /root/.gnome                    -> $(SEC_CONFIG) ;
#       /root/.esd_auth                 -> $(SEC_CONFIG) ;
#       /root/.elm                      -> $(SEC_CONFIG) ;
#       /root/.cshrc                    -> $(SEC_CONFIG) ;
        /root/.bashrc                   -> $(SEC_CONFIG) ;
#       /root/.bash_profile             -> $(SEC_CONFIG) ;
#       /root/.bash_logout              -> $(SEC_CONFIG) ;
#       /root/.bash_history             -> $(SEC_CONFIG) -s;
        !/root/.bash_history ;
#       /root/.amandahosts              -> $(SEC_CONFIG) ;
#       /root/.addressbook.lu           -> $(SEC_CONFIG) ;
#       /root/.addressbook              -> $(SEC_CONFIG) ;
#       /root/.Xresources               -> $(SEC_CONFIG) ;
#       /root/.Xauthority               -> $(SEC_CONFIG) -i ; # Changes Inode number on login
#       /root/.ICEauthority                 -> $(SEC_CONFIG) ;
}

I don't know what causes the "modify time change", but it's annoying. Is there a way to ignore the time change but still keep an eye on deleted, added and modified files in the root folder?

maybe /root -> $(SEC_CRIT) -m;

But I don't know if -m also ignores file changes.

michabbb
  • Hi michabbb and welcome to Unix&Linux! Before tweaking your policy and/or rules, go ahead and check what file is being changed. It's likely to save you time. To do so: `$ sudo debugfs -R 'ncheck 1572865' /dev/device-name-here`. "device-name-here" is the volume on which /root is mounted. It will vary according to yr setup. Respond below with the result and @Cbhihe in yr comment if you want to notify me. – Cbhihe Jan 12 '19 at 20:59
  • Just thinking that if `debugfs` is not implemented on yr OS, try the slower: `sudo find / -inum 1572865`. It may be more portable. – Cbhihe Jan 12 '19 at 21:05
  • @Cbhihe So does all this mean that not the timestamp of the root folder has changed, but instead, really, a file inside /root has changed??? I wasn't sure about the report. – michabbb Jan 13 '19 at 10:57
  • @Cbhihe The command you gave me gives me the /root folder itself, not a specific file. So it seems like the root folder has changed, but only the timestamp, no file. That's what is still confusing me. If I exclude /root in my policy, I am afraid of losing info on files inside the folder; that's why I am really confused here ;( – michabbb Jan 13 '19 at 11:29
  • @Cbhihe Thanks a lot for your help! I am running Debian. It's a Xen host. Of course, there may be processes running that do something inside /root. But I wasn't aware that something changes the timestamp of the folder itself. I have no idea what could cause this change. And yes, the result of your commands just shows me `/root/`, no specific file. So when Tripwire is yelling I am doing a `tripwire --check --interactive` so that everything is fine again. – michabbb Jan 13 '19 at 11:39
  • @Cbhihe Might it be possible that Tripwire changes /root itself, so every time I want trip to accept the latest changes, trip itself changes /root, and so next time, when trip checks, /root has a different timestamp again, something like an infinite check round trip? ;) – michabbb Jan 13 '19 at 11:39
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/88215/discussion-between-cbhihe-and-michabbb). – Cbhihe Jan 13 '19 at 11:43
  • @Cbhihe the compiled policy is stored in `/etc/tripwire/tw.pol` and the plain in `/etc/tripwire/twpol.txt` – michabbb Jan 13 '19 at 11:43
  • @Cbhihe I am currently investigating with `inotifywait -r -m /root` what happens inside my /root. The main question for me is still: what does the policy need to look like if I want to ignore the timestamp of the root folder itself, but not the files inside? The report only shows me that the timestamp of /root has changed, but I don't see "which file exactly" has changed, which makes things hard to investigate here. – michabbb Jan 16 '19 at 12:05
  • `inotifywait` may help, but did you check your *policy directives* (if any), or whether you have a special `recurse` policy provision for `/root` somewhere? What version of TW do you use? (Could not find the `-s` flag in the v2.4 manual.) – Cbhihe Jan 16 '19 at 16:39
  • @Cbhihe I am testing all the time. My version is 2.4 and, because I don't know which files have changed, I am trying right now: `/root -> $(SEC_CONFIG) ; # Catch all additions to /root /root/.bash_history -> $(SEC_CONFIG) ; /root/.cache -> $(SEC_CONFIG) ; /root/.config -> $(SEC_CONFIG) ; /root/.local -> $(SEC_CONFIG) ;` With the help of `inotifywait` I see a lot of access in `/root`, but every access says `CLOSE_NOWRITE`, so I have no idea what causes the timestamp change of the root folder itself. I go on – michabbb Jan 17 '19 at 20:12
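The question and the comments turn on what a property mask such as `$(SEC_CRIT) -m` or `$(SEC_CONFIG) -s` actually checks. The following is an added example, not code from the question, the comments, or Tripwire itself: a small resolver that expands a Tripwire mask the way the policy language does (textual substitution of `$(Variable)`, then `+`/`-` groups applied left to right) and reports which properties survive. The variable definitions in `STOCK_DEFINITIONS` are assumed to be the ones shipped in Tripwire's default twpol.txt; check them against your own policy file before relying on the output. The `changed_on_root` set at the bottom is taken from the report in the question, where only Modify Time and Change Time were starred.

```python
"""Resolve a Tripwire property mask to the set of properties it checks.

Added example for this thread, not Tripwire's own code. STOCK_DEFINITIONS
holds the default-policy values as assumed here (verify in your twpol.txt);
the masks tried in __main__ are the ones discussed in the question.
"""
import re
from typing import Dict, Iterable, Optional, Set

# Property-mask letters and what each one checks (Tripwire policy syntax).
PROPERTIES: Dict[str, str] = {
    "a": "access time", "b": "blocks allocated", "c": "inode change time",
    "d": "device of inode", "g": "group", "i": "inode number",
    "l": "growing file", "m": "modification time", "n": "link count",
    "p": "permissions", "r": "device pointed to", "s": "size", "t": "type",
    "u": "owner", "C": "CRC-32", "H": "Haval", "M": "MD5", "S": "SHA",
}
# Properties that move when a file's contents are edited in place.
CONTENT_PROPERTIES: Set[str] = set("sCHMS")

# Assumed stock definitions from the default policy (check your twpol.txt).
STOCK_DEFINITIONS: Dict[str, str] = {
    "ReadOnly":   "+pinugtsdbmCM-rlacSH",
    "Dynamic":    "+pinugtd-srlbamcCMSH",
    "Growing":    "+pinugtdl-srbamcCMSH",
    "IgnoreNone": "+pinugtsdrbamcCMSH-l",
    "IgnoreAll":  "-pinugtsdrlbamcCMSH",
    "SEC_CRIT":   "$(IgnoreNone)-SHa",
    "SEC_BIN":    "$(ReadOnly)",
    "SEC_CONFIG": "$(Dynamic)",
    "SEC_LOG":    "$(Growing)",
}

# A mask is a sequence of "$(Variable)" references and "+letters"/"-letters" groups.
_TOKEN = re.compile(r"\$\((\w+)\)|([+-])([A-Za-z]*)")


def resolve(mask: str, definitions: Optional[Dict[str, str]] = None,
            checked: Optional[Iterable[str]] = None) -> Set[str]:
    """Apply `mask` left to right on top of `checked` and return the result.

    "$(Var)" is textual substitution in Tripwire, so the variable's mask is
    applied in place, on top of whatever has been accumulated so far.
    """
    defs = STOCK_DEFINITIONS if definitions is None else definitions
    result: Set[str] = set() if checked is None else set(checked)
    text = "".join(mask.split())  # whitespace between groups is not significant
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"bad property mask near {text[pos:]!r}")
        pos = m.end()
        name, sign, letters = m.groups()
        if name is not None:
            if name not in defs:
                raise ValueError(f"undefined variable $({name})")
            result = resolve(defs[name], defs, result)
            continue
        unknown = set(letters) - set(PROPERTIES)
        if unknown:
            raise ValueError(f"unknown property letters {sorted(unknown)}")
        if sign == "+":
            result |= set(letters)
        else:
            result -= set(letters)
    return result


def rule_fires(mask: str, changed_properties: Iterable[str]) -> bool:
    """Would a rule with this mask report an object whose given properties changed?"""
    return bool(resolve(mask) & set(changed_properties))


def detects_content_edits(mask: str) -> bool:
    """Does the mask still notice an in-place edit to a file's contents?"""
    return bool(resolve(mask) & CONTENT_PROPERTIES)


def describe(mask: str) -> str:
    """Human-readable list of the properties a mask checks, in table order."""
    checked = resolve(mask)
    return ", ".join(PROPERTIES[k] for k in PROPERTIES if k in checked)


if __name__ == "__main__":
    # The report in the question starred only Modify Time and Change Time on /root.
    changed_on_root = {"m", "c"}
    for mask in ("$(SEC_CRIT)", "$(SEC_CRIT) -m", "$(SEC_CRIT) -mc", "$(SEC_CONFIG)"):
        print(f"{mask:18} fires on the /root report: {rule_fires(mask, changed_on_root)!s:5} "
              f"still catches content edits: {detects_content_edits(mask)!s:5}")
        print(f"{'':18} checks: {describe(mask)}")
```

Two things fall out of running it. First, `-m` alone does not silence the report in the question, because the Change Time was starred too and `$(SEC_CRIT)` still checks `c`; the mask would need `-mc`. Second, the mask applies to everything the rule recurses into, so `$(SEC_CRIT) -mc` stops checking both timestamps on the files under /root as well, but size and the CRC-32/MD5 hashes remain, which is what catches an edited file. `$(SEC_CONFIG)` (stock `$(Dynamic)`) keeps none of the content properties, so an in-place edit to /root/.bashrc is invisible under it unless the editor replaces the inode; that is the trade-off behind the quieter config in the answer.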

1 Answer


First: this is not the direct answer to how to ignore the timestamp of /root; it's more info on how to configure Tripwire to ignore some special changes inside the root folder (because I still have no answer to my original question).

It's still frustrating to see only a timestamp change on a folder without knowing what has changed inside that folder. With the help of inotify (see comments) I was able to identify some changes inside /root.

Now here are some examples that can cause /root changes:

  • temp files from editors like joe (joe creates files with a ~ at the end, to save last changes)
  • cronjobs where scripts save/update something inside root
  • programs using /root/.cache/, e.g. mc (Midnight Commander) uses /root/.cache/mc
  • programs using /root/.config like htop or mc
  • programs using /root/.local/ like mc (/root/.local/share/mc)
  • changes at /root/.bash_history
  • the editor joe uses /root/.joe_state

Of course there are endless things that can cause changes inside /root; inotify is a nice helper here to identify these changes.

In my special case, I stopped Tripwire complaining about my changes with this config:

        /root -> $(SEC_CONFIG) ; # Catch all additions to /root
        !/root/.bash_history ;
        !/root/.joe_state ;
        /root/.cache  -> $(SEC_CONFIG) ;
        /root/.config -> $(SEC_CONFIG) ;
        /root/.local  -> $(SEC_CONFIG) ;

/root should be $(SEC_CRIT), but in my case most stuff is done as root, doesn't matter if that is bad or not, so to keep Tripwire a bit more quiet I am doing fine now using $(SEC_CONFIG) instead.

Of course we should mention that many problems like these can be avoided by not working as root and using sudo instead. But if you cannot or don't want to, you have to take care of everything that changes inside /root, which can be a very Sisyphean challenge.

michabbb
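The answer's list of causes (editor backup files ending in `~`, cache and state files, scripts writing into /root) all have one thing in common: they create, remove or rename an entry in the directory, and that is the only kind of activity that moves a directory's own Modify Time and Change Time. Editing a file in place updates that file's timestamps, not its parent's. So a report that stars only /root's timestamps, with nothing else listed, points at an entry that came or went, possibly a temporary one that was gone again before the check ran. The following is an added example, not from the answer or from Tripwire: it snapshots a directory's entries as name-to-inode pairs and diffs two snapshots, which names the entry directly instead of leaving you to guess from a timestamp. The scratch directory, the `.bashrc`, `.bashrc~`, `.bashrc.tmp` and `.cache.lock` names, and the `snapshot`/`diff_snapshots`/`demo` functions are all constructed for this demo.

```python
"""Find which entry of a directory changed when only its timestamps were flagged.

Added example for this thread, not from Tripwire or from the answer. A
directory's own mtime/ctime move only when an entry in it is created, removed,
renamed or linked; editing a file in place updates that file's timestamps, not
the parent directory's. Diffing two name->inode snapshots shows which entries
differ. The scratch directory and file names below are constructed for the demo.
"""
import os
import tempfile
import time
from typing import Dict, List

Snapshot = Dict[str, int]  # entry name -> inode number


def snapshot(directory: str) -> Snapshot:
    """Record every entry of `directory` (not recursive) with its inode number."""
    result: Snapshot = {}
    with os.scandir(directory) as entries:
        for entry in entries:
            # follow_symlinks=False: a symlink is recorded as itself, as Tripwire does
            result[entry.name] = entry.stat(follow_symlinks=False).st_ino
    return result


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Classify entries as added, removed, or replaced (same name, different inode)."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "replaced": sorted(n for n in before if n in after and before[n] != after[n]),
    }


def demo() -> dict:
    """Replay typical /root activity in a scratch "home" directory and report
    what the snapshot diff and the directory mtime see after each step."""
    with tempfile.TemporaryDirectory() as home:
        rc = os.path.join(home, ".bashrc")
        with open(rc, "w") as f:
            f.write("alias ll='ls -l'\n")
        base = snapshot(home)
        dir_mtime = os.stat(home).st_mtime_ns

        # 1. In-place append: the file changes; the directory's entries and mtime do not.
        with open(rc, "a") as f:
            f.write("export EDITOR=joe\n")
        content_edit = {
            "diff": diff_snapshots(base, snapshot(home)),
            "dir_mtime_unchanged": os.stat(home).st_mtime_ns == dir_mtime,
        }

        # 2. An editor backup file (joe's "name~" style) appears: a new entry.
        with open(rc + "~", "w") as f:
            f.write("alias ll='ls -l'\n")
        # 3. An atomic save (write a temp file, rename it over the original): same
        #    name, new inode, so it shows up even with mtime/ctime ignored.
        tmp = os.path.join(home, ".bashrc.tmp")
        with open(tmp, "w") as f:
            f.write("alias ll='ls -l'\nexport EDITOR=joe\n")
        os.replace(tmp, rc)
        backup_and_save = diff_snapshots(base, snapshot(home))

        # 4. A transient file: created and deleted between two checks. The diff
        #    is empty, but the directory mtime moved, which is what the report
        #    in the question looks like.
        before_transient = snapshot(home)
        mtime_before_transient = os.stat(home).st_mtime_ns
        time.sleep(0.05)  # step past the kernel's coarse timestamp granularity
        scratch = os.path.join(home, ".cache.lock")
        open(scratch, "w").close()
        os.remove(scratch)
        transient = {
            "diff": diff_snapshots(before_transient, snapshot(home)),
            "dir_mtime_changed": os.stat(home).st_mtime_ns != mtime_before_transient,
        }

        return {
            "content_edit": content_edit,
            "backup_and_atomic_save": backup_and_save,
            "transient_file": transient,
        }


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

For the transient case the snapshot approach alone cannot name the file, which is where `inotifywait -m /root` from the comments comes in: watching for `CREATE`, `DELETE` and `MOVED_TO`/`MOVED_FROM` events on the directory itself (not recursively) isolates exactly the activity that moves its timestamps.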