SUMMARY-PART2: tripwire compilation and usage on DU3.2C

From: Igor V. Alekseev <aiv_at_tornado.yars.free.net>
Date: Thu, 03 Apr 97 16:36:52 +0200

This is the second part of the summary to the original question:

>Could anyone please share his/her experiences of compiling and using
>tripwire on DU3.2c?
>
>I've managed to compile and link it statically with the gcc 2.7.2, with
>the following flags: -DTW_TYPE32='int' (as it was recommended in the manuals
>which come with it). The program seems to be working all right, but each time
>it runs the terminal where it was started gets bombarded by flurries of the
>messages "Unaligned access pid=18190 <tripwire> va=11fffc94c pc=120038e58
>ra=120038dc0 type=stq" which the kernel seems to be producing.
>
>What is happening here? Has anyone experienced similar behaviour of tripwire?
>
>And the second question is: Does anybody have a tripwire configuration file
>(describing what to check/what to skip) specifically tailored to DU OS? With
>important files to watch included which are specific to DU?
>


I'd like to share the tripwire configuration file which I built with the help of
the following people:


Jim <jims_at_gatekeeper.dor.state.ma.us>
Nebojsa Hrmic <nebojsa_at_alf.tel.hr>
John Files <jhf_at_dmu.ac.uk>

The file attached below was developed for my system and may not be completely
appropriate for yours, so it will need some editing. To ease this task I have
supplied short comments trying to explain why each item is included in the file.
The configuration proposed is somewhat excessive: it would take quite a lot of
cycles to run tripwire with such a configuration very frequently. Instead you may
choose to run it daily with the '-i all' flag, ignoring the signatures, and once
a week with signatures. Decide for yourself depending on how thoroughly you
want your system monitored.

I would be happy to hear your comments/suggestions/critiques,

Hope it helps,

Igor V. Alekseev, Yaroslavl Regional network, Information Systems Expert

------------------------- cut here ------------------------

#
# tripwire.config
# Sample version (with comments for easy modification)
# for alpha-Digital UNIX 3.2c
#
# Created by Igor V. Alekseev <aiv_at_yars.free.net> based upon
# alpha-osf-managers mailing list and with particular help
# from:
# Jim <jims_at_gatekeeper.dor.state.ma.us>
# Nebojsa Hrmic <nebojsa_at_alf.tel.hr>
# John Files <jhf_at_dmu.ac.uk>
#
# This file is provided as is, with hope that it helps, however,
# no responsibility is assumed.
#
#
# Will need editing...see comments below
#
#
# This file contains a list of files and directories that Tripwire
# will scan. Information collected from these files will be
# stored in the tripwire.database file.
#
# Format: [!|=] entry [ignore-flags]
#
# where: '!' signifies the entry is to be pruned (inclusive) from
# the list of files to be scanned.
# '=' signifies the entry is to be added, but if it is
# a directory, then all its contents are pruned
# (useful for /tmp).
#
# where: entry is the absolute pathname of a file or a directory
#
# where ignore-flags are in the format:
# [template][ [+|-][pinugsamc12] ... ]
#
# - : ignore the following attributes
# + : do not ignore the following attributes
#
#   p : permission and file mode bits    a : access timestamp
#   i : inode number                     m : modification timestamp
#   n : number of links (ref count)      c : inode creation timestamp
#   u : user id of owner                 1 : signature 1
#   g : group id of owner                2 : signature 2
#   s : size of file
#
#
# Ex: The following entry will scan all the files in /etc, and report
# any changes in mode bits, inode number, reference count, uid,
# gid, modification and creation timestamp, and the signatures.
# However, it will ignore any changes in the access timestamp.
#
# /etc +pinugsm12-a
#
# The following templates have been pre-defined to make these long ignore
# mask descriptions unnecessary.
#
# Templates: (default) R : [R]ead-only         (+pinugsm12-a)
#                      L : [L]og file          (+pinug-sam12)
#                      N : ignore [N]othing    (+pinugsamc12)
#                      E : ignore [E]verything (-pinugsamc12)
#
# By default, Tripwire uses the R template -- it ignores
# only the access timestamp.
#
# You can use templates with modifiers, like:
# Ex: /etc/lp E+ug
#
# Example configuration file:
# /etc R # all system files
# !/etc/lp R # ...but not those logs
# =/tmp N # just the directory, not its files
#
# Note the difference between pruning (via "!") and ignoring everything
# (via "E" template): Ignoring everything in a directory still monitors
# for added and deleted files. Pruning a directory will prevent Tripwire
# from even looking in the specified directory.
#
#
# Tripwire running slowly? Modify your tripwire.config entries to
# ignore the (signature 2) attribute when this computationally-exorbitant
# protection is not needed. (See README and design document for further
# details.)
#


# Check the / directory and the root's home
# add any relevant configuration files which define the root's
# working environment - shell startup files, X11 startup things,
# xresources, etc.
#
=/ L
/.rhosts R
/.profile R
/.cshrc R
/.login R
/.exrc R
/.logout R
/.netrc R
/.forward R
/.history R
/.dtprofile R
/.dt R
/DXsession R
# look for other dot files under / and add as appropriate
# but generally try to avoid running too many things as root

# Check the current and generic kernel, boot loader, etc.

/genvmunix R
/vmunix R
/osf_boot R
/kdebug R
=/proc L

# Check the device files (and exceptions)
/dev L
/dev/ttyp0 +ins-pugamc12 # L-ugp also suggested
/dev/ttyp1 +ins-pugamc12
/dev/ttyp2 +ins-pugamc12
/dev/ttyp3 +ins-pugamc12
/dev/ttyp4 +ins-pugamc12
/dev/ttyp5 +ins-pugamc12
/dev/ttyp6 +ins-pugamc12
/dev/ttyp7 +ins-pugamc12
/dev/ttyp8 +ins-pugamc12
/dev/ttyp9 +ins-pugamc12
/dev/ttypa +ins-pugamc12
/dev/ttypb +ins-pugamc12
/dev/ttypc +ins-pugamc12
/dev/ttypd +ins-pugamc12
/dev/ttype +ins-pugamc12
/dev/ttypf +ins-pugamc12
/dev/ttyq0 +ins-pugamc12 # L-ugp also suggested
/dev/ttyq1 +ins-pugamc12
/dev/ttyq2 +ins-pugamc12
/dev/ttyq3 +ins-pugamc12
/dev/ttyq4 +ins-pugamc12
/dev/ttyq5 +ins-pugamc12
/dev/ttyq6 +ins-pugamc12
/dev/ttyq7 +ins-pugamc12
/dev/ttyq8 +ins-pugamc12
/dev/ttyq9 +ins-pugamc12
/dev/ttyqa +ins-pugamc12
/dev/ttyqb +ins-pugamc12
/dev/ttyqc +ins-pugamc12
/dev/ttyqd +ins-pugamc12
/dev/ttyqe +ins-pugamc12
/dev/ttyqf +ins-pugamc12

# make sure /tmp is there if you want
=/tmp L-n

# Check the system configuration parameters (and exceptions)
# ask yourself how many files are being rightfully changed in this
# directory and how often.

/etc R
/etc/motd L-i
/etc/state L
# mail subsystem files
/etc/mail/aliases.dir L
/etc/mail/aliases.pag L
#
# /etc/fstab R
# some sysadmins (probably on systems where users come and go)
# have
# /etc/passwd L # or L-i sometimes
# /etc/passwd.dir L # same as above
# /etc/passwd.pag L # same as above
#
# security integration architecture files...
/etc/sia R-nsmc
/etc/sia/bsd_matrix.conf R
/etc/sia/OSFC2_matrix.conf R
/etc/sia/siainitgood L-i
/etc/sia/matrix.conf R-mc
#
=/etc/zoneinfo R # skip the contents of it

# check important system binaries
/sbin R # R-1 or R-2 or R-12 to save the cycles

# This place is frequently forgotten, but it shouldn't be -
# it is quite an important part of the DU security mechanism
/tcb R-2
/tcb/files L

# Also consider checking these directories if you feel like
/opt R-12

# you may need to go explore your filesystems and these particular
# directories to have things excluded or included, but
# remember - any executable replaced by an attacker poses a
# security threat - if executed by any user, and especially by
# a privileged one.

#
# Now start checking the usr filesystem
#
# information and lockfiles on the software subsets installed
/usr/.smdb. R-12

# most system binaries
/usr/bin R

# things needed for software development
/usr/ccs R

# examples (source and binaries)
/usr/examples R-12

# field test utilities
/usr/field R

# include files
/usr/include R-12

# more system binary executables
/usr/sbin R

# even more binaries
/usr/lbin R

# libraries and various things
/usr/lib R
/usr/lib/X11 R-12
=/usr/lib/cda R-12
=/usr/lib/dxbook R-12
=/usr/lib/emacs R-12
=/usr/lib/learn R-12
=/usr/lib/lse R-12
=/usr/lib/nls R-12
=/usr/lib/rcs R-12


# optional software (ULTRIX/SYSV compatibility)
/usr/opt R

# more libraries and things
/usr/share/lib R-12

# more (shared) libraries
/usr/shlib R

# user environment primitives
/usr/skel R-12

# kernel construction zone
/usr/sys R

# security related files
/usr/tcb R

# Having finished with standard system parts -
# - go check the local stuff
# again - make sure that you check places where binary executables
# or libraries live
/usr/local/X11R6 R-2
/usr/local/alpha-dec-osf3.2 R-2 # gcc home
/usr/local/bin R
/usr/local/lib R
# /usr/local/security R # where your security-related programs
# live - don't forget about tripwire itself and its databases
/usr/local/include R-12

# Check the files under var, most of them are logs - make
# sure the files exist, the permissions and ownerships have not changed
/var L
=/var/spool L

# /var/X11 - in place, scripts inside should not change

=/var/X11 L
/var/X11/GiveConsole R
/var/X11/TakeConsole R
/var/X11/Xaccess R
/var/X11/Xkeymaps R
/var/X11/Xresources R
/var/X11/Xservers R
/var/X11/Xsession R
/var/X11/Xsetup_0 R
/var/X11/xdm-config R
/var/X11/Xservers.fs R
/var/X11/xdm-config.fs R
/var/X11/xdm/xdm-errors L
/var/X11/xdm/xdm-pid L-i
/var/X11/xdm/keymap_default L-i

/var/adm/mountdtab L-i
/var/adm/ris/bin R
=/var/adm/syslog.dated L-n # new dir's are created, old destroyed
/var/kdbx R
/var/adm/cron/cron.allow R # and/or cron.deny
/var/adm/cron/at.allow R # and/or at.deny
/var/adm/cron/queuedefaults R
=/var/preserve L # editor preserved files - change often
/var/yp R

#
#
# Recall whether you have other executables lying around in
# strange places - include them as well. Remember sendmail, RIS stuff
# (if you have it), perhaps a separate bin directory you set aside for
# root. If the system gets slow - try excluding signature 2 or 1 or both (not
# recommended)
Received on Thu Apr 03 1997 - 15:14:28 NZST
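A small parser for the entry syntax described in the header of the config above, written as an added example for this archive page; it is neither from the post nor from the Tripwire distribution. It expands the R/L/N/E templates and the +/- modifiers into the set of attributes that is actually monitored for each entry, and it reports configuration mistakes a practitioner would want caught before the database is initialised: unknown flag letters, relative paths, and a path listed twice. Assumptions: the template strings are the header's (with the stray second 's' in the N and E strings dropped), an attribute a spec never mentions keeps its R-template setting (the header only says R is the default when no flags are given), and SAMPLE is a constructed excerpt in the posted file's format, not the posted file.

```python
"""Parse tw.config-style entries into effective attribute masks.

Added example, not Tripwire's own code.  Models the header's syntax:
    [!|=] entry [template][ [+|-][pinugsamc12] ... ]
"""

# Attribute letters in the order the header lists them.
ATTRS = "pinugsamc12"

# Templates as the header defines them, each letter once.
TEMPLATES = {
    "R": "+pinugsm12-a",   # read-only: ignore only the access time
    "L": "+pinug-sam12",   # log file: ignore size, times, signatures
    "N": "+pinugsamc12",   # ignore nothing
    "E": "-pinugsamc12",   # ignore everything (adds/deletes still seen)
}


def apply_flags(monitored, flags):
    """Apply a '+abc-xyz' string to a set of monitored attribute letters."""
    sign = None
    for ch in flags:
        if ch in "+-":
            sign = ch
        elif ch in ATTRS:
            if sign is None:
                raise ValueError(f"flag {ch!r} is not preceded by + or -")
            if sign == "+":
                monitored.add(ch)       # + means: do NOT ignore it
            else:
                monitored.discard(ch)   # - means: ignore it
        else:
            raise ValueError(f"unknown flag character {ch!r} in {flags!r}")
    return monitored


def resolve_mask(spec):
    """'R-nsmc', 'E+ug', '+ins-pugamc12', '' -> frozenset of monitored attrs.

    Assumption for this example: an attribute that neither the template
    nor the modifiers mention keeps its setting from the default R template.
    """
    monitored = apply_flags(set(), TEMPLATES["R"])
    if spec and spec[0] in TEMPLATES:
        apply_flags(monitored, TEMPLATES[spec[0]])
        spec = spec[1:]
    return frozenset(apply_flags(monitored, spec))


def format_mask(monitored):
    """Render a mask as '+<monitored>-<ignored>' in header letter order."""
    on = "".join(ch for ch in ATTRS if ch in monitored)
    off = "".join(ch for ch in ATTRS if ch not in monitored)
    return ("+" + on if on else "") + ("-" + off if off else "")


def parse_entry(line):
    """Return (mode, path, monitored), or None for blank and comment lines.

    mode is '' (scan recursively), '=' (entry only, contents pruned) or
    '!' (pruned entirely; mask is empty because nothing is checked).
    """
    line = line.split("#", 1)[0].strip()      # trailing comments allowed
    if not line:
        return None
    parts = line.split()
    if len(parts) > 2:
        raise ValueError(f"too many fields: {line!r}")
    mode, path = "", parts[0]
    if path[0] in "!=":
        mode, path = path[0], path[1:]
    if not path.startswith("/"):
        raise ValueError(f"entry must be an absolute path: {parts[0]!r}")
    if mode == "!":
        return mode, path, frozenset()
    return mode, path, resolve_mask(parts[1] if len(parts) == 2 else "")


def check_config(text):
    """Parse a whole file; return (entries, problems).

    A path listed twice and any line that fails to parse are reported.
    """
    entries, problems, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            parsed = parse_entry(raw)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        if parsed is None:
            continue
        path = parsed[1]
        if path in seen:
            problems.append(f"line {lineno}: {path} already listed on line {seen[path]}")
        seen.setdefault(path, lineno)
        entries.append(parsed)
    return entries, problems


# Constructed excerpt in the posted file's format (not the posted file).
SAMPLE = """\
=/ L
/etc R
/etc/motd L-i
/etc/sia R-nsmc
/dev/ttyp0 +ins-pugamc12 # L-ugp also suggested
=/var/adm/syslog.dated L-n
!/var/preserve
=/var/adm/syslog.dated L-n
/usr/local/bin R+c-2
/etc/lp E+ug
"""

if __name__ == "__main__":
    entries, problems = check_config(SAMPLE)
    for mode, path, mask in entries:
        shown = "(pruned)" if mode == "!" else format_mask(mask)
        print(f"{mode or ' '} {path:26} {shown}")
    for problem in problems:
        print("WARNING:", problem)
```

Run it on a real tw.config instead of SAMPLE to see, per entry, exactly which attributes a template-plus-modifier string leaves monitored; the duplicate-path warning is the check that matters most when a large file like the one above is assembled from several contributors' suggestions.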