
Tripwire. Any Ideas?

I am seeing the message constantly referenced in: /var/spool/mail/root
(a) what does it mean?
(b) is it a bad thing?
James Collins
Field Service Engineer
A+, MCP

email: butchrecon@skyenet.net

Please let us (Tek-tips members) know if the solutions we provide are helpful to you. Not only do they help you but they may help others.
 
Hi,

Not sure what you mean. Do you mean that tripwire says /var/spool/mail/root is changed? If so, that's root's mail spool file, so it would obviously change when automated emails are sent by anacron or whatever. Even without using 'pine' or whatever you can look at the contents with 'cat'.

Or do you mean tripwire emails a notification to root? If so, what does that say?

Regards
 
Here is the complete message:

Date: Fri, 1 Mar 2002 04:04:22 -0600
Message-Id: <200203011004.g21A4MY20987@lapcu>
From: root@lapcu (Cron Daemon)
To: root@lapcu
Subject: Cron <root@lapcu> run-parts /etc/cron.daily
X-Cron-Env: <SHELL=/bin/bash>
X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <MAILTO=root>
X-Cron-Env: <HOME=/>
X-Cron-Env: <LOGNAME=root>

/etc/cron.daily/tripwire-check:

**** Error: Tripwire database for lapcu not found. ****
**** Run /etc/tripwire/twinstall.sh and/or tripwire --init. ****
James Collins
 
The obvious response (not meant to be cocky [bigglasses]) is that tripwire is complaining - perhaps about an incomplete installation of itself. Been a while since I touched tripwire. Hopefully someone else is a bit more current than I.

Bill.
 
I don't know what it is. Any ideas what it's for?
James Collins
 
Hi,

Once you have installed tripwire and configured policies the way you like, you have to let it take a 'snapshot' of your system for later comparison in its daily checks for changed files. Tripwire builds a database with checksums or whatever and uses this to compare the active state of the system to detect changes. So, as a one-off you need to do:

# /usr/sbin/tripwire --init

(takes some time!)

See -->
Hope this helps
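
The snapshot-then-compare idea described in the post above, as an added example that is not part of the original thread and is not Tripwire's own code. The function names (`snapshot`, `init_db`, `check`), the JSON baseline file and the use of SHA-256 are assumptions made for illustration.

```python
# Added illustration: a toy baseline-and-compare checker, not Tripwire's format or policy language.
import hashlib
import json
import os


def snapshot(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def init_db(root, db_path):
    """One-off step, analogous to `tripwire --init`: record the baseline."""
    with open(db_path, "w") as fh:
        json.dump(snapshot(root), fh, indent=2, sort_keys=True)


def check(root, db_path):
    """Daily step: compare the current state with the recorded baseline."""
    if not os.path.exists(db_path):
        # Same situation as the cron mail in this thread: nothing to compare against.
        raise FileNotFoundError("baseline database not found; run init_db() first")
    with open(db_path) as fh:
        baseline = json.load(fh)
    current = snapshot(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample tree
        root, db = os.path.join(tmp, "etc"), os.path.join(tmp, "baseline.json")
        os.mkdir(root)
        with open(os.path.join(root, "passwd"), "w") as fh:
            fh.write("root:x:0:0\n")
        init_db(root, db)  # baseline is kept outside the monitored tree
        with open(os.path.join(root, "passwd"), "a") as fh:
            fh.write("newuser:x:1001:1001\n")
        print(check(root, db))  # reports passwd under "changed"
```

A real deployment also has to protect the baseline itself from tampering, which this sketch does not attempt.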
 
The problem is I know nothing about it nor do I use it. How do I get rid of it?
James Collins
 
Hi,

Tripwire is an intrusion detection utility that may well be installed by default with RH7.2.

You should just be able to uninstall the rpm:

# rpm -e tripwire


Regards
 
Thanks, I will try that.
James Collins
 
Is it a worthwhile program? If so, how do I set it up and configure it?
James Collins