On Sat, 2004-07-31 at 15:46, Norman Nunn wrote:
> In running tripwire for several days I get daily reports that identify
> a lot of missing files, most in /var/lock/subsys. These files are not
> on my system and the comment comes from the tripwire checks defined in
> the policy file. I was wondering if it was customary to comment these
> out in the policy file so the reports are much shorter. Or is there a
> good reason to leave them there as is.
>
> Norm

In my experience you need to edit the policy file to match your
particular system. Not only do you need to comment out files that do not
exist on your system but also include rules for files that may not be
included in the default tripwire policy file. Stuff like databases are
not typically included.

I also find I have to tweak the rules for the root home directory. By
default it triggers on the .xauth* stuff which changes each time you log
in as root.

Once you get it all set up you should get a clean report each time it is
run. I also have set up some filters that verify whether it was clean or
not and mark the message as read if it is clean. So it stands out when
something has changed.

--
Scot L. Harris
webid@xxxxxxxxxx

You shouldn't have to pay for your love with your bones and your flesh.
-- Pat Benatar, "Hell is for Children"
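
The policy cleanup described in the reply above, as an added example that is not part of the original message or of Tripwire itself: it comments out policy rules whose object path does not exist on the local system. The function name `comment_missing`, the `exists` parameter and the sample policy text are assumptions constructed for illustration.

```python
import os
import re

# A Tripwire policy rule line has the form
#     /var/lock/subsys/amd        -> $(SEC_CONFIG) ;
# Group 1 is the indentation, group 2 the object path (optionally quoted).
# Lines that are already commented, or whose path starts with a policy
# variable such as $(TWBIN), do not match and are left untouched.
RULE_RE = re.compile(r'^(\s*)("[^"]+"|/[^\s;]*)\s*->')

# Constructed sample, modelled on the layout of a default twpol.txt.
SAMPLE_POLICY = """\
(
  rulename = "System boot changes",
  severity = $(SIG_HI)
)
{
     /var/lock/subsys                     -> $(SEC_CONFIG) ;
     /var/lock/subsys/amd                 -> $(SEC_CONFIG) ;
     /var/lock/subsys/crond               -> $(SEC_CONFIG) ;
     #/var/lock/subsys/anacron            -> $(SEC_CONFIG) ;
     $(TWBIN)/tripwire                    -> $(SEC_BIN) ;
}
"""


def comment_missing(policy_text, exists=os.path.exists):
    """Comment out rules for paths that do not exist.

    Returns (new_policy_text, list_of_commented_paths). `exists` is
    injectable so the logic can be checked without touching the disk.
    """
    out, commented = [], []
    for line in policy_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            path = m.group(2).strip('"')
            if not exists(path):
                # Keep the original rule text so it can be restored if the
                # service is installed later.
                out.append(f"{m.group(1)}# {line.lstrip()}")
                commented.append(path)
                continue
        out.append(line)
    return "\n".join(out) + "\n", commented


if __name__ == "__main__":
    new_text, gone = comment_missing(SAMPLE_POLICY)
    print(new_text)
    print("commented out:", gone)
```

An edited policy only takes effect once it is installed with `twadmin --create-polfile` and the database is rebuilt with `tripwire --init`. Review the list of commented paths first: a file that is missing because it was deleted, rather than never installed, is exactly what the report is meant to show.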