Fedora Security :: Tripwire Revealed File Size Differences?
May 14, 2009
Recently I decided to utilize an IDS system. So I installed Open Source Tripwire. Not that I am too worried about anyone gaining a successful foothold on my system. But I wanted to learn and experience this IDS system. And no, this is not a new server install but I have never seen anything that resembles illegal activity. My server is an installed CentOS 5.3 with SELinux in targeted mode.
Tripwire has brought to light some interesting things. Installation states to verify rpm packages using rpm -Va. I have found that many of my system binaries are not the same size as if I were to replace them via yum. Most of the binaries are like twice the size compared to a newly installed package, of the same version. I'm not sure what to make of this. These programs are the original installs (CentOS 5.1) and I keep the system up to date regularly via yum.
I wonder if perhaps these system files installed are perhaps different than the individual package sizes installed via yum? I have a hard time believing this as a package is a package. The only other possibility that comes to mind is that nearly my entire system has been hacked with new system files, and in a way that has revealed and suggests nothing. I find that far fetched as I have run this server for some time now and I should think I would know a problem, as not a morning goes by that I haven't reviewed my logs, as they are emailed to me. Thoughts about the difference in file sizes? Those installed via CentOS DVD versus those installed via yum?
Jul 1, 2010
I have tripwire 2.4.1.2 running on one of our servers on a daily basis, and I was curious to know if it is good practice to periodically update the policy file. The reason for my asking that is while the daily reports that I get indicate there have been changes to files on a daily basis, there are also files that have not been modified for over a month. My thinking is an update of the policy file will establish an updated baseline, and those files that have not been changed for so long will not be reported on until they get changed again.
Jan 21, 2009
I have been asked to investigate some of our servers that run tripwire 2.3.0 on Red Hat Linux Advanced Server release 2.1AS (Pensacola)
We have the reports emailed to us using cron and twprint -m r -r report -t 4. It has been growing steadily and today it was 9MB. It seems the database records go back to before 2004 and are being compared against today's files.
I really need to be informed what needs to be done to tripwire to keep it serviced through cron. I have tried to google this but could not find any information that seemed to answer my questions.
Looking at the following guide url step 6 talks about "Updating the Database after an Integrity Check" using
Code:
# tripwire --update --twrfile /var/lib/tripwire/report/<name>.twr
Should I be using this command or should I be re-creating the db every month or so and using # tripwire --init?
Extract from report -
Quote:
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name                  Severity Level    Added    Removed    Modified
---------                  --------------    -----    -------    --------
Invariant Directories      66                0        0          0
code....
I need to understand how to change the expected to the observed so the db will be up to date.
I would also like some of the rules explained: What do removed and added mean? Is it removed as it has not changed and added if it finds a new one that has?
Code:
-------------------------------------------------------------------------------
Rule Name: System boot changes (/lib/modules)
Severity Level: 100
-------------------------------------------------------------------------------
----------------------------------------
Added Objects: 3075
----------------------------------------
code....
May 1, 2011
I am going to try to install Tripwire on my computer. I do not know why or how to configure Tripwire policy and configuration files.
Jul 29, 2009
I have just installed tripwire. I have created a baseline db using the default policy file. Then I checked the output of the db to see what I did not have on my filesystem that db was searching for (according to the default policy when tripwire was installed), I then changed my default clear text policy file accordingly and used twadmin to generate a new tw.pol file.
Next I come grinding to a halt after this (assuming the next thing is to update the policy in tripwire, right?)
Jul 11, 2010
I have disabled root login in my remote shell and I have a pretty strong password. I am not happy though. I want to increase security. I've been thinking about installing some basic tripwire rig, like say, send myself an email every time I (or anyone) log in. My questions:
- What kind of data would be useful to be sent in that email? Anything else besides "user so-and-so logged in at {date and time}"?
- How would I achieve that? Is it enough to include it in .tcshrc (because my shell is tcsh)? Should I add it to other shells as well (.bashrc, .csh etc.) even though nobody uses the other shells? Is it better placed in some other file, like .login? What is the optimal place?
- Would that be enough? Can I make that whole idea more secure in any way?
Mar 29, 2010
We have 3 RH5u4-64 servers. Server 1 is a standalone server. Servers 2 & 3 are clustered filesystem servers running Veritas CFS 5.0mp3.
Server 1's filesystem is EXT3 and was cloned from a Sun server running Veritas 5.0mp3-VXFS. The filesystem size returned by 'du' and 'df' shows about 428GB on both the Linux standalone server (EXT3) and the Sun Solaris servers (vxfs).
We then cloned Server 1's filesystem (EXT3) to the 2-node CFS servers. Cloning was successful, but the filesystem size returned by 'du' and 'df' shows 128GB. Block size for the EXT3 filesystem is 4k while the block size for the VXFS filesystem is 1k.
Where did that other 300GB go?
I can see VXFS/CFS being slightly more efficient than EXT3 because it's been around much longer, but that can't possibly account for the vast difference.
Jan 19, 2011
Does lvresize with the --resizefs option resize the Logical Volume and then resize the file system? I mean, we don't need to use resize2fs? I looked at the man pages but they don't explain this option.
Dec 14, 2010
How can we find the maximum size of the inode table and what decides it, and how is the maximum volume size of a file system decided?
Jul 18, 2010
Einstein's Distribution Choice Revealed? [URL]..
Jun 10, 2010
Is there software that can split a big file into smaller files in Linux?
Apr 19, 2010
I've got a vnc log file on a barely used server hitting 124 gigs.
On one of our main systems it's at 5 gigs.
Both too large, but what could cause such a large log file?
And what can I do to limit it?
Mar 15, 2010
At some point my wine install died. I haven't used it a lot and I update my Fedora 11 regularly so I'm not sure what made it break. I thought "ok, just see if there's an updated version". 'yum info wine' says there is an update version and the file is 27k in size. Tried installing and no joy. Tried erasing wine and then installing; no joy. Yum says that the X86-64 and the i686 version are both 27k in size. I know for sure that is wrong. On a semi-nonFedora note, I tried compiling my own version of wine. It compiled fine after installing some dependencies and '-devel' files, but it gets the same crash as the Fedora version was getting.
Mar 11, 2010
I'm all new to Linux. I've got Fedora Core 12 - I'm an ex-Windows user. I have these 3 websites to maintain. These are in the Finnish language, so-called pikalaina sites:
pikalainat
pikavipit
vipit
And I have to add pictures to these pages. I don't know how to do even that; I don't know web programming or HTML. But my images are about 1 MB in file size. I used to have Windows and Photoshop, and there is this "save for web" feature where file size is reduced. I have this GIMP program now - it's terrible compared to Photoshop, but it's free. In GIMP there is no feature to reduce file size from, for example, 1 MB to 20 KB. How do I do this? Do you know any good program to do it?
Jun 23, 2011
If I have a file to which data is written, which leads to an increase in this file's size,
is it possible to set a constraint such that this file size mustn't exceed a certain size,
let's say 5 MB for instance?
Feb 22, 2010
Can anyone tell me how to increase the system file partition's size? I have an ext3 type partition where FC11 is installed. Is it possible to increase the size of ext3 without loss of data?
Dec 16, 2010
I have a single 6.2Gb file that needs to go on a fat32 format hdd, does anyone know of a way to split the file so it will fit.
Dec 7, 2009
Fedora 12, gcc 4.4.1. I am doing some programming, and my program gave me a stack dump. However, there is no core file for me to examine.
So I did:
Code:
ulimit -c unlimited
and got this error message:
Code:
bash: ulimit: core file size: cannot modify limit: Operation not permitted
I also tried setting ulimit to 50000 and still got the same error. The results of ulimit -a:
Code:
$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
[Code]...
Jul 2, 2010
I'm trying to install Tripwire, but everytime I run the apt-get command, I receive an error.
How do I fix this and get Tripwire installed?
EDIT: I'm getting the same error trying to install updates. I've never seen this error before and am not sure what could be causing this.
May 17, 2010
Can someone please tell me how to copy tripwire from my RH9 install and transfer it to Fedora Core 5?
Jul 12, 2010
I have tripwire 2.4.1 up and running on one of our servers, and I am now in the process of configuring it to exclude some files and/or directories that are known to change periodically between integrity checks.
I did some reading on the subject, and one file that came up was the tw.config file. However, when I did a search for the file, there was no instance of it on the server. My next thought was to modify the tw.pol file, and I did try to list some files to be excluded. However, when I tried to update the policy, I got an error message which indicated the syntax that I entered within the tw.pol file was incorrect.
If the tw.config file does not exist, can I create it, and modify the tw.pol file to indicate where the file is located on the server?
Apr 22, 2011
I am curious if perhaps I am doing something wrong extracting pages from a pdf doc using pdftk and creating a new file. I am only extracting the odd pages from the file and outputting them to a new file that is now only 20 pages instead of the input's 40 pages, yet the new output file is still 1.4Mb in size, the same as the original.
It seems strange to extract only half the pages of a large document and end up with a result that is the same size. How do I streamline the resulting pdf's using pdftk?
BTW this is the command I am using, in case perhaps I am missing an option to optimize file size or something:
Code:
pdftk A=ch15.pdf cat A1-40odd output odd.pdf
Feb 23, 2009
I'm researching symbolic links being used with samba / CIFS: I'd like the user that uses an MS-Windows OS to be able to see my shared folder on CentOS 5 and the symbolic links that are inside this folder. Well, it works, but the user will see that the size of the file is bigger than the real file. Apparently, CIFS gets the size of the symbolic link (approx. 32K) and adds it to the size of the file.
Example 1: 100KB file, used with shared folder, MS-Windows user will see 100KB.
Example 2: 100KB file, used with a symbolic link inside a shared folder, MS-Windows user will see 132KB (sym link + size of file).
Is there a way to allow the user to see only the size of the file, and not the file + symbolic link?
Jun 13, 2011
I was just testing specifying a limit on file size for a user and have added the following to /etc/security/limits.conf:
bob soft fsize 100
This basically should have said not to allow bob to create any file greater than 100Kb in size.
But the interesting thing is, if bob already has any file which is greater than 100Kb in size, it doesn't even allow him to log into the system, both from console and SSH. Also nothing is logged in the logs. How do I configure it so that bob can log into the system even though he has a file greater than 100Kb (but it doesn't allow him to create files which are greater than 100Kb)?
Dec 7, 2010
I have tripwire enterprise (not open source) agent running on one of my rhel4.8 web servers (I have actually tried with two servers with same results). The agent is a simple install rpm bin file and appears to be running as it should and the server for tripwire enterprise is set up accordingly. A windows tripwire enterprise agent is also on a windows machine that works perfectly well. But I cannot seem to get the tripwire server to talk to the agent on the red hat machine.
I can connect to port 9898 on the server, but the agent who also talks over the same port doesn't appear to be responding to the server on this port. There are no iptables set up to block the requests, there is no firewall set up (disabled) . Network team can see the packet requests being sent over the routers fine... So can't see why there would be a problem. So i reverted to the use of net cat.
nc -l 9898 (on the agent machine)
telnet <agent> 9898
But I get connection refused. Is there anything I could be missing here? Redhat is not my Linux of preference and it may be something obvious!
Jul 12, 2010
We have some large files with sampling data in it. Don't want to delete these files. But want to quickly overwrite the file with 0s and/or 1s and preserve the original file size.
May 4, 2011
I need to check the free available space on "/root" before creating a file.
Can I do it by using df? If not, can you tell me which one to use?
Jun 18, 2010
I am using dd to back up entire system partitions and now I am trying to restore one. The resulting disk image from my buggy process has zero bytes. D'oh. It apparently thinks the image was trailing garbage and ignores it. It deletes the original file and replaces it with a zero byte .dd file. I have the original copy of the image in a dd.gz file. It's 6.3 GB so it may still contain the data. How do I get the original image back without destroying it again?
Dec 19, 2009
Wondering if anyone knows what the range specification is meant to do for the :CHAIN lines at the top of the iptables file? e.g. what does the 1:76 range mean for :OUTPUT ACCEPT [1:76]?
# Generated by iptables-save v1.4.1.1 on Sat Dec 19 12:28:00 2009
*filter
:INPUT ACCEPT [0:0]
[code]...
Aug 8, 2011
Since I upgraded to F15 I noticed that "su -l" is very slow; it takes about 20sec before it gives the prompt. I traced it down to a problem with "xauth", as su asks for the authorization for the display by running "xauth nlist :0", which times out with an error. Actually, the command "xauth nlist :0" by itself gives:
xauth: timeout in locking authority file /home/user/.kde/tmp-host.domain/xauth-200-_0
If I put SELinux in permissive mode both commands work without problem, so I suppose SELinux is the problem. I checked the permissions and settings of the file, which is "unconfined_u:object_r:config_home_t:s0", but I have no idea if this is the right value; running "restorecon" on the file, directory or the whole /home/user didn't change anything.