0

I installed tripwire by following this online documentation on a fresh ubuntu 22.x server. I followed the above documentation exactly and did not add any custom mods to either the cfg or the pol files.

I received the following exceptions shortly thereafter which appear to me to be basic log rotations:

Rule Name: System boot changes (/var/log)
Severity Level: 100

Added:
"/var/log/syslog.3.gz"
"/var/log/mail.log.3.gz"
"/var/log/auth.log.3.gz"
"/var/log/kern.log.3.gz"

Modified:
"/var/log/auth.log"
"/var/log/auth.log.1"
"/var/log/auth.log.2.gz"
"/var/log/kern.log"
"/var/log/kern.log.1"
"/var/log/kern.log.2.gz"
"/var/log/mail.log"
"/var/log/mail.log.1"
"/var/log/mail.log.2.gz"
"/var/log/syslog"
"/var/log/syslog.1"
"/var/log/syslog.2.gz"

My question is, what is the proper way to configure / policy tripwire so log rotations do not trigger report exceptions. Log rotation is a basic function that comes standard with most linux distributions and do not seem to be something that tripwire, meant to detect unauthorized changes to key components (e.g. rootkits), should report as severity level 100 exceptions.

Chris Pappalardo
  • 3
  • 3

1 Answers1

1

In your tripwire policy configuration file (debian or ubuntu: /etc/tripwire/twpol.txt) under the 'rulename = "System boot changes",' changing

/var/log -> $(SEC_CONFIG) ;

to

/var/log -> $(IgnoreAll) ;

will effectively ignore all changes to the log files. [ Ref: man twpolicy ]

The log filename must still exist, but any content changes will be ignored. The normal logfile rotation name swaps will be ignored once they have been established.

But any new or deleted log file or directory NAMES will be reported. In your example above, the Added entries will still be reported, but the Modified entries will be ignored.

As a security consideration, I hope you are also syslogging to a remote server. An intruder can truncate these local logfiles to a zerosize and tripwire will cheerfully ignore it.

Also: Don't forget to do a sudo tripwire -m p -Z low /etc/tripwire/twpol.txt (or equivalent) after making the txt file changes to make it active.

user83536
  • 26
  • 2