From owner-freebsd-security Sun Nov 7 22:27: 4 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id 606AF14E4D for ; Sun, 7 Nov 1999 22:26:59 -0800 (PST) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id BAA37270 for freebsd-security@freebsd.org; Mon, 8 Nov 1999 01:30:32 -0500 (EST) (envelope-from cjc)
From: "Crist J. Clark"
Message-Id: <199911080630.BAA37270@cc942873-a.ewndsr1.nj.home.com>
Subject: Using Tripwire
To: freebsd-security@freebsd.org
Date: Mon, 8 Nov 1999 01:30:32 -0500 (EST)
Reply-To: cjclark@home.com
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I am finally getting around to configuring tripwire since we plan on exposing more of our mailserver to the Big, Bad Internet. I had installed tripwire, but never really got into configuring it. I have been looking at the manpages and the default/example tw.config that the port includes. There are a few things that I have not been able to figure out how to do (if they can be done).

Is there a way to look a certain _depth_ into a directory tree? For example, I want to do something like this,

/home           R
=/home/user1    +pigun
=/home/user2    +pigun
.
.
.

That is, in the /home filesystem, I want to watch for new things appearing/disappearing at the 'user level' and make sure that individual users' home dirs do not get permissions or ownership changed. Is there a way within tripwire to generate the /home/user1, /home/user2, etc. listing without doing it myself and so it can be made to self-update properly?

Finally, I am having trouble tracking down more complete tripwire documentation. A quick web search fills up with info on the commercial 2.x versions. Hard to tell what is "new and improved" and what applies to the old freeware version in those. Can anyone point me in the right direction for tripwire version 1.2 docs beyond the manpages?

Oh, and as for the manpages, tw.config(5) references a twconvert(8) page which does not exist on my system or in the tripwire package contents. And the siggen(8) manpage (which has headers saying "SIGFETCH(8)") is not referenced by tripwire(8); I only found it looking for twconvert(8) in the package list. Would that be a ports PR? Or is this not gonna get fixed?

Wait, one other thing I just remembered. I guess if you are running tripwire, the portion of the default security check that searches for changed set[ug]id files is redundant (depending on your tripwire config, other checks may be redundant too). Anyone have a modified script to offer up? Is that a good place to run tripwire from?

-- 
Crist J. Clark                           cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
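One way to produce the per-user listing the post sketches without typing it by hand is to generate that part of tw.config from the directory itself and regenerate it whenever accounts change. The script below is an added example, not code from the post or from the tripwire port: it emits a top-level entry for the parent directory using the R template, then one "=" entry per immediate child directory with the +pigun select-flags from the post (the "=" prefix records the directory inode itself without descending into it, so a change to a home directory's mode, owner or group is reported while the user's own files are left out). The function name gen_home_entries and the default flags are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the post or the tripwire package): print tw.config
# entries for a directory and its immediate subdirectories.
#
#   /home           R         <- parent, recursed with the read-only template
#   =/home/alice    +pigun    <- each child: record the dir itself, do not descend
#
# Re-run this and rebuild the tripwire database after adding or removing
# accounts, otherwise new home directories are not covered by a "=" entry.

gen_home_entries() {
    parent="$1"            # directory whose children get their own entries
    flags="${2:-+pigun}"   # select-flags for each child (default from the post)

    # Top-level entry: the parent directory itself, with the R template.
    printf '%s R\n' "$parent"

    # One "=" entry per immediate subdirectory. The shell sorts the glob, so
    # the output is stable across runs; plain files at this level are skipped.
    for d in "$parent"/*; do
        [ -d "$d" ] || continue
        printf '=%s %s\n' "$d" "$flags"
    done
}

# Usage: gen_home_entries /home >> tw.config
#        gen_home_entries /home +pinug >> tw.config   # different flags
# Then run tripwire -initialize (or -update) so the database matches.
if [ $# -gt 0 ]; then
    gen_home_entries "$@"
fi
```

Because entries for /home/user1 and friends are more specific than the /home line, the "=" entries stop tripwire's recursion at each home directory while the parent entry still flags directories that appear or disappear under /home. Keep the generated fragment under the same protection as the rest of tw.config and the database, since an attacker who can edit the config can simply remove the entry for the directory they changed.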