Package: tripwire Version: 2.4.3.1-2+b4 Severity: normal Tags: newcomer Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate *** The daily tripwire emails reported modifications of log files. Of course log files are modified. A closer look at /etc/tripwire/twpol.txt revealed that /var/log was set up to use the SEC_CONFIG definition rather than the better-fitting SEC_LOG definition. This setup is probably the default in Debian stretch, and I don't think it should be: SEC_LOG is defined in twpol.txt as $(Growing), i.e. for files that grow but should never change ownership, which is exactly what log files are, so expected growth is no longer reported while ownership changes still are. Simply changing the definition in the line containing /var/log to SEC_LOG made the daily tripwire emails much shorter. *** End of the template - remove these template lines *** -- System Information: Debian Release: 9.8 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-8-amd64 (SMP w/2 CPU cores) Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE=en_DK.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages tripwire depends on: ii debconf [debconf-2.0] 1.5.61 ii exim4-daemon-light [mail-transport-agent] 4.89-2+deb9u3 tripwire recommends no packages. tripwire suggests no packages. 
-- Configuration Files: /etc/tripwire/twpol.txt changed: @@section GLOBAL TWBIN = /usr/sbin; TWETC = /etc/tripwire; TWVAR = /var/lib/tripwire; @@section FS SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change SEC_BIN = $(ReadOnly) ; # Binaries that should not change SEC_CONFIG = $(Dynamic) ; # Config files that are changed # infrequently but accessed # often SEC_LOG = $(Growing) ; # Files that grow, but that # should never change ownership SEC_INVARIANT = +tpug ; # Directories that should never # change permission or ownership SIG_LOW = 33 ; # Non-critical files that are of # minimal security impact SIG_MED = 66 ; # Non-critical files that are of # significant security impact SIG_HI = 100 ; # Critical files that are # significant points of # vulnerability ( rulename = "Tripwire Binaries", severity = $(SIG_HI) ) { $(TWBIN)/siggen -> $(SEC_BIN) ; $(TWBIN)/tripwire -> $(SEC_BIN) ; $(TWBIN)/twadmin -> $(SEC_BIN) ; $(TWBIN)/twprint -> $(SEC_BIN) ; } ( rulename = "Tripwire Data Files", severity = $(SIG_HI) ) { $(TWVAR)/$(HOSTNAME).twd -> $(SEC_CONFIG) -i ; $(TWETC)/tw.pol -> $(SEC_BIN) -i ; $(TWETC)/tw.cfg -> $(SEC_BIN) -i ; $(TWETC)/$(HOSTNAME)-local.key -> $(SEC_BIN) ; $(TWETC)/site.key -> $(SEC_BIN) ; #don't scan the individual reports $(TWVAR)/report -> $(SEC_CONFIG) (recurse=0) ; } ( rulename = "Critical system boot files", severity = $(SIG_HI) ) { /boot -> $(SEC_CRIT) ; /lib/modules -> $(SEC_CRIT) ; } ( rulename = "Boot Scripts", severity = $(SIG_HI) ) { /etc/init.d -> $(SEC_BIN) ; /etc/rcS.d -> $(SEC_BIN) ; /etc/rc0.d -> $(SEC_BIN) ; /etc/rc1.d -> $(SEC_BIN) ; /etc/rc2.d -> $(SEC_BIN) ; /etc/rc3.d -> $(SEC_BIN) ; /etc/rc4.d -> $(SEC_BIN) ; /etc/rc5.d -> $(SEC_BIN) ; /etc/rc6.d -> $(SEC_BIN) ; } ( rulename = "Root file-system executables", severity = $(SIG_HI) ) { /bin -> $(SEC_BIN) ; /sbin -> $(SEC_BIN) ; } ( rulename = "Root file-system libraries", severity = $(SIG_HI) ) { /lib -> $(SEC_BIN) ; } ( rulename = "Security Control", severity = $(SIG_MED) 
) { /etc/passwd -> $(SEC_CONFIG) ; /etc/shadow -> $(SEC_CONFIG) ; } ( rulename = "System boot changes", severity = $(SIG_HI) ) { /var/lock -> $(SEC_CONFIG) ; /var/run -> $(SEC_CONFIG) ; # daemon PIDs /var/log -> $(SEC_LOG) ; } ( rulename = "Root config files", severity = 100 ) { /root -> $(SEC_CRIT) ; # Catch all additions to /root /root/.bashrc -> $(SEC_CONFIG) ; /root/.bash_history -> $(SEC_CONFIG) ; } ( rulename = "Devices & Kernel information", severity = $(SIG_HI), ) { /dev -> $(Device) ; } ( rulename = "Other configuration files", severity = $(SIG_MED) ) { /etc -> $(SEC_BIN) ; } ( rulename = "Other binaries", severity = $(SIG_MED) ) { /usr/local/sbin -> $(SEC_BIN) ; /usr/local/bin -> $(SEC_BIN) ; /usr/sbin -> $(SEC_BIN) ; /usr/bin -> $(SEC_BIN) ; } ( rulename = "Other libraries", severity = $(SIG_MED) ) { /usr/local/lib -> $(SEC_BIN) ; /usr/lib -> $(SEC_BIN) ; } ( rulename = "Invariant Directories", severity = $(SIG_MED) ) { / -> $(SEC_INVARIANT) (recurse = 0) ; /home -> $(SEC_INVARIANT) (recurse = 0) ; /tmp -> $(SEC_INVARIANT) (recurse = 0) ; /usr -> $(SEC_INVARIANT) (recurse = 0) ; /var -> $(SEC_INVARIANT) (recurse = 0) ; /var/tmp -> $(SEC_INVARIANT) (recurse = 0) ; } -- debconf information: tripwire/local-passphrase-incorrect: false * tripwire/rebuild-config: true * tripwire/use-localkey: true tripwire/email-report: tripwire/change-in-default-policy: tripwire/upgrade: true tripwire/site-passphrase-incorrect: false tripwire/broken-passphrase: * tripwire/rebuild-policy: true * tripwire/use-sitekey: true * tripwire/installed: