Re: tripwire and device numbers
At 03:51 PM 3/4/2010, Dag-Erling Smørgrav wrote:
>Mike Tancsa <mike@sentex.net> writes:
> > While getting a box ready for deployment, I noticed on two occasions,
> > I would get some exception reports flagging all files as the
> > underlying device number through reboots had changed. Is this
> > "normal" for Tripwire and FreeBSD ?
>
>FreeBSD does not have fixed device numbers, they are allocated on the
>fly as each device attaches. I don't know if there is a way around
>this.
OK, I think there is a way around it in the config file.
I am thinking the FreeBSD default config could be changed to
@@section FS
-SEC_CRIT =3D $(IgnoreNone)-SHa ; # Critical files that cannot change
-SEC_SUID =3D $(IgnoreNone)-SHa ; # Binaries=20
with the SUID or SGID flags set
-SEC_BIN =3D $(ReadOnly) ; # Binaries that should not change
-SEC_CONFIG =3D $(Dynamic) ; # Config=20
files that are changed infrequently but accessed often
-SEC_TTY =3D $(Dynamic)-ugp ; # Tty files=20
that change ownership at login
-SEC_LOG =3D $(Growing) ; # Files=20
that grow, but that should never change ownership
-SEC_INVARIANT =3D +tpug ; #=20
Directories that should never change permission or ownership
+SEC_CRIT =3D $(IgnoreNone)-SHad ; # Critical files that cannot change
+SEC_SUID =3D $(IgnoreNone)-SHad ; # Binaries=20
with the SUID or SGID flags set
+SEC_BIN =3D $(ReadOnly)-d ; # Binaries that should not change
+SEC_CONFIG =3D $(Dynamic)-d ; # Config=20
files that are changed infrequently but accessed often
+SEC_TTY =3D $(Dynamic)-ugpd ; # Tty=20
files that change ownership at login
+SEC_LOG =3D $(Growing)-d ; # Files=20
that grow, but that should never change ownership
+SEC_INVARIANT =3D +tpug-d ; #=20
Directories that should never change permission or ownership
SIG_LOW =3D 33 ; #=20
Non-critical files that are of minimal security impact
SIG_MED =3D 66 ; #=20
Non-critical files that are of significant security impact
SIG_HI =3D 100 ; # Critical=20
files that are significant points of vulnerability
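Review bot: the `-d` appended to SEC_INVARIANT (`+tpug-d`) is a no-op, since `+tpug` never turns on the device-ID property to begin with; drop it there, or leave a comment saying it is deliberate, so the rule does not look like it changes something. The `-d` on the other six rules is where the fix actually lives, because those masks build on a $(…) predefined variable that checks `d`, and that is exactly what produces the all-files exception report after a reboot on FreeBSD. Worth adding a line to the rule comments that the device ID is intentionally ignored on FreeBSD while the inode number (`i`) and the hashes are still checked, so a replaced file is still caught by content, not by the device it lives on.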
Where
##############################################################################
#                            Predefined Variables                            #
##############################################################################
#
# Property Masks
#
# - ignore the following properties
# + check the following properties
#
# a access timestamp (mutually exclusive with +CMSH)
# b number of blocks allocated
# c inode creation/modification timestamp
# d ID of device on which inode resides
# g group id of owner
# i inode number
# l growing files (logfiles for example)
# m modification timestamp
# n number of links
# p permission and file mode bits
# r ID of device pointed to by inode (valid only for device objects)
# s file size
# t file type
# u user id of owner
#
# C CRC-32 hash
# H HAVAL hash
# M MD5 hash
# S SHA hash
#
I have bcc'd the maintainer for input
Thanks,
---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
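The "Where" block above gives the mask alphabet but it is easy to misjudge by hand what a mask such as `$(IgnoreNone)-SHad` or `+tpug-d` actually ends up checking. The following is an added example (not code from Tripwire, the FreeBSD port, or the original post) that expands `$(Var)` references, resolves a mask to the set of properties Tripwire will check, and diffs the old and new FreeBSD rules. Two things in it are assumptions: the PREDEFINED table reproduces the stock twpol.txt definitions of ReadOnly, Dynamic, Growing, Device, IgnoreAll and IgnoreNone and should be verified against the local policy file, and OLD_POLICY/NEW_POLICY are a constructed subset of the rules from the thread.

```python
"""Resolve Tripwire property masks and diff two twpol.txt variable blocks.

Added example for this thread; not code from Tripwire or from the original
post. Mask syntax (from the twpol.txt comments): reading left to right,
'+' switches to "check these properties", '-' switches to "ignore these
properties", and each letter is added to or dropped from the checked set.
$(Name) expands to a previously defined variable.
"""
import re

# Property letters from the twpol.txt "Property Masks" comment block.
PROPERTY_NAMES = {
    "a": "access timestamp", "b": "blocks allocated",
    "c": "inode creation/modification timestamp", "d": "device ID of inode",
    "g": "group id of owner", "i": "inode number", "l": "growing file",
    "m": "modification timestamp", "n": "number of links",
    "p": "permission and mode bits", "r": "device ID pointed to by inode",
    "s": "file size", "t": "file type", "u": "user id of owner",
    "C": "CRC-32", "H": "HAVAL", "M": "MD5", "S": "SHA",
}

# Stock twpol.txt predefined variables (assumption: unmodified defaults;
# check against the local policy file).
PREDEFINED = {
    "ReadOnly":   "+pinugtsdbmCM-rlacSH",
    "Dynamic":    "+pinugtd-srlbamcCMSH",
    "Growing":    "+pinugtdl-srbamcCMSH",
    "Device":     "+pugsdr-intlbamcCMSH",
    "IgnoreAll":  "-pinugtsdrlbamcCMSH",
    "IgnoreNone": "+pinugtsdrbamcCMSH-l",
}

_VAR_REF = re.compile(r"\$\((\w+)\)")


def expand(mask, variables=PREDEFINED):
    """Replace $(Name) references with their mask text until none remain."""
    prev = None
    while prev != mask:
        prev = mask
        mask = _VAR_REF.sub(lambda m: variables[m.group(1)], mask)
    return mask


def resolve(mask, variables=PREDEFINED):
    """Return the frozenset of property letters this mask makes Tripwire check."""
    checked = set()
    adding = True
    for ch in expand(mask, variables):
        if ch == "+":
            adding = True
        elif ch == "-":
            adding = False
        elif ch in PROPERTY_NAMES:
            (checked.add if adding else checked.discard)(ch)
        elif not ch.isspace():
            raise ValueError(f"unknown property {ch!r} in {mask!r}")
    return frozenset(checked)


def parse_policy_vars(text):
    """Parse 'NAME = value ;  # comment' lines (twpol.txt variable syntax)."""
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";").strip()
        if "=" not in line:
            continue                      # blank lines, @@section directives
        name, value = (part.strip() for part in line.split("=", 1))
        result[name] = value.replace(" ", "")
    return result


def diff_policies(old_text, new_text):
    """Per variable: (properties no longer checked, properties newly checked)."""
    old, new = parse_policy_vars(old_text), parse_policy_vars(new_text)
    report = {}
    for name in sorted(set(old) & set(new)):
        if old[name].isdigit():
            continue                      # SIG_* severities are numbers, not masks
        before, after = resolve(old[name]), resolve(new[name])
        report[name] = (before - after, after - before)
    return report


# Constructed sample: a subset of the FreeBSD rules before and after "-d".
OLD_POLICY = """
@@section FS
SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change
SEC_TTY       = $(Dynamic)-ugp ;     # Tty files that change ownership at login
SEC_LOG       = $(Growing) ;         # Files that grow
SEC_INVARIANT = +tpug ;              # Dirs that never change permission/ownership
SIG_HI        = 100 ;
"""
NEW_POLICY = """
@@section FS
SEC_CRIT      = $(IgnoreNone)-SHad ; # Critical files that cannot change
SEC_BIN       = $(ReadOnly)-d ;      # Binaries that should not change
SEC_TTY       = $(Dynamic)-ugpd ;    # Tty files that change ownership at login
SEC_LOG       = $(Growing)-d ;       # Files that grow
SEC_INVARIANT = +tpug-d ;            # Dirs that never change permission/ownership
SIG_HI        = 100 ;
"""

if __name__ == "__main__":
    for name, (dropped, added) in diff_policies(OLD_POLICY, NEW_POLICY).items():
        note = "" if dropped or added else "  (no-op: mask unchanged)"
        print(f"{name:14} drops {sorted(dropped) or '-'} adds {sorted(added) or '-'}{note}")
```

Running it shows each SEC_* rule losing exactly the `d` property while keeping the inode number and the hashes, and reports SEC_INVARIANT as unchanged, since `+tpug` never enabled `d` in the first place.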
Thread (messages with the same subject)
Full thread (this is message 4 of 6):