tripwire and device numbers
Mike Tancsa
mike at sentex.net
Thu Mar 4 21:20:35 UTC 2010
At 03:51 PM 3/4/2010, Dag-Erling Smørgrav wrote:
>Mike Tancsa <mike at sentex.net> writes:
> > While getting a box ready for deployment, I noticed on two occasions,
> > I would get some exception reports flagging all files as the
> > underlying device number through reboots had changed. Is this
> > "normal" for Tripwire and FreeBSD?
>
>FreeBSD does not have fixed device numbers, they are allocated on the
>fly as each device attaches. I don't know if there is a way around
>this.
OK, I think there is a way around it in the config file.
I am thinking the FreeBSD default config could be changed to
@@section FS
-SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
-SEC_SUID = $(IgnoreNone)-SHa ; # Binaries
with the SUID or SGID flags set
-SEC_BIN = $(ReadOnly) ; # Binaries that should not change
-SEC_CONFIG = $(Dynamic) ; # Config
files that are changed infrequently but accessed often
-SEC_TTY = $(Dynamic)-ugp ; # Tty files
that change ownership at login
-SEC_LOG = $(Growing) ; # Files
that grow, but that should never change ownership
-SEC_INVARIANT = +tpug ; #
Directories that should never change permission or ownership
+SEC_CRIT = $(IgnoreNone)-SHad ; # Critical files that cannot change
+SEC_SUID = $(IgnoreNone)-SHad ; # Binaries
with the SUID or SGID flags set
+SEC_BIN = $(ReadOnly)-d ; # Binaries that should not change
+SEC_CONFIG = $(Dynamic)-d ; # Config
files that are changed infrequently but accessed often
+SEC_TTY = $(Dynamic)-ugpd ; # Tty
files that change ownership at login
+SEC_LOG = $(Growing)-d ; # Files
that grow, but that should never change ownership
+SEC_INVARIANT = +tpug-d ; #
Directories that should never change permission or ownership
SIG_LOW = 33 ; #
Non-critical files that are of minimal security impact
SIG_MED = 66 ; #
Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical
files that are significant points of vulnerability
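Review bot: In the `+SEC_INVARIANT = +tpug-d` line the added `-d` has no effect: `+tpug` checks only type, permissions, user and group, so `d` (ID of device on which inode resides) was never part of that mask and there is nothing to remove; leaving it as `+tpug` is equivalent. For the masks built on `$(IgnoreNone)`, `$(ReadOnly)`, `$(Dynamic)` and `$(Growing)` the `-d` suffix only helps if the predefined value includes `d`, and those definitions are not shown in this hunk, so confirm each one in the installed policy before committing the change. Note also that ignoring `d` silences only the device-number reports described in the thread; the inode number (`i`), size, mode and hashes stay in the masks, so the loss of coverage is limited to which filesystem the inode lives on.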
Where
##############################################################################
# Predefined Variables #
##############################################################################
#
# Property Masks
#
# - ignore the following properties
# + check the following properties
#
# a access timestamp (mutually exclusive with +CMSH)
# b number of blocks allocated
# c inode creation/modification timestamp
# d ID of device on which inode resides
# g group id of owner
# i inode number
# l growing files (logfiles for example)
# m modification timestamp
# n number of links
# p permission and file mode bits
# r ID of device pointed to by inode (valid only for device objects)
# s file size
# t file type
# u user id of owner
#
# C CRC-32 hash
# H HAVAL hash
# M MD5 hash
# S SHA hash
#
I have bcc'd the maintainer for input
Thanks,
---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
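As an added example (not code from Mike's message or from Tripwire itself), a small evaluator for the property-mask syntax in the legend above: it expands `$(Name)` variables, applies `+`/`-` terms left to right, and reports which properties a proposed mask stops checking. The predefined-variable definitions in it are an assumption recalled from the twpolicy documentation and must be checked against the installed tw.pol.

```python
"""Evaluate Tripwire property masks such as $(IgnoreNone)-SHad.

Added example; not code from the post or from Tripwire. '+' letters are
checked, '-' letters ignored, and $(Name) is substituted textually before
the mask is read left to right. The predefined-variable values below are an
ASSUMPTION (recalled from the twpolicy documentation); verify them against
the tw.pol shipped on your system before relying on this.
"""
import re

PROPERTIES = set("abcdgilmnprstuCHMS")  # the letters in the legend above

# Assumed definitions of the predefined variables used in the policy.
PREDEFINED = {
    "ReadOnly":   "+pinugtsdbmCM-rlacSH",
    "Dynamic":    "+pinugtd-srlbamcCMSH",
    "Growing":    "+pinugtdl-srbamcCMSH",
    "IgnoreNone": "+pinugtsdrbamcCMSH-l",
    "IgnoreAll":  "-pinugtsdrlbamcCMSH",
}
_VAR = re.compile(r"\$\((\w+)\)")
_TERM = re.compile(r"([+-])([A-Za-z]+)")


def effective_mask(expr, definitions=PREDEFINED):
    """Return the frozenset of property letters Tripwire would check."""
    expanded = _VAR.sub(lambda m: definitions[m.group(1)], expr)
    checked, pos = set(), 0
    for m in _TERM.finditer(expanded):
        if m.start() != pos:  # junk between terms: reject the mask
            raise ValueError(f"bad mask near offset {pos}: {expanded!r}")
        props = set(m.group(2))
        if props - PROPERTIES:
            raise ValueError(f"unknown properties {props - PROPERTIES}")
        checked = checked | props if m.group(1) == "+" else checked - props
        pos = m.end()
    if pos != len(expanded):
        raise ValueError(f"trailing text in mask: {expanded[pos:]!r}")
    return frozenset(checked)


def mask_diff(old, new, definitions=PREDEFINED):
    """(letters old checked but new ignores, letters new checks but old did not)."""
    a, b = effective_mask(old, definitions), effective_mask(new, definitions)
    return "".join(sorted(a - b)), "".join(sorted(b - a))


if __name__ == "__main__":
    # The proposed twpol.txt change: every mask should drop only 'd'.
    for old, new in [("$(IgnoreNone)-SHa", "$(IgnoreNone)-SHad"),
                     ("$(ReadOnly)", "$(ReadOnly)-d"),
                     ("+tpug", "+tpug-d")]:  # '-d' is a no-op on this one
        print(f"{old:22} -> {new:22} drops {mask_diff(old, new)[0]!r}")
```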