how tripwire works


Post by E » Thu, 11 Jul 2002 20:48:27



does tripwire use the MAC times in its auditing and evaluation
process? If not is there a reason why?

Sorry if it's a silly question :)

Regards

Ed

 
 
 


Post by Damian Mensche » Sat, 13 Jul 2002 02:44:14



> does tripwire use the MAC times in its auditing and evaluation
> process? If not is there a reason why?

A brief list of what it checks (signature algorithms additional):
#       p :  permission and file mode bits      a: access timestamp
#       i :  inode number                       m: modification timestamp
#       n :  number of links (ref count)        c: inode creation timestamp
#       u :  user id of owner                   1: signature 1
#       g :  group id of owner                  2: signature 2
#       s :  size of file

Not sure how it manages to keep a constant access timestamp while
still being able to check a file, but....

> Sorry if it's a silly question :)

Only silly that you didn't RTFM.

Damian Menscher
--

-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 1429 DCL, Workstation Services Group, CITES Ofc:(217)244-3862 |#=-


 
 
 


Post by E » Sat, 13 Jul 2002 16:43:51




> > does tripwire use the MAC times in its auditing and evaluation
> > process? If not is there a reason why?

> A brief list of what it checks (signature algorithms additional):
> #       p :  permission and file mode bits      a: access timestamp
> #       i :  inode number                       m: modification timestamp
> #       n :  number of links (ref count)        c: inode creation timestamp
> #       u :  user id of owner                   1: signature 1
> #       g :  group id of owner                  2: signature 2
> #       s :  size of file

> Not sure how it manages to keep a constant access timestamp while
> still being able to check a file, but....

> > Sorry if it's a silly question :)

> Only silly that you didn't RTFM.

> Damian Menscher

SORRY! I'll RTFM next time, it was just an impulse question that came
to me at work. Thanks for the information.

Ed

 
 
 


Post by Martin Ouweha » Sat, 13 Jul 2002 17:57:52




] > does tripwire use the MAC times in its auditing and evaluation
] > process? If not is there a reason why?
]
] A brief list of what it checks (signature algorithms additional):
] #       p :  permission and file mode bits      a: access timestamp
] #       i :  inode number                       m: modification timestamp
] #       n :  number of links (ref count)        c: inode creation timestamp
] #       u :  user id of owner                   1: signature 1
] #       g :  group id of owner                  2: signature 2
] #       s :  size of file
]
] Not sure how it manages to keep a constant access timestamp while
] still being able to check a file, but....

It doesn't, because you don't expect the access timestamp to always
remain the same. That would correspond to a file nobody is supposed
ever to read (if that is what you want, just remove it!).

--
  | ~~~~~~~~ Martin Ouwehand ~ Swiss Federal Institute of Technology ~ Lausanne
__|_____________ Email/PGP: http://slwww.epfl.ch/info/Martin.html _____________
You have zero privacy anyway. Get over it.                      [Scott McNealy]
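
Added example (not part of the thread and not Tripwire's own code): a minimal attribute checker keyed by the property letters listed in the posts above, showing that a mask containing `a` reports a change after any read while a mask without it stays quiet. The function names, the mask written as a plain string of letters, and the digests used for `1` and `2` are assumptions of this example.

```python
import hashlib
import os

# Letters follow the list quoted in the thread. The digest choices for
# "1" and "2" are stand-ins chosen for this example, not Tripwire's.
STAT_FIELDS = {
    "p": "st_mode", "i": "st_ino", "n": "st_nlink", "u": "st_uid",
    "g": "st_gid", "s": "st_size",
    "a": "st_atime_ns", "m": "st_mtime_ns", "c": "st_ctime_ns",
}
DIGESTS = {"1": "sha256", "2": "blake2b"}


def snapshot(path, mask):
    """Record the attributes selected by mask (hypothetical helper)."""
    # stat before hashing: the hash pass reads the file and may move atime
    st = os.stat(path)
    record = {}
    for letter in mask:
        if letter in STAT_FIELDS:
            record[letter] = getattr(st, STAT_FIELDS[letter])
        elif letter in DIGESTS:
            h = hashlib.new(DIGESTS[letter])
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            record[letter] = h.hexdigest()
        else:
            raise ValueError(f"unknown property letter: {letter!r}")
    return record


def changed(baseline, path):
    """Return the sorted letters whose current value differs from baseline."""
    current = snapshot(path, "".join(baseline))
    return sorted(k for k in baseline if baseline[k] != current[k])


def simulate_read(path, seconds=3600):
    """Move only atime forward, as a read would on an atime-updating mount."""
    st = os.stat(path)
    os.utime(path, ns=(st.st_atime_ns + seconds * 10**9, st.st_mtime_ns))
```

`simulate_read` uses `os.utime` so the result does not depend on `noatime` or `relatime` mount options; `c` is left out of the masks you compare after it, because setting timestamps also updates the inode change time.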