|
From: Ron F. <rj...@th...> - 2007-02-25 18:53:16
|
Minor release that fixes compilation on gcc 4.x, some minor installer tweaks, etc. Thanks to dwight, FRLinux and others for the bug reports, patches, and testing. Cheers, -- rjf& |
|
From: Ron F. <it...@gm...> - 2005-12-02 04:12:57
|
I have just updated the sourceforge project page with new binary and
source releases, versioned as 2.4.0.1. This release is essentially
identical to Paul Herman's portable source, and will be the basis for
all new features going forward. Thanks much to Paul for all the great work!
A couple of important notes:
- I've not yet fixed the install.sh, and there are a few issues with it.
  I will attend to these issues first thing (if anyone wants to help,
  that'd be great).
- The binary package was built on my Gentoo 2005.1 box, statically linked.
  The binaries should work on any modern kernel (2.4+), but it is possible
  they will give you some problems if you have an old glibc, as the
  gethostbyname() call still requires a modern glibc .so be around.
- I am willing to post contributed binaries for other platforms, but only
  after a few criteria are met, email me to get details.
- I am putting together a small roadmap and will post it after the holidays.
  If anyone is willing to contribute development work, or policy tuning,
  etc, please contact me.
That's all I can think of for now. It's been a long time coming, hopefully
we'll get some momentum now.
Cheers,
-- rjf&
|
|
From: Erick R. R. <er...@up...> - 2003-05-14 19:23:23
|
i installed tripwire and its works fine, but i need to update the db, if
it is possible to do the update into the cron.
My idea to report the changes of tripwire is:
1) everyday mail me a report of changes,
2) on weekend update the db and do the step 1
so for cron.daily
i have :
/usr/sbin/tripwire --check --email-report
and for cron.weekly:
/usr/sbin/tripwire --update --twrfile /var/lib/tripwire/report/${HOSTNAME}-${DATE}.twr
&& /usr/sbin/tripwire --check --email-report
after the update the db what its next and if my command lines are fine
thanks for any comment
--
Universidad Pedagogica Nacional
Subdireccion de Redes
Ofn.(0155)56309700 ext.1268
Cel.(04455)19200055
er...@up...
---------
Este correo ha sido editado sin diacriticos
---------
|
|
From: Tasha S. <tas...@ya...> - 2003-02-04 10:34:24
|
Hiii,
Im running RedHat 7.3(2.4.20) And tripwire-2.3-47. I set it up using this
tutorial which i think is the easiest to understand and the best one i found
http://www.linuxsecurity.com/feature_stories/tripwire-2.html
for anyone else who needs a lil help'
Ok my problem is when tripwire sends a report with still a lot of stuff
that i dont want it to check like:
"/root/.mozilla/default/5w5t16dp.slt/Cache/954B5EAFd01"
"/root/.mozilla/default/5w5t16dp.slt/Cache/6B44F853d01"
"/root/.mozilla/default/5w5t16dp.slt/Cache/1159246Cd01"
"/root/.mozilla/default/5w5t16dp.slt/Cache/B807E0B0d01"
"/root/.mozilla/default/5w5t16dp.slt/Cache/F1F0843Ed01"
"/root/.mozilla/default/5w5t16dp.slt/Cache/EC280860d01"
"/root/.mozilla/default/5w5t16dp.slt/Cache/B33C0B14d01"
"/root/.mozilla/default/5w5t16dp.slt/Cache/209389F6d01"
"/root/.mozilla/default/5w5t16dp.slt/Cache/A7B74D2Bd01"
"/root/.mozilla/default/5w5t16dp.slt/Cache/72A96B0Ad01"
"/root/.mozilla/default/5w5t16dp.slt/Cache/7DC5BFAEd01"
"/usr/lib/python2.2/test/output/test_compare"
"/usr/lib/python2.2/test/output/test_compile"
"/usr/lib/python2.2/test/output/test_cookie"
"/usr/lib/python2.2/test/output/test_extcall"
"/usr/lib/python2.2/test/output/test_frozen"
"/usr/lib/python2.2/test/output/test_future"
"/usr/lib/python2.2/test/output/test_gettext"
"/usr/lib/python2.2/test/output/test_global"
"/usr/lib/python2.2/test/output/test_httplib"
"/usr/lib/python2.2/test/output/test_threadedtempfile"
"/usr/lib/python2.2/test/output/test_longexp"
"/usr/lib/python2.2/test/output/test_mimetools"
"/usr/lib/python2.2/test/output/test_mmap"
"/usr/lib/python2.2/test/output/test_openpty"
"/usr/lib/python2.2/test/output/test_poll"
"/usr/lib/python2.2/test/output/test_posixpath"
"/usr/lib/python2.2/test/output/test_profile"
The log gets quite full with all this stuff how do i edit my policy file
soo it stops checking these files cause i think all they are is my cache
files from surfing:
Thanks guys
|
|
From: ahimsa <ah...@on...> - 2002-12-20 23:40:08
|
My system is a Red Hat 8.0 for a single user, which I obviously run using my user rather than root account. I am wanting to design a cron script to get tripwire to do regular integrity checks for my whole system which would require it to scan system files that my user account settings are not allowed to access. Is it (a) feasible to write a script to do this in the background *as if* root were logged on (but actually isn't) and then (b) to mail me (the user) a report upon completion? I hope that this is making sense, and just to make sure without being redundant: cron script to check system integrity recursively (requiring root privileges) with output mailed to user *without* having to invoke 'su' each time it runs? Thanks. -- ahimsa <ah...@on...> |
|
From: Vasiliy B. <va...@bo...> - 2002-06-06 16:13:01
|
Ladies and Gents,
Problem I'm facing, is every morning I come in and have my tripwire
email box full of emails that are REALLY big, because tripwire is
finding "time modifications" on a ton of root config files. This is not
just on one server. I reinitialize the DB with
tripwire --check --interactive
then run the check again, check the email I get, and everything works
great. Next morning, about 18 hours has passed, it finds all of those
time changes. WHAT'S GOING ON?
I can attach a sample log file if you're curious.
Regards,
Vasiliy Boulytchev
Colorado Information Technologies Inc.
|
|
From: Ben S. <be...@ju...> - 2002-05-13 16:24:07
|
I hope this is the correct forum for this sort of thing. If not, please
accept my apologies and if possible direct me to an appropriate forum.
I'm new to the list and to using tripwire, so please bear with me.
I am running tripwire in an environment where some things change quite a
lot, which causes tripwire to get upset. There are some files which
regularly have an alert on 'Num Links'. This is expected behavior in my
environment, and tripwire throws an alert every time (as it should). I'm
looking for a way to make tripwire ignore this change (only this change,
I still want to know if perms/owner, almost anything else changes).
Is there a way I can do that, or do I need to decide between continually
accepting the changes via 'tripwire --update' and flat-out ignoring these
files altogether?
Thanks in advance for your feedback.
|
|
From: Pilar S. <ps...@po...> - 2002-05-09 12:09:27
|
|
From: Ron f. <rj...@sk...> - 2002-03-05 16:02:46
|
On Mon, Mar 04, 2002 at 11:15:00PM -0400, Juan L. Buligovich wrote:
> Where is a version of tripwire that can be compiled on Red Hat Linux 6.2 ?
> Does that version exist anywhere ?
You have two options:
1) Download the rpm:
   http://www.tripwire.org/files/rpm3/tripwire-2.3-47.i386.tar.gz
2) Install gcc-2.95.2, which you can do without disturbing your current
   compiler by installing it into a different tree on your system.
If you do #1, you'll get a version that is slightly out of date. If you
do #2, you'll be much happier because you'll have a modern compiler, the
latest tripwire, and can build new versions as they come out.
If you need tips on #2, email me and I will be happy to help.
rjf&
|
|
From: Juan L. B. <ju...@al...> - 2002-03-05 12:30:15
|
I need some help. I'm interested to deploy tripwire on a PC running Red Hat Linux 6.2. The version I've downloaded (tripwire-2.3.1-2) requires gcc version 2.95.s or better, but the gcc version on Red Hat 6.2 is egcs-2.91.66, and consequently "make release" doesn't complete his work. Where is a version of tripwire that can be compiled on Red Hat Linux 6.2 ? Does that version exist anywhere ? Thanks in advance for any information --- Juan L. Buligovich \/\_/\/. |
|
From: Juan L. B. <ju...@ra...> - 2002-03-05 02:30:08
|
I need some help. I'm interested to deploy tripwire on a PC running Red Hat Linux 6.2. The version I've downloaded (tripwire-2.3.1-2) requires gcc version 2.95.s or better, but the gcc version on Red Hat 6.2 is egcs-2.91.66, and consequently "make release" doesn't complete his work. Where is a version of tripwire that can be compiled on Red Hat Linux 6.2 ? Does that version exist anywhere ? Thanks in advance for any information --- Juan L. Buligovich \/\_/\/. |
|
From: Tim H. <tim...@td...> - 2001-10-05 00:26:28
|
The file twcfg.txt references my computer's HOSTNAME for LOCALKEYFILE, DBFILE, REPORTFILE, but my computer uses DHCP, so my HOSTNAME changes every time I connect. HOSTNAME is also referenced in twpol.txt. Is this going to cause a problem, if so, what's the solution? |
|
From: Ron F. <rj...@sk...> - 2001-05-02 00:40:04
|
On Fri, Apr 27, 2001 at 11:51:12AM -0700, Eric Parusel wrote:
> The only problem is that there's no installation instructions in the
> INSTALL file! (I saw that this was in the bug report section of
> sourceforge)
Eric, unfortunately the current installation method is manual. I have been
on-and-off hacking at the install.sh/cfg to make it a little easier on a
generic system. I will try and finish that up sometime soon, but in the
meantime, manual installation isn't all that tough:
- build the binaries
- decide where you want them to live, put them there (adjust permissions)
- generate site and local keys, see docs (on sourceforge)
- create a twcfg.txt, using the doc's as a reference, sign it with twadmin
- edit the policy/twpol.txt to taste, and sign it with twadmin
- initialize a database
- install in cron or however you want to run it.
Again, I realize this is less than optimal -- if you have problems, shoot
the list some email and I will be happy to help.
rjf&
P.S. The docs are on sourceforge:
http://prdownloads.sourceforge.net/tripwire/tripwire-2.3.0-docs-pdf.tar.gz
|
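The manual steps listed in the message above, as an added example script (not the project's install.sh and not code from this thread). File names mirror the twcfg.txt posted elsewhere on this list; TW_DIR, TW_BIN, the function names, the --run switch and the cron schedule are assumptions of the example.

```sh
#!/bin/sh
# Added example: manual Tripwire 2.3 installation, run from a root shell
# after the binaries have been built and copied into TW_BIN.
# TW_DIR, TW_BIN, the function names, "--run" and the cron schedule are
# assumptions of this example.

TW_DIR=${TW_DIR:-/etc/tripwire}   # holds twcfg.txt, twpol.txt and the keys
TW_BIN=${TW_BIN:-/usr/sbin}       # where twadmin and tripwire were installed

# Refuse to start when inputs are missing, when the directory can be
# written by group or other, or when a site key is already present
# (files signed with the old key could no longer be verified).
preflight() {
    for f in twcfg.txt twpol.txt; do
        [ -r "$TW_DIR/$f" ] || { echo "missing $TW_DIR/$f" >&2; return 1; }
    done
    if [ -n "$(find "$TW_DIR" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "$TW_DIR is group- or world-writable" >&2
        return 1
    fi
    if [ -e "$TW_DIR/site.key" ]; then
        echo "$TW_DIR/site.key exists; not overwriting it" >&2
        return 1
    fi
}

# Echo a command, then execute it.
run() { echo "+ $*"; "$@"; }

# $1 = "echo" to print the steps, "run" to execute them.
# $2 = host name used in the local key file name; it must match the
#      LOCALKEYFILE entry in twcfg.txt.
install_steps() {
    do_cmd=$1
    site_key="$TW_DIR/site.key"
    local_key="$TW_DIR/$2-local.key"
    cfg="$TW_DIR/tw.cfg"

    # Site and local keys; twadmin prompts for each passphrase.
    $do_cmd "$TW_BIN/twadmin" --generate-keys --site-keyfile "$site_key" || return 1
    $do_cmd "$TW_BIN/twadmin" --generate-keys --local-keyfile "$local_key" || return 1
    # Sign the text configuration, then the text policy, with the site key.
    $do_cmd "$TW_BIN/twadmin" --create-cfgfile --cfgfile "$cfg" \
        --site-keyfile "$site_key" "$TW_DIR/twcfg.txt" || return 1
    $do_cmd "$TW_BIN/twadmin" --create-polfile --cfgfile "$cfg" \
        --site-keyfile "$site_key" "$TW_DIR/twpol.txt" || return 1
    # Build the baseline database from the signed policy.
    $do_cmd "$TW_BIN/tripwire" --init --cfgfile "$cfg" || return 1
}

# Crontab line for a daily check with a mailed report (schedule is made up).
cron_entry() {
    echo "30 4 * * * $TW_BIN/tripwire --check --email-report"
}

if [ "${1:-}" = "--run" ]; then
    preflight && install_steps run "${2:-$(hostname)}" && cron_entry
fi
```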
|
From: Eric P. <li...@gl...> - 2001-04-27 18:50:41
|
Hi there,
I've compiled tripwire on FreeBSD 4.3 according to the
instructions, no problems there.
The only problem is that there's no installation instructions in the
INSTALL file! (I saw that this was in the bug report section of
sourceforge)
Could I get those instructions? I know there's an install.sh file,
but is there a certain way I should run it? Without finding any sort
of documentation I'd rather not push buttons at random :)
Thanks,
Eric Parusel
Systems Administrator
|
|
From: Gary E. M. <ge...@re...> - 2001-04-12 02:17:12
|
Yo All!
Well, I think I found a way to debug these twadmin crashes I am getting.
Turning off the default terminate and unexpected handlers does the trick.
With them in the "backtrace" feature of gdb is broken. With them gone
I can just run to the crash and then backtrace to the problem.
Here is the patch for version 2.3.1-2:
hobbes:/usr/local/src/tripwire-2.3.1-2/src/twadmin# diff -u twadminmain.cpp.dist twadminmain.cpp
--- twadminmain.cpp.dist Wed Apr 11 17:07:50 2001
+++ twadminmain.cpp Wed Apr 11 17:56:15 2001
@@ -91,8 +91,10 @@
#else
#define EXCEPTION_NAMESPACE std::
#endif
+#ifndef _DEBUG
EXCEPTION_NAMESPACE set_terminate(tw_terminate_handler);
EXCEPTION_NAMESPACE set_unexpected(tw_unexpected_handler);
+#endif
twInit.Init( argv[0] );
TSS_Dependency( cTWAdmin );
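Review bot: the new #ifndef _DEBUG around set_terminate() and set_unexpected() carries no comment saying why the handlers are skipped in debug builds; add one line stating that the default terminate path is kept so gdb can produce a backtrace. Since the message proposes repeating this guard wherever the two calls appear, consider moving both calls into one helper so the condition lives in a single place. Nothing in the hunk shows where _DEBUG gets defined, so confirm that release builds never define it, otherwise the tw_terminate_handler and tw_unexpected_handler registrations silently disappear there too.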
I suggest doing this everywhere the set_terminate() and set_unexpected()
are used.
Then I can get a good backtrace from gdb.
Here is my /etc/tripwire/twcfg.txt that fails.
ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/hobbes-local.key
EDITOR =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =3
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/lib/sendmail -oi -t
GLOBALEMAIL = ge...@re...
/etc/tripwire# gdb /usr/sbin/twadmin
(gdb) run -m F -S site.key twcfg.txt
[...]
Program received signal SIGABRT, Aborted.
0x8143621 in __kill ()
(gdb) bt
#0 0x8143621 in __kill ()
#1 0x814343c in raise (sig=6) at ../sysdeps/posix/raise.c:27
#2 0x814370e in abort () at ../sysdeps/generic/abort.c:88
#3 0x813c6fb in __default_terminate ()
#4 0x813c71c in __terminate ()
#5 0x813d1ae in __throw ()
#6 0x80df7c3 in cUnixFSServices::Stat (this=0x83b4a68,
    strName=<incomplete type>, stat=@0xbffff2d0)
    at unix/unixfsservices.cpp:323
#7 0x80b1d3a in cFileUtil::IsRegularFile (fileName=@0xbffff41c)
    at fileutil.cpp:129
#8 0x8072281 in WriteObject (filename=0x83acb80 "/etc/tripwire/./tw.cfg",
    pObjHeader=0x0, obj=@0xbffff6c4, fileHeader=@0xbffff574, bEncrypt=true,
    pPrivateKey=0x83bb720) at twutil.cpp:171
#9 0x8076f4e in cTWUtil::WriteConfigText (
    filename=0x83acb80 "/etc/tripwire/./tw.cfg",
    configText={<_String_base<char,_STL::allocator<char> >> = {
    _M_start = 0xbffff770 "\030",
    _M_finish = 0x1 <Address 0x1 out of bounds>,
    _M_end_of_storage = {<allocator<char>> = {},
    _M_data = 0x83babe0 "È\230;\bÈ\230;\b"}},
    static npos = <optimized out>}, bEncrypt=true, pPrivateKey=0x83bb720)
    at twutil.cpp:599
#10 0x804c057 in cTWAModeCreateCfg::Execute (this=0x83babe0,
    pQueue=0xbffff9ac) at twadmincl.cpp:433
#11 0x80601d1 in main (argc=6, argv=0xbffffa34, envp=0xbffffa50)
    at twadminmain.cpp:202
#12 0x8140375 in __libc_start_main (main=0x805f974 <main>, argc=6,
    argv=0xbffffa34, init=0x80480b4 <_init>, fini=0x8210f68 <_fini>,
    rtld_fini=0, stack_end=0xbffffa2c) at ../sysdeps/generic/libc-start.c:92
(gdb)
After the crash I have no file called /etc/tripwire/./tw.cfg.
Funny filename eh? Also no clue why it should fail. I am running as
root and root has write permissions:
drwxr-x--- 2 root root 1024 Apr 11 19:13 /etc/tripwire
Any ideas?
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
ge...@re... Tel:+1(541)382-8588 Fax: +1(541)382-8676
|
|
From: Ron F. <rj...@sk...> - 2001-04-12 01:06:19
|
On Wed, Apr 11, 2001 at 04:56:40PM -0700, Gary E. Miller wrote:
> You misunderstand. I do not want to increase the verbosity of the
> email report, I want to increase the verbosity of the report on
> stdout. If I have just been hacked I probably turned off SMTP and
> maybe even TCP/IP. I just need a local report, fast.
Ah, my bad. Yeah, I think the only way to do that is to modify the
REPORTLEVEL variable in the config file, setting it to 4 for max
verbosity.
> I tried changing twcfg.txt and I am back to this dreaded place:
>
> dogbert:/etc/tripwire# twadmin -m F -S site.key twcfg.txt
> Please enter your site passphrase:
> Incorrect site passphrase.
> Please enter your site passphrase:
> ### Internal Error.
> ### Terminate Handler called.
> ### Exiting...
Whoa. Would you mind sending me your config file? You are using the
very latest, 2.3.1-2, right?
> Oh, yeah, I love reading PDFs on Linux routers that have no X. :-)
Yeah, well, PDF isn't the greatest thing in the world, but you must
have access to some system you can print them out on...:)
I will see what I can do about a more palatable format. Until then you
might checkout:
http://atrey.karlin.mff.cuni.cz/~clock/twibright/pdf2html/
rjf&
|
|
From: Gary E. M. <ge...@re...> - 2001-04-11 23:56:48
|
Yo Ron!
On Wed, 11 Apr 2001, Ron Forrester wrote:
> On Wed, Apr 11, 2001 at 01:24:47PM -0700, Gary E. Miller wrote:
> > with the new tripwire. The problem we both had is that there is no
> > obvious way to increase the verbosity when you do a simple run
> > like this:
> > tripwire -m c
> So something like the following:
>
> ./tripwire --check --email-report --email-report-level 3
You misunderstand. I do not want to increase the verbosity of the
email report, I want to increase the verbosity of the report on
stdout. If I have just been hacked I probably turned off SMTP and
maybe even TCP/IP. I just need a local report, fast.
> > My main problem with the emailto is that the report is sent as a
> > blank message with an attachment. This means I have to download and
> > read the attachment separately. Is there really a point to this?
> > Just put in in line.
>
> Hmmm. I get them inline. Are you using a MAILMETHOD of SMTP, or
> SENDMAIL?
The default, SENDMAIL.
I tried changing twcfg.txt and I am back to this dreaded place:
dogbert:/etc/tripwire# twadmin -m F -S site.key twcfg.txt
Please enter your site passphrase:
Incorrect site passphrase.
Please enter your site passphrase:
### Internal Error.
### Terminate Handler called.
### Exiting...
> If you can, use SMTP, in which case you will also need the SMTPHOST
> variable to point to your mail server.
I always run local sendmail, so that just points back to localhost.
If I ever get past "### Internal Error." I will try it.
> If you still have problems with this, let me know.
> A FAQ would be nice. In the meantime, have you read the PDF doc's on
> sourceforge? They are quite good:
>
> http://prdownloads.sourceforge.net/tripwire/tripwire-2.3.0-docs-pdf.tar.gz
Oh, yeah, I love reading PDFs on Linux routers that have no X. :-)
If PDFs are not good enough for the IETF and RFCs then they are not
good enough for me. The lack of a portable way to search or edit PDF
files makes them a huge pain. Finding the right reader that reads
the right version of the current PDF is also a huge pain.
Give me ASCII, man pages or html.
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
ge...@re... Tel:+1(541)382-8588 Fax: +1(541)382-8676
|
|
From: Ron F. <rj...@sk...> - 2001-04-11 21:14:03
|
On Wed, Apr 11, 2001 at 01:24:47PM -0700, Gary E. Miller wrote:
> with the new tripwire. The problem we both had is that there is no
> obvious way to increase the verbosity when you do a simple run
> like this:
> tripwire -m c
./tripwire --help --check:
.
.
.
-M --email-report
-t { 0|1|2|3|4 } --email-report-level { 0|1|2|3|4 }
So something like the following:
./tripwire --check --email-report --email-report-level 3
should do the trick. If not, there is a bug.
> One problem that should also be in a FAQ is how to just set a global
> emailto for the entire run. Putting it in every subsection is a
> pain. I think this was just added as a feature but should be made
> simpler. Maybe just a command line option?
Yes, the global email feature was just added. Adding the following:
GLOBALEMAIL = root,rj...@th...
to your config file, for instance, sends an email report to the two
recipients listed, after every integrity check.
There is a really good reason we don't just add command line options
arbitrarily, and prefer the config file route. There are known
exploits involved in spoofing command lines, etc. So we tend to use
the signed config files to help avoid these types of problems.
> My main problem with the emailto is that the report is sent as a
> blank message with an attachment. This means I have to download and
> read the attachment separately. Is there really a point to this?
> Just put in in line.
Hmmm. I get them inline. Are you using a MAILMETHOD of SMTP, or
SENDMAIL?
If you can, use SMTP, in which case you will also need the SMTPHOST
variable to point to your mail server.
If you still have problems with this, let me know.
> These may seem like simple things to you guys that have been using
> Ver 2 for a while, but they are major hurdles for newbies and
> upgraders.
A FAQ would be nice. In the meantime, have you read the PDF doc's on
sourceforge? They are quite good:
http://prdownloads.sourceforge.net/tripwire/tripwire-2.3.0-docs-pdf.tar.gz
rjf&
|
|
From: Gary E. M. <ge...@re...> - 2001-04-11 20:28:08
|
Yo Ron!
On Wed, 11 Apr 2001, Ron Forrester wrote:
> I really think if you explore the EMAILREPORTLEVEL values from 0 to 4 you
> will find one that you can live with until Gary and I come up with
> something better, and in the meantime at least your system(s) are more
> secure for having tripwire running on them.
I think the frustration he has here is similar to one I initially had
with the new tripwire. The problem we both had is that there is no
obvious way to increase the verbosity when you do a simple run
like this:
tripwire -m c
Is there? The only ways I found to get the expanded reports were to
do the EMAILREPORT thing, or run a separate "twreport". So maybe
one thing to do is to increase the default verbosity.
One problem that should also be in a FAQ is how to just set a global
emailto for the entire run. Putting it in every subsection is a
pain. I think this was just added as a feature but should be made
simpler. Maybe just a command line option?
My main problem with the emailto is that the report is sent as a
blank message with an attachment. This means I have to download and
read the attachment separately. Is there really a point to this?
Just put in in line.
These may seem like simple things to you guys that have been using
Ver 2 for a while, but they are major hurdles for newbies and
upgraders.
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
ge...@re... Tel:+1(541)382-8588 Fax: +1(541)382-8676
|
|
From: Olli A. <ol...@me...> - 2001-04-11 17:50:11
|
On Wed, 11 Apr 2001, Ron Forrester wrote:
> > The main (& the HUGEST) bad changes in report was that I
> > CAN'T know from it what it WAS & what it NOW. I _NEED_ this information
> > for all parameters set to be checked.
> Maybe I misunderstand you Olli, but here is an excerpt from a 2.3 report:
>   Property:            Expected                    Observed
>   -------------        -----------                 -----------
>   Object Type          Regular File                Regular File
>   Device Number        769                         769
>   Inode Number         104008                      104008
>   Mode                 -rwxr-xr-x                  -rwxr-xr-x
>   Num Links            1                           1
>   UID                  0                           0
>   GID                  0                           0
> * Size                 1151                        1316
> * Modify Time          Thu Feb 15 13:47:41 2001    Mon Apr 9 06:05:32 2001
>   Blocks               4                           4
> * CRC32                DSBqPk                      AwneSj
> * MD5                  B9C6iM+h+k7koU+m6zwtpt      D/jgBrXJwzYnwxmq9CJP1j
> It clearly shows what the properties were (Expected), and what they are now
> (observed), and marks the changed ones with an '*' to highlight them. Is
> this not what you are asking for above?
yep. The only thing left for this is not to say what has not changed.
Probably with special variable from config?
> > What da hell means /bin/ls has changed? What of MANY
> > parameters changed. & HOW them were changed. :? I've some scripts running from
> I am beginning to think you have your report level set at something below 3.
> You need to add to your config file:
> EMAILREPORTLEVEL = 4
If it is really the case I'll have to sorry for things I said... To check
this I'll reinstall tripwire again.
> and I think you will get a lot more information (too much according to some
> <cough><g>).
> > These new reports are USELESS. I decided to remove tripwire
> > because old one with fine reports has bugs with non-"C"-locale-based file
> > names & the new one is just a WASTE of CPU cycles & human reading time.
> With all due respect, that is really just plain silly. I mean, come on. You
> are going to compromise your system security policy because the reports are
> a little _too_ verbose?
If them were meaningfully verbose (at least saying all quoted above) I won't
remove tripwire then. I meant what I said - without the subject of changes
reading reports is wasting of time. I'll reinstall tripwire again & check
what you said. If that's why I got so dumb reports - I'll say "I'm sorry for
producing my stupid noise at the list".
> I really think if you explore the EMAILREPORTLEVEL values from 0 to 4 you
> will find one that you can live with until Gary and I come up with
> something better, and in the meantime at least your system(s) are more
> secure for having tripwire running on them.
The system security doesn't raise if I install tripwire (& any other passive
intrusion detection tool). It raises by, for example www.openwall.org kernel
patches, libsafe preloading & strict login / group / password / permissions /
software_installation_policy & so on things. But monitoring the system for
changes is really required thing, I agree. Without this I'm at risk lose the
moment of intrusion. I'm not happy that I was unable to use new tripwire
reports. Thank you, I'll install it again & look if my problem was in
verbosity level.
--
Bye.Olli
MISiS Telecommunications
phone: +7(095)955-0087
|
|
From: Ron F. <ro...@tr...> - 2001-04-11 17:31:41
|
> The main (& the HUGEST) bad changes in report was that I
> CAN'T know from it what it WAS & what it NOW. I _NEED_ this information for
> all parameters set to be checked.

Maybe I misunderstand you Olli, but here is an excerpt from a 2.3 report:

  Property:      Expected                  Observed
  -------------  -----------               -----------
  Object Type    Regular File              Regular File
  Device Number  769                       769
  Inode Number   104008                    104008
  Mode           -rwxr-xr-x                -rwxr-xr-x
  Num Links      1                         1
  UID            0                         0
  GID            0                         0
* Size           1151                      1316
* Modify Time    Thu Feb 15 13:47:41 2001  Mon Apr 9 06:05:32 2001
  Blocks         4                         4
* CRC32          DSBqPk                    AwneSj
* MD5            B9C6iM+h+k7koU+m6zwtpt    D/jgBrXJwzYnwxmq9CJP1j

It clearly shows what the properties were (Expected), and what they are now (observed), and marks the changed ones with an '*' to highlight them. Is this not what you are asking for above?

> What da hell means /bin/ls has changed? What of MANY
> parameters changed. & HOW them were changed. :? I've some scripts running from

I am beginning to think you have your report level set at something below 3. You need to add to your config file:

EMAILREPORTLEVEL = 4

and I think you will get a lot more information (too much according to some <cough><g>).

> These new reports are USELESS. I decided to remove tripwire
> because old one with fine reports has bugs with non-"C"-locale-based file
> names & the new one is just a WASTE of CPU cycles & human reading time.

With all due respect, that is really just plain silly. I mean, come on. You are going to compromise your system security policy because the reports are a little _too_ verbose?

I really think if you explore the EMAILREPORTLEVEL values from 0 to 4 you will find one that you can live with until Gary and I come up with something better, and in the meantime at least your system(s) are more secure for having tripwire running on them.

rjf& |
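The report block quoted in the message above marks changed properties with '*' and lists old and new values side by side. The sketch below is an added example (not part of the thread and not Tripwire code) that parses such a block by column offset and collapses it to a single was/now line. The column alignment of the sample and the `<object-name>` placeholder are assumptions: the archive collapsed the original spacing and the excerpt names no file.

```python
# Constructed sample: the excerpt quoted in the thread, re-aligned into fixed
# columns (assumed layout; the archive collapsed the original spacing).
SAMPLE = """\
  Property:      Expected                  Observed
  -------------  -----------               -----------
  Object Type    Regular File              Regular File
  Device Number  769                       769
  Inode Number   104008                    104008
  Mode           -rwxr-xr-x                -rwxr-xr-x
  Num Links      1                         1
  UID            0                         0
  GID            0                         0
* Size           1151                      1316
* Modify Time    Thu Feb 15 13:47:41 2001  Mon Apr 9 06:05:32 2001
  Blocks         4                         4
* CRC32          DSBqPk                    AwneSj
* MD5            B9C6iM+h+k7koU+m6zwtpt    D/jgBrXJwzYnwxmq9CJP1j
"""

def parse_block(text):
    """Return [(property, expected, observed, starred)] for one object block."""
    lines = [l for l in text.splitlines() if l.strip()]
    head = next(i for i, l in enumerate(lines) if "Expected" in l and "Observed" in l)
    # Slice by the header's column offsets: values such as dates contain
    # spaces, so splitting on whitespace would tear them apart.
    exp_col = lines[head].index("Expected")
    obs_col = lines[head].index("Observed")
    rows = []
    for line in lines[head + 1:]:
        if set(line.strip()) <= {"-", " "}:      # dashed rule under the header
            continue
        rows.append((line[2:exp_col].strip(), line[exp_col:obs_col].strip(),
                     line[obs_col:].strip(), line.startswith("*")))
    return rows

def changed(rows):
    """Keep rows that are starred or whose values differ (star missing)."""
    return [(p, e, o) for p, e, o, star in rows if star or e != o]

def one_line(name, rows):
    """Compact 'what it was -> what it is now' line for a single object."""
    return name + ": " + "; ".join(f"{p} {e} -> {o}" for p, e, o in changed(rows))

if __name__ == "__main__":
    print(one_line("<object-name>", parse_block(SAMPLE)))
```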
|
From: Olli A. <ol...@me...> - 2001-04-11 10:01:45
|
On Tue, 10 Apr 2001, Gary E. Miller wrote:

> 1. too much white space.

agree.

> 2. NOTHING useful is at the top. I know what the hostname is. It
> was in the from address of the email. Same for the IP, and the date.
> Remove all this. I want meat and I want it at the top.

agree.

> 3. Summaries? This is useless. I want facts, not aggregates. Knowing
> that 5 files were changed is useless. I need to know WHICH 5 files
> and what was changed, in one glance. I often get good reports when 1,000
> files were changed and bad reports when only 1 file is changed. That
> is not useful information.

agree!

> 4. Then WAY too much details. I already get reports that are 100k in
> the OLD format. The new format is WAY too much stuff to wade through.
> It takes 20 lines to provide almost the same detail as the OLD report does
> in one line. Multiply by 1000 changed files and the results are
> horrendous. Looking at 1 change to a screen is just not possible.

agree.

> > Can you point out what about this report is lacking? I'm happy to hack up
> > the format until we all agree it is as concise as possible.
>
> It is lacking a consistent focus on the important details in a compact
> format. The pseudo "ls" format of the top half is the old report
> is the ideal starting point. Any sysadmin worth his salt can grok
> a huge "ls" in seconds and pick out the important stuff. It is a
> format that he already feels in his bones. Learning UNIX is learning
> not to reinvent wheels.
>
> Instead of seeing what I need in one or two screens I now need
> to read 20 or 40 screens. This is not good. It makes it very
> hard to eyeball the type and scope of changes. If someone has changed
> a lot in the system then the new format is just HUGE.
>
> If some people like the new format then keep it, but a LOT of us
> have many years of experience with the old one and are having a hard

agree. The main (& the HUGEST) bad changes in report was that I CAN'T know from it what it WAS & what it NOW.
I _NEED_ this information for all parameters set to be checked. What da hell means /bin/ls has changed? What of MANY parameters changed. & HOW them were changed. :?

I've some scripts running from crond. I've new installed software. I've a huge .bash_history & so on. So many things may cause changes but only a small amount are illegal changes that tripwire should track. Instead of showing the DETAILED subject of changes new version just gives me a list of files. Some day I see thousands of files & what? I should WASTE my time to dig EACH ONE of these THOUSANDS files & investigate what was the subject of reporting that change has happened.

These new reports are USELESS. I decided to remove tripwire because old one with fine reports has bugs with non-"C"-locale-based file names & the new one is just a WASTE of CPU cycles & human reading time. Anyway I'm still on the announce list - hope somewhen the reports will go to the better view? :?

--
Bye.Olli MISiS Telecommunications phone: +7(095)955-0087 |