Score:0

What is the proper way to configure Tripwire to handle automatic log rotations?


I installed Tripwire by following this online documentation on a fresh Ubuntu 22.x server. I followed the above documentation exactly and did not add any custom mods to either the cfg or the pol files.

I received the following exceptions shortly thereafter which appear to me to be basic log rotations:

Rule Name: System boot changes (/var/log)
Severity Level: 100

Added:
"/var/log/syslog.3.gz"
"/var/log/mail.log.3.gz"
"/var/log/auth.log.3.gz"
"/var/log/kern.log.3.gz"

Modified:
"/var/log/auth.log"
"/var/log/auth.log.1"
"/var/log/auth.log.2.gz"
"/var/log/kern.log"
"/var/log/kern.log.1"
"/var/log/kern.log.2.gz"
"/var/log/mail.log"
"/var/log/mail.log.1"
"/var/log/mail.log.2.gz"
"/var/log/syslog"
"/var/log/syslog.1"
"/var/log/syslog.2.gz"

My question is: what is the proper way to configure / write a policy for Tripwire so that log rotations do not trigger report exceptions? Log rotation is a basic function that comes standard with most Linux distributions and does not seem to be something that Tripwire, which is meant to detect unauthorized changes to key components (e.g. rootkits), should report as severity level 100 exceptions.

Score:1

In your Tripwire policy configuration file (Debian or Ubuntu: /etc/tripwire/twpol.txt), under the 'rulename = "System boot changes",' section, changing

/var/log -> $(SEC_CONFIG) ;

to

/var/log -> $(IgnoreAll) ;

will effectively ignore all changes to the log files. [ Ref: man twpolicy ]

The log filename must still exist, but any content changes will be ignored. The normal logfile rotation name swaps will be ignored once they have been established.

But any new or deleted log file or directory NAMES will be reported. In your example above, the Added entries will still be reported, but the Modified entries will be ignored.

As a security consideration, I hope you are also syslogging to a remote server. An intruder can truncate these local logfiles to zero size and Tripwire will cheerfully ignore it.

Also: don't forget to run sudo tripwire -m p -Z low /etc/tripwire/twpol.txt (or equivalent) after making the txt file changes, to make them active.
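An alternative to switching /var/log to $(IgnoreAll) is to leave the directory under a checking rule and sift the report afterwards, so that entries explained by logrotate's renaming scheme are set aside while anything else under /var/log stays visible. The script below is an added example, not code from the thread or from the Tripwire project: it parses the Added/Modified/Removed lists in the format the question quotes (the "Removed:" heading and the extra entries unknown-service.log, btmp and auth.log.4.gz are constructed for the sample), and it assumes the host rotates the four Ubuntu rsyslog logs with the usual .N / .N.gz naming. The list of rotated logs and the path prefix are assumptions to adjust per host.

```python
import re
from collections import defaultdict

# Constructed sample report: the excerpt quoted in the question, plus a few
# constructed entries (unknown-service.log, btmp, a Removed section) so the
# filter has something other than pure rotation churn to classify.
SAMPLE_REPORT = """\
Rule Name: System boot changes (/var/log)
Severity Level: 100

Added:
"/var/log/syslog.3.gz"
"/var/log/mail.log.3.gz"
"/var/log/auth.log.3.gz"
"/var/log/kern.log.3.gz"
"/var/log/unknown-service.log"

Modified:
"/var/log/auth.log"
"/var/log/auth.log.1"
"/var/log/auth.log.2.gz"
"/var/log/kern.log"
"/var/log/kern.log.1"
"/var/log/kern.log.2.gz"
"/var/log/mail.log"
"/var/log/mail.log.1"
"/var/log/mail.log.2.gz"
"/var/log/syslog"
"/var/log/syslog.1"
"/var/log/syslog.2.gz"
"/var/log/btmp"

Removed:
"/var/log/auth.log.4.gz"
"""

# Logs this host's logrotate is expected to cycle (assumption: the Ubuntu
# rsyslog defaults). Keep this list in step with /etc/logrotate.d/*.
ROTATED_LOGS = {"syslog", "auth.log", "kern.log", "mail.log"}

# <base>, <base>.N or <base>.N.gz under /var/log: the names logrotate produces
# with 'compress' (and 'delaycompress', which leaves the .1 copy uncompressed).
ROTATION_RE = re.compile(
    r"^/var/log/(?P<base>[^/]+?)(?:\.(?P<gen>\d+))?(?P<gz>\.gz)?$"
)

SECTION_RE = re.compile(r"^(Added|Modified|Removed):$")


def parse_report(text):
    """Collect the quoted paths listed under each Added/Modified/Removed heading."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        heading = SECTION_RE.match(line)
        if heading:
            current = heading.group(1)
        elif current and len(line) >= 2 and line[0] == line[-1] == '"':
            sections[current].append(line[1:-1])
    return dict(sections)


def classify(path, section):
    """'rotation' for churn logrotate is expected to cause, else 'review'."""
    m = ROTATION_RE.match(path)
    if not m or m.group("base") not in ROTATED_LOGS:
        return "review"                     # not a log we expect to rotate
    gen, gz = m.group("gen"), m.group("gz")
    if gen is not None:
        return "rotation"                   # a numbered generation came or went
    if section == "Modified" and gz is None:
        return "rotation"                   # the live log grew or was reopened
    # An active log that appears or disappears, or a '.gz' with no generation
    # number, is not what logrotate does; leave it for a human.
    return "review"


def triage(text):
    """Split a report into expected rotation churn and entries worth a look."""
    result = {"rotation": [], "review": []}
    for section, paths in parse_report(text).items():
        for path in paths:
            result[classify(path, section)].append((section, path))
    return result


if __name__ == "__main__":
    out = triage(SAMPLE_REPORT)
    print(f"{len(out['rotation'])} entries explained by log rotation")
    for section, path in out["review"]:
        print(f"REVIEW  {section:<8} {path}")
```

Run against the sample, the sixteen entries from the question are all set aside as rotation, and only the two constructed names that do not belong to a rotated log are left for review. Note what this does not buy you: a live log that was truncated shows up as "Modified" exactly like one that rotated, and the filter absorbs it, so the remote syslog advice in the answer above still stands whichever way you tune the local policy.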
