List: osiris
Subject: [osiris] Re: Why doesn't it detect anything?
From: David Vasil <dmvasil () ornl ! gov>
Date: 2007-02-08 16:31:46
Message-ID: 45CB5072.5000706 () ornl ! gov
Gregor Mosheh wrote:
> Hi, all. I'm new to Osiris, from the world of AIDE and Tripwire. I am
> having some odd results, in that Osiris isn't detecting changes. For
> example, I can initialize the host, then run this very dangerous script:
> cd /var/run
> touch foof
> chmod 666 foof
> chmod u+s foof
> ...then run start-scan and find no changes!
>
> Given my configuration file (see below) it should have been picked up,
> being setuid. Meanwhile, other changes are going unnoticed as well, such
> as changes to /etc/fstab
>
> Any ideas?
What is the name of this config? Also, what does 'config
<hostname>' return from the osiris command line?
> # /var, minus the log directories
> <Directory /var>
> Exclude file(^/var/lib/slocate/slocate.db$)
> </Directory>
Try removing the block for <Directory /var>. I'm not certain that
Osiris handles multiple redefinitions for a directory correctly.
> <Directory /var/log>
> Include executable
> Include script
> Include perl
> Include python
> ExcludeAll
> </Directory>
> <Directory /var/run>
> Include executable
> Include script
> Include perl
> Include python
> ExcludeAll
> </Directory>
This may be part of the problem as well. Your config is only including
executables and scripts. That file you created was only 4666.
> # /etc should be relatively static, except for the mtab file
> # changes will happen, but are important enough to be noteworthy
> <Directory /etc>
> Exclude file(^/etc/mtab$)
> </Directory>
It should pick up fstab changing in this block. Is your osiris host
showing any changed files anywhere on the system?
--
-dave
_______________________________________________
osiris mailing list
osiris@lists.shmoo.com
https://lists.shmoo.com/mailman/listinfo/osiris
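
The reply's point about mode 4666, as an added example that is not part of the original message and not Osiris code: a small audit script that lists setuid/setgid regular files under a directory and marks those with no execute bit. It assumes an include rule keyed on execute permission bits; that is a model for illustration, not Osiris's documented filter semantics.

```python
import os
import stat
import sys

SPECIAL = stat.S_ISUID | stat.S_ISGID
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def describe(mode):
    """Return (octal_perms, special_bits, has_exec_bit) for an st_mode value."""
    perms = format(stat.S_IMODE(mode), "04o")
    special = [name for bit, name in ((stat.S_ISUID, "setuid"),
                                      (stat.S_ISGID, "setgid")) if mode & bit]
    return perms, special, bool(mode & ANY_EXEC)


def missed_by_exec_filter(mode):
    """True for a regular file with setuid/setgid set but no execute bit.

    ASSUMPTION: models an include rule that selects on execute permission
    bits only, so a file like the thread's 4666 'foof' falls outside it.
    """
    return stat.S_ISREG(mode) and bool(mode & SPECIAL) and not (mode & ANY_EXEC)


def scan(root):
    """Walk root without following symlinks; report setuid/setgid regular files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # file vanished or unreadable, common under /var/run
            if stat.S_ISREG(mode) and mode & SPECIAL:
                findings.append((path,) + describe(mode))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/run"
    for path, perms, special, has_exec in scan(root):
        note = "" if has_exec else "  <- no execute bit"
        print(f"{perms} {'+'.join(special)} {path}{note}")
```

Running it against the scanned directories before and after a change gives an independent list to compare with what the integrity scan reports.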