Tripwire on Ubuntu
Posted Sat, 06 Dec 2008
The config that comes with Tripwire's source code specifically skips monitoring /proc for obvious reasons, so it was someone downstream (Debian? Ubuntu?) who decided /proc should be monitored. Monitoring non-process directories in /proc on Linux is probably reasonable, but monitoring all of /proc is just silly. Here's the output of "tripwire --check" with the default Ubuntu config:
    Added:
    "/proc/21472/task/24343"
    "/proc/21472/task/24343/root"
    "/proc/21472/task/24343/status"
    < hundreds of lines of pointless /proc/PID/ entries edited out >

Terrible default setting. You're guaranteed to get this report every time, even on a 100% idle system, because Tripwire's own process entry will show up differently every time it runs.
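
One way to act on the "non-process directories only" idea, as an added example that is not part of the original post or of any distribution's policy file: the hypothetical helper `proc_rules` prints one Tripwire policy rule per top-level /proc entry that is not a PID directory. It assumes the predefined `$(Device)` property mask is the one wanted, and that the output is reviewed before it replaces a blanket /proc rule in twpol.txt.

```shell
#!/bin/sh
# Added example (not from the original post): generate Tripwire policy
# rules for the non-process entries of /proc, instead of one rule that
# covers all of /proc and therefore every /proc/PID tree.
#
# Assumptions: the $(Device) property mask is appropriate for these
# entries; the function name and the output layout are illustrative.

# proc_rules [DIR]
#   DIR defaults to /proc. A different directory can be passed so the
#   filter can be exercised against a constructed tree.
proc_rules() {
    dir=${1:-/proc}
    for entry in "$dir"/*; do
        name=${entry##*/}

        # Purely numeric names are per-process directories: skip them.
        case $name in
            *[!0-9]*) ;;        # contains a non-digit, keep checking
            *) continue ;;      # digits only, this is a PID
        esac

        # These symlinks resolve to the PID of whoever reads them, so
        # they change on every run just like the PID directories do.
        case $name in
            self|thread-self) continue ;;
        esac

        # Skip the unexpanded glob when DIR is empty or unreadable.
        [ -e "$entry" ] || continue

        printf '    /proc/%s -> $(Device) ;\n' "$name"
    done
}

# Stand-alone use: print candidate rules for the running system.
proc_rules "$@"
```

Some of the remaining entries may still change between runs, so the list is a starting point to prune rather than a finished policy.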