Search this site


Metadata

Articles

Projects

Presentations

Tripwire on Ubuntu

While looking over the default tripwire policy that comes with Ubuntu, I noticed someone decided that it was important to monitor all of /proc. So, if you use the default policy in Ubuntu, expect to get emails every time 'tripwire --check' runs becuase /proc doesn't stay constant.

The config that comes with tripwire's source code specifically skips monitoring /proc for obvious reasons, so it was someone downstream (debian? ubuntu?) who decided /proc should be monitored. Monitoring non-process directories in /proc on Linux is probably reasonable, but all of /proc is just silly. Here's the output of "tripwire --check" with the default ubuntu config:

Added:
"/proc/21472/task/24343"
"/proc/21472/task/24343/root"
"/proc/21472/task/24343/status"
< hundreds of lines of pointless /proc/PID/ entries lines edited out >
Terrible default setting. You're guaranteed to have this report every time even on a 100% idle system, because tripwire's process entry will show up different every time it runs.