[cis193@server1-01 cis193]$ su -
Password:
[root@server1-01 root]# cd /boot/grub/conf
-bash: cd: /boot/grub/conf: No such file or directory
[1]+  Done                    /etc/bastille-tmpdir-defense.sh 1238
[root@server1-01 root]# ls
anaconda-ks.cfg  install.log  install.log.syslog  journal  mbox  rpms
[root@server1-01 root]# cat /boot/grub/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/sda3
#          initrd /initrd-version.img
#boot=/dev/sda
password --md5 $1$.iKAO$/p1rT24slXQimbWkwT5ER1
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Linux (2.4.20-8)
        root (hd0,0)
        kernel /vmlinuz-2.4.20-8 ro root=LABEL=/ hdc=ide-scsi
        initrd /initrd-2.4.20-8.img
[root@server1-01 root]# cd /etc/tripwire/
[root@server1-01 tripwire]# ls
delfiles                          site.key         twcfg.txt     tw.pol.bak
fix                               tw.cfg           twinstall.sh  twpol.bak
server1-01.localdomain-local.key  tw.cfg.2376.bak  tw.pol        twpol.txt
[root@server1-01 tripwire]# ls /var/lib/tripwire/
report  server1-01.localdomain.twd  server1-01.localdomain.twd.bak
[root@server1-01 tripwire]# tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
### Warning: File system error.
### Filename: /etc/tripwire/server01.localdomain-local.key
### No such file or directory
### Continuing...
Wrote report file: /var/lib/tripwire/report/server1-01.localdomain-20080305-101048.twr


Tripwire(R) 2.3.0 Integrity Check Report

Report generated by:          root
Report created on:            Wed 05 Mar 2008 10:10:48 AM GMT-8
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    server1-01.localdomain
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/server1-01.localdomain.twd
Command line used:            tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Invariant Directories           66                0        0        0
  Temporary directories           33                0        0        0
* Tripwire Data Files             100               1        0        0
  Critical devices                100               0        0        0
* User binaries                   66                0        0        10
  Tripwire Binaries               100               0        0        0
* Libraries                       66                0        0        2
  Operating System Utilities      100               0        0        0
  Critical system boot files      100               0        0        0
  File System and Disk Administraton Programs
                                  100               0        0        0
  Kernel Administration Programs  100               0        0        0
  Networking Programs             100               0        0        0
  System Administration Programs  100               0        0        0
  Hardware and Device Control Programs
                                  100               0        0        0
  System Information Programs     100               0        0        0
  Application Information Programs
                                  100               0        0        0
  Shell Related Programs          100               0        0        0
  Critical Utility Sym-Links      100               0        0        0
  Shell Binaries                  100               0        0        0
  Critical configuration files    100               0        0        0
* System boot changes             100               7        1        57
  OS executables and libraries    100               0        0        0
  Security Control                100               0        0        0
  Login Scripts                   100               0        0        0
* Root config files               100               1        1        1

Total objects scanned:  31652
Total violations found:  81

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: User binaries (/usr/sbin)
Severity Level: 66
-------------------------------------------------------------------------------

Modified:
"/usr/sbin/vmware-checkvm"
"/usr/sbin/vmware-guestd"
"/usr/sbin/vmware-tools-upgrader"
"/usr/sbin/vmware-vmdesched"

-------------------------------------------------------------------------------
Rule Name: Libraries (/usr/lib)
Severity Level: 66
-------------------------------------------------------------------------------

Modified:
"/usr/lib/libvmGuestLib.so"
"/usr/lib/libvmGuestLibJava.so"

-------------------------------------------------------------------------------
Rule Name: User binaries (/usr/bin)
Severity Level: 66
-------------------------------------------------------------------------------

Modified:
"/usr/bin/vmware-hgfsclient"
"/usr/bin/vmware-toolbox"
"/usr/bin/vmware-tpvmlp"
"/usr/bin/vmware-user"
"/usr/bin/vmware-xferlogs"

-------------------------------------------------------------------------------
Rule Name: User binaries (/sbin)
Severity Level: 66
-------------------------------------------------------------------------------

Modified:
"/sbin/mount.vmhgfs"

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/lib/tripwire/server1-01.localdomain.twd.bak"

-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/log)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/log/rpmpkgs.4"
"/var/log/messages.4"
"/var/log/secure.4"
"/var/log/maillog.4"
"/var/log/spooler.4"
"/var/log/boot.log.4"
"/var/log/cron.4"

Modified:
"/var/log/boot.log"
"/var/log/boot.log.1"
"/var/log/boot.log.2"
"/var/log/boot.log.3"
"/var/log/cron"
"/var/log/cron.1"
"/var/log/cron.2"
"/var/log/cron.3"
"/var/log/gdm/:0.log"
"/var/log/gdm/:0.log.1"
"/var/log/gdm/:0.log.2"
"/var/log/gdm/:0.log.3"
"/var/log/gdm/:0.log.4"
"/var/log/ksyms.0"
"/var/log/ksyms.1"
"/var/log/ksyms.2"
"/var/log/ksyms.3"
"/var/log/ksyms.4"
"/var/log/ksyms.5"
"/var/log/ksyms.6"
"/var/log/maillog"
"/var/log/maillog.1"
"/var/log/maillog.2"
"/var/log/maillog.3"
"/var/log/messages"
"/var/log/messages.1"
"/var/log/messages.2"
"/var/log/messages.3"
"/var/log/rpmpkgs"
"/var/log/rpmpkgs.1"
"/var/log/rpmpkgs.2"
"/var/log/rpmpkgs.3"
"/var/log/secure"
"/var/log/secure.1"
"/var/log/secure.2"
"/var/log/secure.3"
"/var/log/spooler"
"/var/log/spooler.1"
"/var/log/spooler.2"
"/var/log/spooler.3"
"/var/log/wtmp"
"/var/log/wtmp.1"

-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/lock/subsys)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/var/lock/subsys/local"
"/var/lock/subsys/sm-client"

-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/lock/subsys/anacron)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/var/lock/subsys/anacron"

-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/lock/subsys/atd)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/var/lock/subsys/atd"

-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/lock/subsys/crond)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/var/lock/subsys/crond"

-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/lock/subsys/sendmail)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/var/lock/subsys/sendmail"

-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/lock/subsys/xfs)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/var/lock/subsys/xfs"

-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/run)
Severity Level: 100
-------------------------------------------------------------------------------

Removed:
"/var/run/sudo/root/1"

Modified:
"/var/run/atd.pid"
"/var/run/console/cis193"
"/var/run/console.lock"
"/var/run/crond.pid"
"/var/run/gdm.pid"
"/var/run/sendmail.pid"
"/var/run/sm-client.pid"
"/var/run/xfs.pid"

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/root/.xauthPnZN7p"

Removed:
"/root/.xauthhTSRZV"

Modified:
"/root/.tmpdirs/server1-01.localdomain"

===============================================================================
Error Report:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

1.   File system error.
     Filename: /etc/tripwire/server01.localdomain-local.key
     No such file or directory

-------------------------------------------------------------------------------
*** End of report ***

Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
[root@server1-01 tripwire]# date
Wed Mar  5 10:25:52 GMT-8 2008
[root@server1-01 tripwire]# ls /var/lib/tripwire/
report  server1-01.localdomain.twd  server1-01.localdomain.twd.bak
[root@server1-01 tripwire]# ls /var/lib/tripwire/report/
server1-01.localdomain-20080305-052255.twr  server1-01.localdomain-20080305-101048.twr
[root@server1-01 tripwire]# ls -l /var/lib/tripwire/report/
total 28
-rw-r--r--    1 root     root        12886 Mar  5 05:24 server1-01.localdomain-20080305-052255.twr
-rw-r-----    1 root     root        12878 Mar  5 10:13 server1-01.localdomain-20080305-101048.twr
[root@server1-01 tripwire]# tripwire --update -r /var/lib/tripwire/report/server1-01.localdomain-20080305-101048.twr
Please enter your local passphrase:
Wrote database file: /var/lib/tripwire/server1-01.localdomain.twd
[root@server1-01 tripwire]# ls -l /var/lib/tripwire/
total 2887
drwxr-xr-x    2 root     root         1024 Mar  5 10:13 report
-rw-r-----    1 root     root      1469604 Mar  5 10:43 server1-01.localdomain.twd
-rw-r-----    1 root     root      1469604 Mar  5 10:43 server1-01.localdomain.twd.bak
[root@server1-01 tripwire]#