I have tripwire installed on one of my servers (Debian Stable), and I've managed to get the configuration pretty quiet, but I'm having a little problem with one or two of them.

The particular section of tw.config looks like:

    /var                 @@AW
    !/var/log/ksymoops/
    /var/log             @@LOGSEARCH
    /var/lib             @@LOGSEARCH
    /var/backups         @@LOGSEARCH
    !/var/spool
    !/var/run
    !/var/cache
    !/var/lock
    !/var/state/

where @@AW is:

    @@define AW +pinugsm17-ac2345689

The problem is that I still get:

    Changed files/directories include:
    added:   -r--r--r-- root 32630 Mar 10 06:25:03 2002 /var/log/ksymoops/20020310062503.ksyms
    added:   -r--r--r-- root    78 Mar 10 06:25:03 2002 /var/log/ksymoops/20020310062503.modules
    added:   -r--r--r-- root 32630 Mar 11 06:25:02 2002 /var/log/ksymoops/20020311062502.ksyms
    added:   -r--r--r-- root    78 Mar 11 06:25:02 2002 /var/log/ksymoops/20020311062502.modules
    deleted: -r--r--r-- root 32630 Mar  8 06:25:01 2002 /var/log/ksymoops/20020308062501.ksyms
    deleted: -r--r--r-- root    78 Mar  8 06:25:01 2002 /var/log/ksymoops/20020308062501.modules
    deleted: -r--r--r-- root 32630 Mar  5 06:25:02 2002 /var/log/ksymoops/20020305062502.ksyms
    deleted: -r--r--r-- root    78 Mar  5 06:25:02 2002 /var/log/ksymoops/20020305062502.modules
    deleted: -r--r--r-- root 32630 Mar  7 06:25:02 2002 /var/log/ksymoops/20020307062502.ksyms
    deleted: -r--r--r-- root    78 Mar  7 06:25:02 2002 /var/log/ksymoops/20020307062502.modules
    changed: -rw-r--r-- root    52 Mar 11 06:25:02 2002 /var/state/logrotate/status

Now, according to my understanding, the ! in front of /var/log/ksymoops/ should be telling tripwire to ignore things under there, right? Obviously, it's not.

Additionally: Is there a file-security scanner like tripwire (or like AIDE) that works across a network? I'm envisioning something that does local file scanning, then transmits the resulting table to a remote (more secure) host where the verification is done.

-- 
Share and Enjoy.
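
The split asked about in the last paragraph (scan on the monitored host, verify on a separate one), as an added sketch that is not part of the original post and is not Tripwire or AIDE code. The function names, the JSON table format and the sample tree are assumptions made for the example; the prefix-based prune rule is the sketch's own, treats an entry with or without a trailing slash the same way, and says nothing about how Tripwire matches `!` entries.

```python
import hashlib, json, os, stat, tempfile

def scan(root):
    """Monitored host: build the attribute table and serialise it for transfer."""
    table = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = "/" + os.path.relpath(path, root).replace(os.sep, "/")
            table[rel] = {"mode": stat.S_IMODE(st.st_mode),
                          "size": st.st_size, "sha256": digest}
    return json.dumps(table, sort_keys=True)

def pruned(path, prune):
    """True if path is a pruned entry or lies beneath one (trailing '/' ignored)."""
    return any(path == p.rstrip("/") or path.startswith(p.rstrip("/") + "/")
               for p in prune)

def verify(baseline_json, current_json, prune=()):
    """Verifying host: diff the received table against the stored baseline."""
    old, new = json.loads(baseline_json), json.loads(current_json)
    keys = [p for p in sorted(set(old) | set(new)) if not pruned(p, prune)]
    return {"added": [p for p in keys if p not in old],
            "deleted": [p for p in keys if p not in new],
            "changed": [p for p in keys if p in old and p in new and old[p] != new[p]]}

def put(root, rel, data):
    """Helper for the constructed sample tree: write data to root/rel."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)

def demo():
    """Constructed tree: rotate one ksymoops snapshot, alter one watched file."""
    with tempfile.TemporaryDirectory() as root:
        put(root, "var/log/ksymoops/20020308062501.ksyms", "old snapshot")
        put(root, "var/lib/example.db", "v1")
        baseline = scan(root)  # stored on the verifying host
        os.remove(os.path.join(root, "var/log/ksymoops/20020308062501.ksyms"))
        put(root, "var/log/ksymoops/20020311062502.ksyms", "new snapshot")
        put(root, "var/lib/example.db", "v2-tampered")
        current = scan(root)   # sent to the verifying host on each run
        return verify(baseline, current), verify(baseline, current, ["/var/log/ksymoops/"])
```

Because the baseline and the comparison live only on the verifying host, a change made on the monitored host cannot rewrite the reference table it is checked against.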