7

When initializing the db with tripwire --init, it spat out a bunch of errors pertaining to /proc:

### Warning: File system error.
### Filename: /proc/16982/fd/4
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /proc/16982/fdinfo/4
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /proc/16982/task/16982/fd/4
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /proc/16982/task/16982/fdinfo/4
### No such file or directory
### Continuing...
### Warning: Duplicate object encountered.
### /proc/sys/net/ipv6/neigh

This feels like noise. The twpol.txt file has the following clause:

#
# Critical devices
#
(
  rulename = "Devices & Kernel information",
  severity = $(SIG_HI),
)
{
        /dev            -> $(Device) ;
        /proc           -> $(Device) ;
}

Which, if I understand it right, is going to cause tripwire to care deeply about the entire contents of /proc. Shouldn't it just care about the static parts of /proc like the drivers and such, and not the per-pid stuff? Why does it ship like this?

dsadinoff

2 Answers

8

I found this post on LinuxQuestions.

Modify so only interesting parts of proc will be examined

# /proc -> $(Device) ;
/proc/sys -> $(Device) ;
/proc/cpuinfo -> $(Device) ;
/proc/modules -> $(Device) ;

leiflundgren
  • Although that answers "How do I resolve this issue?", it does not answer the question: "Why is `/proc` included?". But I would imagine it's more of a mistake and lack of fixing tripwire long term... (since it's still there 10 years later) – Alexis Wilke Aug 13 '22 at 01:30
2

If it's that much of a bother to you, you can modify your policy to exclude the folder from its scans.

To exclude /proc you could add something like:

   !/proc

to your policy and rebuild the database.

LloydOliver
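An added example covering both answers above (it is not code from the original posts or from Tripwire): a small text-level lint that reports how a twpol.txt treats /proc (scanned wholesale as shipped, narrowed to static sub-paths as in the first answer, or cut off with a !/proc stop point as in the second), plus a counter for the "### Filename:" warnings whose paths sit under a per-PID directory, which is what every path in the question's output is. The three policy excerpts and the warning lines are constructed for the example, modelled on the question's "Devices & Kernel information" rule; the file names are arbitrary, and the stop point is written with the trailing semicolon that the other statements in that rule use.

```shell
#!/bin/sh
# Added example; not code from the thread or from Tripwire.
#   proc_coverage POLICY  - "whole" (bare "/proc -> ..." rule, as shipped), "excluded"
#                           ("!/proc" stop point), "narrowed" (only /proc sub-paths
#                           are listed) or "absent".
#   transient_count LOG   - number of "### Filename:" warnings under /proc/<pid>/ or
#                           /proc/self/, i.e. entries that vanish with the process.
# All policy excerpts and warning lines below are constructed for this example.
set -eu

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

POL_WHOLE=$tmpdir/twpol-whole.txt        # shipped default: scans all of /proc
POL_NARROWED=$tmpdir/twpol-narrowed.txt  # first answer: only static parts of /proc
POL_EXCLUDED=$tmpdir/twpol-excluded.txt  # second answer: a !/proc stop point
WARNINGS=$tmpdir/init-warnings.log       # "### Filename:" lines modelled on the question

cat >"$POL_WHOLE" <<'EOF'
(
  rulename = "Devices & Kernel information",
  severity = $(SIG_HI),
)
{
        /dev            -> $(Device) ;
        /proc           -> $(Device) ;
}
EOF

cat >"$POL_NARROWED" <<'EOF'
(
  rulename = "Devices & Kernel information",
  severity = $(SIG_HI),
)
{
        /dev            -> $(Device) ;
        # /proc         -> $(Device) ;
        /proc/sys       -> $(Device) ;
        /proc/cpuinfo   -> $(Device) ;
        /proc/modules   -> $(Device) ;
}
EOF

cat >"$POL_EXCLUDED" <<'EOF'
(
  rulename = "Devices & Kernel information",
  severity = $(SIG_HI),
)
{
        /dev            -> $(Device) ;
        /proc           -> $(Device) ;
        !/proc ;
}
EOF

# Only the Filename lines matter to the counter; the four per-PID paths are the
# question's, the last (static) path is constructed to show it is not counted.
cat >"$WARNINGS" <<'EOF'
### Warning: File system error.
### Filename: /proc/16982/fd/4
### Filename: /proc/16982/fdinfo/4
### Filename: /proc/16982/task/16982/fd/4
### Filename: /proc/16982/task/16982/fdinfo/4
### Filename: /proc/sys/kernel/hostname
EOF

# Strip comments and blank lines so a commented-out "# /proc -> ..." is not counted.
policy_rules() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

proc_coverage() {
    rules=$(policy_rules "$1")
    if printf '%s\n' "$rules" | grep -Eq '^[[:space:]]*!/proc[[:space:]]*;?[[:space:]]*$'; then
        echo excluded          # a stop point is reported ahead of any /proc rule
    elif printf '%s\n' "$rules" | grep -Eq '^[[:space:]]*/proc[[:space:]]+->'; then
        echo whole
    elif printf '%s\n' "$rules" | grep -Eq '^[[:space:]]*/proc/[^[:space:]]+[[:space:]]+->'; then
        echo narrowed
    else
        echo absent
    fi
}

transient_count() {
    # "### Filename: /proc/16982/fd/4": field 3 is the path.
    awk '/^### Filename:/ && $3 ~ /^\/proc\/([0-9]+|self)\// { n++ } END { print n + 0 }' "$1"
}

for p in "$POL_WHOLE" "$POL_NARROWED" "$POL_EXCLUDED"; do
    printf '%s: %s\n' "$(basename "$p")" "$(proc_coverage "$p")"
done
printf 'per-PID paths among warnings: %s\n' "$(transient_count "$WARNINGS")"
```

The lint only tells you what the policy text says. Once twpol.txt reads the way you want, it still has to be compiled into the signed policy with twadmin --create-polfile and the database re-created with tripwire --init, which is when the warnings in the question would reappear or not.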