I installed Tripwire yesterday (I'm new to Tripwire) on my new VPS (created two days ago). I followed the steps of this tutorial to set up Tripwire, everything worked fine, and my report didn't have any violations or errors.
Today I ran the Tripwire check again and got a surprise: the report showed 2624 violations, including boot scripts. The report is very big, so I've included only the main parts here.
===============================================================================
Report Summary:
===============================================================================
Command line used: tripwire --check
===============================================================================
Rule Summary:
===============================================================================
  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* Other binaries                  66                0        0        75
  Tripwire Binaries               100               0        0        0
* Other libraries                 66                0        0        1271
* Root file-system executables    100               0        0        5
  Tripwire Data Files             100               0        0        0
* System boot changes             100               4        0        1
  (/var/log)
* Root file-system libraries      100               40       0        18
  (/lib)
* Critical system boot files      100               1159     0        6
* Other configuration files       66                1        1        22
  (/etc)
* Boot Scripts                    100               0        0        4
  Security Control                66                0        0        0
* Root config files               100               0        0        1
* Devices & Kernel information    100               15       1        0
  Invariant Directories           66                0        0        0
Total objects scanned: 17460
Total violations found: 2624
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Other binaries (/usr/sbin)
Severity Level: 66
-------------------------------------------------------------------------------
Modified:
"/usr/sbin"
"/usr/sbin/dnsmasq"
-------------------------------------------------------------------------------
Rule Name: Other libraries (/usr/lib)
Severity Level: 66
-------------------------------------------------------------------------------
Modified:
"/usr/lib/git-core"
"/usr/lib/git-core/git"
"/usr/lib/git-core/git-add"
"/usr/lib/git-core/git-add--interactive"
"/usr/lib/git-core/git-am"
Many other files of /usr/lib/git-core
"/usr/lib/gnupg"
"/usr/lib/gnupg/gpgkeys_curl"
"/usr/lib/gnupg/gpgkeys_finger"
"/usr/lib/gnupg/gpgkeys_hkp"
"/usr/lib/gnupg/gpgkeys_ldap"
"/usr/lib/gnupg/gpgkeys_mailto"
"/usr/lib/pm-utils/sleep.d"
"/usr/lib/pm-utils/sleep.d/000record-status"
"/usr/lib/policykit-1"
"/usr/lib/policykit-1/polkit-agent-helper-1"
"/usr/lib/policykit-1/polkitd"
"/usr/lib/python3/dist-packages"
"/usr/lib/python3/dist-packages/__pycache__"
"/usr/lib/python3/dist-packages/__pycache__/apport_python_hook.cpython-35.pyc"
"/usr/lib/python3/dist-packages/__pycache__/problem_report.cpython-35.pyc"
"/usr/lib/python3/dist-packages/apport"
Many other files of /usr/lib/python3/dist-packages
"/usr/lib/ssl"
"/usr/lib/ssl/misc"
"/usr/lib/ssl/misc/CA.pl"
"/usr/lib/ssl/misc/CA.sh"
"/usr/lib/ssl/misc/c_hash"
"/usr/lib/ssl/misc/c_info"
"/usr/lib/ssl/misc/c_issuer"
"/usr/lib/ssl/misc/c_name"
"/usr/lib/ssl/misc/tsget"
"/usr/lib/ssl/openssl.cnf"
"/usr/lib/x86_64-linux-gnu"
"/usr/lib/x86_64-linux-gnu/libelf-0.165.so"
"/usr/lib/x86_64-linux-gnu/libelf.so.1"
"/usr/lib/x86_64-linux-gnu/libmagic.so.1"
"/usr/lib/x86_64-linux-gnu/libmagic.so.1.0.0"
"/usr/lib/x86_64-linux-gnu/libperl.so.5.22"
"/usr/lib/x86_64-linux-gnu/libperl.so.5.22.1"
"/usr/lib/x86_64-linux-gnu/libpng12.so.0"
"/usr/lib/x86_64-linux-gnu/libpolkit-agent-1.so.0"
"/usr/lib/x86_64-linux-gnu/libpolkit-agent-1.so.0.0.0"
"/usr/lib/x86_64-linux-gnu/libpolkit-backend-1.so.0"
"/usr/lib/x86_64-linux-gnu/libpolkit-backend-1.so.0.0.0"
"/usr/lib/x86_64-linux-gnu/libpolkit-gobject-1.so.0"
"/usr/lib/x86_64-linux-gnu/libpolkit-gobject-1.so.0.0.0"
"/usr/lib/x86_64-linux-gnu/libstdc++.so.6"
"/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/lib4758cca.so"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libaep.so"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libatalla.so"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libcapi.so"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libchil.so"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libcswift.so"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgmp.so"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libnuron.so"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libpadlock.so"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libsureware.so"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libubsec.so"
"/usr/lib/x86_64-linux-gnu/perl/5.22.1"
"/usr/lib/x86_64-linux-gnu/perl/5.22.1/B"
"/usr/lib/x86_64-linux-gnu/perl/5.22.1/B/Concise.pm"
"/usr/lib/x86_64-linux-gnu/perl/5.22.1/B/Showlex.pm"
"/usr/lib/x86_64-linux-gnu/perl/5.22.1/B/Terse.pm"
"/usr/lib/x86_64-linux-gnu/perl/5.22.1/B/Xref.pm"
"/usr/lib/x86_64-linux-gnu/perl/5.22.1/B.pm"
"/usr/lib/x86_64-linux-gnu/perl/5.22.1/CORE"
Many other files of /usr/lib/x86_64-linux-gnu/perl
"/usr/lib/x86_64-linux-gnu/perl-base"
"/usr/lib/x86_64-linux-gnu/perl-base/AutoLoader.pm"
"/usr/lib/x86_64-linux-gnu/perl-base/Carp"
"/usr/lib/x86_64-linux-gnu/perl-base/Carp/Heavy.pm"
"/usr/lib/x86_64-linux-gnu/perl-base/Carp.pm"
Many other files of /usr/lib/x86_64-linux-gnu/perl-base
"/usr/lib/x86_64-linux-gnu/polkit-1/extensions"
"/usr/lib/x86_64-linux-gnu/polkit-1/extensions/libnullbackend.so"
-------------------------------------------------------------------------------
Rule Name: Other binaries (/usr/bin)
Severity Level: 66
-------------------------------------------------------------------------------
Modified:
"/usr/bin"
"/usr/bin/apport-bug"
"/usr/bin/apport-cli"
"/usr/bin/apport-collect"
"/usr/bin/apport-unpack"
"/usr/bin/c2ph"
"/usr/bin/c_rehash"
"/usr/bin/corelist"
"/usr/bin/cpan"
"/usr/bin/cpan5.22-x86_64-linux-gnu"
"/usr/bin/enc2xs"
"/usr/bin/encguess"
"/usr/bin/file"
Many other files of /usr/bin/
-------------------------------------------------------------------------------
Rule Name: Root file-system executables (/sbin)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/sbin"
"/sbin/sysctl"
-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/log)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/var/log/mail.err"
"/var/log/syslog.1"
"/var/log/mail.log"
"/var/log/unattended-upgrades/unattended-upgrades-dpkg.log"
Modified:
"/var/log/syslog"
-------------------------------------------------------------------------------
Rule Name: Root file-system libraries (/lib)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/lib/modprobe.d/blacklist_linux_4.4.0-130-generic.conf"
"/lib/firmware/4.4.0-130-generic"
"/lib/firmware/4.4.0-130-generic/whiteheat_loader.fw"
"/lib/firmware/4.4.0-130-generic/korg"
"/lib/firmware/4.4.0-130-generic/korg/k1212.dsp"
"/lib/firmware/4.4.0-130-generic/qlogic"
"/lib/firmware/4.4.0-130-generic/qlogic/sd7220.fw"
"/lib/firmware/4.4.0-130-generic/qlogic/1280.bin"
"/lib/firmware/4.4.0-130-generic/qlogic/1040.bin"
"/lib/firmware/4.4.0-130-generic/qlogic/12160.bin"
Many other files of /lib/firmware/4.4.0-130-generic
Modified:
"/lib/firmware"
"/lib/modprobe.d"
"/lib/systemd/system"
"/lib/systemd/system/apport-forward.socket"
"/lib/systemd/system/apport-forward@.service"
"/lib/systemd/system/polkitd.service"
"/lib/udev/rules.d"
"/lib/udev/rules.d/50-apport.rules"
"/lib/udev/rules.d/60-gnupg.rules"
"/lib/x86_64-linux-gnu"
"/lib/x86_64-linux-gnu/libcrypto.so.1.0.0"
"/lib/x86_64-linux-gnu/libgcrypt.so.20"
"/lib/x86_64-linux-gnu/libgcrypt.so.20.0.5"
"/lib/x86_64-linux-gnu/libpng12.so.0"
"/lib/x86_64-linux-gnu/libpng12.so.0.54.0"
"/lib/x86_64-linux-gnu/libprocps.so.4"
"/lib/x86_64-linux-gnu/libprocps.so.4.0.0"
"/lib/x86_64-linux-gnu/libssl.so.1.0.0"
-------------------------------------------------------------------------------
Rule Name: Critical system boot files (/lib/modules)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/lib/modules/4.4.0-130-generic"
"/lib/modules/4.4.0-130-generic/modules.alias"
"/lib/modules/4.4.0-130-generic/initrd"
"/lib/modules/4.4.0-130-generic/modules.alias.bin"
"/lib/modules/4.4.0-130-generic/kernel"
"/lib/modules/4.4.0-130-generic/kernel/lib"
"/lib/modules/4.4.0-130-generic/kernel/lib/xz"
"/lib/modules/4.4.0-130-generic/kernel/lib/xz/xz_dec_test.ko"
"/lib/modules/4.4.0-130-generic/kernel/lib/ts_fsm.ko"
"/lib/modules/4.4.0-130-generic/kernel/lib/test_static_keys.ko"
"/lib/modules/4.4.0-130-generic/kernel/lib/test_bpf.ko"
"/lib/modules/4.4.0-130-generic/kernel/lib/reed_solomon"
"/lib/modules/4.4.0-130-generic/kernel/lib/reed_solomon/reed_solomon.ko"
"/lib/modules/4.4.0-130-generic/kernel/lib/842"
"/lib/modules/4.4.0-130-generic/kernel/lib/842/842_compress.ko"
"/lib/modules/4.4.0-130-generic/kernel/lib/842/842_decompress.ko"
"/lib/modules/4.4.0-130-generic/kernel/lib/test_printf.ko"
Many other files of /lib/modules/4.4.0-130-generic/
Modified:
"/lib/modules"
-------------------------------------------------------------------------------
Rule Name: Other configuration files (/etc)
Severity Level: 66
-------------------------------------------------------------------------------
Added:
"/etc/ssh/sshd_config.save"
Removed:
"/etc/tripwire/twpol.txt"
Modified:
"/etc"
"/etc/apport"
"/etc/apport/blacklist.d"
"/etc/apt/apt.conf.d"
"/etc/apt/apt.conf.d/01autoremove-kernels"
"/etc/bash_completion.d"
"/etc/cron.daily"
"/etc/dbus-1/system.d"
"/etc/default"
"/etc/init"
"/etc/ld.so.cache"
"/etc/logrotate.d"
"/etc/pam.d"
"/etc/perl/Net"
"/etc/polkit-1/localauthority.conf.d"
"/etc/polkit-1/nullbackend.conf.d"
"/etc/ssh"
"/etc/ssh/ssh_config"
"/etc/ssh/sshd_config"
"/etc/ssl"
"/etc/sysctl.d"
"/etc/tripwire"
-------------------------------------------------------------------------------
Rule Name: Boot Scripts (/etc/init.d)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/etc/init.d"
"/etc/init.d/.depend.boot"
"/etc/init.d/.depend.start"
"/etc/init.d/.depend.stop"
-------------------------------------------------------------------------------
Rule Name: Critical system boot files (/boot)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/boot/retpoline-4.4.0-130-generic"
"/boot/abi-4.4.0-130-generic"
"/boot/config-4.4.0-130-generic"
"/boot/System.map-4.4.0-130-generic"
"/boot/initrd.img-4.4.0-130-generic"
"/boot/vmlinuz-4.4.0-130-generic"
Modified:
"/boot"
"/boot/grub"
"/boot/grub/grub.cfg"
"/boot/grub/menu.lst"
"/boot/grub/menu.lst~"
-------------------------------------------------------------------------------
Rule Name: Root file-system executables (/bin)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/bin"
"/bin/kill"
"/bin/ps"
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/root/.nano/search_history"
-------------------------------------------------------------------------------
Rule Name: Devices & Kernel information (/dev/pts)
Severity Level: 100
-------------------------------------------------------------------------------
Removed:
"/dev/pts/1"
-------------------------------------------------------------------------------
Rule Name: Devices & Kernel information (/proc/sys)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/proc/sys/fs/xfs"
"/proc/sys/fs/xfs/error_level"
"/proc/sys/fs/xfs/filestream_centisecs"
"/proc/sys/fs/xfs/inherit_noatime"
"/proc/sys/fs/xfs/inherit_nodefrag"
"/proc/sys/fs/xfs/inherit_nodump"
"/proc/sys/fs/xfs/inherit_nosymlinks"
"/proc/sys/fs/xfs/inherit_sync"
"/proc/sys/fs/xfs/irix_sgid_inherit"
"/proc/sys/fs/xfs/irix_symlink_mode"
"/proc/sys/fs/xfs/panic_mask"
"/proc/sys/fs/xfs/rotorstep"
"/proc/sys/fs/xfs/speculative_prealloc_lifetime"
"/proc/sys/fs/xfs/stats_clear"
"/proc/sys/fs/xfs/xfssyncd_centisecs"
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Are these file changes normal? Could they mean that my VPS was hacked? I didn't make any changes to the system between the two checks. I also followed several security measures, such as enabling SSH keys, disabling password-based authentication and setting up a firewall (UFW).
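The report above lists a complete new kernel tree (4.4.0-130-generic under /boot, /lib/modules and /lib/firmware) and a newly created /var/log/unattended-upgrades/unattended-upgrades-dpkg.log, so the first thing to establish is whether every changed path can be attributed to a package upgrade that dpkg recorded, and whether the installed files still match what the package shipped. The script below is an added example written for this page, not code from the question or from Tripwire: it parses the Object Summary of a Tripwire text report, lists the install/upgrade/remove events in dpkg's log since a timestamp, and maps each reported path to its owning package with `dpkg -S` / `dpkg -V`. The sample report and dpkg.log excerpt at the bottom are constructed for the demo (timestamps and version strings are placeholders); on a real host feed it `tripwire --check` output and /var/log/dpkg.log instead.

```shell
#!/bin/sh
# Added example (not from the original question): triage a Tripwire report by
# attributing each reported object to Debian/Ubuntu package activity.
#   extract_objects     - pull "STATE<TAB>PATH" lines out of a report (stdin)
#   dpkg_changes_since  - list install/upgrade/remove events from dpkg.log
#   verify_against_dpkg - map each path to its owning package and check its md5sum
# The sample report and dpkg.log lines at the bottom are constructed for the
# demo (timestamps and version strings are placeholders).

# Parse the "Object Summary" of a Tripwire text report read from stdin.
extract_objects() {
  awk '
    /^(Added|Removed|Modified):$/ { state = substr($0, 1, length($0) - 1); next }
    /^Rule Name:/ || /^=+$/       { state = "" }
    state != "" && /^"\/.*"$/     { path = $0; gsub(/"/, "", path); print state "\t" path }
  '
}

# dpkg_changes_since "YYYY-MM-DD HH:MM:SS" [logfile|-]
# Prints the install/upgrade/remove lines from dpkg's log at or after the
# timestamp (status/startup noise is dropped). Use "-" to read the log from stdin.
dpkg_changes_since() {
  since="$1"
  log="${2:-/var/log/dpkg.log}"
  awk -v since="$since" '
    $3 ~ /^(install|upgrade|remove)$/ && ($1 " " $2) >= since { print $1, $2, $3, $4, $5, $6 }
  ' "$log"
}

# Read "STATE<TAB>PATH" lines on stdin; for each regular file ask dpkg which
# package owns it and whether the installed copy still matches the md5sum the
# package shipped ("dpkg -V pkg" prints a line only for files that differ).
verify_against_dpkg() {
  if ! command -v dpkg >/dev/null 2>&1; then
    echo "dpkg not available on this host; skipping package verification" >&2
    return 0
  fi
  tab=$(printf '\t')
  while IFS="$tab" read -r state path; do
    if [ "$state" = "Removed" ]; then
      printf '%s\t%s\tremoved: correlate with the dpkg log / logrotate\n' "$state" "$path"
    elif [ ! -f "$path" ]; then
      printf '%s\t%s\tnot a regular file (directory, device or /proc entry)\n' "$state" "$path"
    else
      owner=$(dpkg -S "$path" 2>/dev/null | grep -v '^diversion' | head -n 1 | sed 's/[:,].*//')
      if [ -z "$owner" ]; then
        printf '%s\t%s\tNOT OWNED BY ANY PACKAGE: inspect manually\n' "$state" "$path"
      elif dpkg -V "$owner" 2>/dev/null | grep -qF " $path"; then
        printf '%s\t%s\tpackage %s but md5sum MISMATCH: inspect manually\n' "$state" "$path" "$owner"
      else
        printf '%s\t%s\tpackage %s, matches the shipped md5sum\n' "$state" "$path" "$owner"
      fi
    fi
  done
}

# Constructed sample report: a few rules in the shape of the one in the question.
SAMPLE_REPORT='Rule Name: Other binaries (/usr/sbin)
Severity Level: 66
-------------------------------------------------------------------------------
Modified:
"/usr/sbin"
"/usr/sbin/dnsmasq"
-------------------------------------------------------------------------------
Rule Name: Other configuration files (/etc)
Severity Level: 66
-------------------------------------------------------------------------------
Added:
"/etc/ssh/sshd_config.save"
Removed:
"/etc/tripwire/twpol.txt"
Modified:
"/etc"
"/etc/ssh/sshd_config"
-------------------------------------------------------------------------------
Rule Name: Critical system boot files (/boot)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/boot/vmlinuz-4.4.0-130-generic"
Modified:
"/boot/grub/grub.cfg"
===============================================================================
Error Report:
===============================================================================
No Errors'

# Constructed dpkg.log excerpt; package names follow the report, versions are placeholders.
SAMPLE_DPKG_LOG='2018-07-17 06:25:03 startup archives unpack
2018-07-17 06:25:04 status half-installed dnsmasq:amd64 1.0-1
2018-07-17 06:25:05 upgrade dnsmasq:amd64 1.0-1 1.0-2
2018-07-17 06:25:09 install linux-image-4.4.0-130-generic:amd64 <none> 4.4.0-130.1
2018-07-17 06:25:20 upgrade openssl:amd64 1.0-1 1.0-2
2018-07-17 06:25:30 status installed openssl:amd64 1.0-2'

echo "== objects reported by Tripwire =="
printf '%s\n' "$SAMPLE_REPORT" | extract_objects
echo "== package events since the last Tripwire database update =="
printf '%s\n' "$SAMPLE_DPKG_LOG" | dpkg_changes_since "2018-07-17 00:00:00" -
echo "== ownership / md5sum check (needs dpkg) =="
printf '%s\n' "$SAMPLE_REPORT" | extract_objects | verify_against_dpkg
```

Paths that dpkg owns and that still match the shipped md5sum, whose packages appear in the dpkg log for the window between the two checks, are explained by the upgrade; anything dpkg does not own (or that mismatches) is what deserves a manual look. Once the changes are attributed, accept them into the baseline with `tripwire --update -r /var/lib/tripwire/report/<host>-<date>.twr` and re-run `tripwire --check`, which should then come back clean. Two caveats: a clean md5sum only proves the file equals what the package archive delivered, so it cannot detect a compromised repository or mirror, and any check run from the possibly compromised host itself can be lied to by a kernel-level rootkit; if the answer still looks wrong after this, compare against files copied from a known-good install.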