When initializing the db with tripwire --init it spat out a bunch of errors pertaining to /proc:
### Warning: File system error.
### Filename: /proc/16982/fd/4
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /proc/16982/fdinfo/4
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /proc/16982/task/16982/fd/4
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /proc/16982/task/16982/fdinfo/4
### No such file or directory
### Continuing...
### Warning: Duplicate object encountered.
### /proc/sys/net/ipv6/neigh
This feels like noise. The twpol.txt
file has the following clause:
#
# Critical devices
#
(
rulename = "Devices & Kernel information",
severity = $(SIG_HI),
)
{
/dev -> $(Device) ;
/proc -> $(Device) ;
}
Which, if I understand it right, is going to cause tripwire to care deeply about the entire contents of /proc. Shouldn't it just care about the static parts of /proc like the drivers and such, and not the per-pid stuff? Why does it ship like this?
I found this post on LinuxQuestions.
Modify so only intreresting parts of proc will be examined
If its that much of a bother to you, you can modify your policy to exclude the folder from its scans....
to exclude /proc you could add something like:
to your policy and rebuild the database.