I'm trying to tune Tripwire (under Debian testing) to give me fewer
unnecessary errors. At the moment /var/log/syslog and files in
/var/log/cups, exim4, tiger are all being listed as being modified.
Obviously this is fine, since they're logs, so I don't want to be
notified of this. In the standard twpol.txt file, there is a variable
called 'SEC_LOG', which it says is for files which should grow but not
change ownership, which sounds like these. In the default there was a
section which looked like this:

/var/lock -> $(SEC_CONFIG) ;
/var/run -> $(SEC_CONFIG) ; # daemon PIDs
/var/log -> $(SEC_CONFIG) ;

So I changed it to look like this:

/var/lock -> $(SEC_CONFIG) ;
/var/run -> $(SEC_CONFIG) ; # daemon PIDs
/var/log -> $(SEC_LOG) ;
/var/log/cups -> $(SEC_LOG) ;
/var/log/exim4 -> $(SEC_LOG) ;
/var/log/tiger -> $(SEC_LOG) ;

But I'm still getting warnings about files in these directories being
modified. Is it because the logs are being rotated, archived etc?
What's the best way to deal with this - do I even need to be notified
about anything in /var/log?