[ale] /dev/tty1 modified?

Michael D. Hirsch mhirsch at nubridges.com
Tue Jul 22 08:45:38 EDT 2003


On Monday 21 July 2003 06:26 pm, Christopher Fowler wrote:
> On Mon, Jul 21, 2003 at 06:04:28PM -0400, Mike Millson wrote:
> > I saw the following in my Tripwire report from last night. I updated
> > the database at 11:15 p.m., and the cron job that produces it runs at
> > 4:00 a.m., so I didn't expect anything to change. What does this mean
> > happened to my system? Is there some hacking advantage to changing the
> > mode of files?
> >
> >
> > ----------------------------------------
> >  Modified Objects: 1
> > ----------------------------------------
> >
> > Modified object name:  /dev/tty1
> >
> > Property               Expected              Observed
> > --------               --------              --------
> > * Mode                 crw-------            crw--w----
> > * GID                  tty (5)               root (0)
> >
> > Mike
>
> This is okay.  When tripwire ran you must have been logged on as root
> on tty1.  When the system logs in a user it will change the group and
> uid of the device to be owned by the user that is logging in. On logout
> the device is changed back to the original settings.

Which means that the tripwire policy file is slightly wrong.  The ownership 
and permissions of /dev/tty[n] are expected to change when you log into 
the console, so tripwire should be set up to ignore those attributes.

Michael
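
A triage sketch for the report format quoted in this thread, added here as an example and not part of any poster's message or of Tripwire itself: it parses the "Modified object" sections and separates console-tty changes confined to Mode/UID/GID from everything else. The sample report, the `LOGIN_CHURN` set, and the rule that a tty granting access to "other" still needs review are assumptions of this example.

```python
import re

# Constructed sample: the /dev/tty1 entry from the thread plus one made-up entry.
SAMPLE_REPORT = """\
Modified object name:  /dev/tty1
Property               Expected              Observed
--------               --------              --------
* Mode                 crw-------            crw--w----
* GID                  tty (5)               root (0)
Modified object name:  /etc/passwd
* Size                 1482                  1530
* Modify Time          Mon Jul 21 23:15:02 2003   Tue Jul 22 03:10:44 2003
"""

# Assumption: the attributes a console login is expected to rewrite on its tty.
LOGIN_CHURN = {"Mode", "UID", "GID"}
TTY_PATH = re.compile(r"^/dev/tty\d+$")
PROP_LINE = re.compile(r"^\*\s+(.+?)\s{2,}(.+?)\s{2,}(.+?)\s*$")

def parse_modified(report):
    """Return {object_path: {property: (expected, observed)}}."""
    objects, current = {}, None
    for line in report.splitlines():
        line = line.strip()
        if line.startswith("Modified object name:"):
            current = objects.setdefault(line.split(":", 1)[1].strip(), {})
        elif current is not None:
            m = PROP_LINE.match(line)
            if m:
                current[m.group(1)] = (m.group(2), m.group(3))
    return objects

def triage(report):
    """Split changed objects into expected tty login churn and items to review."""
    expected, review = [], []
    for path, props in parse_modified(report).items():
        # Assumption: still a character device, and no access bits for "other".
        mode = props.get("Mode", ("", "c---------"))[1]
        benign = bool(TTY_PATH.match(path)) and set(props) <= LOGIN_CHURN \
            and mode.startswith("c") and mode[7:10] == "---"
        (expected if benign else review).append(path)
    return expected, review
```

Anything returned in the second list, including a tty whose changes go beyond ownership and mode, still needs a human look.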
