I want to only check /dev directory and not the contents, so I changed

    #=/dev @@DIRM
    /dev @@DEVM

to

    =/dev @@DIRM
    #/dev @@DEVM

Then running tripwire in any mode results in segment fault. e.g.

    [root@hypatia /root]# tripwire -update /etc
    ### Phase 1: Reading configuration file
    ### Phase 2: Generating file list
    Segmentation fault
    [root@hypatia /root]# tripwire -q
    Segmentation fault

If I change it back the way it was, all is OK.

John S. Weber
System Administrator
Center for Computational Mathematics
University of Colorado at Denver
Phone: (303)556-5394
Fax: (303)556-8550
jweber.edu
http://www-math.cudenver.edu/~jweber

I ran into the same problem, for the same reason. The default tw.config in the tripwire RPM should have looser checks on a number of files that change in a multiuser environment, like

    !/etc/X11/xdm/authdir/
    !/etc/issue
    !/etc/ssh_random_seed
    !/etc/ntp/drift
    !/etc/mtab
    =/dev @@DIRM

Apparently, there's a script twdb_check.pl that needs to be run if the tw.config file changes. I've seen a message to this effect towards the end of tripwire -initialize runs. But the script isn't included with the Tripwire RPM :-(.

The easiest workaround I've found is to install tripwire with rpm --noscripts (to prevent the automatic tripwire -initialize that happens on installation), and then edit the tw.config file and run tripwire -initialize manually.

If I could figure out how to unpack a src rpm, modify it, and repack it, I'd submit a fix.

John

I tried the workaround (rpm -Uvh --noscripts), but I still get a segment fault when I manually initialize (tripwire -initialize). Previously, I had tried deleting the /var/spool/tripwire DB file and reinitializing (also get segment fault), but I'm not sure if this is any different than gibson.edu's workaround.

I'm still only changing the /dev entry as per my above message. Once again it seems to be OK if I restore /etc/tw.config to the RPM default version.

John Weber

I rebuilt a package for our RHCE folks without any initializing, and it worked for them. I suppose the moral of the story is not to initialize in the spec file; I'll leave that for the user to do. Check rawhide in a bit to see a change for this.

Tim