Application Enablement Services (AES): Tripwire log messages "file has been modified illegally" and "file has been added to the system in an illegal directory" for integrity checks.


Doc ID    SOLN194497
Version:    36.0
Status:    Published
Published date:    28 Apr 2023
Created Date:    29 Feb 2012
Author:   
Zsolt Balog
 

Details

All versions of AES. The PSN was created for 3.x but pertains to versions released after the release date (2007) -> PSN001124u.

This is reported in all versions of AES 3.x and higher.

Problem Clarification

The following log messages are found in a Tripwire integrity check:
Platform Critical "ACORE00046 GSYSL00057 Security: a file has been added to the system in an illegal directory."
Platform Major "ACORE00044 GSYSL00052 Security: a file has been modified illegally."

Cause

The files being modified and created are the results of the Tripwire integrity check.

Critical "ACORE00046 GSYSL00057 Security: a file has been added to the system in an illegal directory."
Major "ACORE00044 GSYSL00052 Security: a file has been modified illegally."

The following is an example of Tripwire's integrity check as reported in the syslog:
Jul 22 04:03:10 aes-001 twcheck[14197]: Filename: /usr/lib/rpm/db/__db.001 File Modified [severity 300]
Jul 22 04:03:10 aes-001 twcheck[14197]: Filename: /var/lib/tripwire/aes-001.twd File Added [severity 4000]
Jul 22 04:03:10 aes-001 tripwire[14198]: Integrity Check Complete: /var/lib/tripwire/aes-001.twd TWReport aes-001 20060722040303 V:80 S:4000 A:53 R:1 C:26

• The first line reports the update to the rpm database file.
• In the second line, the file "cc-aes-001.twd" is the Tripwire report that is generated whenever an integrity check is performed by Tripwire.
• In the third line, Tripwire reports the completion of the integrity check. (QQ109960)

It should be noted that this may not always be the case: always verify that the files tripping the alarm are not being altered by other processes or means before dismissing it.
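To make that verification repeatable, the following added example (not part of the original article) parses twcheck syslog lines of the format quoted above and separates the changes the article attributes to the integrity check itself (the report .twd file being added, the rpm database file being modified) from anything else, which is flagged for manual verification. The sample log is constructed; the sshd_config line is a made-up entry to show the "verify" path.

```python
import re

# Matches the twcheck lines quoted in the article:
# "<ts> <host> twcheck[<pid>]: Filename: <path> File <Change> [severity <n>]"
TWCHECK_RE = re.compile(
    r"twcheck\[\d+\]: Filename: (?P<path>\S+) File (?P<change>\w+) \[severity (?P<sev>\d+)\]"
)

# Changes the article attributes to Tripwire's own integrity check.
# Anything not matching one of these (path, change) pairs must be verified
# against other processes before the alarm is treated as expected.
EXPECTED = (
    (re.compile(r"^/var/lib/tripwire/[^/]+\.twd$"), "Added"),  # the check's own report
    (re.compile(r"^/usr/lib/rpm/db/__db\.\d+$"), "Modified"),  # rpm database update
)


def classify(path, change):
    """Return 'expected' for a change the integrity check causes itself, else 'verify'."""
    for pattern, expected_change in EXPECTED:
        if pattern.match(path) and change == expected_change:
            return "expected"
    return "verify"


def triage(lines):
    """Group twcheck entries into {'expected': [...], 'verify': [...]} of (path, change, severity)."""
    result = {"expected": [], "verify": []}
    for line in lines:
        m = TWCHECK_RE.search(line)
        if not m:
            continue  # tripwire[...] summary lines and unrelated syslog entries are skipped
        entry = (m["path"], m["change"], int(m["sev"]))
        result[classify(m["path"], m["change"])].append(entry)
    return result


# Constructed sample: the two lines from the article plus one made-up entry.
SAMPLE_LOG = [
    "Jul 22 04:03:10 aes-001 twcheck[14197]: Filename: /usr/lib/rpm/db/__db.001 File Modified [severity 300]",
    "Jul 22 04:03:10 aes-001 twcheck[14197]: Filename: /var/lib/tripwire/aes-001.twd File Added [severity 4000]",
    "Jul 22 04:03:11 aes-001 twcheck[14197]: Filename: /etc/ssh/sshd_config File Modified [severity 100]",
    "Jul 22 04:03:10 aes-001 tripwire[14198]: Integrity Check Complete: /var/lib/tripwire/aes-001.twd",
]

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_LOG).items():
        for path, change, sev in entries:
            print(f"{bucket:8} {change:8} sev={sev:<5} {path}")
```

A .twd file reported as Modified rather than Added is deliberately not whitelisted, so it lands in the "verify" bucket.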

 

Note: This issue can also appear after a SP or LSU has been applied. Applying these changes the filesystem contents and therefore affects the Tripwire policy. It is strongly advised to run an integrity check and then update the Tripwire database from the resulting twr file.

 

 

Solution

Ignore the alarm if you have verified that it was tripped by an integrity check and was expected. To eliminate the alarm, the Tripwire database needs to be updated. Refer to the section "Updating the Tripwire database" of the "Avaya Aura® Application Enablement Services Administration and Maintenance Guide" for more details.

1. Access the AES via PuTTY, and su to the root user.
2. Move to the directory /var/lib/tripwire/report
3. Run the following command: 'tripwire -m u --twrfile /var/lib/tripwire/report/<filename>'
4. If you want to test that the alarm is no longer visible, you can run an integrity check: 'tripwire --check'


 

 Steps to update TW database:

  1. Stop the Tripwire service

·         # service tripwire stop

  2. Delete the Tripwire key files

·         # rm /etc/tripwire/tw.cfg
·         # rm /etc/tripwire/tw.pol
·         # rm /etc/tripwire/*.key

  3. Delete the Tripwire database file

·         # rm /var/lib/tripwire/*.twd

  4. Configure Tripwire

·         # /etc/tripwire/cmds/twinstall.sh

  5. Enter your new pass phrases (key, local & site) when prompted. After entering a passphrase the first time, note it down, as it will be needed again.

  6. Create a new Tripwire database

·         # tripwire --init   (ignore 'No such file or directory' errors)

  7. Start the Tripwire service

·         # service tripwire start


FYI: These alarms can also be seen when A2R is used for SAL onboarding. This is normal and expected during onboarding. Once an asset is onboarded it can raise alarms, send test alarms and be used for health checks, which can be performed via the support site.

Legacy ID

KB01130782

Avaya -- Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy