freebsd security - Mar 2010 - tripwire and device numbers

While getting a box ready for deployment, I noticed on two occasions, 
I would get some exception reports flagging all files as the 
underlying device number through reboots had changed.  Is this 
"normal" for Tripwire and FreeBSD ? (RELENG_7)

The file system is on
da0 at twa0 bus 0 target 0 lun 0
da0: <AMCC 9650SE-2LP DISK 4.08> Fixed Direct Access SCSI-5 device
da0: 100.000MB/s transfers
da0: 238408MB (488259584 512 byte sectors: 255H 63S/T 30392C)
SMP: AP CPU #1 Launched!


eg.

Rule Name: Local files (/usr/local/sbin)
Severity Level: 66
-------------------------------------------------------------------------------
   ----------------------------------------
   Modified Objects: 10
   ----------------------------------------

Modified object name:  /usr/local/sbin

   Property:            Expected                    Observed
   -------------        -----------                 -----------
   Object Type          Directory                   Directory
* Device Number        92                          98
   Inode Number         2637949                     2637949
   Mode                 drwxr-xr-x                  drwxr-xr-x
   Num Links            2                           2
   UID                  root (0)                    root (0)
   GID                  wheel (0)                   wheel (0)
   Size                 512                         512
   Modify Time          Wed Mar  3 15:24:02 2010    Wed Mar  3 15:24:02 2010
   Blocks               4                           4


         ---Mike



--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike

Mike Tancsa <mike@sentex.net> writes:
> While getting a box ready for deployment, I noticed on two occasions,
> I would get some exception reports flagging all files as the
> underlying device number through reboots had changed.  Is this
> "normal" for Tripwire and FreeBSD ?
FreeBSD does not have fixed device numbers, they are allocated on the
fly as each device attaches.  I don't know if there is a way around
this.

DES
-- 
Dag-Erling Sm?rgrav - des@des.no

In message <201003041953.o24JrDhi038522@lava.sentex.ca>, Mike Tancsa
writes:
>While getting a box ready for deployment, I noticed on two occasions, 
>I would get some exception reports flagging all files as the 
>underlying device number through reboots had changed.  Is this 
>"normal" for Tripwire and FreeBSD ? (RELENG_7)
Yes, device numbers in freebsd carry no meaning,  unless it is
a compat /dev directory to boot ancient systems (SunOS, very
old FreeBSD etc) diskless.

In general, tripwire should ignore devfs and possibly all pseudo-fs
mount-points.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.