Mr. Adam ALLEN wrote:
>On Wed, 2003-08-13 at 13:13, Leonard den Ottolander wrote:
>>Hi Tommy,
>>
>>>Maybe just set up a magic policy directory (ala /etc/tripwire.d) .. that
>>>each RPM can drop its "specs" into and have the policy generated
>>>automatically or something..
>>
>I think it's dangerous to automatically rebuild the database, but
>something like:
>- get the rpm to dump into /etc/tripwire.d
>- alert the user that they should run something like (or aide)
>  tripwire --rebuild --parse-specs
>- it would probably be a safe idea to have RH sign the spec file, with
>the same key used to sign the RPM, and then only process files out of
>/etc/tripwire.d which can have their digital signatures verified. Users
>might trust the /etc/tripwire.d contents too much, which is why I think
>this step might be necessary.
Agreed.. you don't want anyone just dropping stuff into there.
Need to be really careful that my rpm doesn't drop in a new /etc/passwd.
Since the specfile would list /etc/passwd as a file, would this instruct
tripwire to re-calculate the checksums on /etc/passwd (which may have
all the accounts deleted)?
Just some quick, not-really-thought-through pitfalls that might exist.
Such are the pitfalls of trying to make this "easy".. tripwire may not
be a feasible solution, but I was trying to suggest something that
reminded me of "logrotate.d".
--
Tommy McNeely -- Tommy.McNeely(a)Sun.COM
Sun Microsystems -- IT CTO
Phone/Fax: x51837 / 303-395-3361
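As an added example (not code from the thread or from tripwire/AIDE), here is a Python sketch of the policy assembler Adam describes: fragments dropped into the policy directory are accepted only if their vendor signature verifies, and only for files their own package actually owns, which is the check that catches the /etc/passwd pitfall Tommy raises. The fragment format, the HMAC stand-in for the RPM GPG signature, the sample manifest and the sample fragments are all constructed for this example.

```python
import hmac, hashlib
# Constructed stand-in for the vendor's signing key; a real deployment would verify the
# RPM vendor's GPG signature on the fragment instead (HMAC only so this runs offline).
VENDOR_KEY = b"constructed-vendor-key"

def sign_fragment(pkg, paths):
    """Stand-in signature over the canonical body: package name, then one path per line."""
    body = pkg + "\n" + "\n".join(paths)
    return hmac.new(VENDOR_KEY, body.encode(), hashlib.sha256).hexdigest()

def make_fragment(pkg, paths, signed=True):
    """Render a drop-in fragment in the (constructed) format parse_fragment reads."""
    sig = sign_fragment(pkg, paths) if signed else "0" * 64
    return f"package: {pkg}\nsignature: {sig}\n" + "\n".join(paths) + "\n"

def parse_fragment(text):
    """Header lines are 'key: value'; every line starting with '/' is a path to monitor."""
    meta, paths = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("/"):
            paths.append(line)
        else:
            key, _, value = line.partition(":")
            meta[key.strip()] = value.strip()
    return meta, paths

def accept_fragment(text, rpm_manifest):
    """Paths a fragment may add, or ValueError; rpm_manifest: package -> files it owns (`rpm -ql`)."""
    meta, paths = parse_fragment(text)
    pkg = meta.get("package", "<unknown>")
    if not hmac.compare_digest(meta.get("signature", ""), sign_fragment(pkg, paths)):
        raise ValueError(f"{pkg}: signature missing or invalid")
    foreign = sorted(p for p in paths if p not in rpm_manifest.get(pkg, set()))
    if foreign:  # the /etc/passwd case raised in the thread lands here
        raise ValueError(f"{pkg}: names files the package does not own: {foreign}")
    return paths

def build_policy(fragments, rpm_manifest):
    """Merge accepted fragments into one monitored-file list; report the rejected ones."""
    rules, rejected = set(), []
    for text in fragments:
        try:
            rules.update(accept_fragment(text, rpm_manifest))
        except ValueError as err:
            rejected.append(str(err))
    return sorted(rules), rejected

# Constructed sample: what `rpm -ql` would report, plus three dropped-in fragments.
MANIFEST = {"openssh-server": {"/usr/sbin/sshd", "/etc/ssh/sshd_config"}, "evil-pkg": {"/opt/evil/bin"}}
FRAGMENTS = [make_fragment("openssh-server", ["/usr/sbin/sshd", "/etc/ssh/sshd_config"]),
             make_fragment("openssh-server", ["/usr/sbin/sshd"], signed=False),    # unsigned
             make_fragment("evil-pkg", ["/opt/evil/bin", "/etc/passwd"])]          # re-baseline grab
```

Running `build_policy(FRAGMENTS, MANIFEST)` yields only the two sshd paths; the unsigned fragment and the one naming /etc/passwd are reported but never reach the policy, so the user still has to act on them instead of the database being rebuilt silently.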