AIDE/Tripwire
Mr. Adam ALLEN
adam at dynamicinteraction.co.uk
Wed Aug 13 13:11:56 UTC 2003
On Wed, 2003-08-13 at 13:13, Leonard den Ottolander wrote:
> Hi Tommy,
>
> > Maybe just setup a magic policy directory (ala /etc/tripwire.d ) .. that
> > each RPM can drop its "specs" into and have the policy generated
> > automatically or something..
>
I think it's dangerous to automatically rebuild the database, but
something like:
- get the rpm to dump into /etc/tripwire.d
- alert the user that they should run something like (or aide)
tripwire --rebuild --parse-specs
- it would probably be a safe idea to have RH sign the spec file, with
the same key used to sign the RPM, and then only process files out of
/etc/tripwire.d which can have their digital signatures verified. Users
might trust the /etc/tripwire.d contents too much, which is why I think
this step might be necessary.
Need to be really careful that my rpm doesn't drop in a new /etc/passwd.
Since the specfile would list /etc/passwd as a file, would this instruct
tripwire to re-calculate the checksums on /etc/passwd? (Which may have
all the accounts deleted.)
Just some quick, not really thought-through pitfalls that might exist.
--
Regards,
Adam Allen.
adam at dynamicinteraction.co.uk
pgp http://search.keyserver.net:11371/pks/lookup?op=vindex&search=adam%40dynamicinteraction.co.uk
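
The gating described in this message, as an added example that is not part of the original post and is not Tripwire or AIDE code: only fragments whose signature verifies are read, and a path that is already in the baseline and has changed is queued for review instead of being re-checksummed. Assumptions: a fragment is a list of paths, one per line; an HMAC with a constructed key stands in for checking the vendor's GPG signature; `plan_rebuild` and the other names are hypothetical.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor signature check. A real deployment would
# verify a detached GPG signature against the key that signed the RPM.
DEMO_KEY = b"constructed-demo-key"

def sign(spec: bytes, key: bytes = DEMO_KEY) -> str:
    return hmac.new(key, spec, hashlib.sha256).hexdigest()

def verified(spec: bytes, sig: str, key: bytes = DEMO_KEY) -> bool:
    return hmac.compare_digest(sign(spec, key), sig)

def plan_rebuild(fragments, baseline, current):
    """fragments: {name: (spec_bytes, signature)} as found in the policy directory.
    baseline: {path: digest} from the existing database.
    current:  {path: digest} of the files on disk now.
    Returns (add, review, rejected)."""
    add, review, rejected = [], [], []
    for name, (spec, sig) in sorted(fragments.items()):
        if not verified(spec, sig):
            rejected.append(name)   # unsigned or altered fragment: ignore it entirely
            continue
        for path in spec.decode().split():
            if path not in baseline:
                add.append(path)    # new file from the package: baseline it
            elif baseline[path] != current.get(path):
                review.append(path) # monitored file changed: never re-checksum silently
    return add, review, rejected

def demo():
    # Constructed sample data: one signed fragment that also lists /etc/passwd,
    # and one fragment with a bogus signature.
    good = b"/usr/bin/foo\n/etc/foo.conf\n/etc/passwd\n"
    bad = b"/etc/shadow\n"
    fragments = {"foo.spec": (good, sign(good)), "bad.spec": (bad, "0" * 64)}
    baseline = {"/etc/passwd": "aaa", "/etc/shadow": "bbb"}
    current = {"/etc/passwd": "zzz", "/etc/shadow": "bbb",
               "/usr/bin/foo": "ccc", "/etc/foo.conf": "ddd"}
    return plan_rebuild(fragments, baseline, current)

if __name__ == "__main__":
    add, review, rejected = demo()
    print("add to baseline:", add)
    print("needs manual review:", review)
    print("rejected fragments:", rejected)
```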