AIDE/Tripwire

Mr. Adam ALLEN adam at dynamicinteraction.co.uk
Wed Aug 13 15:45:02 UTC 2003


On Wed, 2003-08-13 at 16:11, Michael Schwendt wrote:
> On 13 Aug 2003 14:11:56 +0100, Mr. Adam ALLEN wrote:  
> > I think it's dangerous to automatically rebuild the database,
>
> I think nobody has suggested to rebuild the database automatically.

No, nobody has, but a logical next step I guessed might be that if we
have the files that rpm modified (/etc/tripwire.d) then why not just
take care of it automatically.

> The question I have raised earlier is whether to ship a default
> policy file that covers a full install of the distribution? And in
> case this is desired, whether and how to create it manually or
> automatically? Especially Tripwire uses policy directives which
> sort files into different security levels.

The closest to an answer I have is to create a full policy, shipped
with a small perl (or your favourite language) script to remove files not
installed on the system before feeding that list to tripwire. Though
this list would of course need to be maintained, as you point out.


> Tommy McNeely's suggestion to tie RPM to the IDE by using a ``magic
> policy directory (ala /etc/tripwire.d ) .. that each RPM can drop
> its "specs" into'' is ridiculous IMHO. Just note, that a) the
> Tripwire project page looks abandoned for a long time, that b)
> the information in those tripwire.d files is very likely not
> different from what is contained within the rpmdb-redhat already,
> and that c) nobody would maintain extra information which could
> not be extracted from src.rpms/rpmdb automatically.
> 

If on an upgrade of apache the new files are listed in
/etc/tripwire.d/apache, then updating the tripwire database using this
information as a template could make it easier to just update the
upgraded files.

Of course, all that is really needed is the name of the rpm that has
been upgraded, the spec file really isn't required.

> Every solution which requires additional maintenance is out of
> question.

I can see the usefulness of it, though the implementation details need
careful thought. Of course, just having the files listed in the rpm
isn't good enough, since log files need to be identified from binaries.

If it's worth development time- is another question.

-- 
Regards,
Adam Allen.

adam at dynamicinteraction.co.uk
pgp http://search.keyserver.net:11371/pks/lookup?op=vindex&search=adam%40dynamicinteraction.co.uk
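The approach sketched in the reply above (a full policy pruned to the files actually installed, with log files given a different rule from binaries) written out as an added example; this is not code from the thread, and the AIDE rule names, attribute sets and the file manifest are constructed for illustration.

```python
# Added example (not from the thread): turn a "full install" file manifest
# into an AIDE-style policy, keeping only files that exist on this host and
# giving log files a growing-file rule instead of a checksum rule.
import os
from typing import Callable, Iterable, List

# Hypothetical rule set. Attribute letters follow aide.conf conventions
# (p perms, i inode, n links, u/g owner, s size, S growing size, b blocks,
# m mtime, c ctime, md5/sha1 checksums); the rule names are this example's own.
RULES = {
    "Binlib": "p+i+n+u+g+s+b+m+c+md5+sha1",  # binaries: pin everything
    "ConfFiles": "p+i+n+u+g+s+m+c+md5",      # config: checksummed, one digest
    "Logs": "p+n+u+g+S",                     # logs may only grow; no checksum
}

def classify(path: str) -> str:
    """Pick a rule for a path. Logs are recognised by location rather than
    by package membership, which is the gap the thread points out."""
    if path.startswith("/var/log/"):
        return "Logs"
    if path.startswith("/etc/"):
        return "ConfFiles"
    return "Binlib"

def build_policy(manifest: Iterable[str],
                 exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return policy lines for the manifest entries present on this system.
    `exists` is injectable so the function can be tested without touching
    the real filesystem."""
    lines = [f"{name} = {attrs}" for name, attrs in RULES.items()]
    for path in sorted(set(manifest)):
        if not exists(path):
            continue  # in the shipped full policy but not installed here
        lines.append(f"{path} {classify(path)}")
    return lines

# Constructed manifest, standing in for the output of `rpm -qla`
FULL_MANIFEST = [
    "/usr/sbin/httpd",
    "/etc/httpd/conf/httpd.conf",
    "/var/log/httpd/access_log",
    "/usr/sbin/postfix",   # pretend this package is not installed here
]

if __name__ == "__main__":
    installed = {"/usr/sbin/httpd", "/etc/httpd/conf/httpd.conf",
                 "/var/log/httpd/access_log"}
    print("\n".join(build_policy(FULL_MANIFEST, installed.__contains__)))
```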
