what to use instead of tripwire?

Robert P. J. Day rpjday at mindspring.com
Mon Oct 13 13:02:03 UTC 2003


On Mon, 13 Oct 2003, Paul Morgan wrote:

> On Mon, 2003-10-13 at 06:54, Göran Uddeborg wrote:
> > Why would the medium have to be read-only?  Wouldn't it be enough that
> > one boots from this trusted medium and only uses binaries from it?  (I
> > assume of course the medium is not present when not booted from.)
> 
> A sophisticated cracker who really wanted your system could conceivably
> root your box and install a rogue version of rpm to falsely report the
> rpm -V status of trojaned files as being ok. The same could be said of
> any verification software, including Tripwire.
> 
> That is why---for paranoid systems---it is recommended to baseline the
> box using Tripwire or other software immediately after configuration
> (but before ever plugging in the network cable) and then copy the
> tripwire databases to cd-r media. Future changes to the system would
> follow a cycle of 
> 1. unplug from the network
> 2. boot and test integrity using read-only media
> 3. make config changes
> 4. update integrity db and copy to cd-r
> 5. re-plug to network
> 
> For static servers (rarely-changing config, no local data), one could of
> course create a live cd of the server. That's another topic, though. Has
> anybody tried this with Fedora yet?

as a trivial start, you can start with mounting your entire /usr 
filesystem read-only, not so much as a security measure, but just to
see if it's feasible for you.

remember, according to the FHS, /usr is defined as static, shareable
data, so that, unless you're installing new software, nothing under
/usr should be changing.  one of the changes i made to my system was
to move all of the kernel and RPM stuff out of /usr/src and into
my home directory, so that i can build/rebuild both kernels and
RPMs as a regular user.  granted, i still need to become root to
*install* them, but trying this will at least show you whether it's
reasonable to have /usr write protected.  if so, given that almost
all of your software is under /usr, think about a read-only /usr
media.

just a thought.

rday
