[OT] Tripwire passphrase

Aleksandar Milivojevic amilivojevic at pbl.ca
Tue Dec 14 14:42:26 UTC 2004


Scot L. Harris wrote:
> It's not that bad.  Remember the passphrase is not used as a password,
> it is a key that is used to sign the database, config,  and policy
> files.  It does not take that much effort to initialize the database or
> sign the config and policy files when you want to change the keys.  

I thought that the passphrase was used to protect the key, not as a key?

> Probably the hardest thing about using tripwire is getting the policy
> setup correctly the first time.  The default policy is pretty bad since
> it usually includes many files that are not installed on a typical
> system and the rules in place for the root account and for log files
> require much adjustment.  

I second that.  The default RedHat policy file was horrible.  Instead of 
checking everything in /bin, /sbin, /etc and other important places 
(and having exceptions for a few "special" files to keep noise low), it 
had lists of files to check.  It generated tons of errors if you didn't 
have the full distro installed, and it had gaping holes in the files it 
didn't check (not to mention it was unable to detect the addition of files).

If tripwire gets included in the distro again (and it should, there is 
still no good replacement for it), that default policy file should be 
built from scratch.

-- 
Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
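As an added illustration of the directory-based layout Aleksandar argues for (an editor's example, not text from the post and not Red Hat's shipped twpol.txt), here is a Tripwire policy fragment that covers whole directory trees, uses stop points (`!`) for the few files that legitimately churn, and puts a tighter mask on a handful of sensitive files than on the rest of their tree. Paths, variable names and masks are assumptions for the example; the predefined masks `$(ReadOnly)`, `$(Dynamic)`, `$(Growing)` and `$(IgnoreNone)` are Tripwire's own.

```text
# Illustrative twpol.txt fragment (assumed paths and masks, not the distro policy).
# Property masks in the FS section add (+) or drop (-) the letters
# p i n u g t s d b a m c C M S H; the $(...) names below are Tripwire's
# predefined masks.

@@section GLOBAL
TWBIN = /usr/sbin ;
TWETC = /etc/tripwire ;
TWVAR = /var/lib/tripwire ;

@@section FS
SEC_CRIT   = $(IgnoreNone)-SHa ;   # everything except SHA, Haval and atime
SEC_BIN    = $(ReadOnly) ;         # binaries: size, hashes, owner, perms fixed
SEC_CONFIG = $(Dynamic) ;          # config: owner/perms tracked, contents may change
SEC_LOG    = $(Growing) ;          # logs: may grow, must not shrink or change owner
SIG_HI     = 100 ;
SIG_MED    = 66 ;

# Whole directories rather than file lists: a binary dropped into /sbin
# is reported as an added object instead of being silently ignored, and a
# package that is not installed produces no "file not found" noise.
(
  rulename = "System binaries",
  severity = $(SIG_HI)
)
{
  /bin       -> $(SEC_BIN) ;
  /sbin      -> $(SEC_BIN) ;
  /usr/bin   -> $(SEC_BIN) ;
  /usr/sbin  -> $(SEC_BIN) ;
  /lib       -> $(SEC_BIN) ;
}

# All of /etc, with stop points (!) for the few files that change on
# their own. The more specific path wins, so the account database gets
# the strict mask while the rest of the tree keeps the lenient one.
(
  rulename = "Configuration",
  severity = $(SIG_HI)
)
{
  /etc            -> $(SEC_CONFIG) ;
  /etc/passwd     -> $(SEC_CRIT) ;
  /etc/shadow     -> $(SEC_CRIT) ;
  /etc/group      -> $(SEC_CRIT) ;
  /etc/sudoers    -> $(SEC_CRIT) ;
  !/etc/mtab ;
  !/etc/adjtime ;
  !/etc/resolv.conf ;
}

# Logs are expected to grow; rotation still shows up as a change, so
# keep the severity at medium rather than high.
(
  rulename = "Logs",
  severity = $(SIG_MED)
)
{
  /var/log   -> $(SEC_LOG) ;
}

# Tripwire's own binaries, configuration and signed policy/database.
(
  rulename = "Tripwire",
  severity = $(SIG_HI)
)
{
  $(TWBIN)/tripwire    -> $(SEC_BIN) ;
  $(TWBIN)/twadmin     -> $(SEC_BIN) ;
  $(TWETC)/tw.cfg      -> $(SEC_BIN) ;
  $(TWETC)/tw.pol      -> $(SEC_BIN) ;
  $(TWVAR)             -> $(SEC_CONFIG) ;
}
```

After editing the plain-text policy it has to be re-signed and the database re-initialised, which is where the passphrases in the thread come in: `twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt` prompts for the site passphrase and writes the signed tw.pol, then `tripwire --init` prompts for the local passphrase and builds a fresh database; `tripwire --check` runs the comparison. Expect a few "Added" and "Modified" hits on the first checks while you tune the stop points for your own machines.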
