tripwire

alan alan at clueserver.org
Thu May 20 18:21:54 UTC 2004


On Thu, 20 May 2004, billg wrote:

> On Thu, 20 May 2004 11:07:42 -0700, "Jonathan Gardner"
> <jgardner at jonathangardner.net> said:
> > On Wednesday 19 May 2004 03:00 pm, Michael Yep wrote:
> > > Does anyone know why tripwire is not included in fedora?  Is there
> > > something better?
> > 
> > rpm -V
> 
> 
>  Can rpm be used to verify an entire filesystem with one command,
>  including anything not controlled or installed by rpm?   rpm -V seems
>  to want a package name.

"rpm -Va" will check everything installed by rpm.  It will not check 
things not installed by rpm.

It is a useful test, but it does have some problems.

1) You will get false positives on config files modified since 
installation.

2) If you have been rooted, the rootkit can modify the rpm database to 
match the rootkit versions.  (I have seen at least one case where this has 
happened.  I have also seen a case where they hopelessly bjorked the rpm 
database trying to do this.)

It is a good test if you installed something from a "make install" that 
you later feared overlaid something from an rpm package.

Now what really needs to happen is the ability of using an rpm database 
and a pile of rpms to bring a system back into a more or less clean 
state.  (For example, if a person just happened to delete /bin as 
superuser.  (Which I have had to repair at least once on newbie users' 
machines.))

Using the rpm database to say "fix this system" would be a useful feature.
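
The config-file noise described in point 1 can be separated out using the attribute marker that "rpm -Va" prints before each path. The shell function below is an added example, not part of the original message; the function names and the sample lines are constructed for illustration, and it does nothing about point 2, because it relies on the same rpm database.

```shell
#!/bin/sh
# Added example: triage `rpm -Va` output read from stdin.
# Each line is "<flags> [<attr>] <path>". <flags> is a run of test
# results such as "S.5....T." (5 = file digest differs) or the word
# "missing". <attr> is an optional one-letter file type (c = config).
# Output per line:
#   CONFIG <path>   changed config file, usually a local edit
#   SUSPECT <path>  non-config file that is missing or whose digest differs
#   OTHER <path>    only metadata (mode, mtime, owner, ...) differs
triage_rpm_verify() {
    awk '
    {
        flags = $1
        # The attribute marker is present only when field 2 is a single
        # character and the path follows it.
        if (NF >= 3 && length($2) == 1 && substr($3, 1, 1) == "/") {
            attr = $2; start = 3
        } else {
            attr = ""; start = 2
        }
        # Rebuild the path so names containing spaces survive.
        path = $start
        for (i = start + 1; i <= NF; i++) path = path " " $i

        if (attr == "c")
            print "CONFIG " path
        else if (flags == "missing" || index(flags, "5") > 0)
            print "SUSPECT " path
        else
            print "OTHER " path
    }'
}

# Constructed sample in the format rpm prints (not from a real system).
sample_rpm_va() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/ls
missing      /bin/ps
.......T.  d /usr/share/doc/bash/README
.M.......    /var/log/httpd
EOF
}

sample_rpm_va | triage_rpm_verify
```

On a live system the input would come from "rpm -Va | triage_rpm_verify" instead of the sample.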





