[OT] Tripwire passphrase
Scot L. Harris
webid at cfl.rr.com
Tue Dec 14 15:12:50 UTC 2004
On Tue, 2004-12-14 at 09:42, Aleksandar Milivojevic wrote:
> Scot L. Harris wrote:
> > It's not that bad. Remember the passphrase is not used as a password,
> > it is a key that is used to sign the database, config, and policy
> > files. It does not take that much effort to initialize the database or
> > sign the config and policy files when you want to change the keys.
>
> I thought that passphrase was used to protect the key, not as a key?
>
I probably did a horrible job of trying to explain that. The passphrase
does protect the key, but as I understand it, it is not like a standard
password that is kept in a separate file somewhere. I also believe it
is in effect incorporated in the key itself. Could be wrong about that.
> > Probably the hardest thing about using tripwire is getting the policy
> > set up correctly the first time. The default policy is pretty bad since
> > it usually includes many files that are not installed on a typical
> > system and the rules in place for the root account and for log files
> > require much adjustment.
>
> I second that. The default RedHat policy file was horrible. Instead of
> checking for everything in /bin, /sbin, /etc and other important places
> (and having exceptions for a few "special" files to keep noise low), it
> had lists of files to check. It generated tons of errors if you didn't
> have the full distro installed, and it had gaping holes in files it didn't
> check (not to mention it was unable to detect addition of files).
>
Yup, same as I found here. Getting the right options for the various
log files seemed to take me the most time. I have gotten pretty good at
editing the policy file after the first run of tripwire, removing rules
that don't apply since I don't have many of the packages the default
policy file is looking for. I also suspect that very little work has
gone into crafting the default policy; it has not seemed to change in the
last several releases.
> If tripwire gets included into the distro again (and it should, there is
> still no good replacement for it), that default policy file should be
> built from scratch.
I agree, tripwire should be included. AIDE does not seem to be a valid
option yet. Once you get it set up, tripwire requires minimal care and
feeding. But getting it set up correctly is the hard part. I also use a
filter in email that helps flag a violation so I know when something has
changed without having to read each tripwire report. At one time I had
it set up in Big Brother as well so there was a visual alert.
--
Scot L. Harris
webid at cfl.rr.com
YOW!! Up ahead! It's a DONUT HUT!!
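The directory-based policy style the thread argues for, written here as an added example (not taken from this post or from any distribution's twpol.txt). It assumes Tripwire's standard policy syntax: `path -> property-mask ;` rules, `!path ;` stop points, and the predefined `$(IgnoreNone)`, `$(ReadOnly)`, `$(Dynamic)` and `$(Growing)` masks; the paths, severity numbers and stop points are illustrative choices, not a recommended complete policy.

```text
# Added example: recurse into whole directories and carve out the noisy
# files as stop points, rather than listing individual files to check.
# Because each rule covers a directory tree, a file that appears under
# /bin or /etc is reported as "Added", which a per-file list can never see.

@@section GLOBAL
TWETC = /etc/tripwire ;

@@section FS
SIG_LOW   = 33 ;
SIG_HI    = 100 ;
SEC_BIN   = $(ReadOnly) ;            # binaries: nothing may change
SEC_CRIT  = $(IgnoreNone) -SHa ;     # everything except SHA, Haval, atime
SEC_CFG   = $(Dynamic) ;             # config: contents may change, ownership/perms may not
SEC_LOG   = $(Growing) ;             # logs: may only grow, perms/owner fixed

(
  rulename = "System binaries",
  severity = $(SIG_HI)
)
{
  /bin        -> $(SEC_BIN) ;
  /sbin       -> $(SEC_BIN) ;
  /usr/bin    -> $(SEC_BIN) ;
  /usr/sbin   -> $(SEC_BIN) ;
}

(
  rulename = "System configuration",
  severity = $(SIG_HI)
)
{
  /etc              -> $(SEC_CFG) ;
  $(TWETC)          -> $(SEC_CRIT) ;   # tripwire's own keys, config and policy
  # Stop points: files that legitimately change at runtime. Listed as
  # exceptions so the rest of /etc, including new files, is still covered.
  !/etc/mtab ;
  !/etc/adjtime ;
  !/etc/resolv.conf ;
}

(
  rulename = "Log files",
  severity = $(SIG_LOW)
)
{
  /var/log          -> $(SEC_LOG) ;
  # Rotation recreates these; exclude them instead of tuning the mask.
  !/var/log/lastlog ;
}
```

A check that reports an unexpected "Added" object under /bin or /sbin is the signal the file-list style misses; the stop points are the place to trim noise rather than loosening the mask on the whole directory.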