AIDE/Tripwire

Tommy McNeely tommy.mcneely at sun.com
Wed Aug 13 17:07:33 UTC 2003


Michael Schwendt wrote:

>On 13 Aug 2003 14:11:56 +0100, Mr. Adam ALLEN wrote:
>
>>>>Maybe just setup a magic policy directory (ala /etc/tripwire.d ) .. that
>>>>each RPM can drop its "specs" into and have the policy generated
>>>>automatically or something..
>>
>>I think it's dangerous to automatically rebuild the database
>

>I think nobody has suggested to rebuild the database automatically.
>

I sort of did, but that's obviously not really a good idea ;)

>
>The question I have raised earlier is whether to ship a default
>policy file that covers a full install of the distribution? And in
>case this is desired, whether and how to create it manually or
>automatically? Especially Tripwire uses policy directives which
>sort files into different security levels.
>
>Users of Tripwire and Red Hat Linux moan about a default policy file
>that covers files which are not installed actually. This creates
>security reports which include many "file does not exist" warnings.
>The tools to drop such files from the config are not included. You
>can create a rough Perl script yourself or try to find an existing
>one via Google. But that only shows that the package is incomplete
>and needs enhancement.
>
>Tommy McNeely's suggestion to tie RPM to the IDE by using a ``magic
>policy directory (ala /etc/tripwire.d ) .. that each RPM can drop
>its "specs" into'' is ridiculous IMHO. Just note, that a) the
>Tripwire project page looks abandoned for a long time, that b)
>the information in those tripwire.d files is very likely not
>different from what is contained within the rpmdb-redhat already,
>and that c) nobody would maintain extra information which could
>not be extracted from src.rpms/rpmdb automatically.
>

was just a random thought :) .. and by "specs" I meant simply a small 
piece of the text-based (or possibly Red Hat signed and encrypted) twpol 
file that contains the files that should be in the policy for the 
specific package.. not the rpm spec :)

Although maybe a solution is to build the *initial* policy directly from 
the rpmdb (not -redhat, as that contains everything, right?) using a 
python or similar script that can semi-intelligently determine whether a 
file is a binary/config/log/other (based on location?) .. directly after 
the user completes the install (if they check the "build my default 
tripwire for me" box?). I suggest we stray away from including a text 
version of the config file due to the reason mentioned above.. if the 
user decides not to install "everything" then they get all the file not 
found stuff. If we are going to parse rpmdb to find out what files 
should be taken out of the default everything policy, why not just parse 
the db to figure out what to put into it.. less maint. I think?

For maintaining the policy, that could require extra "intelligence" .. 
or possibly script kiddies.. just installing an RPM or modifying rpm or 
its database somehow to trip up the tripwire policy "generator" .. or 
like you say.. listing /etc/passwd because you have added an account, 
but meanwhile someone else has added another "root" account or deleted 
all the others.. and you magically OK that file being changed because it 
was "supposed to"

>
>Every solution which requires additional maintenance is out of
>question.
>
heh, any solution is going to require extra maint.. it just depends on 
how much and who does it :)

>Red Hat have dropped Tripwire due to resource constraints. Resource
>constraints are not specific to Red Hat. A community packager is
>also affected by resource constraints. 
>
tripwire by name may not be what we need to pursue.. maybe aide? or some 
other tool.. but the generating default policy and maintaining it are 
still going to be a problem



-- 
Tommy McNeely   --   Tommy.McNeely at Sun.COM
Sun Microsystems   --   IT CTO
Phone/Fax: x51837 / 303-395-3361
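An added example (not code from this thread, Tripwire or AIDE) of the rpmdb-driven policy generation discussed above: classify each installed path by location into binary/config/log/other and emit an AIDE rule fragment. It assumes modern AIDE rule syntax (`sha256`, growing-file `S`) and takes a constructed manifest in the shape of `rpm -qal` output instead of reading the live rpmdb; the trust caveat from the thread still applies, since the result is only as trustworthy as the package database it was built from.

```python
#!/usr/bin/env python3
"""Build an AIDE policy fragment from a package file list by classifying
each path on its location (binary / config / log / other). Constructed
sample input stands in for `rpm -qal` output; nothing here reads rpmdb."""

# Rule groups defined by this script (aide.conf may declare its own names).
RULES = {
    "binary": "p+i+n+u+g+s+b+m+c+sha256",  # perms, inode, size, times, content
    "config": "p+i+n+u+g+sha256",          # owner/perms/content; mtime may churn
    "log":    "p+n+u+g+S",                 # growing file: size may only increase
    "other":  "p+i+n+u+g+sha256",
}

BINARY_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                   "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/libexec/")


def classify(path: str) -> str:
    """Heuristic, location-based class for one installed path."""
    if path.startswith(BINARY_PREFIXES):
        return "binary"
    if path.startswith("/etc/"):
        return "config"
    if path.startswith("/var/log/"):
        return "log"
    return "other"


def generate_policy(manifest: str) -> str:
    """Return an aide.conf fragment covering every path in `manifest`.

    AIDE selection lines are regular expressions, so each path is anchored
    with `$` to match exactly (paths with regex metacharacters would need
    escaping, which this example does not do)."""
    lines = [f"{name.upper()} = {attrs}" for name, attrs in RULES.items()]
    paths = sorted({p.strip() for p in manifest.splitlines() if p.strip()})
    lines += [f"{p}$ {classify(p).upper()}" for p in paths]
    return "\n".join(lines) + "\n"


# Constructed manifest (not from a real system), in `rpm -qal` shape.
SAMPLE_MANIFEST = """\
/usr/bin/ls
/etc/passwd
/var/log/messages
/usr/share/doc/coreutils/README
"""

if __name__ == "__main__":
    print(generate_policy(SAMPLE_MANIFEST), end="")
```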