what to use instead of tripwire?
Paul Morgan
paul.morgan at jumanjihouse.com
Mon Oct 13 12:41:40 UTC 2003
On Mon, 2003-10-13 at 06:54, Göran Uddeborg wrote:
> Why would the medium have to be read-only? Wouldn't it be enough that
> one boots from this trusted medium and only uses binaries from it? (I
> assume of course the medium is not present when not booted from.)
A sophisticated cracker who really wanted your system could conceivably
root your box and install a rogue version of rpm to falsely report the
rpm -V status of trojaned files as being ok. The same could be said of
any verification software, including Tripwire.
That is why---for paranoid systems---it is recommended to baseline the
box using Tripwire or other software immediately after configuration
(but before ever plugging in the network cable) and then copy the
tripwire databases to cd-r media. Future changes to the system would
follow a cycle of
1. unplug from the network
2. boot and test integrity using read-only media
3. make config changes
4. update integrity db and copy to cd-r
5. re-plug to network
For static servers (rarely-changing config, no local data), one could of
course create a live cd of the server. That's another topic, though. Has
anybody tried this with Fedora yet?