what to use instead of tripwire?

Owen Taylor otaylor at redhat.com
Sun Oct 12 18:53:36 UTC 2003


On Sun, 2003-10-12 at 13:22, Craig Ringer wrote:
> >>> sorry, let me rephrase that.  now that tripwire is not shipped
> >>> *automatically* with fedora, is there an alternate file integrity
> >>> checker covered by the GPL that would be a good replacement?
> >>
> >> For everything in RPM format you can use rpm --verify
> > 
> > But that will signal every config file you have changed from its 
> > default settings. And it will miss config files that aren't part of the 
> > RPM.
> 
> For that matter, it can be easily bypassed by a modified RPM database or 
> binary.
> 
> It's a useful check against corruption, but probably not skilled & 
> determined deliberate modification.

Any method that doesn't involve booting from a read-only medium
and checking against data on that read-only medium is basically 
only proof against casual/incompetent intruders. Luckily, that seems
to be quite a large percentage.

Any method that does involve booting from a read-only medium
is unlikely to get used, since who can afford to regularly reboot
their servers?

Ways out:

 - "drm" style techniques ... the bios can only load signed boot
   sectors, the boot sectors can only load signed kernels, the
   kernel can only load signed modules, etc.

 - SELinux style compartmentalization ... if most root exploits
   don't actually exploit the part of root that allows changing
   binaries / kernel modules / etc, then verification can
   be a lot more meaningful.

Without such techniques any standardized tripwire-style
verification can be circumvented. The best hope may be to cook
up something custom and hide it so that the intruder doesn't
find it...

Regards,
					Owen
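The `rpm --verify` objection in the quoted exchange (it flags every edited config file, and an intruder who controls the host can feed it a doctored database) can at least be triaged on the output side. The script below is an added example, not code from the thread or from the rpm project: it classifies `rpm -Va` lines so that changed %config files are kept apart from changed or missing binaries and libraries. The function names are hypothetical, the sample lines are constructed, and it assumes the `rpm -Va` line layout described in the comments.

```shell
#!/bin/sh
# Added example: triage `rpm -Va` output so that edited %config files
# (usually expected) are separated from changed or missing non-config
# files such as binaries and shared libraries (worth investigating).
# Caveat, as the thread notes: rpm -Va trusts the local rpm database and
# the rpm binary itself, so a tampered host can lie to it.

# rpm -Va line layout (assumed): nine attribute flags (S size, M mode,
# 5 digest, D device, L link, U user, G group, T mtime, P caps; '.' ok,
# '?' unreadable), then an optional file-type letter ('c' = %config,
# 'd' = %doc, 'g' = %ghost, ...), then the path. A missing file prints
# the word "missing" in place of the nine flags.

# Constructed sample output for demonstration; not real verification data.
SAMPLE='S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/ls
.......T.    /usr/lib/libexample.so
missing     /usr/sbin/example-daemon
missing   c /etc/example.conf
..?......    /var/lib/example/state'

# Reads rpm -Va output on stdin and prints one line per entry:
#   <changed|missing> TAB <config|ghost|file> TAB <path>
triage_rpm_verify() {
    awk '
        {
            if (NF == 3) { attr = $2; path = $3 } else { attr = ""; path = $2 }
            state = ($1 == "missing") ? "missing" : "changed"
            if (attr == "c")      kind = "config"
            else if (attr == "g") kind = "ghost"
            else                  kind = "file"
            print state "\t" kind "\t" path
        }
    '
}

# Prints the number of changed or missing non-config, non-ghost files,
# i.e. the entries that cannot be explained by local configuration edits.
count_suspicious() {
    triage_rpm_verify | awk -F '\t' '$2 == "file" { n++ } END { print n + 0 }'
}

# On a live system:  rpm -Va 2>/dev/null | triage_rpm_verify
# Demo on the constructed sample:
printf '%s\n' "$SAMPLE" | triage_rpm_verify
printf '%s\n' "$SAMPLE" | count_suspicious
```

Nothing here detects files that belong to no package; for those a separate baseline of hashes kept off the host is still needed, which is the point Owen makes about read-only media.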
More information about the fedora-test-list mailing list