what to use instead of tripwire?
Owen Taylor
otaylor at redhat.com
Sun Oct 12 18:53:36 UTC 2003
On Sun, 2003-10-12 at 13:22, Craig Ringer wrote:
> >>> sorry, let me rephrase that. now that tripwire is not shipped
> >>> *automatically* with fedora, is there an alternate file integrity
> >>> checker covered by the GPL that would be a good replacement?
> >>
> >> For everything in RPM format you can use rpm --verify
> >
> > But that will signal every config file you have changed from its
> > default settings. And it will miss config files that aren't part of the
> > RPM.
>
> For that matter, it can be easily bypassed by a modified RPM database or
> binary.
>
> It's a useful check against corruption, but probably not skilled &
> determined deliberate modification.
Any method that doesn't involve booting from a read-only medium
and checking against data on that read-only medium is basically
only proof against casual/incompetent intruders. Luckily, that seems
to be quite a large percentage.
Any method that does involve booting from a read-only medium
is unlikely to get used, since who can afford to regularly reboot
their servers?
Ways out:
- "drm" style techniques ... the bios can only load signed boot
sectors, the boot sectors can only load signed kernels, the
kernel can only load signed modules, etc.
- SELinux style compartmentalization ... if most root exploits
don't actually exploit the part of root that allows changing
binaries / kernel modules / etc, then verification can
be a lot more meaningful.
Without such techniques any standardized tripwire-style
verification can be circumvented. The best hope may be to cook
up something custom and hide it so that the intruder doesn't
find it...
Regards,
Owen
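The following is an added example and not code from the thread or from Owen: a minimal tripwire-style checker in Python that records a hash, mode, owner and size per file, MACs the baseline, and diffs the live tree against it. It is here to make the trade-offs in the message concrete. Like rpm --verify it will flag any edited config file; unlike rpm --verify it also covers files no package owns. The MAC only protects the baseline if the key and the baseline stay off the host (read-only media, as argued above); an intruder with root who finds the key, or who replaces the kernel or the checker itself, is not caught. The directory layout, file contents and key in demo() are constructed for the example.

```python
"""Tripwire-style file-integrity baseline: record, MAC, verify, diff.

Added example, not code from the original thread.  Paths, contents and
the key used in demo() are constructed for illustration only.
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path):
    """Attributes a tripwire-style checker records for one regular file."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def scan(root):
    """Map relative POSIX path -> fingerprint for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def build_baseline(root, key):
    """Serialize the scan and MAC it.  Key and output belong off-host."""
    body = json.dumps(scan(root), sort_keys=True)
    mac = hmac.new(key, body.encode(), "sha256").hexdigest()
    return {"entries": body, "mac": mac}


def verify(root, baseline, key):
    """Check the baseline MAC first, then diff the live tree against it."""
    body = baseline["entries"].encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, baseline["mac"]):
        raise ValueError("baseline MAC mismatch: baseline altered or wrong key")
    saved = json.loads(body)
    live = scan(root)
    return {
        "changed": sorted(p for p in saved if p in live and live[p] != saved[p]),
        "added": sorted(set(live) - set(saved)),
        "removed": sorted(set(saved) - set(live)),
    }


def demo():
    """Build a small tree, baseline it, tamper with it, return the verify() report."""
    key = b"demo-key-keep-this-off-the-host"  # constructed for the example
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        (etc / "ssh_config").write_text("Port 22\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        Path(root, "bin").mkdir()
        (Path(root, "bin") / "ls").write_bytes(b"\x7fELF original")

        baseline = build_baseline(root, key)

        # Simulate an intruder: trojan a binary (same size, different content),
        # drop a new file, delete a file.
        (Path(root, "bin") / "ls").write_bytes(b"\x7fELF trojaned")
        (etc / "ld.so.preload").write_text("/lib/rootkit.so\n")
        (etc / "hosts").unlink()

        report = verify(root, baseline, key)

        # An intruder who re-hashes the tampered tree into the baseline but
        # lacks the key produces a MAC mismatch.
        forged = dict(baseline)
        forged["entries"] = json.dumps(scan(root), sort_keys=True)
        try:
            verify(root, forged, key)
            forged_detected = False
        except ValueError:
            forged_detected = True
    return report, forged_detected


if __name__ == "__main__":
    print(demo())
```

Run it with no arguments to see the report for the constructed tree. The trojaned binary keeps its original size, so a size-only check (or mtime, which this example deliberately ignores since an intruder can reset it) would miss it; the hash catches it. Note that all of this runs on the possibly compromised host, which is exactly the limitation the message describes.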