what to use instead of tripwire?
Robert P. J. Day
rpjday at mindspring.com
Mon Oct 13 13:02:03 UTC 2003
On Mon, 13 Oct 2003, Paul Morgan wrote:
> On Mon, 2003-10-13 at 06:54, Göran Uddeborg wrote:
> > Why would the medium have to be read-only? Wouldn't it be enough that
> > one boots from this trusted medium and only uses binaries from it? (I
> > assume of course the medium is not present when not booted from.)
>
> A sophisticated cracker who really wanted your system could conceivably
> root your box and install a rogue version of rpm to falsely report the
> rpm -V status of trojaned files as being ok. The same could be said of
> any verification software, including Tripwire.
>
> That is why---for paranoid systems---it is recommended to baseline the
> box using Tripwire or other software immediately after configuration
> (but before ever plugging in the network cable) and then copy the
> tripwire databases to cd-r media. Future changes to the system would
> follow a cycle of
> 1. unplug from the network
> 2. boot and test integrity using read-only media
> 3. make config changes
> 4. update integrity db and copy to cd-r
> 5. re-plug to network
>
> For static servers (rarely-changing config, no local data), one could of
> course create a live cd of the server. That's another topic, though. Has
> anybody tried this with Fedora yet?
as a trivial start, you can start with mounting your entire /usr
filesystem read-only, not so much as a security measure, but just to
see if it's feasible for you.
remember, according to the FHS, /usr is defined as static, shareable
data, so that, unless you're installing new software, nothing under
/usr should be changing. one of the changes i made to my system was
to move all of the kernel and RPM stuff out of /usr/src and into
my home directory, so that i can build/rebuild both kernels and
RPMs as a regular user. granted, i still need to become root to
*install* them, but trying this will at least show you whether it's
reasonable to have /usr write protected. if so, given that almost
all of your software is under /usr, think about a read-only /usr
media.
just a thought.
rday
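An added example, not code from this thread or from Tripwire, showing the baseline-then-verify cycle Paul lists above reduced to a small POSIX shell script around GNU coreutils/findutils: it records a sha256 manifest of a tree and later re-hashes the tree and diffs, reporting changed, missing and added files. The SHA256SUM variable and the file name integrity.sh are assumptions of this example; the variable exists so that verification can be run with the sha256sum binary from trusted read-only media rather than the one on the disk being checked, which is the point raised about a rogue rpm. Writing the baseline to cd-r and booting from read-only media remain manual steps outside the script.

```shell
#!/bin/sh
# Added example, not code from the fedora-test-list thread or from Tripwire.
# Assumes GNU coreutils/findutils (find, sort -z, xargs -r, sha256sum, mktemp, diff).
# SHA256SUM is an assumption of this script: point it at a sha256sum binary on
# trusted read-only media when verifying, so a replaced on-disk binary cannot
# lie about the result (the same concern the thread raises about a rogue rpm).
SHA256SUM=${SHA256SUM:-sha256sum}

# make_baseline DIR OUT
# Write "<sha256>  <relative path>" for every regular file under DIR into OUT.
# Paths are relative to DIR, so the same baseline can be checked against the
# disk mounted elsewhere (e.g. under /mnt) from a rescue boot.
make_baseline() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -print0 | sort -z | xargs -0 -r "$SHA256SUM" ) > "$out"
}

# verify_baseline DIR BASELINE
# Re-hash DIR and compare with BASELINE. Returns 0 when identical, 1 when any
# file was changed, removed or added (added files matter: a trojaned install
# usually drops new ones), 2 when a temporary file cannot be created.
verify_baseline() {
    dir=$1; base=$2
    now=$(mktemp) || return 2
    make_baseline "$dir" "$now"
    if cmp -s "$base" "$now"; then
        rm -f "$now"
        return 0
    fi
    echo "integrity check FAILED for $dir:" >&2
    # '<' lines: baseline entries that are missing or whose hash changed
    # '>' lines: current entries that are new or carry the changed hash
    diff "$base" "$now" >&2 || true
    rm -f "$now"
    return 1
}

# Command-line wrapper (a no-op when the functions are sourced from elsewhere):
#   integrity.sh baseline DIR OUT      -- after configuration, before networking
#   integrity.sh verify   DIR BASELINE -- from the trusted boot, before re-plugging
case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    verify)   verify_baseline "$2" "$3" ;;
esac
```

Typical use is `sh integrity.sh baseline /usr /mnt/cdr/usr.sha256` at step 4 of the cycle, and `SHA256SUM=/mnt/cdrom/bin/sha256sum sh integrity.sh verify /mnt/disk/usr /mnt/cdrom/usr.sha256` at step 2 from the read-only boot; paths in the baseline are relative, so the tree can be checked wherever the disk happens to be mounted.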