[NTLUG:Discuss] rpm instead of tripwire?

Richard Cobbe cobbe at directlink.net
Sun Dec 5 11:54:23 CST 1999


Hello, all.

I'm starting to work on securing my system, and I just had a thought I'd
like feedback on.

Most security-related documents I've seen suggest downloading tripwire or a
similar utility to watch system files against modification.  So far as I
can tell, these utilities don't do much except calculate md5 checksums for
all of the files, then store the sums, ownership info, and permissions into
a database.  To check, recalculate the sums and check against the database.

Well, I use RedHat, and rpm already does all of that stuff.  So: I was
thinking, rather than dl'ing a new program, I'd just use the one I have.
Obviously, I'd keep a copy of the RPM database and the rpm executable on
some sort of removable medium, probably CD-RW, so that any intruder can't zap
my database.  Then, to check, just pop in the CD, mount it, and run rpm
-Va, pointing it to my stored copy of the database.

Are there any security problems with this that I'm overlooking?  The rpm
executable, as installed, is already statically linked, so a modified or
Trojaned library wouldn't compromise this.  The only problem I can see is
that rpm isn't aware of a few crucial system files, like the kernel image
and modules that I use.  Those I'd have to handle manually, but there are
only a few such files, so that's pretty easy.

Another issue is that RPM is (blissfully?) unaware of my Win95 partition,
but overwriting system files is necessary on a fairly standard basis on
that OS.

Comments?  Thoughts?  Problems?

Thanks in advance,

Richard
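One way to script the check described above, as an added example that is not part of Richard's post: it runs the statically linked rpm kept on the CD against the stored database copy, filters the verify output down to the changes that matter for integrity checking, and covers the kernel and modules (which rpm does not own) from a separate md5sum list. The mount point /mnt/cdrom and the file names under it are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed layout of the read-only CD:
DBCOPY=/mnt/cdrom/rpmdb          # copy of /var/lib/rpm made right after install
RPMBIN=/mnt/cdrom/bin/rpm        # statically linked rpm binary, so no library trust
EXTRA_SUMS=/mnt/cdrom/extra.md5  # "md5sum /boot/vmlinuz* /lib/modules/.../*" output

# rpm -Va prints one line per file that differs from the package: an attribute
# field (S size, M mode, 5 md5 digest, D device, L symlink, U user, G group,
# T mtime; '.' = unchanged, '?' = not testable), then 'c' for config files,
# then the path. "missing" lines name files that are gone. This filter keeps
# digest, mode, owner and group changes plus missing files, drops config files
# (expected to differ) and ignores the "Unsatisfied dependencies" lines.
suspicious_changes() {
    while IFS= read -r line; do
        set -f; set -- $line; set +f          # split on whitespace, no globbing
        flags=$1; kind=$2
        case "$line" in
            missing*) printf '%s\n' "$line"; continue ;;
        esac
        case "$flags" in
            *[!SM5DLUGTP.?]*) continue ;;      # not an attribute line at all
        esac
        [ "$kind" = "c" ] && continue         # config file: edited on purpose
        case "$flags" in
            *5*|*M*|*U*|*G*) printf '%s\n' "$line" ;;
        esac
    done
}

# Full check, run as root with the CD mounted. Note the remaining trust
# assumption: the running kernel itself must be honest, which is exactly why
# the kernel image and modules get their own checksum list below.
check_system() {
    "$RPMBIN" --dbpath "$DBCOPY" -Va | suspicious_changes
    md5sum -c "$EXTRA_SUMS" | grep -v ': OK$'
}

if [ -x "$RPMBIN" ]; then
    check_system
fi
```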
