[NTLUG:Discuss] rpm instead of tripwire?
Matt Midboe
matt at snsnet.net
Sun Dec 5 13:08:41 CST 1999
Richard Cobbe wrote:
> Are there any security problems with this that I'm overlooking? The rpm
> executable, as installed, is already statically linked, so a modified or
> Trojaned library wouldn't compromise this. The only problem I can see is
Well, rpm doesn't keep track of files like /etc/hosts.equiv, /.rhosts,
/etc/passwd, /etc/hosts, etc. Tripwire can watch those files. Also, tripwire
understands log files and has rules that allow them to grow and not generate
false positives when they change. However, you are right about rpm keeping hashes
on installed files, as far as I know. You could take the file monitoring to the
next level by having tripwire watch everything, and then having rpm monitor the
tripwire application.
Matt
matt at snsnet.net
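
Added example (not part of the original post, and not Tripwire's or rpm's own code): a small baseline checker for the kind of files the reply says rpm does not track, with a "growing" rule that lets a log be appended to without raising a finding. The function names, the rule names and the sample files are hypothetical; the growing rule here also re-hashes the bytes recorded at baseline time, which is an assumption of this sketch rather than a description of Tripwire's behaviour.

```python
import hashlib
import tempfile
from pathlib import Path

def digest(path, limit=None):
    """SHA-256 of the file, or of only its first `limit` bytes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while limit is None or limit > 0:
            chunk = f.read(65536 if limit is None else min(65536, limit))
            if not chunk:
                break
            h.update(chunk)
            limit = None if limit is None else limit - len(chunk)
    return h.hexdigest()

def snapshot(rules):
    """rules maps path -> "static" or "growing"; returns the baseline."""
    return {p: (r, Path(p).stat().st_size, digest(p)) for p, r in rules.items()}

def check(baseline):
    """Return {path: finding} for each file that violates its rule."""
    findings = {}
    for path, (rule, size, old) in baseline.items():
        p = Path(path)
        if not p.exists():
            findings[path] = "missing"
        elif rule == "static":
            if digest(p) != old:
                findings[path] = "modified"
        elif p.stat().st_size < size:        # growing file got shorter
            findings[path] = "truncated"
        elif digest(p, limit=size) != old:   # recorded bytes were edited
            findings[path] = "rewritten"
    return findings

def demo():
    """Constructed files in a temp dir stand in for /etc/hosts and a syslog file."""
    with tempfile.TemporaryDirectory() as d:
        hosts, log = Path(d, "hosts"), Path(d, "messages")
        hosts.write_text("127.0.0.1 localhost\n")
        log.write_text("Dec  5 13:00:01 host sshd: started\n")
        base = snapshot({str(hosts): "static", str(log): "growing"})
        with open(log, "a") as f:            # normal log growth
            f.write("Dec  5 13:05:12 host su: session opened\n")
        after_append = check(base)
        hosts.write_text("127.0.0.1 localhost\n10.0.0.9 update.example\n")
        log.write_text("Dec  5 13:00:01 host cron: started\n")  # same length, edited
        return after_append, {Path(p).name: v for p, v in check(base).items()}
```

The baseline returned by snapshot() is only as trustworthy as where it is stored, so keep it off the monitored host or on read-only media.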