[NTLUG:Discuss] rpm instead of tripwire?

Lee Heath madhat at unspecific.com
Mon Dec 6 09:50:48 CST 1999


Matt Midboe wrote:
> 
> Richard Cobbe wrote:
> > Are there any security problems with this that I'm overlooking?  The rpm
> > executable, as installed, is already statically linked, so a modified or
> > Trojaned library wouldn't compromise this.  The only problem I can see is
> 
> Well rpm doesn't keep track of files like /etc/hosts.equiv, /.rhosts,
> /etc/passwd, /etc/hosts etc. Tripwire can watch those files. Also tripwire
> understands log files and has rules that allow them to grow and not generate
> false positives when they change. However you are right about rpm keeping hashes
> on installed files as far as I know. You could take the file monitoring to the
> next level by having tripwire watch everything, and then having rpm monitor the
> tripwire application.

There is also the issue of installing something that is not an RPM, or
things in users' home directories.  I agree that using RPM is a good
idea, but it will not cover everything you need to watch.  You may want to
look at cfengine (http://www.iu.hioslo.no/cfengine/).
This is a great tool.  It has the tripwire-like stuff built in, but will
also allow you to use its scripting language to check symlinks, clean
tmp areas of files older than X days, check configs (like timezone, file
permissions and ownership), easily manage files and lot-o-stuff.  I am
currently working on a frontend for it to help generate the scripts.
The nice thing about cfengine is that it is designed to work on a single
host, or on a group of hosts, where you can have a central server that
can manage all the other hosts.

-- 
MadHat
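As an added illustration of the two points raised in this thread (not code from the list or from any of the posters): a minimal baseline checker for files that `rpm -V` does not cover, with a tripwire-style rule that lets a log file grow by appending without raising a false positive. All file names below are constructed stand-ins for /etc/hosts.equiv and a syslog file, created in a temporary directory.

```python
import hashlib
import os
import tempfile

# FIXED files must not change at all; LOG files may only grow by appending,
# so their old content must still be present, unchanged, at the front.
FIXED, LOG = "fixed", "log"

def sha256_prefix(path, length=None):
    """SHA-256 of the first `length` bytes of a file (whole file if None)."""
    with open(path, "rb") as f:
        data = f.read() if length is None else f.read(length)
    return hashlib.sha256(data).hexdigest()

def snapshot(paths):
    """Baseline: (size, hash) for every watched path."""
    return {p: (os.path.getsize(p), sha256_prefix(p)) for p in paths}

def verify(baseline, rules):
    """Return [(path, reason)] for every file that violates its rule."""
    findings = []
    for path, (old_size, old_hash) in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif rules.get(path, FIXED) == LOG:
            if os.path.getsize(path) < old_size:
                findings.append((path, "truncated"))
            elif sha256_prefix(path, old_size) != old_hash:
                findings.append((path, "rewritten (not append-only)"))
        elif os.path.getsize(path) != old_size or sha256_prefix(path) != old_hash:
            findings.append((path, "content changed"))
    return findings

def write(path, text, mode="w"):
    with open(path, mode) as f:
        f.write(text)

def demo():
    """Constructed sample files standing in for /etc/hosts.equiv and a syslog."""
    d = tempfile.mkdtemp()
    hosts, log = os.path.join(d, "hosts.equiv"), os.path.join(d, "messages")
    write(hosts, "trusted.example\n")
    write(log, "boot ok\n")
    baseline, rules = snapshot([hosts, log]), {log: LOG}
    write(log, "cron run\n", "a")          # normal log growth: no alert expected
    clean = verify(baseline, rules)
    write(hosts, "extra.example\n", "a")   # unexpected edit to a trust file
    write(log, "BOOT ok\ncron run\n")      # log rewritten in place, not appended
    return clean, verify(baseline, rules)
```

In practice the baseline itself would be stored off-host or on read-only media, since a checker whose reference data lives on the watched system can be adjusted along with the files it watches.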



