[NTLUG:Discuss] rpm instead of tripwire?

Christopher Browne cbbrowne at hex.net
Thu Dec 9 19:18:29 CST 1999


Matt Midboe wrote:
> Richard Cobbe wrote:
> > Are there any security problems with this that I'm overlooking?  The rpm
> > executable, as installed, is already statically linked, so a modified or
> > Trojaned library wouldn't compromise this.  The only problem I can see is
> 
> Well rpm doesn't keep track of files like /etc/hosts.equiv, /.rhosts,
> /etc/passwd, /etc/hosts etc. Tripwire can watch those files. Also tripwire
> understands log files and has rules that allow them to grow and not generate
> false positives when they change. However you are right about rpm keeping
> hashes on installed files as far as I know. You could take the file
> monitoring to the next level by having tripwire watch everything, and then
> having rpm monitor the tripwire application.

I think I'd use cfengine for this instead; it also has the merit of being 
useful for controlling individual facilities, effectively providing a way for 
the system to, at least to some degree, "heal itself."
--
"A touchstone to determine the  actual worth of an ``intellectual'' --
find out how he feels about astrology."  - Lazarus Long
cbbrowne at hex.net - <http://www.hex.net/~cbbrowne/lsf.html>





