On Tue, 2004-12-14 at 09:42, Aleksandar Milivojevic wrote:
> Scot L. Harris wrote:
> > It's not that bad. Remember the passphrase is not used as a password,
> > it is a key that is used to sign the database, config, and policy
> > files. It does not take that much effort to initialize the database or
> > sign the config and policy files when you want to change the keys.
>
> I thought that passphrase was used to protect the key, not as a key?
>

I probably did a horrible job trying to explain that. The passphrase does protect the key, but as I understand it, it is not like a standard password that is kept in a separate file somewhere. I also believe it is in effect incorporated in the key itself. Could be wrong about that.

> > Probably the hardest thing about using tripwire is getting the policy
> > set up correctly the first time. The default policy is pretty bad since
> > it usually includes many files that are not installed on a typical
> > system and the rules in place for the root account and for log files
> > require much adjustment.
>
> I second that. The default RedHat policy file was horrible. Instead of
> checking for everything in /bin, /sbin, /etc and other important places
> (and having exceptions for a few "special" files to keep noise low), it
> had lists of files to check. It generated tons of errors if you didn't
> have the full distro installed, and it had gaping holes in files it hadn't
> checked (not to mention it was unable to detect addition of files).
>

Yup, same as I found here. Getting the right options for the various log files seemed to take me the most time. I have gotten pretty good at editing the policy file after the first run of tripwire, removing rules that don't apply since I don't have many of the packages the default policy file is looking for. I also suspect that very little work has gone into crafting the default policy; it has not seemed to change in the last several releases.
> If tripwire gets included into the distro again (and it should, there is
> still no good replacement for it), that default policy file should be
> built from scratch.

I agree, tripwire should be included. AIDE does not seem to be a valid option yet. Once you get it set up, tripwire requires minimal care and feeding. But getting it set up correctly is the hard part. I also use a filter in email that helps flag a violation so I know when something has changed without having to read each tripwire report. At one time I had it set up in Big Brother as well so there was a visual alert.

--
Scot L. Harris
webid@xxxxxxxxxx

YOW!! Up ahead! It's a DONUT HUT!!
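As an added illustration (not part of either poster's message, and not the Red Hat default policy), here is a tripwire policy fragment written the way Aleksandar describes: whole directories are checked recursively, with a handful of more specific entries for files that legitimately change, and log files get the grow-only mask rather than the strict one. Rule names, severities and the set of exception paths are assumptions chosen for illustration; the property masks ($(IgnoreNone), $(Growing), $(Dynamic)) and the "!" stop-point syntax are standard tripwire policy language. This is a fragment, so it omits the @@section and global-variable preamble a full twpol.txt carries.

```text
# Added example policy fragment; paths and rule names are illustrative.

# Property masks.  IgnoreNone checks every property; "-SHa" drops the
# SHA and HAVAL hashes (MD5 and CRC32 are still checked) and the access
# time, which changes whenever a file is merely read.
SEC_CRIT   = $(IgnoreNone)-SHa ;   # binaries and config: any change is a violation
SEC_LOG    = $(Growing) ;          # log files may grow; shrinking or owner/mode changes are flagged
SEC_CONFIG = $(Dynamic) ;          # files whose content changes routinely; only owner/mode/type matter

(
  rulename = "Critical system binaries",
  severity = 100
)
{
  /bin       -> $(SEC_CRIT) ;      # recursive: new, removed or changed files are all reported
  /sbin      -> $(SEC_CRIT) ;
  /usr/bin   -> $(SEC_CRIT) ;
  /usr/sbin  -> $(SEC_CRIT) ;
  /lib       -> $(SEC_CRIT) ;
}

(
  rulename = "System configuration",
  severity = 100
)
{
  /etc             -> $(SEC_CRIT) ;
  # A more specific entry overrides the recursive /etc rule for the
  # few files that are rewritten in normal operation.
  /etc/mtab        -> $(SEC_CONFIG) ;   # rewritten on every mount
  /etc/adjtime     -> $(SEC_CONFIG) ;   # updated by the clock routines
  !/etc/mail/statistics ;               # stop point: never inspected
}

(
  rulename = "System log files",
  severity = 66
)
{
  /var/log           -> $(SEC_CONFIG) ;   # catch new or deleted log files, ignore content
  /var/log/messages  -> $(SEC_LOG) ;      # appended to continuously; must only ever grow
  /var/log/secure    -> $(SEC_LOG) ;
  /var/log/lastlog   -> $(SEC_CONFIG) ;   # fixed-size, rewritten in place on each login
  /var/log/wtmp      -> $(SEC_CONFIG) ;
}
```

With directory rules like these, a file dropped into /sbin shows up as "Added" on the next check, which a per-file list cannot do; the cost is the initial noise from things like rotated logs, which is why each exception is listed explicitly and narrowly rather than by loosening the directory mask. After editing, the policy is re-signed with twadmin --create-polfile and the database re-initialized, as Scot notes above.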