Re: [suse-security] Tips for the tripwire config?
Hi all!
Here is a `df -h` of my firewall....[snipped]
1) Nonsense?
2) Look in /usr/share/doc/packages/tripwire for help and read how tripwire works and how to configure it.
3) Better use aide instead!
4) For all newbies: this is an English mailing list, because of international users.
5) It is not polite to think everybody is speaking German or whatever here!
Regards,
Philippe
P.S.: What about a fund? 5 € for each mail in German, 10 € for off-topic mails! Would be enough money to have a big party after some weeks! :-)
Hi List,
* Philippe Vogel (Wed, 14 Aug 2002 17:44:31 +0200):
> 3) Better use aide instead!
I think I have understood the basics of tripwire.
Aide's docu is not very verbose, to say the least -
they say they provide some better functionality than
tw, but maybe this refers to an older version of tw...
1) What are the advantages/disadvantages of tripwire/aide respectively?
2) Did I get it right that it's best to start with the provided conf
examples and then get rid of entries causing false alarms?
3) Are there other options to think about than monitoring inclusions/
exclusions?
Thanx for your help,
Andreas
PS. Bear with me, I'm a relative newbie (fought my way through
installing mutt, postfix, snort, AntiVir, AVMailGate, nessus in the last
couple of weeks though) and this is my first posting to the list...
I bet I'll come back with more detailed questions...
--
Andreas Wagner
> Hi List,
> * Philippe Vogel [020814 17:44]:
>> 3) Better use aide instead!
> I think I have understood the basics of tripwire. Aide's docu is not very verbose, to say the least - they say they provide some better functionality than tw, but maybe this refers to an older version of tw...
> 1) What are the advantages/disadvantages of tripwire/aide respectively?
> 2) Did I get it right that it's best to start with the provided conf examples and then get rid of entries causing false alarms?
Yes you did. In theory you can even start with `/ R`, giving you lots and lots of false alarms, and approach step by step the configuration I've mailed by excluding files which change without any intrusion.
> 3) Are there other options to think about than monitoring inclusions/exclusions?
You should definitely think about where to store the tripwire database: it doesn't help to have a checksum for a file if the intruder may change file AND checksum.
Regards,
Matthias
> Yes you did. In theory you can even start with `/ R`, giving you lots and lots of false alarms, and approach step by step the configuration I've mailed by excluding files which change without any intrusion.
Paths taken from aide, but can be used with tripwire, too! To get less output and faster checking, only set up the needed paths for checking! Useful (change to your desired settings):
Remark: "/" = use path, "!/" = leave path out; change to the setting in tripwire (may be the same, I do not use it anymore, I use aide).
/boot
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
/usr/games
/lib
/usr/lib
/usr/local/lib
!/dev/pts
/dev
!/var/run
!/proc
/etc/cron.daily
/etc/cron.monthly
/etc/cron.weekly
/var/spool/cron
/var/spool/cron/tabs
/usr/man
/usr/share/man
/usr/local/man
> You should definitely think about where to store the tripwire database: it doesn't help to have a checksum for a file if the intruder may change file AND checksum.
Simple: make the partition read-only and remove the kernel capability with compartment or lcap. I take /boot for not letting attackers change my boot system, and there is enough space for the checksum file (under 4 MB needed). The only problem is you have to set the capability to update the database if you made big updates and are sure the update is O.K. For this you should make your own scripts.
Philippe
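An added example in POSIX shell, not from the thread and not Philippe's own script, that ties his two answers together. It converts the aide-style path list above into tripwire policy lines ("/path" becomes a rule with tripwire's predefined $(ReadOnly) property mask, "!/path" becomes a tripwire stop point) and then checks, from a /proc/mounts-style table, whether the filesystem holding the tripwire database is mounted read-only, which is the precondition both Matthias's warning and the /boot suggestion rely on. The mounts table, the database file name and the rule name/severity are constructed placeholders; the script does not remount anything and does not touch capabilities (that part stays with lcap or compartment, as Philippe says).

```shell
#!/bin/sh
# Added example, not from the thread: build tripwire policy rules from the
# aide-style path list and verify the database lives on a read-only filesystem.

# Philippe's path list in aide notation: "/path" include, "!/path" leave out.
PATHS='/boot
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
/usr/games
/lib
/usr/lib
/usr/local/lib
!/dev/pts
/dev
!/var/run
!/proc
/etc/cron.daily
/etc/cron.monthly
/etc/cron.weekly
/var/spool/cron
/var/spool/cron/tabs
/usr/man
/usr/share/man
/usr/local/man'

# Constructed /proc/mounts-style table (device mountpoint fstype options dump pass);
# on a real host pass "$(cat /proc/mounts)" instead.
MOUNTS='/dev/hda2 / ext2 rw 0 0
/dev/hda1 /boot ext2 ro 0 0
proc /proc proc rw 0 0
/dev/hda3 /var ext2 rw 0 0'

# Assumed database location (hypothetical file name), following the /boot idea.
DBFILE=/boot/tripwire/hermes.twd

# aide_to_twpol: read one aide-style path per line on stdin and print the
# equivalent tripwire policy lines. Inclusions get tripwire's predefined
# $(ReadOnly) property mask; "!" entries become tripwire stop points.
aide_to_twpol() {
    while IFS= read -r p; do
        case "$p" in
            '' | '#'*) ;;                                   # blank line or comment
            '!/'*)     printf '%s ;\n' "$p" ;;              # stop point
            /*)        printf '%s -> $(ReadOnly) ;\n' "$p" ;;
            *)         printf 'aide_to_twpol: skipping malformed entry: %s\n' "$p" >&2 ;;
        esac
    done
}

# db_mount_is_ro FILE MOUNTS_TEXT: succeed (exit 0) when the longest mountpoint
# that is a prefix of FILE is mounted with the "ro" option, fail otherwise.
db_mount_is_ro() {
    db=$1
    best=''
    bestopts=''
    while read -r dev mnt fstype opts dump pass; do
        [ -n "$mnt" ] || continue
        if [ "$mnt" = / ]; then
            match=1                       # root matches every absolute path
        else
            case "$db" in "$mnt" | "$mnt"/*) match=1 ;; *) match=0 ;; esac
        fi
        if [ "$match" -eq 1 ] && [ ${#mnt} -gt ${#best} ]; then
            best=$mnt
            bestopts=$opts
        fi
    done <<EOF
$2
EOF
    [ -n "$best" ] || return 1            # no matching mount at all
    case ",$bestopts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Stand-alone run: print a tripwire rule block, then report on the database.
printf '(\n  rulename = "Paths from aide list",\n  severity = 100\n)\n{\n'
printf '%s\n' "$PATHS" | aide_to_twpol | sed 's/^/  /'
printf '}\n'
if db_mount_is_ro "$DBFILE" "$MOUNTS"; then
    echo "$DBFILE: filesystem is mounted read-only"
else
    echo "$DBFILE: WARNING: filesystem is writable, database and checksums can be altered together"
fi
```

Run as `sh script.sh` to get a rule block you can paste into twpol.txt and adjust; a database-update script of the kind Philippe mentions would call db_mount_is_ro after its remount step to confirm the protection is back before exiting.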
Thanks a lot Philippe and Matthias, I will try my luck. (With tripwire first; maybe I can come back later and ask about the tripwire/aide issue)
CU,
Andreas
Hi again,
I've come across this nice site with a comparison of aide/tw and since I
found such info hard to obtain, I thought I'd post it here:
http://www.fbunet.de/aide.shtml
In my reading, the bottom line is: tripwire signs its database (while
aide doesn't) and has "nicer" reports, while aide supports more
algorithms and is considerably faster.
I think I'll have a look for what additional tools are there for tw and
go for it...
CU,
Andreas
* Andreas Wagner, Fri, 16 Aug 2002 14:04:23 +0200, Message-ID: <20020816120423.GB5689@hermes.commontology.de>
Participants (3): Andreas Wagner, Matthias Riese, Philippe Vogel