Re: [suse-security] Tips zur tripwire config? - openSUSE Security - openSUSE Mailing Lists

newer
how can i have public IPs in the...

Re: [suse-security] Tips zur tripwire config?

older
Transparent Proxy

Philippe Vogel

14 Aug 2002 14 Aug '02

15:44

Hi all!

hier mal ein `df -h` meiner firewall....[snipped]

1) Nonsense? 2) Look in the /usr/share/doc/packages/tripwire for help and read how tripwire works and how to configure it. 3) Better use aide instead! 4) For all newbies, this is an english mailinglist, because of international users. 5) It is not polite to think everybody is speaking german or whatever here! reguards Philippe P.S.: What about a fund? 5â,¬ for each mail in german, 10â,¬ for offtopic mails! Would be enough money to have a big party after some weeks! :-)

Reply

Sign in to reply online Use email software

Show replies by date

Andreas Wagner

14 Aug 14 Aug

23:25

New subject: [suse-security] Tips zur tripwire config?

Hi List, * Philippe Vogel [020814 17:44]:

Date: Wed, 14 Aug 2002 17:44:31 +0200 X-Mailer: Microsoft Outlook Express 6.00.2600.0000 Subject: Re: [suse-security] Tips zur tripwire config?

3) Better use aide instead!

I think i have understood the basics of tripwire. Aide's docu is not very verbose, to say the least - they say they provide some better functionality that tw, but maybe this refers to an older version of tw... 1) What are the advantages/disadvantages of tripwire/aide respectively? 2) did i get it right that it's best to start with the provided conf examples and then get rid of entries causing false alarms? 3) are there other options to think about than monitoring inclusions/ exclusions? Thanx for your help, Andreas PS. Bear with me, i'm relatively newbie (fought my way through installing mutt, postfix, snort, AntiVir, AVMailGate, nessus in the last couple of weeks tho) and this is my first posting to the list... I bet i'll come back with more detailed questions... -- Andreas Wagner Press any key to continue or any other key to quit... -- My Public PGP Keys: 1024 Bit DH/DSS: http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=0x869F81BA 768 Bit RSA: http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=0x1AD97BA5

Reply

Sign in to reply online Use email software

Matthias Riese

15 Aug 15 Aug

07:12

New subject: [suse-security] Tips zur tripwire config?

Andreas Wagner writes:

Hi List,

* Philippe Vogel [020814 17:44]:

...
Date: Wed, 14 Aug 2002 17:44:31 +0200 X-Mailer: Microsoft Outlook Express 6.00.2600.0000 Subject: Re: [suse-security] Tips zur tripwire config?

3) Better use aide instead!

I think i have understood the basics of tripwire. Aide's docu is not very verbose, to say the least - they say they provide some better functionality that tw, but maybe this refers to an older version of tw...

1) What are the advantages/disadvantages of tripwire/aide respectively? 2) did i get it right that it's best to start with the provided conf examples and then get rid of entries causing false alarms?

Yes you did. In theory you can even start with / R giving you lots and lots of false alarms and approaching step by step the configuration I've mailed by exluding files which change without any intrusion.

3) are there other options to think about than monitoring inclusions/ exclusions?

You should definitely think about where to store the tripwire database: It doesn't help to have a checksum for a file if the intruder may change file AND checksum. Regards, Matthias

Reply

Sign in to reply online Use email software

Philippe Vogel

11:38

New subject: [suse-security] Tips zur tripwire config?

Yes you did. In theory you can even start with

/ R

giving you lots and lots of false alarms and approaching step by step the configuration I've mailed by exluding files which change without any intrusion.

Paths taken from aide, but can be used with tripwire, too! To get less output and faster checking only setup needed paths for checking! Useful (change to your desired settings): Remark: "/" = use path "!/" = leave path out change to setting in tripwire (may be the same, I do not use it anymore, I use aide) /boot /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /usr/games /lib /usr/lib /usr/local/lib !/dev/pts /dev !/var/run !/proc /etc/cron.daily /etc/cron.monthly /etc/cron.weekly /var/spool/cron /var/spool/cron/tabs /usr/man /usr/share/man /usr/local/man

You should definitely think about where to store the tripwire database: It doesn't help to have a checksum for a file if the intruder may change file AND checksum.

Simple: Make partition readonly and remove kernel capability with compardment or lcap. I take /boot for not letting attackers change my bootsystem and there is enough place for the checksumfile (under 4 MB needed). The only problem is you have to set capability to update database, if you made big updates and are shure, the update is O.K. For this you should make your own skripts. Philippe

Reply

Sign in to reply online Use email software

Andreas Wagner

16 Aug 16 Aug

12:04

New subject: [suse-security] Tips zur tripwire config?

Thanks a lot Philippe and Matthias, i will try my luck. (With tripwire first, maybe i can come back later and ask for the tripwire/aide issue) CU, Andreas

Reply

Sign in to reply online Use email software

Andreas Wagner

21 Aug 21 Aug

22:04

New subject: [suse-security] Tips zur tripwire config?

Hi again, i've come across this nice site with a comparison of aide/tw and since i found such info hard to obtain, i thought i'd post it here: http://www.fbunet.de/aide.shtml In my reading, the bottomline is: tripwire signs its database (while aide doesn't) and has "nicer" reports, while aide supports more algorithms and is considerably faster. I think i'll have a look for what additional tools are there for tw and go for it... CU, Andreas * Andreas Wagner [020816 14:08]:

Date: Fri, 16 Aug 2002 14:04:23 +0200 From: Andreas Wagner To: suse-security@suse.com Message-ID: <20020816120423.GB5689@hermes.commontology.de> Reply-To: Andreas Wagner Mail-Followup-To: suse-security@suse.com User-Agent: Mutt/1.3.27i X-Uptime: 9:54am up 44 min, 6 users, load average: 0.05, 0.06, 0.16 X-Mailer: mutt/Linux hermes 2.4.18-4GB $1 Wed Mar 27 13:57:05 UTC 2002 i686 unknown X-AntiVirus: OK! AntiVir MailGate Version 2.0.1; AVE: 6.14.0.1; VDF: 6.14.0.18 at localhost has not found any known virus in this email. X-AntiVirus: OK! AntiVir MailGate Version 2.0.1; AVE: 6.14.0.1; VDF: 6.14.0.18 at localhost has not found any known virus in this email. Subject: Re: [suse-security] Tips zur tripwire config? X-MailScanner: Found to be clean

Thanks a lot Philippe and Matthias, i will try my luck. (With tripwire first, maybe i can come back later and ask for the tripwire/aide issue)

CU, Andreas

-- heck the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

-- If God had intended man to smoke, He would have set him on fire. -- My Public PGP Keys: 1024 Bit DH/DSS: http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=0x869F81BA 768 Bit RSA: http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=0x1AD97BA5

Reply

Sign in to reply online Use email software

7920

Age (days ago)

7927

Last active (days ago)

Download

5 comments

3 participants

tags

participants (3)

Andreas Wagner
Matthias Riese
Philippe Vogel