Mailinglist Archive: opensuse-security (409 mails)

Re: [suse-security] Tips zur tripwire config?
  • From: "Philippe Vogel" <filiaap@xxxxxxxxxx>
  • Date: Thu, 15 Aug 2002 13:38:20 +0200
  • Message-id: <002c01c24450$41b10d70$52ef5b86@xxxxxxxxxxxxxxxxxx>
>Yes you did. In theory you can even start with
>
>/ R
>
>giving you lots and lots of false alarms and approaching step by step
>the configuration I've mailed by excluding files which change without
>any intrusion.

Paths are taken from aide, but can be used with tripwire, too!

To get less output and faster checking, only set up the paths that need
checking!

Useful (change to your desired settings):

Remark: "/" = use path, "!/" = leave path out; change to the setting in
tripwire (may be the same, I do not use it anymore, I use aide).

/boot
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
/usr/games
/lib
/usr/lib
/usr/local/lib
!/dev/pts
/dev
!/var/run
!/proc
/etc/cron.daily
/etc/cron.monthly
/etc/cron.weekly
/var/spool/cron
/var/spool/cron/tabs
/usr/man
/usr/share/man
/usr/local/man

> You should definitely think about where to store the tripwire
> database: It doesn't help to have a checksum for a file if the
> intruder may change file AND checksum.

Simple:

Make the partition read-only and remove the kernel capability with compartment or
lcap.
I use /boot so that attackers cannot change my boot system, and there is
enough space for the checksum file (under 4 MB needed).
The only problem is you have to set the capability to update the database if
you made big updates and are sure the update is O.K.
For this you should make your own scripts.

Philippe
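As an added example, not part of this post and not aide's or tripwire's own code: a small Python checker that reads path rules in the "/" and "!/" notation listed above, builds a sha256 database over the selected files only (never walking into excluded trees such as /proc), and reports added, removed and changed files against a stored database. The longest-matching-prefix rule, the RULES list and the constructed sample tree are assumptions for illustration, not aide's actual regex matching.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed rule list in the post's notation: "/path" = check, "!/path" = leave out.
RULES = ["/bin", "/dev", "!/dev/pts", "!/proc", "!/var/run", "/etc/cron.daily"]

def parse_rules(lines):
    """Turn "/x" and "!/x" lines into (prefix, include) tuples, skipping blanks and comments."""
    lines = [l.strip() for l in lines if l.strip() and not l.strip().startswith("#")]
    return [(l.lstrip("!").rstrip("/") or "/", not l.startswith("!")) for l in lines]
def is_checked(path, rules):
    """Longest matching prefix rule wins (assumed simplification of aide's regex matching)."""
    hits = [(p, i) for p, i in rules if p == "/" or path == p or path.startswith(p + "/")]
    return bool(hits) and max(hits, key=lambda h: len(h[0]))[1]
def descend(d, rules):
    """Walk into a directory only if it is checked itself or an include rule lies beneath it."""
    return is_checked(d, rules) or any(i and p.startswith(d.rstrip("/") + "/") for p, i in rules)
def build_db(root, rules):
    """Map logical path -> sha256 of every checked file below root, never entering skipped trees."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        ldir = "/" if rel == "." else "/" + rel.replace(os.sep, "/")
        dirnames[:] = [d for d in dirnames if descend(ldir.rstrip("/") + "/" + d, rules)]
        for name in filenames:
            logical = ldir.rstrip("/") + "/" + name
            if is_checked(logical, rules):
                db[logical] = hashlib.sha256(Path(dirpath, name).read_bytes()).hexdigest()
    return db
def compare(old, new):
    """Sorted (added, removed, changed) logical paths between a stored and a fresh database."""
    changed = sorted(p for p in old if p in new and old[p] != new[p])
    return sorted(set(new) - set(old)), sorted(set(old) - set(new)), changed
def write(root, rel, data):  # helper for the constructed sample tree only
    Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
    Path(root, rel).write_bytes(data)
def demo():
    """Constructed tree: baseline, then a tampered rerun; returns (baseline paths, added, removed, changed)."""
    rules = parse_rules(RULES)
    with tempfile.TemporaryDirectory() as root:
        for rel, data in {"bin/ls": b"ls", "dev/null": b"", "dev/pts/0": b"tty", "proc/cpuinfo": b"cpu",
                          "var/run/x.pid": b"1", "etc/cron.daily/job": b"#!/bin/sh\n"}.items():
            write(root, rel, data)
        baseline = build_db(root, rules)
        write(root, "bin/ls", b"ls-modified")               # modified binary in a checked path
        write(root, "bin/extra", b"new")                    # new file in a checked path
        Path(root, "etc/cron.daily/job").unlink()           # removed cron job
        return (sorted(baseline),) + compare(baseline, build_db(root, rules))
```

Run against a real root, the stored dictionary is the part that belongs on the read-only partition the post describes; a rerun that reports changes in /bin or /sbin is the alarm.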
