Mailinglist Archive: opensuse-security (409 mails)

Re: [suse-security] Tips zur tripwire config?
  • From: Matthias Riese <matthias.riese@xxxxxxxxxxxxx>
  • Date: 15 Aug 2002 09:12:43 +0200
  • Message-id: <m2sn1gegt0.fsf@xxxxxxxxx>
Andreas Wagner <A.Wagner@xxxxxxxxxxxxxxxxxxxxx> writes:

> Hi List,
>
> * Philippe Vogel <filiaap@xxxxxxxxxx> [020814 17:44]:
> > Date: Wed, 14 Aug 2002 17:44:31 +0200
> > X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> > Subject: Re: [suse-security] Tips zur tripwire config?
> >
> > 3) Better use aide instead!
>
> I think I have understood the basics of tripwire.
> Aide's docu is not very verbose, to say the least -
> they say they provide some better functionality than
> tw, but maybe this refers to an older version of tw...
>
> 1) What are the advantages/disadvantages of tripwire/aide respectively?
> 2) Did I get it right that it's best to start with the provided conf
> examples and then get rid of entries causing false alarms?

Yes you did. In theory you can even start with

/ R

giving you lots and lots of false alarms and approaching step by step
the configuration I've mailed by excluding files which change without
any intrusion.

> 3) are there other options to think about than monitoring inclusions/
> exclusions?

You should definitely think about where to store the tripwire
database: It doesn't help to have a checksum for a file if the
intruder may change file AND checksum.

Regards, Matthias
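
The point about database storage, as an added example that is not part of the original mail and is not tripwire's or aide's own mechanism: a checksum database sealed with an HMAC whose key is kept off the monitored host, so that changing file and checksum together is still detected. The key, the file name `login` and the function names are constructed for illustration.

```python
import hashlib, hmac, json, os, tempfile

def snapshot(paths):
    """Map each path to the SHA-256 of its contents (the checksum database)."""
    db = {}
    for p in paths:
        with open(p, "rb") as f:
            db[p] = hashlib.sha256(f.read()).hexdigest()
    return db

def seal(db, key):
    """Serialize the database and append an HMAC made with a key kept off-host."""
    body = json.dumps(db, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag

def check(sealed, key, paths):
    """Return 'db-tampered', or the sorted list of changed paths ([] if clean)."""
    body, _, tag = sealed.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return "db-tampered"
    old, new = json.loads(body), snapshot(paths)
    return sorted(p for p in paths if old.get(p) != new[p])

def demo():
    """Constructed scenario: a file is changed, then the database is rewritten."""
    key = b"constructed-demo-key-kept-off-host"  # assumption: never stored on the host
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "login")  # constructed stand-in for a system file
        with open(target, "wb") as f:
            f.write(b"original contents")
        sealed = seal(snapshot([target]), key)
        clean = check(sealed, key, [target])
        with open(target, "wb") as f:
            f.write(b"modified contents")
        file_only = check(sealed, key, [target])
        # Database rewritten to match the new file, but without the key the
        # old tag no longer fits the new body.
        new_body = json.dumps(snapshot([target]), sort_keys=True).encode()
        forged = new_body + b"\n" + sealed.rpartition(b"\n")[2]
        both = check(forged, key, [target])
        # A plain checksum list with no seal would accept the rewritten database:
        unsealed_match = json.loads(new_body) == snapshot([target])
    return clean, file_only, both, unsealed_match

if __name__ == "__main__":
    print(demo())
```

The same effect can be had without a key by keeping the database itself on read-only or off-host media and comparing against that copy.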

