tripwire: paranoid setup - key file vulnerability?
Should the site.key and <hostname>-local.key files be deleted following --init?
After installing and initialising Tripwire, there are a number of files that may pose a security threat if not deleted. The twpol.txt and twcfg.txt definitely need to be deleted. The site.key and <hostname>-local.key files are needed to perform a cron initiated --check. However, the existence of the site.key allows the twpol.txt to be recreated from the tw.pol file (without the entry of a passphrase). Thus an intruder who has root privileges can avoid detection by modifying a file I am not checking. Which files can safely be readable to an intruder? Can I have a cron --check job without compromising my system? Should I run two parallel tripwire databases, one paranoid on a CD-R and one for daily checks? Can anyone suggest a lightweight policy set for daily checks?
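One way to keep a cron-driven --check honest while the policy and key files stay on the host, as an added example that is not from the original post: a wrapper that refuses to run unless tw.cfg, tw.pol and the key files still match a SHA-256 manifest written to read-only media at a known-clean time. The /etc/tripwire and /mnt/cdrom paths, the tw-cron-check name and the TW_CRON_RUN variable are assumptions; the tripwire --check options are the ones from tripwire(8).

```shell
#!/bin/sh
# Cron wrapper for tripwire --check (added example, not the poster's code).
# Idea: record a SHA-256 manifest of the config, policy and key files on
# read-only media while the host is known clean; refuse to run the check
# when any of those files no longer matches it. Keep this script on the
# same read-only medium so a root intruder cannot quietly edit it either.
# Paths below are assumptions for this example.
TW_DIR=${TW_DIR:-/etc/tripwire}
MANIFEST=${MANIFEST:-/mnt/cdrom/tripwire.sha256}

# make_manifest <dir> <manifest-path> <file>...
# Run once from a clean state, e.g.:
#   make_manifest /etc/tripwire /mnt/cdrom/tripwire.sha256 \
#       tw.cfg tw.pol site.key "$(hostname)-local.key"
make_manifest() {
    dir=$1; out=$2; shift 2
    (cd "$dir" && sha256sum "$@") > "$out"
}

# verify_manifest <dir> <manifest-path>
# Returns 0 only if every listed file still has its recorded hash.
# <manifest-path> must be absolute because the check runs inside <dir>.
verify_manifest() {
    (cd "$1" && sha256sum --check --strict --quiet "$2")
}

# run_check: verify first, then run the integrity check with explicit paths
# so a swapped tw.cfg cannot redirect tripwire to a different policy or keys.
run_check() {
    if ! verify_manifest "$TW_DIR" "$MANIFEST"; then
        echo "tripwire: config/policy/key files differ from manifest; check not run" >&2
        return 2
    fi
    tripwire --check \
        --cfgfile "$TW_DIR/tw.cfg" --polfile "$TW_DIR/tw.pol" \
        --site-keyfile "$TW_DIR/site.key" \
        --local-keyfile "$TW_DIR/$(hostname)-local.key"
}

# Cron entry (assumed install path):
#   0 3 * * * TW_CRON_RUN=1 /mnt/cdrom/tw-cron-check
if [ "${TW_CRON_RUN:-0}" = 1 ]; then
    run_check
fi
```

This covers the "modified policy goes unnoticed" half of the question; a root intruder can still read the policy, so the manifest is a detection measure, not secrecy.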
Remote tripwire check
1) Type the following in a file named "remtripcheck"
    #!/usr/bin/expect --
    # usage: remtripcheck <host> <root-password>
    set timeout 180
    set machine [lindex $argv 0]
    set password [lindex $argv 1]
    # run the check over ssh and answer the password prompt
    spawn ssh root@$machine tripwire --check
    expect "root@$machine's password: "
    send "$password\n"
    interact

2) make it an executable script
    chmod 711 remtripcheck
3) Make it a command
    mv remtripcheck /bin
4) Then, if you want to run a tripwire check on any remote machine, the syntax is
    remtripcheck <Mach ip address> <root password>
5) Done
Now you can write another script to execute this command in your machine's cron rather than on the machine where the tripwire is installed.