LinuxQuestions.org

Linux - Security > tripwire: paranoid setup - key file vulnerability? (https://www.linuxquestions.org/questions/linux-security-4/tripwire-paranoid-setup-key-file-vulnerability-315038/)

rumex 04-19-2005 05:42 PM

tripwire: paranoid setup - key file vulnerability?

Should the site.key and <hostname>-local.key files be deleted following --init?

After installing and initialising Tripwire, there are a number of files that may pose a security threat if not deleted. The twpol.txt and twcfg.txt definitely need to be deleted.
The site.key and <hostname>-local.key files are needed to perform a cron-initiated --check. However, the existence of the site.key allows the twpol.txt to be recreated from the tw.pol file (without entering a passphrase). Thus an intruder who has root privileges can avoid detection by modifying a file I am not checking.

Which files can safely be readable to an intruder?
Can I have a cron --check job without compromising my system?
Should I run two parallel tripwire databases, one paranoid on a CD-R and one for daily checks? Can anyone suggest a lightweight policy set for daily checks?

vineet.k 04-19-2005 07:43 PM

Remote tripwire check

1) Type the following in a file named "remtripcheck"

#!/usr/bin/expect --

# usage: remtripcheck <host> <root password>
if {[llength $argv] != 2} {
    puts stderr "usage: remtripcheck <host> <root password>"
    exit 1
}

set timeout 180
set machine [lindex $argv 0]
set password [lindex $argv 1]

# run the integrity check over ssh and answer the password prompt
spawn ssh root@$machine tripwire --check
expect "root@$machine's password: "
send "$password\n"

# wait for the remote check to finish (works from cron, where there is no tty),
# then exit with the remote tripwire exit status
expect eof
exit [lindex [wait] 3]

2) make it an executable script

chmod 711 remtripcheck

3) Make it a command

mv remtripcheck /bin

4) Then, if you want to run a tripwire check on any remote machine, the syntax is

remtripcheck <Mach ip address> <root password>

5) Done

Now you can write another script to execute this command in your machine's cron rather than on the machine where tripwire is installed.
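For comparison, here is an added example of the same remote-check idea written as a cron-friendly POSIX shell script. It is not vineet.k's script and not part of the thread: it authenticates with a dedicated SSH key instead of taking the root password as a command-line argument (which would otherwise be visible in process listings, shell history and the crontab), refuses unknown host keys, and turns the bitmask that tripwire --check exits with (tripwire(8): 1 added, 2 removed, 4 changed, 8 error) into a one-line summary for the log. The key path /root/.ssh/tripwire_check and the log directory /var/log/tripwire-remote are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): unattended remote "tripwire --check" over ssh.
# Hypothetical paths, override via environment if needed.
KEYFILE="${KEYFILE:-/root/.ssh/tripwire_check}"
LOGDIR="${LOGDIR:-/var/log/tripwire-remote}"

# Build the ssh command line for one host. BatchMode=yes makes ssh fail instead of
# prompting when the key is rejected, which is what a cron job needs;
# StrictHostKeyChecking=yes refuses unknown or changed host keys.
build_check_command() {
    host="$1"
    printf 'ssh -i %s -o BatchMode=yes -o StrictHostKeyChecking=yes root@%s tripwire --check' \
        "$KEYFILE" "$host"
}

# Decode the tripwire --check exit bitmask (tripwire(8): 1 added, 2 removed,
# 4 changed, 8 error). Prints a comma-separated summary, or "clean" for 0.
describe_tripwire_status() {
    code="$1"
    out=""
    [ $((code & 1)) -ne 0 ] && out="${out}added,"
    [ $((code & 2)) -ne 0 ] && out="${out}removed,"
    [ $((code & 4)) -ne 0 ] && out="${out}changed,"
    [ $((code & 8)) -ne 0 ] && out="${out}error,"
    [ -z "$out" ] && out="clean,"
    printf '%s' "${out%,}"
}

# Run the check against one host; keep the full report and print a summary line.
check_host() {
    host="$1"
    mkdir -p "$LOGDIR"
    report="$LOGDIR/$host.$(date +%Y%m%d-%H%M%S).log"
    if eval "$(build_check_command "$host")" >"$report" 2>&1; then
        status=0
    else
        status=$?
    fi
    printf '%s %s status=%s (%s) report=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$host" "$status" "$(describe_tripwire_status "$status")" "$report"
    return "$status"
}

# Usage from cron on the monitoring host: remtripcheck host1 [host2 ...]
# Exit non-zero if any host reported violations or an error.
if [ "${0##*/}" = "remtripcheck" ]; then
    rc=0
    for h in "$@"; do
        check_host "$h" || rc=1
    done
    exit "$rc"
fi
```

Because the key is the credential, the matching public key on the checked host should be restricted in authorized_keys (for example with a forced command that only runs tripwire --check) so that a compromise of the monitoring host does not hand out a general root shell.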

