tripwire: paranoid setup - key file vulnerability?
Should the site.key and <hostname>-local.key files be deleted following --init?
After installing and initialising Tripwire, there are a number of files that may pose a security threat if not deleted. The twpol.txt and twcfg.txt definitely need to be deleted.
The site.key and <hostname>-local.key files are needed to perform a cron-initiated --check. However, the existence of the site.key allows the twpol.txt to be recreated from the tw.pol file (without the entry of a passphrase). Thus an intruder who has root privileges can avoid detection by modifying a file I am not checking.
Which files can safely be readable to an intruder?
Can I have a cron --check job without compromising my system?
Should I run two parallel Tripwire databases, one paranoid on a CD-R and one for daily checks? Can anyone suggest a lightweight policy set for daily checks?
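One way to approach the cron question raised above, as an added example that is not part of the original post: keep a hash baseline of Tripwire's own control files (tw.pol, tw.cfg, site.key, the local key, the database) on the read-only medium, and have the cron wrapper verify that baseline before it runs the passphrase-less --check, so a root intruder who rewrote tw.pol to exclude their changes is caught before the check is trusted. The file names, the baseline location, the `tripwire --check` invocation and the sample files in `demo` are assumptions about a typical install and constructed test data, not taken from the post.

```shell
#!/bin/sh
# Added example: guard a cron-driven "tripwire --check" by verifying Tripwire's
# own control files against an out-of-band hash baseline first.
# Paths and the tripwire call are assumptions; adjust to the local install.

# SHA-256 of one file; falls back to shasum where coreutils is absent.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Emit a baseline, one "hash  path" line per file. Run this once from a
# trusted state and store the output on the read-only medium (e.g. the CD-R
# that holds the paranoid database). Paths must not contain whitespace.
make_baseline() {
  for f in "$@"; do
    printf '%s  %s\n' "$(hash_file "$f")" "$f"
  done
}

# Compare current hashes against a baseline file. Returns 0 only if every
# listed file exists and is unchanged; reports each mismatch on stderr.
verify_baseline() {
  baseline=$1
  status=0
  while read -r expected path; do
    [ -n "$path" ] || continue
    if [ ! -f "$path" ]; then
      echo "MISSING: $path" >&2
      status=1
      continue
    fi
    actual=$(hash_file "$path")
    if [ "$actual" != "$expected" ]; then
      echo "MODIFIED: $path" >&2
      status=1
    fi
  done < "$baseline"
  return $status
}

# Cron wrapper (assumed layout): refuse to run the check when tw.pol, tw.cfg,
# the keys or the database no longer match the baseline, since an intruder
# who can rewrite tw.pol can make --check ignore whatever they changed.
run_checked() {
  baseline=$1   # e.g. /mnt/cdrom/tripwire-baseline.txt (assumption)
  if ! verify_baseline "$baseline"; then
    echo "tripwire control files do not match baseline; not running --check" >&2
    return 2
  fi
  tripwire --check
}

# Self-test on constructed files (not a real Tripwire install): take a
# baseline, confirm it verifies, simulate a root intruder rewriting tw.pol,
# and confirm verification now fails. Returns 0 when both outcomes hold.
demo() {
  d=$(mktemp -d) || return 1
  printf 'policy v1\n' > "$d/tw.pol"
  printf 'config v1\n' > "$d/tw.cfg"
  printf 'fake-site-key\n' > "$d/site.key"
  make_baseline "$d/tw.pol" "$d/tw.cfg" "$d/site.key" > "$d/baseline.txt"
  verify_baseline "$d/baseline.txt" 2>/dev/null || return 1
  printf 'policy v2, /etc excluded\n' > "$d/tw.pol"   # simulated tampering
  if verify_baseline "$d/baseline.txt" 2>/dev/null; then
    return 1
  fi
  rm -rf "$d"
  return 0
}
```

The baseline itself only has value if it lives somewhere root on the monitored host cannot rewrite, which is why it belongs on the same read-only medium as the paranoid database; a baseline stored on the local disk is just one more file the intruder edits alongside tw.pol.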