[wplug] System file permission, owner and group auditing utility - Options

Poyner, Brandon bpoyner at ccac.edu
Tue Apr 12 10:19:41 EDT 2005


I wouldn't say nobody can touch your Tripwire configuration, it's just
that most script kiddies wouldn't know any better.  Assuming I have the
file permission rights (right after the r00tkit is installed) I could
certainly go in and blow away your tripwire configuration and replace it
with my own and even reinitialize the database so that everything looks
clean after a 'tripwire --check'.  You might not even know better until
you try to go in and make configuration changes and the passwords no
longer work.  That's part of the reason they recommend you keep a recent
copy of the .twd file some place else, say a CD-R.  

For what it's worth there is also commercial support for Tripwire and it
can run on multiple platforms (Windows included).  Tripwire is located
in the Fedora Core Extras beginning with Core 3.

Brandon Poyner
Network Engineer III
CCAC - College Office
412-237-3086
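As an added illustration of the signing argument in this thread (example code, not Tripwire's or AIDE's actual format or implementation): a minimal baseline of mode, owner, group and content hash that is authenticated with an HMAC under a key kept off the host, so a baseline regenerated on the compromised machine without that key fails verification. The key, file names and contents are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile

def file_record(path):
    """Mode, owner, group and content hash: the attributes the thread is about."""
    st = os.lstat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
            "gid": st.st_gid, "sha256": digest}

def build_baseline(paths):
    return {p: file_record(p) for p in sorted(paths)}

def sign_baseline(baseline, key):
    """Canonical JSON of the baseline, tagged with HMAC-SHA256 under the operator key."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return {"baseline": baseline, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_signature(signed, key):
    body = json.dumps(signed["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["hmac"])

def check(signed, key):
    """Return (signature_ok, changed_paths). A bad signature means the baseline itself was tampered with."""
    if not verify_signature(signed, key):
        return False, []
    changed = [p for p, rec in signed["baseline"].items() if file_record(p) != rec]
    return True, changed

def demo():
    key = b"operator-passphrase-kept-off-host"  # constructed; in practice never stored on the host
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "passwd")  # constructed sample file, not a real system file
        with open(target, "w") as f:
            f.write("root:x:0:0\n")
        signed = sign_baseline(build_baseline([target]), key)
        ok1, changed1 = check(signed, key)          # 1. untouched: valid, nothing changed
        with open(target, "a") as f:
            f.write("eve:x:0:0\n")
        ok2, changed2 = check(signed, key)          # 2. file altered: valid signature, change reported
        forged = sign_baseline(build_baseline([target]), b"wrong-key")
        ok3, _ = check(forged, key)                 # 3. baseline reinitialised without the key: rejected
    return ok1, changed1, ok2, changed2, ok3

if __name__ == "__main__":
    print(demo())
```

Case 3 is the scenario described above: without the operator's key, a regenerated database cannot be made to look "clean", which is also why a copy of the signed baseline should live off the host.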
 

-----Original Message-----
From: wplug-bounces+bpoyner=ccac.edu at wplug.org
[mailto:wplug-bounces+bpoyner=ccac.edu at wplug.org] On Behalf Of Maloney,
Brad
Sent: Tuesday, April 12, 2005 5:45 AM
To: General user list
Subject: RE: [wplug] System file permission, owner and group auditing
utility - Options

I'm actually in the process of developing a deployment procedure for
Tripwire.  All I can say is that it can be pretty time consuming to set
it up for the first time (I'm still setting it up).  It comes highly
recommended, however.

From my internal testing, I chose Tripwire over AIDE because you can
sign your Tripwire configuration/database.  With AIDE, someone can
compromise your system and alter your AIDE configuration and you
wouldn't know what happened.  What's the point of having an IDS when it
can be so easily circumvented?  No one can touch your Tripwire config
without knowing the right set of passphrases.

If this doesn't matter to you, then choose AIDE.  AIDE is almost two
times faster than Tripwire, as far as scanning.  For the paranoid such
as myself, I will choose security over performance (especially in an
IDS). :)

Good luck with your decision.

Brad Maloney <bmaloney at accessdc.com>
Phone: 412.968.4021  Fax: 412.967.9504
Access Data Corporation - Technology Center
90 Beta Dr., Pittsburgh PA 15238


> Thanks for the responses. 

> Tripwire looks like an option. However, I was wondering if anyone had
> experience with aide http://www.cs.tut.fi/~rammer/aide.html or osiris
> http://www.shmoo.com/osiris/

> Reed 

> Reed Reavis - Software Configuration Management
> Phone: 412-859-2259
> Email: rreavis at fedex.com

_______________________________________________
wplug mailing list
wplug at wplug.org
http://www.wplug.org/mailman/listinfo/wplug