Red Hat Bugzilla – Bug 76877
tripwire needs to be "rpm aware"
Last modified: 2007-04-18 12:47:59 EDT
Description of Problem: Setting up tripwire is a lot of work initially, as the default twpol.txt file looks like it was created based on an "everything" installation, so during the initial setup on a more typical system, a lot of references need to be commented so that the the database will initialize cleanly and the nightly reports will not show row after row of things like this: ### Warning: File system error. ### Filename: /proc/rtc ### No such file or directory ### Continuing... If each RPM package dropped a portion of a config file into /etc/tripwire.d (for sake of discussion purposes) and the files in that directory were later combined to create /etc/tripwire/twpol.txt, or tripwire was able to read those files directly, this would not only solve the initial configuration issue, but also the case where a package is later added to the system, and the policy file needs to be updated to reflect it. It is very easy to imagine that a new package is installed during an errata update and the sysadmin may not think to update the policy file, or may only partially update it since there are so many sections to touch, or may add the wrong files to the wrong sections of the policy file. Version-Release number of selected component (if applicable): tripwire-2.3.1-5
I agree 100% with Andrew's comments. Currently, twpol.txt is a BEAST to maintain. I think that one of the following two techniques should be used: 1. (Andrew's idea) RPM packages install twpol.txt fragments into /etc/tripwire.d. The problem is that every RPM package would need to be modified to provide this information to tripwire. Any people who don't use tripwire might not want their systems cluttered with this otherwise useless data. 2. Write a tool that queries a system's RPM database and generates a reasonable twpol.txt. An administrator could review this file and initialize tripwire using it. This is really what package management tools like RPM are for, right? They should provide users with information about what is on their systems. Combining ideas one and two, RPM could even be enhanced with security-related database entries. These entries could be queried using the new, streamlined version 2.0 of the tool developed for technque two. Imagine: # rpm -qz util-linux /bin/arch ReadOnly /bin/dmesg ReadOnly /etc/fdprm Dynamic ... /var/log/just_to_prove_a_point Growing ... # rpm -qz some_package ERROR: Package author has not provided security information Now THAT's cool (but would require additions to the RPM specification).
Hint: rpm-4.1 verifies digital signatures whenever a header is read. Headers contain MD5 sums for files. So on the todo list is to teach tripwire how to read an rpm database. and to teach rpm --verify to do a couple more tasks that tripwire does.
*** Bug 58910 has been marked as a duplicate of this bug. ***
Closing bug, since tripwire hasn't been shipped for so long, only in Legacy releases.