Red Hat Bugzilla – Bug 76877
tripwire needs to be "rpm aware"
Last modified: 2007-04-18 12:47:59 EDT
Description of Problem:
Setting up tripwire is a lot of work initially, as the default twpol.txt file
looks like it was created based on an "everything" installation, so during the
initial setup on a more typical system, a lot of references need to be
commented so that the the database will initialize cleanly and the nightly
reports will not show row after row of things like this:
### Warning: File system error.
### Filename: /proc/rtc
### No such file or directory
If each RPM package dropped a portion of a config file into /etc/tripwire.d
(for sake of discussion purposes) and the files in that directory were later
combined to create /etc/tripwire/twpol.txt, or tripwire was able to read those
files directly, this would not only solve the initial configuration issue, but
also the case where a package is later added to the system, and the policy file
needs to be updated to reflect it.
It is very easy to imagine that a new package is installed during an errata
update and the sysadmin may not think to update the policy file, or may only
partially update it since there are so many sections to touch, or may add the
wrong files to the wrong sections of the policy file.
Version-Release number of selected component (if applicable):
I agree 100% with Andrew's comments. Currently, twpol.txt is a BEAST to
maintain. I think that one of the following two techniques should be used:
1. (Andrew's idea) RPM packages install twpol.txt fragments into
/etc/tripwire.d. The problem is that every RPM package would need to be
modified to provide this information to tripwire. Any people who don't use
tripwire might not want their systems cluttered with this otherwise useless data.
2. Write a tool that queries a system's RPM database and generates a reasonable
twpol.txt. An administrator could review this file and initialize tripwire
using it. This is really what package management tools like RPM are for, right?
They should provide users with information about what is on their systems.
Combining ideas one and two, RPM could even be enhanced with security-related
database entries. These entries could be queried using the new, streamlined
version 2.0 of the tool developed for technque two. Imagine:
# rpm -qz util-linux
# rpm -qz some_package
ERROR: Package author has not provided security information
Now THAT's cool (but would require additions to the RPM specification).
Hint: rpm-4.1 verifies digital signatures
whenever a header is read. Headers contain MD5
sums for files.
So on the todo list is to teach tripwire how to
read an rpm database. and to teach rpm --verify
to do a couple more tasks that tripwire does.
*** Bug 58910 has been marked as a duplicate of this bug. ***
Closing bug, since tripwire hasn't been shipped for so long, only in Legacy