Bug 76877 - tripwire needs to be "rpm aware"
Summary: tripwire needs to be "rpm aware"
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: tripwire
Version: 7.2
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Florian La Roche
QA Contact: David Lawrence
: 58910 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2002-10-28 16:47 UTC by Red Hat Production Operations
Modified: 2007-04-18 16:47 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2006-04-22 00:48:52 UTC

Attachments (Terms of Use)

Description Need Real Name 2002-10-28 16:47:29 UTC
Description of Problem:

Setting up tripwire is a lot of work initially, as the default twpol.txt file
looks like it was created based on an "everything" installation, so during the
initial setup on a more typical system, a lot of references need to be 
commented so that the the database will initialize cleanly and the nightly
reports will not show row after row of things like this:

### Warning: File system error.
### Filename: /proc/rtc
### No such file or directory
### Continuing...

If each RPM package dropped a portion of a config file into /etc/tripwire.d
(for sake of discussion purposes) and the files in that directory were later
combined to create /etc/tripwire/twpol.txt, or tripwire was able to read those
files directly, this would not only solve the initial configuration issue, but
also the case where a package is later added to the system, and the policy file
needs to be updated to reflect it.  

It is very easy to imagine that a new package is installed during an errata
update and the sysadmin may not think to update the policy file, or may only
partially update it since there are so many sections to touch, or may add the
wrong files to the wrong sections of the policy file.

Version-Release number of selected component (if applicable):


Comment 1 W. Michael Petullo 2002-11-11 15:52:39 UTC
I agree 100% with Andrew's comments.  Currently, twpol.txt is a BEAST to
maintain.    I think that one of the following two techniques should be used:

1.  (Andrew's idea)  RPM packages install twpol.txt fragments into
/etc/tripwire.d.  The problem is that every RPM package would need to be
modified to provide this information to tripwire.  Any people who don't use
tripwire might not want their systems cluttered with this otherwise useless data.

2.  Write a tool that queries a system's RPM database and generates a reasonable
twpol.txt.  An administrator could review this file and initialize tripwire
using it.  This is really what package management tools like RPM are for, right?
 They should provide users with information about what is on their systems.  

Combining ideas one and two, RPM could even be enhanced with security-related
database entries.  These entries could be queried using the new, streamlined
version 2.0 of the tool developed for technque two.  Imagine:

# rpm -qz util-linux
/bin/arch ReadOnly
/bin/dmesg ReadOnly
/etc/fdprm Dynamic
/var/log/just_to_prove_a_point Growing

# rpm -qz some_package
ERROR: Package author has not provided security information

Now THAT's cool (but would require additions to the RPM specification).

Comment 2 Jeff Johnson 2002-11-11 16:04:11 UTC
Hint: rpm-4.1 verifies digital signatures
whenever a header is read. Headers contain MD5
sums for files.

So on the todo list is to teach tripwire how to
read an rpm database. and to teach rpm --verify
to do a couple more tasks that tripwire does.

Comment 3 Jeff Johnson 2002-11-16 20:32:44 UTC
*** Bug 58910 has been marked as a duplicate of this bug. ***

Comment 4 John Thacker 2006-04-22 00:48:52 UTC
Closing bug, since tripwire hasn't been shipped for so long, only in Legacy

Note You need to log in before you can comment on or make changes to this bug.