On Fri, 2003-01-10 at 08:29, Lorne wrote:
> On Thursday 09 January 2003 10:29 pm, Jack Coates wrote:
> > On Thu, 2003-01-09 at 20:54, Lorne wrote:
> > > I'm having trouble finding a simple piece of information on tripwire.
> > > Since the existing config files aren't designed with Mandrake in mind, it
> > > is pretty useless out of the box. I've got it figured out now, but since
> > > I'm not a total Linux gear head yet I have a dumb question perhaps.
> > >
> > > Is it safe to assume that /sbin and /bin should have no files ever
> > > change? If that is the case, then I need to add every single one to the
> > > file. Obviously files change in /var etc, but I'm a little unsure of all
> > > the files I need to add system wide.
> >
> > /sbin and /bin shouldn't change unless a security patch does it.
> > Tripwire has a directory-level setting, you don't have to enter every
> > single file.
>
> Well that is what I thought, but then why do they follow up in the Red Hat
> version and mark every single file and give it a rating of say SEC_CRIT ??
> Is that redundant? I guess I can test this theory by finding a file not
> currently listed in the pol file, then overwriting it with another and run a
> check and see if it catches it eh?
>
> Later.... I just did a test of the above theory. BINGO! You are absolutely
> correct. I detected an add sure enough. Do you know why they have all those
> individual files listed with a SEC_CRIT?
>
Going way out on a limb, and I should really look it up in Ye Olde Textbook, but I would guess that the directory-level check only alerts that something in the directory changed, but not what that file was, whereas a file-level check would tell you "/bin/ls" just got updated or backd00red. I'm probably wrong though :-)

-- 
Jack Coates
Monkeynoodle: A Scientific Venture...
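For anyone adapting the stock policy to Mandrake the way Lorne describes, here is an added twpol.txt fragment (written for this note, not taken from the thread or from the Red Hat policy) that covers /bin and /sbin with one directory-level rule each; the rule names and the /bin/su override are assumptions chosen for illustration.

```text
# Added example: directory-level rules for /bin and /sbin in twpol.txt.
# Not from the thread and not the stock Red Hat policy.

@@section FS

# Property masks. $(IgnoreNone) checks every attribute tripwire knows;
# "-SHa" drops the SHA-1 and HAVAL hashes (CRC32 and MD5 remain) and the
# access timestamp, which changes every time a binary is run.
SEC_CRIT = $(IgnoreNone)-SHa ;
SEC_SUID = $(IgnoreNone)-SHa ;

# Severity attached to violations of the rules below (100 is the maximum).
SIG_HI   = 100 ;

# One entry per directory tree. With recurse = true tripwire walks the
# whole tree at --init, so every file under /bin and /sbin is baselined
# individually and an added, removed or overwritten file is reported by
# name. No per-file entries are needed for that.
(
  rulename = "System binaries",     # assumed rule name
  severity = $(SIG_HI),
  recurse  = true
)
{
  /bin  -> $(SEC_CRIT) ;
  /sbin -> $(SEC_CRIT) ;
}

# A per-file entry is only needed when one file should carry a different
# mask or severity than the tree it lives in. /bin/su is used here as an
# assumed example of a setuid binary given its own entry.
(
  rulename = "Setuid binaries",     # assumed rule name
  severity = $(SIG_HI)
)
{
  /bin/su -> $(SEC_SUID) ;
}
```

After editing the text policy, regenerate the signed policy with `twadmin --create-polfile twpol.txt`, rebuild the baseline with `tripwire --init`, and then run `tripwire --check` to see the per-file report.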
