On Friday 10 January 2003 09:47 am, Jack Coates wrote:
> On Fri, 2003-01-10 at 08:29, Lorne wrote:
> > On Thursday 09 January 2003 10:29 pm, Jack Coates wrote:
> > > On Thu, 2003-01-09 at 20:54, Lorne wrote:
> > > > I'm having trouble finding a simple piece of information on tripwire.
> > > > Since the existing config files aren't designed with Mandrake in
> > > > mind, it is pretty useless out of the box. I've got it figured out
> > > > now, but since I'm not a total Linux gear head yet I have a dumb
> > > > question perhaps.
> > > >
> > > > Is it safe to assume that /sbin and /bin should have no files ever
> > > > change? If that is the case, then I need to add every single one to
> > > > the file. Obviously files change in /var etc, but I'm a little
> > > > unsure of all the files I need to add system wide.
> > >
> > > /sbin and /bin shouldn't change unless a security patch does it.
> > > Tripwire has a directory-level setting, you don't have to enter every
> > > single file.
> >
> > Well that is what I thought, but then why do they follow up in the Red
> > Hat version and mark every single file and give it a rating of say
> > SEC_CRIT ?? Is that redundant? I guess I can test this theory by finding
> > a file not currently listed in the pol file, then overwriting it with
> > another and run a check and see if it catches it eh?
> >
> > Later.... I just did a test of the above theory. BINGO! You are
> > absolutely correct. I detected an add sure enough. Do you know why they
> > have all those individual files listed with a SEC_CRIT?
>
> Going way out on a limb, and I should really look it up in Ye Olde
> Textbook, but I would guess that the directory level check only alerts
> that something in the directory changed, but not what that file was,
> whereas a file-level check would tell you "/bin/ls" just got updated or
> backd00red."
>
> I'm probably wrong though :-)

Hmm.... the real problem I've had is the lack of documentation. It seems the Tripwire folks have done themselves a disservice by not having more information out there. ?? If you know of a book name or source I can go find, I'm all over that. :)
