Tripwire is only good as a forensic tool, not for intrusion detection.
If an attacker gains superuser access to a system, having the Tripwire
database on read-only media won't do you any good, since the attacker
can always run Tripwire with a different configuration file, or fake
the output, or do dozens of other interesting things. It is also true that
it would be helpful to catch the stupid intruder, which is a good thing.
That said, I normally email the first Tripwire database, when I build
a system, to a server where I keep and eventually archive all the Tripwire
databases, and I leave a copy of the database on the system where Tripwire is
running, in a directory readable only by root. Each time a change is made
on the system, a new copy of the database is emailed to the archive server.
I prefer email to ssh since I need to have an automated process (imagine
hundreds of web servers) and I don't want to leave open ssh access on
the archive server. This way I also maintain a history of all the changes
that occurred on a system. This is fairly secure, and it is good for forensic
analysis. You still need to have an IDS in place though.
--
Alberto U. Begliomini Email: [EMAIL PROTECTED]
Coldstone Consulting, LLC Phone: 650-400-3990
Internet Technologies, Security, Systems Management Fax: 650-654-5938
"Kempter, Lynda L." wrote:
>
> Since the floppy drive on my Solaris system has resolutely refused to
> cooperate any more, I am looking at another procedure for keeping my
> tripwire database files secure. I could mount a separate disk read-only
> I suppose, but it seems a waste for a file the size of a few Kilobytes.
>
> I could look at burning it on to a CD, but then every time I update the
> file, I have to create a new one.
>
> How do other people do this?
>
> Cheers,
> Lyn
>
> <*> [EMAIL PROTECTED]
> "Expect me when you see me."
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]