Re: [expert] mandrake snf mnf and Tripwire

2003-01-10 Thread Lorne
On Friday 10 January 2003 09:47 am, Jack Coates wrote:
> On Fri, 2003-01-10 at 08:29, Lorne wrote:
> > On Thursday 09 January 2003 10:29 pm, Jack Coates wrote:
> > > On Thu, 2003-01-09 at 20:54, Lorne wrote:
> > > > I'm having trouble finding a simple piece of information on tripwire.
> > > > Since the existing config files aren't designed with Mandrake in
> > > > mind, it is pretty useless out of the box. I've got it figured out
> > > > now, but since I'm not a total linux gear head yet I have a dumb
> > > > question perhaps.
> > > >
> > > >  Is it safe to assume that /sbin and /bin should have no files ever
> > > > change? If that is the case, then I need to add every single one to
> > > > the file.  Obviously files change in /var etc, but I'm a little
> > > > unsure of all the files I need to add system wide.
> > >
> > > /sbin and /bin shouldn't change unless a security patch does it.
> > > Tripwire has a directory-level setting, you don't have to enter every
> > > single file.
> >
> > Well that is what I thought, but then why do they follow up in the Red
> > Hat version and mark every single file and give it a rating of say
> > SEC_CRIT? Is that redundant? I guess I can test this theory by finding
> > a file not currently listed in the pol file, then overwriting it with
> > another and running a check and see if it catches it, eh?
> >
> > Later I just did a test of the above theory. BINGO! You are
> > absolutely correct. I detected an add sure enough. Do you know why they
> > have all those individual files listed with a SEC_CRIT?
>
> Going way out on a limb, and I should really look it up in Ye Olde
> Textbook, but I would guess that the directory level check only alerts
> that something in the directory changed, but not what that file was,
> whereas a file-level check would tell you "/bin/ls just got updated or
> backd00red."
>
> I'm probably wrong though :-)

Hmm, the real problem I've had is the lack of documentation. It seems the
Tripwire folks have done themselves a disservice by not having more
information out there. If you know of a book name or source I can go find,
I'm all over that. :)


Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com



Re: [expert] mandrake snf mnf and Tripwire

2003-01-10 Thread Jack Coates
On Fri, 2003-01-10 at 08:29, Lorne wrote:
> On Thursday 09 January 2003 10:29 pm, Jack Coates wrote:
> > On Thu, 2003-01-09 at 20:54, Lorne wrote:
> > > I'm having trouble finding a simple piece of information on tripwire.
> > > Since the existing config files aren't designed with Mandrake in mind, it
> > > is pretty useless out of the box. I've got it figured out now, but since
> > > I'm not a total linux gear head yet I have a dumb question perhaps.
> > >
> > >  Is it safe to assume that /sbin and /bin should have no files ever
> > > change? If that is the case, then I need to add every single one to the
> > > file.  Obviously files change in /var etc, but I'm a little unsure of all
> > > the files I need to add system wide.
> >
> > /sbin and /bin shouldn't change unless a security patch does it.
> > Tripwire has a directory-level setting, you don't have to enter every
> > single file.
> >
> Well that is what I thought, but then why do they follow up in the Red Hat
> version and mark every single file and give it a rating of say SEC_CRIT?
> Is that redundant? I guess I can test this theory by finding a file not
> currently listed in the pol file, then overwriting it with another and running a
> check and see if it catches it, eh?
> 
> Later I just did a test of the above theory. BINGO! You are absolutely 
> correct. I detected an add sure enough. Do you know why they have all those 
> individual files listed with a SEC_CRIT?
> 

Going way out on a limb, and I should really look it up in Ye Olde
Textbook, but I would guess that the directory level check only alerts
that something in the directory changed, but not what that file was,
whereas a file-level check would tell you "/bin/ls just got updated or
backd00red."

I'm probably wrong though :-)


-- 
Jack Coates
Monkeynoodle: A Scientific Venture...






Re: [expert] mandrake snf mnf and Tripwire

2003-01-10 Thread Lorne
On Thursday 09 January 2003 10:29 pm, Jack Coates wrote:
> On Thu, 2003-01-09 at 20:54, Lorne wrote:
> > I'm having trouble finding a simple piece of information on tripwire.
> > Since the existing config files aren't designed with Mandrake in mind, it
> > is pretty useless out of the box. I've got it figured out now, but since
> > I'm not a total linux gear head yet I have a dumb question perhaps.
> >
> >  Is it safe to assume that /sbin and /bin should have no files ever
> > change? If that is the case, then I need to add every single one to the
> > file.  Obviously files change in /var etc, but I'm a little unsure of all
> > the files I need to add system wide.
>
> /sbin and /bin shouldn't change unless a security patch does it.
> Tripwire has a directory-level setting, you don't have to enter every
> single file.
>
Well that is what I thought, but then why do they follow up in the Red Hat
version and mark every single file and give it a rating of say SEC_CRIT?
Is that redundant? I guess I can test this theory by finding a file not
currently listed in the pol file, then overwriting it with another and running a
check and see if it catches it, eh?

Later I just did a test of the above theory. BINGO! You are absolutely 
correct. I detected an add sure enough. Do you know why they have all those 
individual files listed with a SEC_CRIT?

> > Thanks in advance.
> >
> > 
> >
> >






Re: [expert] mandrake snf mnf and Tripwire

2003-01-09 Thread Jack Coates
On Thu, 2003-01-09 at 20:54, Lorne wrote:
> I'm having trouble finding a simple piece of information on tripwire. Since 
> the existing config files aren't designed with Mandrake in mind, it is pretty 
> useless out of the box. I've got it figured out now, but since I'm not a 
> total linux gear head yet I have a dumb question perhaps.
> 
>  Is it safe to assume that /sbin and /bin should have no files ever change? If 
> that is the case, then I need to add every single one to the file.  Obviously 
> files change in /var etc, but I'm a little unsure of all the files I need to 
> add system wide. 
> 

/sbin and /bin shouldn't change unless a security patch does it.
Tripwire has a directory-level setting, you don't have to enter every
single file.

> Thanks in advance.
> 
> 
> 

-- 
Jack Coates
Monkeynoodle: A Scientific Venture...
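As an added illustration (not code from either poster, and not Tripwire's shipped policy), here is a policy fragment in Tripwire 2.x twpol.txt syntax that puts the directory-level rule Jack describes next to the per-file SEC_CRIT entries Lorne saw in the Red Hat policy. The property-mask variables follow the stock Red Hat definitions; the kernel file names are placeholders.

```text
# Added example policy fragment (Tripwire 2.x twpol.txt syntax).
# Property-mask variables as defined in the stock Red Hat policy.
@@section FS
SEC_CRIT   = $(IgnoreNone)-SHa ;  # every property except the slow SHA/Haval hashes
SEC_BIN    = $(ReadOnly) ;        # binaries: content and metadata must not change
SEC_CONFIG = $(Dynamic) ;         # read often, edited rarely
SIG_HI     = 100 ;
SIG_MED    = 66 ;

# Directory-level rule: one line per tree. Tripwire recurses by default, so a
# file added, removed or modified anywhere under /bin or /sbin is listed in
# the report by its own path (this is the "add" Lorne's test caught).
(
  rulename = "Root file system executables",
  severity = $(SIG_HI)
)
{
  /bin  -> $(SEC_BIN) ;
  /sbin -> $(SEC_BIN) ;
}

# File-level rules, in the style of the Red Hat policy. Naming an object
# explicitly lets it carry a stricter mask or a different severity than its
# directory, and Tripwire warns when a named object is missing, so a critical
# binary that has disappeared is reported rather than silently absent.
(
  rulename = "Critical system boot files",
  severity = $(SIG_HI)
)
{
  /boot                        -> $(SEC_CRIT) ;
  /boot/vmlinuz-PLACEHOLDER    -> $(SEC_CRIT) ;  # substitute your kernel version
  /boot/System.map-PLACEHOLDER -> $(SEC_CRIT) ;
  /sbin/init                   -> $(SEC_CRIT) ;
  /bin/ls                      -> $(SEC_CRIT) ;
}

# Trees that legitimately change: check only the properties that matter and
# stop at objects that are rewritten routinely.
(
  rulename = "System configuration and logs",
  severity = $(SIG_MED)
)
{
  /etc       -> $(SEC_CONFIG) ;
  !/etc/mtab ;
  /var/log   -> $(Growing) (recurse = false) ;
}
```

After editing the policy, regenerate the signed policy and database (tripwire --init) before the next check, or the old database will report the new rules as changes.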






[expert] mandrake snf mnf and Tripwire

2003-01-09 Thread Lorne
I'm having trouble finding a simple piece of information on tripwire. Since 
the existing config files aren't designed with Mandrake in mind, it is pretty 
useless out of the box. I've got it figured out now, but since I'm not a 
total linux gear head yet I have a dumb question perhaps.

 Is it safe to assume that /sbin and /bin should have no files ever change? If 
that is the case, then I need to add every single one to the file.  Obviously 
files change in /var etc, but I'm a little unsure of all the files I need to 
add system wide. 

Thanks in advance.

