is tripwire reliable ???
From: bvm (na_at_na.na)
Date: 11/24/04
- Next message: Neil Cherry: "Re: Unix NOT secure against Viruses on home PCs"
- Previous message: Jean Lutrin: "configuring a secure web browsing environment"
- Next in thread: bvm: "Re: is tripwire reliable ???"
- Reply: bvm: "Re: is tripwire reliable ???"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 24 Nov 2004 21:49:36 +0100
I installed tripwire-2.3.1-20.fdr.1.2.i386.rpm from rpm.pbone.net on my
FC2.
It worked fine after having done "tripwire --check" several times. But
after the automatic run during the night done by cron.daily, tripwire
generated a twr-file stating the 4 tripwire binaries (tripwire, twprint,
twadmin and siggen) had changed.
This made me scratch the computer and reinstall fedora core 2.
Now I have installed tripwire-2.3.1-18.fdr.3.1.src.rpm from
download.fedora.us. Again everything seemed to work, I did several
"tripwire --check" and I executed the tripwire script in cron.daily.
And everything still OK.
Now after the automatic night run tripwire states the 4 tripwire
binaries have changed.
Here is a snippet from the twr-file:
-------------------------------------------------------------------------------
Rule Name: Tripwire Binaries (/usr/sbin/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 1
----------------------------------------
Modified object name: /usr/sbin/tripwire
  Property:        Expected                  Observed
  -------------    -----------               -----------
* Inode Number     1496334                   1495498
* Size             1299716                   1310392
* Blocks           2552                      2568
* CRC32            AKzg5H                    BrSICE
* MD5              CzamYmlh92bvSrJXRixJ4m    BxqhTs1Mc+FlPMLmoKQsvm
And she is right - here is a result of a "sum" and "ls -l" before the
nightly tripwire job:
46326 1270 /usr/sbin/tripwire
42056 1120 /usr/sbin/twadmin
48271 1001 /usr/sbin/twprint
15848 920 /usr/sbin/siggen
-rwxr-xr-x 1 root root 1024228 Nov 23 20:39 /usr/sbin/twprint
-rwxr-xr-x 1 root root 1146628 Nov 23 20:39 /usr/sbin/twadmin
-rwxr-xr-x 1 root root 1299716 Nov 23 20:39 /usr/sbin/tripwire
-rwxr-xr-x 1 root root 941156 Nov 23 20:39 /usr/sbin/siggen
And this is what shows up now:
sum /usr/sbin/tripwire /usr/sbin/twadmin /usr/sbin/twprint /usr/sbin/siggen
57980 1280 /usr/sbin/tripwire
05639 1131 /usr/sbin/twadmin
18027 1011 /usr/sbin/twprint
52046 930 /usr/sbin/siggen
ls -l /usr/sbin/tripwire /usr/sbin/twadmin /usr/sbin/twprint /usr/sbin/siggen
-rwxr-xr-x 1 root root 951592 Nov 23 20:39 /usr/sbin/siggen
-rwxr-xr-x 1 root root 1310392 Nov 23 20:39 /usr/sbin/tripwire
-rwxr-xr-x 1 root root 1157128 Nov 23 20:39 /usr/sbin/twadmin
-rwxr-xr-x 1 root root 1034904 Nov 23 20:39 /usr/sbin/twprint
Weird - can anyone explain this???
Is tripwire reliable at all ?
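
The report and listings above show inode, size and checksums changing while the "ls -l" timestamp stays at Nov 23 20:39. The following is an added example, not part of the original post: a Python check that snapshots a set of files and flags exactly that pattern. The temporary file, its contents and the timestamp value are constructed stand-ins, and SHA-256 is used in place of the report's CRC32/MD5.

```python
import hashlib, os, tempfile

def snapshot(paths):
    """Record inode, size, mtime and SHA-256 for each path."""
    snap = {}
    for p in paths:
        st = os.stat(p)
        with open(p, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        snap[p] = {"inode": st.st_ino, "size": st.st_size,
                   "mtime": int(st.st_mtime), "sha256": digest}
    return snap

def compare(before, after):
    """Return {path: [changed properties]}; flag rewrites that kept the old mtime."""
    findings = {}
    for p, old in before.items():
        new = after.get(p)
        if new is None:
            findings[p] = ["missing"]
            continue
        changed = [k for k in ("inode", "size", "mtime", "sha256") if old[k] != new[k]]
        if "sha256" in changed and "mtime" not in changed:
            changed.append("content-changed-mtime-preserved")
        if changed:
            findings[p] = changed
    return findings

def demo():
    """Constructed sample: replace a file by rename, then restore its mtime."""
    d = tempfile.mkdtemp()
    target = os.path.join(d, "tripwire")   # stand-in file, not the real binary
    stamp = 1101239940                      # constructed timestamp
    with open(target, "wb") as f:
        f.write(b"A" * 1000)
    os.utime(target, (stamp, stamp))
    before = snapshot([target])
    tmp = target + ".new"
    with open(tmp, "wb") as f:
        f.write(b"B" * 1100)
    os.replace(tmp, target)                 # rename-over gives the path a new inode
    os.utime(target, (stamp, stamp))
    after = snapshot([target])
    return compare(before, after)[target]

if __name__ == "__main__":
    print(demo())
```

Taking a snapshot of the four binaries before the cron.daily run and another after it, then passing both to compare(), shows which properties moved and whether the modification time was left untouched.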