Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 76877

Summary: tripwire needs to be "rpm aware"
Product: [Retired] Red Hat Linux Reporter: Red Hat Production Operations <soc>
Component: tripwireAssignee: Florian La Roche <laroche>
Status: CLOSED WONTFIX QA Contact: David Lawrence <dkl>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.2CC: k.georgiou
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: i386   
OS: Linux   
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-04-22 00:48:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Need Real Name 2002-10-28 16:47:29 UTC
Description of Problem:

Setting up tripwire is a lot of work initially, as the default twpol.txt file
looks like it was created based on an "everything" installation, so during the
initial setup on a more typical system, a lot of references need to be 
commented so that the the database will initialize cleanly and the nightly
reports will not show row after row of things like this:

### Warning: File system error.
### Filename: /proc/rtc
### No such file or directory
### Continuing...

If each RPM package dropped a portion of a config file into /etc/tripwire.d
(for sake of discussion purposes) and the files in that directory were later
combined to create /etc/tripwire/twpol.txt, or tripwire was able to read those
files directly, this would not only solve the initial configuration issue, but
also the case where a package is later added to the system, and the policy file
needs to be updated to reflect it.  

It is very easy to imagine that a new package is installed during an errata
update and the sysadmin may not think to update the policy file, or may only
partially update it since there are so many sections to touch, or may add the
wrong files to the wrong sections of the policy file.

Version-Release number of selected component (if applicable):


Comment 1 W. Michael Petullo 2002-11-11 15:52:39 UTC
I agree 100% with Andrew's comments.  Currently, twpol.txt is a BEAST to
maintain.    I think that one of the following two techniques should be used:

1.  (Andrew's idea)  RPM packages install twpol.txt fragments into
/etc/tripwire.d.  The problem is that every RPM package would need to be
modified to provide this information to tripwire.  Any people who don't use
tripwire might not want their systems cluttered with this otherwise useless data.

2.  Write a tool that queries a system's RPM database and generates a reasonable
twpol.txt.  An administrator could review this file and initialize tripwire
using it.  This is really what package management tools like RPM are for, right?
 They should provide users with information about what is on their systems.  

Combining ideas one and two, RPM could even be enhanced with security-related
database entries.  These entries could be queried using the new, streamlined
version 2.0 of the tool developed for technque two.  Imagine:

# rpm -qz util-linux
/bin/arch ReadOnly
/bin/dmesg ReadOnly
/etc/fdprm Dynamic
/var/log/just_to_prove_a_point Growing

# rpm -qz some_package
ERROR: Package author has not provided security information

Now THAT's cool (but would require additions to the RPM specification).

Comment 2 Jeff Johnson 2002-11-11 16:04:11 UTC
Hint: rpm-4.1 verifies digital signatures
whenever a header is read. Headers contain MD5
sums for files.

So on the todo list is to teach tripwire how to
read an rpm database. and to teach rpm --verify
to do a couple more tasks that tripwire does.

Comment 3 Jeff Johnson 2002-11-16 20:32:44 UTC
*** Bug 58910 has been marked as a duplicate of this bug. ***

Comment 4 John Thacker 2006-04-22 00:48:52 UTC
Closing bug, since tripwire hasn't been shipped for so long, only in Legacy