Hi,
I literally have about 36 machines running CentOS on a private network, and will probably change the remaining 30 or so away from Whitebox or RH in the near term.
One thing I just noticed, when I tried to search out Tripwire RPMs, was that none seemed evident.
Can anyone point me in the direction of a Tripwire RPM that works with CentOS 4.3, or advise me on how to create one from the Tripwire source download on Sourceforge?
-karlski
Can anyone point me in the direction of a Tripwire RPM that works with CentOS 4.3, or advise me on how to create one from the Tripwire source download on Sourceforge?
The http://centos.karan.org/ repository carries it.
On Wed, 2006-06-14 at 12:40 -0700, karl@klxsystems.net wrote:
Hi,
I literally have about 36 machines running CentOS on a private network, and will probably change the remaining 30 or so away from Whitebox or RH in the near term.
One thing I just noticed, when I tried to search out Tripwire RPMs, was that none seemed evident.
In the kbs-CentOS-Extra repository.
<snip>
HTH
karl@klxsystems.net wrote:
Can anyone point me in the direction of a Tripwire RPM that works with CentOS 4.3, or advise me on how to create one from the Tripwire source download on Sourceforge?
Know you've found the answer to your specific question, but have you also considered something better supported and more network-friendly than Tripwire? IIRC, the open source version is pretty dated. The for-a-price Tripwire stuff is network manageable, but there are other nice alternatives such as Osiris (hostintegrity.org) and Samhain (http://la-samhna.de/samhain/). You might want to look at those as well.
Just $0.02 US. -Alan
Thanks to everyone who responded earlier with locations of the RPM bits. In thanks, here's a step-by-step of how I got things working. A 6-minute response by two separate people shows this is a thriving community. rad.
This how-to covers my current method for installing Tripwire 2.3 on our CentOS servers. It's working great; feel free to clarify/comment on the steps if you see something mis-stated.
1. Get the RPM, done from the /tmp directory: wget http://centos.karan.org/el4/extras/stable/i386/RPMS/tripwire-2.3.1-21.i386.r... (would be nice to have an MD5 checksum to verify this package is secure)
2. Install the Tripwire RPM: rpm -ivh tripwire-2.3.1-21.i386.rpm
3. Configure your two tw files:
cd /etc/tripwire
vi twcfg.txt
MAILMETHOD =SMTP
SMTPHOST =yourhost
(fqdn wasn't required in mine, but might be for you)
This basically sets up delivery of mail reports for you, it works in concert with twpol.txt's per-item alert entries. Your needs may be different, but I have a central host that manages mail for this kind of thing.
vi twpol.txt
Enter your email address where required; it usually looks like this:
rulename = "Tripwire Binaries",
severity = $(SIG_HI),
emailto = yourname@yourdomain.com
Beware: if there's a line _immediately_ below it, put a comma at the end of your email address or you'll get syntax errors. Most of these chunks don't, but line 990 does. There are a million entries, so use search/replace or sed if you want to save time.
4. Create the Site Key for this box. /usr/sbin/tripwire-setup-keyfiles (Enter a pass phrase).
5. Make a config file that will work with this specific key: twadmin --create-cfgfile --site-keyfile /etc/tripwire/site.key twcfg.txt
6. Edit the Tripwire Policy file for any last changes, just a re-check of what you did, maybe lessen the severity for example of something you know isn't a big deal.
7. Invoke the policy file to work on this instance of Tripwire: twadmin --create-polfile twpol.txt
8. Initialize the Tripwire Database: tripwire --init (If you see errors that mention files not found, comment them out of the twpol.txt file and rerun the step 7 command, then the above tripwire --init.)
9. Testing it out at the command line: tripwire --check --interactive
Rad, it works.
10. Go and check out your /etc/cron.daily for a file called tripwire-check; it should be dated April 27, 2005. I think TW puts it there. I think this just runs by default, will know tomorrow.
Basically this is a jump in the right direction, good luck, feel free to comment, and thanks to the list for the help on locating the tool, as well as the recommendations on the other similar tools.
-karlski
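The comma rule in step 3 is the kind of thing that goes wrong somewhere across a few hundred rule blocks when done by hand. As an added example (my own code, not Karl's and not part of Tripwire), here is the search/replace he mentions done with awk: it appends an emailto attribute to every attribute list in twpol.txt, comma-terminates the attribute that used to be last, and leaves blocks that already carry an emailto alone. It assumes the stock twpol.txt layout where "(" and ")" sit on their own lines; the address is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the thread or the Tripwire project: add an
# "emailto = ADDRESS" attribute to every rule attribute block in twpol.txt.
# Assumes the stock layout, where the "(" and ")" delimiting an attribute
# list sit on their own lines:
#   (
#     rulename = "Tripwire Binaries",
#     severity = $(SIG_HI)
#   )
# Inside the list every attribute except the last must end with a comma, so
# the attribute that used to be last gets one and emailto is appended last.
# Usage: add_emailto you@example.com < twpol.txt > twpol.txt.new
add_emailto() {
    awk -v addr="$1" '
    /^[[:space:]]*[(]$/ { inblk = 1; n = 0; print; next }  # attribute list opens
    inblk && /^[[:space:]]*[)]$/ {                           # attribute list closes
        have = 0                                             # already has emailto?
        for (i = 1; i <= n; i++)
            if (buf[i] ~ /^[[:space:]]*emailto[[:space:]]*=/) have = 1
        for (i = 1; i <= n; i++) {
            line = buf[i]
            # comma-terminate the former last attribute when we append after it
            if (!have && i == n && line !~ /,[[:space:]]*$/) line = line ","
            print line
        }
        if (!have) {
            indent = "  "
            if (n && match(buf[n], /^[[:space:]]+/)) indent = substr(buf[n], 1, RLENGTH)
            print indent "emailto = " addr
        }
        inblk = 0; print; next
    }
    inblk { buf[++n] = $0; next }   # buffer attribute lines until ")" is seen
    { print }                       # rules, sections, comments pass through
    '
}
```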
On Wed, 2006-06-14 at 17:33 -0700, karl@klxsystems.net wrote:
Thanks to everyone who responded earlier with locations of the RPM bits. In thanks, here's a step-by-step of how I got things working. 6 minute response by two separate people shows this is a thriving community. rad.
This how-to covers my current method for installing Tripwire 2.3 on our CentOS servers. It's working great, <snip>
(would be nice to have an MD5 checksum to verify this package is secure)
Hope I'm not wasting your time here. I thought GPG signing was sufficient for this stuff!?
I'm new at this stuff, but from "man yum.conf" there is this:
gpgcheck
Either ‘1’ or ‘0’. This tells yum whether or not it should perform a GPG signature check on packages. When this is set in the [main] section it sets the default for all repositories. This option also determines whether or not an install of a package from a local RPM file will be GPG signature checked. The default is ‘0’.
In my yum.repos.d repo files, I have it enabled. Would this not satisfactorily accomplish what is needed? I presume you can run it manually if not using yum.
I always use yum to do basic installs, but as stated, I'm pretty new to this stuff. Still spend an inordinate amount of time in mans, howtos, etc. <*sigh*>
- Install the Tripwire RPM: rpm -ivh tripwire-2.3.1-21.i386.rpm
Out of curiosity, I perused (lightly) "man rpm". Since it permits signing, I presume that it also depends on GPG for verification (along with other checks embedded in the processes?). From that I generated and ran this little script
# show the details of every RPM signing key that has been imported
for N in $(rpm -qa 'gpg-pubkey*' | sed -e 's/\.(none)$//'); do rpm -qi "$N" | less; done
to see if Karan had a key that I had imported.
It revealed several instances of GPG signatures with this summary
gpg(Karanbir Singh (http://www.karan.org/) kbsingh@karan.org)
There must certainly have been instructions on either CentOS or Karanbir's site as I would not have enough knowledge of my own to get these set up... well maybe imported while using mail. That's possible.
Ah! But I recall now when I first started I got failures because I had *not* imported keys (although I *thought* I had) for one of the repositories. I think that confirms that GPG does suffice for validation. Doesn't it?
Anyway, I haven't reviewed the web sites for a long time, but I suspect the files are signed and I suspect that should meet the need. And I suspect that you need to do an rpm import of the keys? Instructions and keys are on the sites, IIRC.
Something I'm missing, being ignorant and new and shameless about it?
Anyway, here, all the repos had keys except atrpm, which I have not used, so I would not have done the rpm import yet for that.
<snip>
-karlski
<snip sig stuff>
Hope I wasn't wasting your time.
karl@klxsystems.net wrote: <snip>
- Get the RPM, done from the /tmp directory: wget
http://centos.karan.org/el4/extras/stable/i386/RPMS/tripwire-2.3.1-21.i386.r... (would be nice to have an MD5 checksum to verify this package is secure)
<snip>
The normal way of doing this check is via a GPG key check when installing packages via yum. If you look at the home page at http://centos.karan.org/ there are instructions on how to enable the repository; that will also import the GPG key the first time it's needed (look in the .repo file).
- KB
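Tying together the gpgcheck text quoted above and KB's point that the .repo file is what brings in the key: as an added example (not from the thread, from yum, or from karan.org), a small audit of a yum.repos.d directory that lists repositories which would install packages without a signature check, with the [main] default supplied as an argument. The .repo content in the test is constructed, not copied from any real repository.

```shell
#!/bin/sh
# Added example, not from the thread or from yum: audit a yum.repos.d
# directory for repositories that would install packages without a GPG
# signature check. Per man yum.conf a repo without its own gpgcheck line
# inherits the [main] default, which is 0 unless set; pass that default as
# the second argument. A repo with gpgcheck=1 but no gpgkey= is also flagged,
# since yum then has no key to import the first time it is needed.
# Usage: audit_repo_gpg /etc/yum.repos.d 1   (exit 0 = clean, 1 = findings)
audit_repo_gpg() {
    out=$(cat "$1"/*.repo 2>/dev/null | awk -v def="${2:-0}" '
    function val(s) { sub(/^[^=]*=[[:space:]]*/, "", s); sub(/[[:space:]]+$/, "", s); return s }
    function flush(   c, note) {
        if (id == "" || id == "main") return
        c = (check == "" ? def : check)
        note = (check == "" ? " (inherited from [main])" : "")
        if (c != "1")        print id ": gpgcheck=" c note
        else if (key == "")  print id ": gpgcheck=1 but no gpgkey to import"
    }
    /^[[:space:]]*[#;]/ { next }                          # comment line
    /^[[:space:]]*\[.*\][[:space:]]*$/ {                  # [repoid] starts a section
        flush()
        id = $0; sub(/^[[:space:]]*\[/, "", id); sub(/\][[:space:]]*$/, "", id)
        check = ""; key = ""; next
    }
    /^[[:space:]]*gpgcheck[[:space:]]*=/ { check = val($0) }
    /^[[:space:]]*gpgkey[[:space:]]*=/   { key = val($0) }
    END { flush() }
    ')
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```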
There is also AIDE, http://sourceforge.net/projects/aide.
On 6/14/06, Alan Sparks asparks@doublesparks.net wrote:
karl@klxsystems.net wrote:
Can anyone point me in the direction of a Tripwire RPM that works with CentOS 4.3, or advise me on how to create one from the Tripwire source download on Sourceforge?
Know you've found the answer to your specific question, but have you also considered something better supported and more network-friendly than Tripwire? IIRC, the open source version is pretty dated. The for-a-price Tripwire stuff is network manageable, but there are other nice alternatives such as Osiris (hostintegrity.org) and Samhain (http://la-samhna.de/samhain/). You might want to look at those as well.
Just $0.02 US. -Alan
--
Alan Sparks, UNIX/Linux Systems Integration and Administration
asparks@doublesparks.net
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos