[CentOS] Tripwire on CentOS: Installation/Config Step-by-Step

William L. Maltby BillsCentOS at triad.rr.com
Thu Jun 15 12:50:52 UTC 2006


On Wed, 2006-06-14 at 17:33 -0700, karl at klxsystems.net wrote:
> Thanks to everyone who responded earlier with locations of the RPM bits. 
> In thanks, here's a step-by-step of how I got things working.  6 minute
> response by two separate people shows this is a thriving community.  rad.
> 
> This how-to covers my current method for installing Tripwire 2.3 on our
> CentOS servers.  It's working great,<snip>

> (would be nice to have an MD5 checksum to verify this package is secure)

Hope I'm not wasting your time here. I thought GPG signing was
sufficient for this stuff!?

I'm new at this stuff, but from "man yum.conf" there is this

gpgcheck
   Either ‘1’ or ‘0’. This tells yum whether or not it should per-
   form a GPG signature check on packages. When this is set in the
   [main]  section  it sets the default for all repositories. This
   option also determines whether or not an install of  a  package
   from  a  local  RPM  file  will  be  GPG signature checked. The
   default is ‘0’.

In my yum.repos.d repo files, I have it enabled. Would this not
satisfactorily accomplish what is needed? I presume you can run it
manually if not using yum.

I always use yum to do basic installs, but as stated, I'm pretty new to
this stuff. Still spend an inordinate amount of time in mans, howtos,
etc. <*sigh*>

> 
> 
> 2.	Install the Tripwire RPM:
> 	rpm -ivh tripwire-2.3.1-21.i386.rpm

Out of curiosity, I perused (lightly) "man rpm". Since it permits
signing, I presume that it also depends on GPG for verification (along
with other checks embedded in the processes?). From that I generated and
ran this little script

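   # Show the details of every GPG public key imported into the rpm database.
   # The glob is quoted so the shell passes it to rpm unexpanded.
   for N in $(rpm -qa 'gpg-pubkey*' | sed -e 's/\.(none)//'); do
     rpm -qi "$N" | less
   done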

to see if Karan had a key that I had imported.

It revealed several instances of GPG signatures with this summary

   gpg(Karanbir Singh (http://www.karan.org/) <kbsingh at karan.org>)

There must certainly have been instructions on either CentOS or
Karanbir's site as I would not have enough knowledge of my own to get
these set up... well maybe imported while using mail. That's possible.

Ah! But I recall now when I first started I got failures because I had
*not* imported keys (although I *thought* I had) for one of the
repositories. I think that confirms that GPG does suffice for
validation. Doesn't it?

Anyway, I haven't reviewed the web sites for a long time, but I suspect
the files are signed and I suspect that should meet the need. And I
suspect that you need to do an rpm import of the keys? Instructions and
keys are on the sites, IIRC.

Something I'm missing, being ignorant and new and shameless about it?

Anyway, here, all the repos had keys except atrpm, which I have not
used, so I would not have done the rpm import yet for that.

> <snip>


> -karlski
> <snip sig stuff>

Hope I wasn't wasting your time.
-- 
Bill
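
The gpgcheck rule quoted from "man yum.conf" in the message above, turned into a check that reports the effective setting for each repository. This is an added example and not part of the original message; the function names, the sample repo ids and the file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Rule, from the man page text quoted
# above: the built-in default is 0, a value in [main] becomes the default for
# all repositories, and a repository section can override it.
# Usage: gpgcheck_audit /etc/yum.conf /etc/yum.repos.d/*.repo
gpgcheck_audit() {
    awk '
        function emit() {          # print "repoid effective-gpgcheck"
            if (sect != "" && sect != "main")
                printf "%s %s\n", sect, (have ? val : dflt)
        }
        BEGIN { dflt = "0" }
        FNR == 1 { emit(); sect = "" }          # sections do not span files
        /^[ \t]*[#;]/ { next }                  # comment lines
        /^[ \t]*\[.*\][ \t]*$/ {                # section header
            emit()
            sect = $0
            sub(/^[ \t]*\[/, "", sect); sub(/\][ \t]*$/, "", sect)
            have = 0
            next
        }
        /^[ \t]*gpgcheck[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
            if (sect == "main") dflt = v
            else if (sect != "") { have = 1; val = v }
        }
        END { emit() }
    ' "$@"
}

# Constructed sample configuration (hypothetical repo ids), for a dry run.
demo_gpgcheck_audit() {
    d=$(mktemp -d) || return 1
    printf '[main]\ncachedir=/var/cache/yum\ngpgcheck=1\n' > "$d/yum.conf"
    printf '[base]\nname=Base\n\n[extras]\nname=Extras\ngpgcheck = 0\n' > "$d/a.repo"
    printf '# third party\n[thirdparty]\nname=Third party\n#gpgcheck=1\n' > "$d/b.repo"
    gpgcheck_audit "$d/yum.conf" "$d/a.repo" "$d/b.repo"
    rm -rf "$d"
}

demo_gpgcheck_audit
```

Pass the main configuration file first so its [main] default is known before the repository files are read. A repository reported with 0 is one where yum is told not to perform the signature check.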