I keep chanting over and over, NEVER RELY ON THOSE CD's, no matter how new
the release. The trouble is, most of the linux distro's released on Cd
are by the release of the item, outdated. And hence, since one should and
better, after doing an CD install reachout and grab all the latest fixed
packages for their distro and all the latest kernel patches or a current
<stable? depending upon needs> and patchup. I'm still watching folks
install off of older 5.0/5.1 CD's from red hat in particular and watching
as folks get hit with basic mountd/bind exploits and wonder what the hell
happened to em. So, being that once one has done this, their checksums,
MD5 or other, will not matchup with the outdated CD no longer, perhaps
<again, depending upon needs, though strongly advised> might as well stop
out and grab the free version of tripwire or some other product similiar
and install that also.
Thanks,
Ron DuFresne
On Wed, 29 Mar 2000, Bennett Todd wrote:
> 2000-03-29-16:15:22 Loren MacGregor:
> > I'm going to sound like a broken record, [...]
>
> Lots of that going around, I'll sing the chorus:-)
>
> > [...] but I really think (especially if you're using Redhat Linux)
> > that the Tripwire for Linux product will serve you admirably.
>
> I think Red Hat Linux users are in an especially good position to
> have something better than tripwire available to them.
>
> RPMs include MD5 checksums. So if you have the CDROM you installed
> your Linux from, you can check everything installed with RPM, that's
> nearly everything there is. Make sure you RPM all the stuff you add,
> and keep offline copies of those (good for rebuilding, upgrading,
> making more identical boxes, etc.) and all you have left is the
> handful of security-critical files that you don't manage with RPM.
> Save them offline.
>
> The hardest part of doing Tripwire right is properly managing the
> database for good security. That hard part comes as a free benefit
> of proper package management when you have good checksums in your
> packaging tool.
>
> > You should upgrade your Red Hat server, though. :)
>
> And write a security policy:-).
>
> -Bennett
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
