tripwire in Debian

Debian continues to just really impress me. Most times when I install a package and start looking at how it works, it's clear that someone really thought about how everything should work together and has it configured so that the obvious just does the right thing.

I first tried to play with aide, since I'm not very fond of the Tripwire people, but aide is ugly and just doesn't do what I want. It could probably be made to do what I want, but it's just not worth the hassle. So on to Tripwire.

Tripwire has apparently now put together a mechanism where even if you store your databases on local disk, there's some degree of security. It looks like it generates a key pair and uses that to sign the configuration and policy file and also prevent modifications to the database. Of course, someone could always just replace the whole database and all its keys, but then the next time I went to update Tripwire, I'd notice that the password was different. (And if they did that, they could just replace the Tripwire binary itself, of course.)
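The trade-off in the paragraph above, as an added sketch that is not from the original post and not Tripwire's code. It assumes an HMAC keyed from a passphrase as a stand-in for Tripwire's passphrase-protected key pair; all function names, file contents and passphrases are constructed for illustration.

```python
import hashlib
import hmac
import json

def derive_key(passphrase, salt):
    # Assumption: a passphrase-derived MAC key stands in for the signing key pair.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def build_db(files):
    # Baseline database: path -> SHA-256 of the file contents.
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def seal(db, passphrase, salt):
    # Authenticate the serialized database so in-place edits are detectable.
    body = json.dumps(db, sort_keys=True).encode()
    tag = hmac.new(derive_key(passphrase, salt), body, hashlib.sha256).hexdigest()
    return {"salt": salt.hex(), "db": db, "tag": tag}

def open_sealed(sealed, passphrase):
    # Return the database only if the tag verifies under this passphrase.
    body = json.dumps(sealed["db"], sort_keys=True).encode()
    key = derive_key(passphrase, bytes.fromhex(sealed["salt"]))
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return sealed["db"] if hmac.compare_digest(expected, sealed["tag"]) else None

def changed(db, files):
    # Paths added, removed or modified relative to the baseline.
    current = build_db(files)
    return sorted(p for p in db.keys() | current.keys() if db.get(p) != current.get(p))

def demo():
    # Constructed sample data, not real system files.
    files = {"/bin/ls": b"original ls", "/etc/passwd": b"root:x:0:0"}
    sealed = seal(build_db(files), "operator passphrase", b"constructed-salt")
    files["/bin/ls"] = b"modified ls"
    # Case 1: database hashes rewritten in place, old tag kept.
    edited = dict(sealed, db=build_db(files))
    # Case 2: whole database replaced and re-sealed under a different passphrase.
    replaced = seal(build_db(files), "someone else's passphrase", b"other-salt")
    return {
        "honest_check": changed(open_sealed(sealed, "operator passphrase"), files),
        "edited_db_opens": open_sealed(edited, "operator passphrase") is not None,
        "replaced_opens_for_operator": open_sealed(replaced, "operator passphrase") is not None,
        "replaced_is_self_consistent": open_sealed(replaced, "someone else's passphrase") is not None,
    }

if __name__ == "__main__":
    print(demo())
```

The replaced database is internally valid, so the only signal left is that the operator's own passphrase stops working at the next update.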

It looks like the old -update mode is gone, which I do miss, and which means that the new version of Tripwire is probably not suitable for widespread use on our servers. However, the new -interactive mode (which is now --check --interactive) is really cool. It gives you the list of files that have changed in a "ballot" format in an editor and lets you review them there and delete the x in front of the ones that you don't want to update. Extremely convenient to use.

One thing that I definitely don't like is the report format, though. The old report was far more readable and convenient. I suppose it's GPL'd software and I could fix that if it continues bothering me, though. (This new one would be much harder to process automatically, plus one has to page down just to see if there are any inconsistencies.)

But overall, it just works, with some minor tweaking to the policy file.

Posted: 2003-06-09 16:48

Last spun 2013-07-01 from thread modified 2013-01-04