Re: [CentOS] Tripwire on CentOS: Installation/Config Step-by-Step

On Wed, 2006-06-14 at 17:33 -0700, karl@xxxxxxxxxxxxxx wrote:
> Thanks to everyone who responded earlier with locations of the RPM bits. 
> In thanks, here's a step-by-step of how I got things working.  6 minute
> response by two separate people shows this is a thriving community.  rad.
> 
> This how-to covers my current method for installing Tripwire 2.3 on our
> CentOS servers.  It's working great,<snip>

> (would be nice to have an MD5 checksum to verify this package is secure)

Hope I'm not wasting your time here. I thought GPG signing was
sufficient for this stuff!?

I'm new at this stuff, but from "man yum.conf" there is this

gpgcheck
   Either ‘1’ or ‘0’. This tells yum whether or not it should per-
   form a GPG signature check on packages. When this is set in the
   [main]  section  it sets the default for all repositories. This
   option also determines whether or not an install of  a  package
   from  a  local  RPM  file  will  be  GPG signature checked. The
   default is ‘0’.

In my yum.repos.d repo files, I have it enabled. Would this not
satisfactorily accomplish what is needed? I presume you can run it
manually if not using yum.

I always use yum to do basic installs, but as stated, I'm pretty new to
this stuff. Still spend an inordinate amount of time in mans, howtos,
etc. <*sigh*>

> 
> 
> 2.	Install the Tripwire RPM:
> 	rpm -ivh tripwire-2.3.1-21.i386.rpm

Out of curiosity, I perused (lightly) "man rpm". Since it permits
signing, I presume that it also depends on GPG for verification (along
with other checks embedded in the processes?). From that I generated and
ran this little script

   # List every imported GPG public key package and page through its details
   for N in $(rpm -qa 'gpg-pubkey*' | sed -e 's/\.(none)//'); do
     rpm -qi "$N" | less
   done

to see if Karan had a key that I had imported.

It revealed several instances of GPG signatures with this summary

   gpg(Karanbir Singh (http://www.karan.org/) <kbsingh@xxxxxxxxx>)

There must certainly have been instructions on either CentOS or
Karanbir's site as I would not have enough knowledge of my own to get
these set up... well maybe imported while using mail. That's possible.

Ah! But I recall now when I first started I got failures because I had
*not* imported keys (although I *thought* I had) for one of the
repositories. I think that confirms that GPG does suffice for
validation. Doesn't it?

Anyway, I haven't reviewed the web sites for a long time, but I suspect
the files are signed and I suspect that should meet the need. And I
suspect that you need to do an rpm import of the keys? Instructions and
keys are on the sites, IIRC.

Something I'm missing, being ignorant and new and shameless about it?

Anyway, here, all the repos had keys except atrpm, which I have not
used, so I would not have done the rpm import yet for that.

> <snip>


> -karlski
> <snip sig stuff>

Hope I wasn't wasting your time.
-- 
Bill
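
Added example, not part of the original message: a shell check that applies the gpgcheck rule from the man excerpt quoted above (a value in [main] is the default for every repository, and the default is 0 when nothing is set) and lists the repositories that would install packages without a signature check. The function names and the sample repository ids are made up for this example.

```shell
# Added example: effective gpgcheck per repository section.
# Input on stdin: yum.conf followed by the *.repo files, concatenated.
# Assumption (from the man excerpt above): value is 1 or 0, default 0.
effective_gpgcheck() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    /^[ \t]*[#;]/ { next }                      # skip comment lines
    /^[ \t]*\[.*\]/ {                           # section header such as [base]
        sec = trim($0); sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
        if (sec != "main" && !(sec in seen)) { seen[sec] = 1; order[++n] = sec }
        next
    }
    /^[ \t]*gpgcheck[ \t]*=/ {
        val = trim(substr($0, index($0, "=") + 1))
        if (sec == "main") maindef = val
        else if (sec != "") repo[sec] = val
    }
    END {                                       # prints: <repo id> <value> <source>
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (s in repo)          { v = repo[s]; src = "repo" }
            else if (maindef != "") { v = maindef; src = "main" }
            else                    { v = "0";     src = "default" }
            printf "%s %s %s\n", s, v, src
        }
    }'
}

# Repositories whose packages would be installed without a signature check.
unchecked_repos() {
    effective_gpgcheck | awk '$2 != "1" { print $1 }'
}

# Constructed sample input; the repository ids are made up for this example.
sample_config() {
    cat <<'EOF'
[main]
cachedir=/var/cache/yum
[base]
gpgcheck=1
[example-extras]
name=gpgcheck not set here
[example-thirdparty]
gpgcheck = 0
EOF
}

sample_config | unchecked_repos
```

On a real system the input would be `cat /etc/yum.conf /etc/yum.repos.d/*.repo | unchecked_repos`. For a single downloaded package file, `rpm -K <file>.rpm` (long form `--checksig`) runs the signature check by hand against the keys already imported into the RPM database.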
