Tripwire



Overview

Tripwire helps ensure the integrity of critical system files and directories by identifying all changes made to them. Its configuration options include alerting by email when particular files are altered and automated integrity checking from a cron job. Using Tripwire for intrusion detection and damage assessment keeps you aware of system changes and can speed recovery from a break-in by reducing the number of files that must be restored to repair the system.

Tripwire compares files and directories against a baseline database that records each file's location, modification time, other inode attributes, and cryptographic hashes of its contents. It generates the baseline by taking a snapshot of the specified files and directories in a known secure state, so for maximum security Tripwire should be installed and the baseline created before the system is exposed to intrusion, ideally before it is connected to a network: a baseline taken from an already compromised system simply enshrines the attacker's changes. After creating the baseline database, Tripwire compares the current system to it and reports any modifications, additions, or deletions. The database and reports are signed with the local key and the policy and configuration files with the site key, so an intruder cannot silently edit them without the corresponding passphrase; keeping an additional copy of the database on read-only or offline media guards against its deletion.
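The following is an added illustration of the baseline-and-compare mechanism described above. It is a hypothetical minimal checker written for this page, not Tripwire's own code: it records only a SHA-256 hash per file (Tripwire also records inode attributes) and its "database" is an unsigned text file, which is exactly the weakness Tripwire's signed database addresses. The sample file tree and the simulated break-in are constructed inside the script.

```shell
#!/bin/sh
# Hypothetical baseline/compare integrity check (added example, not Tripwire).
# Requires find, sort, awk, sha256sum and mktemp.

# snapshot DIR: one line per regular file under DIR, "<sha256>  <path>",
# sorted by path so two snapshots compare line by line.
snapshot() {
    ( cd "$1" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done )
}

# compare BASELINE CURRENT: classify every path as Added, Modified or Removed.
# Paths containing whitespace are outside the scope of this demo.
compare() {
    awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # load the baseline
        {
            cur[$2] = $1
            if (!($2 in base))       print "Added:    " $2
            else if (base[$2] != $1) print "Modified: " $2
        }
        END { for (p in base) if (!(p in cur)) print "Removed:  " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# demo: build a constructed tree, take the baseline while it is known good,
# then simulate a break-in (trojaned binary, dropped backdoor, deleted file)
# and print the resulting report on stdout.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/sys/bin" "$tmp/sys/etc"
    printf 'original ls binary\n' > "$tmp/sys/bin/ls"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$tmp/sys/etc/passwd"
    printf 'Welcome\n' > "$tmp/sys/etc/motd"
    snapshot "$tmp/sys" > "$tmp/baseline.db"          # the "known secure state"

    printf 'trojaned ls binary\n' > "$tmp/sys/bin/ls"   # modification
    printf 'backdoor\n' > "$tmp/sys/bin/.hidden"        # addition
    rm -f "$tmp/sys/etc/motd"                           # deletion

    snapshot "$tmp/sys" > "$tmp/current.db"
    compare "$tmp/baseline.db" "$tmp/current.db"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it with the argument demo to see the three classes of change reported. Note that an attacker who can write /bin/ls can also rewrite baseline.db here; Tripwire signs its database with the local key precisely so that this rewrite is not silent.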



Configuration

  1. Install Tripwire and customize the policy file

    If not already done, install the tripwire RPM (see the section called RPM Installation Instructions). Then customize the sample configuration (/etc/tripwire/twcfg.txt) and policy (/etc/tripwire/twpol.txt) files and run the configuration script (/etc/tripwire/twinstall.sh), which generates the site and local keys and uses the site key to sign the configuration and policy files. Edit the sample policy before signing it and trim it to the files your system actually has; rules for absent files produce errors in every report and bury real violations.

  2. Initialize the Tripwire database

    Build a database of the critical system files to monitor, based on the contents of the new signed policy file (/etc/tripwire/tw.pol). The database is signed with the local key, so you are prompted for the local passphrase.

  3. Run a Tripwire integrity check

    Compare the newly created Tripwire database with the actual system files, looking for missing, added, or altered files.

  4. Examine the Tripwire report file

    View the Tripwire report file with twprint and note any integrity violations.

  5. Take appropriate security measures

    If monitored files have been altered inappropriately, determine how the change happened before trusting the host again, then either restore the originals from known-good backups or reinstall the affected package. Restoring the files alone does not remove whatever access the intruder used to change them.

  6. Update the Tripwire database file

    If the integrity violations are intentional and valid, such as a file you edited or a program you replaced, update Tripwire's database so that it no longer reports them as violations in future reports. Accept only the changes you can account for; accepting an unexplained change quietly makes it part of the baseline.

  7. Update the Tripwire policy file

    If you need to change the list of files Tripwire monitors or how it treats integrity violations, update the sample policy file (/etc/tripwire/twpol.txt), regenerate a signed copy (/etc/tripwire/tw.pol), and update the Tripwire database to match the new policy.
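The seven steps above, as an added example in the form of a shell script; it is not part of this page or of the Tripwire or Red Hat distribution. The commands are the open-source Tripwire tools (twinstall.sh, tripwire, twprint) with the /etc/tripwire locations this page names. The database and report directory (/var/lib/tripwire, the usual default), the report file naming, the function names and the cron line are assumptions; confirm DBFILE and REPORTFILE in /etc/tripwire/twcfg.txt on your own system. Each step is a function, and nothing runs until you name a step on the command line.

```shell
#!/bin/sh
# Added example: the Tripwire configuration steps as shell functions.
# Run as root, one step at a time; signing and database steps prompt
# for the site or local passphrase.
set -u

TW_CFG_DIR=${TW_CFG_DIR:-/etc/tripwire}
TW_DB_DIR=${TW_DB_DIR:-/var/lib/tripwire}              # assumed default
TW_REPORT_DIR=${TW_REPORT_DIR:-$TW_DB_DIR/report}      # assumed default

# Newest report file.  Tripwire names reports <host>-<YYYYMMDD>-<HHMMSS>.twr
# (assumed from REPORTFILE in twcfg.txt); newest by mtime is the last check.
tw_latest_report() {
    ls -t "${1:-$TW_REPORT_DIR}"/*.twr 2>/dev/null | head -n 1
}

# Step 1: after editing twcfg.txt and twpol.txt, generate keys and sign both.
tw_install() {
    "$TW_CFG_DIR/twinstall.sh"
}

# Step 2: build the baseline database from the signed policy (local passphrase).
# Take this snapshot before the host is exposed; copy the resulting .twd file
# to offline or read-only media as a second line of defence against deletion.
tw_init() {
    tripwire --init
}

# Step 3: run an integrity check.  --email-report sends each rule's emailto
# addresses from the policy; a cron entry such as
#   0 4 * * * root /usr/sbin/tripwire --check --email-report   (assumed)
# automates it.
tw_check() {
    tripwire --check --email-report
}

# Step 4: print the newest report in readable form.
tw_report() {
    report=$(tw_latest_report)
    if [ -z "$report" ]; then
        echo "no report in $TW_REPORT_DIR; run a check first" >&2
        return 1
    fi
    twprint --print-report --twrfile "$report"
}

# Step 6: accept intended changes.  An editor opens with a [x] box per
# violation; clear the box for any change you cannot account for.
tw_update() {
    report=$(tw_latest_report)
    if [ -z "$report" ]; then
        echo "no report in $TW_REPORT_DIR; run a check first" >&2
        return 1
    fi
    tripwire --update --twrfile "$report"
}

# Step 7: re-sign the edited plain-text policy and rebuild the database
# against it in one step (prompts for site and local passphrases).
tw_update_policy() {
    tripwire --update-policy "$TW_CFG_DIR/twpol.txt"
}

case "${1:-}" in
    install) tw_install ;;
    init)    tw_init ;;
    check)   tw_check ;;
    report)  tw_report ;;
    update)  tw_update ;;
    policy)  tw_update_policy ;;
    "")      ;;    # no step named: just define the functions
    *)       echo "usage: $0 {install|init|check|report|update|policy}" >&2
             exit 2 ;;
esac
```

Step 5 has no function because it is a judgement call: investigate before restoring. Invoke the script as root with the step name, for example with the argument check, then report, then update once you have read the report.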

