Tripwire software can help to ensure the integrity of critical system files and directories by identifying all changes made to them. Tripwire configuration options include the ability to receive alerts via email if particular files are altered and automated integrity checking via a cron job. Using Tripwire for intrusion detection and damage assessment helps you keep track of system changes and can speed the recovery from a break-in by reducing the number of files restore to repair the system.
Tripwire compares files and directories against a baseline database of file locations, dates modified, and other data. It generates the baseline by taking a snapshot of specified files and directories in a known secure state. (For maximum security, Tripwire should be installed and the baseline created before the system is at risk from intrusion.) After creating the baseline database, Tripwire compares the current system to the baseline and reports any modifications, additions, or deletions.
- Install Tripwire and customize the policy file
If not already done, install the tripwire RPM (see the section called RPM Installation Instructions). Then, customize the sample configuration ( /etc/tripwire/twcfg.txt) and policy ( /etc/tripwire/twpol.txt) files and run the configuration script ( /etc/tripwire/twinstall.sh).
- Initialize the Tripwire database
Build a database of critical system files to monitor based on the contents of the new, signed Tripwire policy file ( /etc/tripwire/tw.pol).
- Run a Tripwire integrity check
Compare the newly-created Tripwire database with the actual system files, looking for missing or altered files.
- Examine the Tripwire report file
View the Tripwire report file using twprint to note integrity violations.
- Take appropriate security measures
If monitored files have been altered inappropriately, you can either replace the originals from backups or reinstall the program.
- Update the Tripwire database file
If the integrity violations are intentional and valid, such as if you intentionally edited a file or replaced a particular program, you should tell Tripwire's database file to not report them as violations in future reports.
- Update the Tripwire policy file
If you need to change the list of files Tripwire monitors or how it treats integrity violations, you should update your sample policy file ( /etc/tripwire/twpol.txt), regenerate a signed copy (/etc/tripwire/tw.pol), and update your Tripwire database.