Tripwire software can help to ensure the integrity of critical system files and directories by identifying all changes made to them. Tripwire configuration options include the ability to receive alerts via email if particular files are altered and automated integrity checking via a cron job. Using Tripwire for intrusion detection and damage assessment helps you keep track of system changes and can speed the recovery from a break-in by reducing the number of files you must restore to repair the system.
Tripwire compares files and directories against a baseline database of file locations, dates modified, and other data. It generates the baseline by taking a snapshot of specified files and directories in a known secure state. (For maximum security, Tripwire should be installed and the baseline created before the system is at risk from intrusion.) After creating the baseline database, Tripwire compares the current system to the baseline and reports any modifications, additions,
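To make the baseline-and-compare model concrete, here is a small added example (not Tripwire's own code and not from this guide) that builds a baseline of content hashes, sizes and modification times over a constructed temporary directory, then reports modifications, additions and deletions against it. The file names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Baseline database: one record per file under root, keyed by relative path.
    Records the content hash plus size and modification time, in the spirit of
    the data Tripwire stores for the files named in its policy."""
    db = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        db[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size,
            "mtime_ns": st.st_mtime_ns,
        }
    return db


def integrity_check(baseline: dict, current: dict) -> dict:
    """Compare a fresh snapshot against the baseline and classify every difference."""
    report = {"modified": [], "added": [], "deleted": []}
    for name, record in baseline.items():
        if name not in current:
            report["deleted"].append(name)
        elif current[name] != record:
            report["modified"].append(name)
    report["added"] = sorted(name for name in current if name not in baseline)
    return report


def demo() -> dict:
    """Walk the baseline-then-check cycle on constructed sample files in a
    temporary directory; no real system files are read or changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original program bytes")
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        baseline = snapshot(root)  # the "initialize the database" step
        # Simulated changes made after the baseline was taken.
        (root / "bin" / "ls").write_bytes(b"altered program bytes")   # modification
        (root / "passwd").unlink()                                      # deletion
        (root / "unexpected.bin").write_bytes(b"not in the baseline")  # addition
        return integrity_check(baseline, snapshot(root))  # the "integrity check" step


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```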
The following flowchart illustrates how Tripwire should be used:
Figure 10-1. How to Use Tripwire
The following steps should be taken to properly install, use and maintain
1. Install Tripwire and customize the policy file — If not already done, install the tripwire RPM (see the section called RPM Installation Instructions). Then, customize the sample configuration and policy (/etc/tripwire/twpol.txt) files and run the configuration script (/etc/tripwire/twinstall.sh). For more information, see the section called Post-Installation Instructions.

2. Initialize the Tripwire database — Build a database of critical system files to monitor based on the contents of the new, signed Tripwire policy file (/etc/tripwire/tw.pol). For more information, see the section called Initializing the Database.

3. Run a Tripwire integrity check — Compare the newly created Tripwire database with the actual system files, looking for missing or altered files. For more information, see the section called Running an Integrity Check.

4. Examine the Tripwire report file — View the Tripwire report file using twprint to note integrity violations. For more information, see the section called Printing Reports.

5. Take appropriate security measures — If monitored files have been altered inappropriately, you can either replace the originals from backups or reinstall the program.

6. Update the Tripwire database file — If the integrity violations are intentional and valid, such as if you intentionally edited a file or replaced a particular program, you should update Tripwire's database file so that it does not report them as violations in future reports. For more information, see the section called Updating the Database after an Integrity Check.

7. Update the Tripwire policy file — If you need to change the list of files Tripwire monitors or how it treats integrity violations, you should update your sample policy file (/etc/tripwire/twpol.txt), regenerate a signed copy (/etc/tripwire/tw.pol), and update your Tripwire database. For more information, see the section called Updating the Policy File.
Refer to the appropriate sections within this chapter for detailed instructions on these steps.