Chapter 11. Tripwire

Tripwire data integrity assurance software monitors the reliability of critical system files and directories by identifying changes made to them. Tripwire configuration options include the ability to receive alerts via email if particular files are altered and automated integrity checking via a cron job. Using Tripwire for intrusion detection and damage assessment helps you keep track of system changes. Because Tripwire can positively identify files that have been added, modified, or deleted, it can speed recovery from a break-in by keeping the number of files which must be restored to a minimum.

Tripwire compares files and directories against a database of file locations, dates modified, and other data. The database contains baselines, which are snapshots of specified files and directories at a specific point in time. The contents of the baseline database should be generated before the system is at risk of intrusion. After creating the baseline database, Tripwire then compares the current system to the baseline and reports any modifications, additions, or deletions.

While Tripwire is a valuable tool for auditing the security state of Red Hat Linux systems, Tripwire is not supported by Red Hat, Inc. Refer to the Tripwire project's website ( for more information about Tripwire.

How to Use Tripwire

The following flowchart illustrates how Tripwire works:

Figure 11-1. Using Tripwire

The following describes in more detail the numbered blocks shown in Figure 11-1

1. Install Tripwire and customize the policy file.

Install the tripwire RPM (the Section called Installing the Tripwire RPM). Then, customize the sample configuration and policy files (/etc/tripwire/twcfg.txt and /etc/tripwire/twpol.txt respectively) and run the configuration script, /etc/tripwire/ For more information, see the Section called Customizing Tripwire.

2. Initialize the Tripwire database.

Build a database of critical system files to monitor based on the contents of the new, signed Tripwire policy file, /etc/tripwire/tw.pol. For more information, see the Section called Initialize the Tripwire Database.

3. Run a Tripwire integrity check.

Compare the newly-created Tripwire database with the actual system files, looking for missing or altered files. For more information, see the Section called Running an Integrity Check.

4. Examine the Tripwire report file.

View the Tripwire report file using /usr/sbin/twprint to note integrity violations. For more information, see the Section called Viewing Tripwire Reports.

5. If unauthorized integrity violations occur, take appropriate security measures.

If monitored files have been altered inappropriately, you can either replace the original files from backup copies reinstall the program, or completely reinstall the operating system.

6. If the file alterations were valid, verify and update the Tripwire database file.

If the changes made to monitored files are intentional, edit Tripwire's database file to ignore those changes in subsequent reports. For more information, see the Section called Updating the Tripwire Database.

7. If the policy file fails verification, update the Tripwire policy file.

To change the list of files Tripwire monitors or how it treats integrity violations, update the supplied policy file (/etc/tripwire/twpol.txt), regenerate a signed copy (/etc/tripwire/tw.pol), and update the Tripwire database. For more information, see the Section called Updating the Tripwire Policy File.

Refer to the appropriate sections within this chapter for detailed instructions on each step.