Chapter 12. Installing and Configuring Tripwire

Tripwire software can help to ensure the integrity of critical system files and directories by identifying all changes made to them. Tripwire configuration options include the ability to receive alerts via email if particular files are altered and automated integrity checking via a cron job. Using Tripwire for intrusion detection and damage assessment helps you keep track of system changes and can speed the recovery from a break-in by reducing the number of files you must restore to repair the system.

Tripwire compares files and directories against a baseline database of file locations, dates modified, and other data. It generates the baseline by taking a snapshot of specified files and directories in a known secure state. (For maximum security, Tripwire should be installed and the baseline created before the system is at risk from intrusion.) After creating the baseline database, Tripwire compares the current system to the baseline and reports any modifications, additions, or deletions.
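As an added illustration of the baseline-then-compare mechanism described above (example code, not Tripwire's own), the following Python takes a snapshot of a constructed directory tree, alters it, and reports the additions, deletions and modifications; unlike a real Tripwire database, this baseline is a plain in-memory dictionary and is not signed.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Record, for every regular file under root, the attributes a
    Tripwire-style baseline compares: size, mtime and a content digest.
    Paths are stored relative to root so the baseline is portable."""
    db = {}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            db[str(path.relative_to(root))] = (st.st_size, st.st_mtime_ns, digest)
    return db


def integrity_check(baseline, current):
    """Compare a fresh snapshot against the baseline and classify every
    difference as added, removed or modified (any recorded attribute differs)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a small tree in a known state, then
    edit one file, delete one and add one, as a real system change would."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root) / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/bash\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)  # corresponds to initializing the database
        # Changes after the baseline: an edited file, a removed file, a new file.
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/bash\n"
                                    "alice:x:1000:1000::/home/alice:/bin/bash\n")
        (etc / "hosts").unlink()
        (etc / "newfile").write_text("added after the baseline\n")
        return integrity_check(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```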

Warning
While a valuable tool when auditing the security state of your system, Tripwire is not supported by Red Hat, Inc. Contact Tripwire, Inc., (http://www.tripwire.com) for support options.

How to Use Tripwire

The following flowchart illustrates how Tripwire should be used:

Figure 12-1. How to Use Tripwire

The following steps should be taken to properly install, use and maintain Tripwire:

  1. Install Tripwire and customize the policy file — If not already done, install the tripwire RPM (see the Section called RPM Installation Instructions). Then, customize the sample configuration (/etc/tripwire/twcfg.txt) and policy (/etc/tripwire/twpol.txt) files and run the configuration script (/etc/tripwire/twinstall.sh). For more information, see the Section called Post-Installation Instructions.

  2. Initialize the Tripwire database — Build a database of critical system files to monitor based on the contents of the new, signed Tripwire policy file (/etc/tripwire/tw.pol). For more information, see the Section called Initializing the Database.

  3. Run a Tripwire integrity check — Compare the newly-created Tripwire database with the actual system files, looking for missing or altered files. For more information, see the Section called Running an Integrity Check.

  4. Examine the Tripwire report file — View the Tripwire report file using twprint to note integrity violations. For more information, see the Section called Printing Reports.

  5. Take appropriate security measures — If monitored files have been altered inappropriately, you can either replace the originals from backups or reinstall the program.

  6. Update the Tripwire database file — If the integrity violations are intentional and valid, for example because you deliberately edited a file or replaced a particular program, you should update Tripwire's database file so that it no longer reports them as violations in future reports. For more information, see the Section called Updating the Database after an Integrity Check.

  7. Update the Tripwire policy file — If you need to change the list of files Tripwire monitors or how it treats integrity violations, you should update your sample policy file (/etc/tripwire/twpol.txt), regenerate a signed copy (/etc/tripwire/tw.pol), and update your Tripwire database. For more information, see the Section called Updating the Policy File.

Refer to the appropriate sections within this chapter for detailed instructions on these steps.