Linux Security HOWTO : Files and Filesystem Security : Integrity Checking with Tripwire
Previous: File Permissions
Next: Trojan Horses

5.3. Integrity Checking with Tripwire

Another very good way to detect local (and also network) attacks on your system is to run an integrity checker like Tripwire. Tripwire computes a number of checksums over all your important binaries and config files and compares them against a database of earlier, known-good values that serves as the reference. Any change to those files is therefore flagged.

It's a good idea to install Tripwire onto a floppy, and then physically set the write protect on the floppy. This way intruders can't tamper with Tripwire itself or change the database. Once you have Tripwire set up, it's a good idea to run it as part of your normal security administration duties to see if anything has changed.

You can even add a crontab entry to run Tripwire from your floppy every night and mail you the results in the morning. Something like:

		# /etc/crontab format: minute hour day month weekday user command
		# set mailto
		MAILTO=kevin
		# run Tripwire
		15 05 * * * root /usr/local/adm/tcheck/tripwire
will mail you a report each morning at 5:15am.

Tripwire can be a godsend for detecting intruders before you would otherwise notice them. Since a lot of files change on the average system, you have to be careful to distinguish cracker activity from changes you made yourself.
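To make the mechanism described above concrete (a reference database of per-file checksums and attributes, a later scan, and a report of everything that differs), here is a small integrity checker written for this section. It is an added example, not Tripwire's code, and it does not use Tripwire's database format; the file names, the "integrity.db" name and the demo tree are constructed for illustration. It records owner, permission bits, size and a SHA-256 of each file, writes the baseline as JSON, and on a later run reports added, removed and changed files in a plain-text form that a cron job could mail, like the crontab entry above.

```python
import hashlib
import json
import os
import stat
import sys
import tempfile
from pathlib import Path

# Hypothetical minimal integrity checker written for this page; it is not
# Tripwire's code and does not read or write Tripwire's database format.


def file_record(path):
    """Attributes kept per file: permission bits, owner, size and a SHA-256 of
    the contents (link target for symlinks). A change in any of them is flagged."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec


def build_snapshot(roots):
    """Walk the given files and directories and record every entry found."""
    snap = {}
    for root in roots:
        root = str(root)
        if not os.path.isdir(root):
            snap[root] = file_record(root)
            continue
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                snap[p] = file_record(p)
    return snap


def save_db(snap, dbfile):
    with open(dbfile, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_db(dbfile):
    with open(dbfile) as f:
        return json.load(f)


def compare(baseline, current):
    """Report files that appeared, vanished, or whose recorded attributes differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for p in sorted(set(baseline) & set(current)):
        old, new = baseline[p], current[p]
        diff = {k: (old.get(k), new.get(k)) for k in set(old) | set(new)
                if old.get(k) != new.get(k)}
        if diff:
            changed[p] = diff
    return {"added": added, "removed": removed, "changed": changed}


def format_report(report):
    """Plain-text report, the kind a nightly cron job would mail out."""
    lines = [f"ADDED    {p}" for p in report["added"]]
    lines += [f"REMOVED  {p}" for p in report["removed"]]
    for p, diff in report["changed"].items():
        fields = ", ".join(f"{k}: {a!r} -> {b!r}" for k, (a, b) in sorted(diff.items()))
        lines.append(f"CHANGED  {p}  ({fields})")
    return "\n".join(lines) if lines else "No changes detected."


def demo():
    """Constructed scenario: baseline a small tree, alter it, compare.
    Returns the report with paths made relative to the temporary root."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = Path(tmp) / "bin"
        bindir.mkdir()
        for name in ("ls", "ps"):  # two stand-in "binaries"
            (bindir / name).write_bytes(b"#!/bin/sh\nexec /bin/" + name.encode() + b' "$@"\n')
            os.chmod(bindir / name, 0o755)
        dbfile = os.path.join(tmp, "integrity.db")
        save_db(build_snapshot([bindir]), dbfile)       # the known-good reference
        # Changes an administrator would want flagged on the next run:
        with open(bindir / "ls", "ab") as f:            # contents altered
            f.write(b"# appended line\n")
        os.chmod(bindir / "ls", 0o700)                  # permission bits altered
        (bindir / "ps").unlink()                        # file removed
        (bindir / "login").write_bytes(b"new file\n")   # file added
        report = compare(load_db(dbfile), build_snapshot([bindir]))
        rel = lambda p: os.path.relpath(p, tmp)
        return {"added": [rel(p) for p in report["added"]],
                "removed": [rel(p) for p in report["removed"]],
                "changed": {rel(p): sorted(d) for p, d in report["changed"].items()}}


if __name__ == "__main__":
    # Usage: integrity.py init DBFILE PATH...   |   integrity.py check DBFILE PATH...
    if len(sys.argv) < 4:
        print(demo())
    elif sys.argv[1] == "init":
        save_db(build_snapshot(sys.argv[3:]), sys.argv[2])
    elif sys.argv[1] == "check":
        print(format_report(compare(load_db(sys.argv[2]), build_snapshot(sys.argv[3:]))))
```

The same caveat the section makes applies here: after an intended upgrade or edit, re-run `init` so the database reflects the new known-good state, otherwise every later report repeats your own changes alongside anything suspicious. The baseline file and the checker itself should live somewhere the system cannot write to (the write-protected floppy in the text), because a checker that trusts a writable database can be silenced by rewriting that database.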

You can find Tripwire at http://www.tripwiresecurity.com, free of charge. Manuals and support can be purchased.
