Tripwire
Another very good way to detect local (and also network) attacks on
your system is to run an integrity checker like Tripwire.
Tripwire computes checksums of all your important binaries and
config files and compares them against a database of former,
known-good values. Any change to those files (contents, permissions,
ownership, and so on) is flagged the next time the check runs. Note
that the database is only as trustworthy as the system it was built
on: generate it right after installation, before the machine is
exposed to the network.
It's a good idea to install Tripwire onto a floppy, and then
physically set the write protect on the floppy. This way intruders
can't tamper with the Tripwire binary itself or change the database.
Bear in mind that the checker still runs on top of the host's kernel
and libraries, so a read-only copy protects the tool and its data but
not the environment it executes in. Once you have Tripwire set up,
run it as part of your normal security administration duties to see
if anything has changed, and regenerate the database (from the
write-protected copy) after each legitimate change you make.
You can even add a crontab entry to run Tripwire from your floppy
every night and mail you the results in the morning. Something like
the following in /etc/crontab (the system crontab, whose entries take a
user name before the command; adjust the path to wherever the floppy
is mounted):
# set mailto
MAILTO=kevin
# run Tripwire
15 05 * * * root /usr/local/adm/tcheck/tripwire
will mail you a report each morning at 5:15am.
Tripwire can be a godsend for detecting intruders before you would
otherwise notice them. Since a lot of files change on the average
system (package upgrades, log rotation, your own edits), you have to
be careful to separate cracker activity from your own doing, and to
keep the database current so that old, legitimate changes do not
bury a new, malicious one.
You can find Tripwire at http://www.tripwiresecurity.com,
free of charge. Manuals and support can be purchased.