Google Site SearchFN Site Search FN Blog Login FN Blog Login
Site Navigation:
 
 

Tripwire on your Fedora Box

by Krishnan Subramanian

Updated 2004-03-02 with info on new version. See the last page for details.

Introduction

Tripwire is an Intrusion Detection System. This can be used to alert users whenever their system is compromised. Tripwire detects and reports changes in system files. It will alert you through email whenever a change is detected. If the change is due to normal system activity, you can instruct Tripwire not to report the change to that file in future. If the change is not due to normal system activity, then it is a clear indication that something is wrong and you need to act immediately and fix the issue. Thus tripwire comes very handy to maintain the integrity of the system.

There is lot of information on the web about Tripwire. Some people might argue that AIDE (Advanced Intrusion Detection Environment) is better than tripwire and so on. This comparison is beyond the scope of this article. This is an introductory article for novice users who are interested in installing Tripwire on their Fedora Box. Advanced users can refer to the web for relevant information or they can contact appropriate mailing lists like fedora users mailing list.

Before we go further in this article, I want to summarize the whole process of installing, configuring tripwire and checking the file system.

  • Install Tripwire
  • Initialize Tripwire database
  • Run Tripwire check whenever needed
  • Examine the tripwire report
  • Check for changes in file system and take appropriate actions
  • Analyse whether your existing configuration is good enough for your system. If not, edit your policy file (twpol.txt) and update the file signature database to reflect the changes that you have made to the policy file