Tuesday, January 25, 2005
Use Tripwire for integrity checking
Verifying that the files on a system have not been altered is a crucial part of system security, but without an integrity-checking tool such as Tripwire it is a daunting, largely manual task.
Tripwire makes it manageable. It records cryptographic hashes and attributes (permissions, ownership, size, timestamps) of the files and directories you name in its policy, stores them in a database signed with your local key, and lets you periodically compare the live system against that baseline so that unexpected changes stand out.
Tripwire is easy to run once it is set up, but the setup itself takes some time, mostly spent tuning the policy to your system. That investment pays for itself the first time you need to establish whether a system has been tampered with, which otherwise means checking files by hand.
Many Linux vendors ship Tripwire, so you may be able to install it from RPM or DEB packages. Once installed, run the twinstall.sh script to generate the site and local keys: the site key protects the configuration and policy files, the local key protects the database and reports. Choose strong passphrases, because anyone who can sign a new database can hide changes from you.
The default Tripwire policy file will likely produce many "file not found" errors for files that do not exist on your system, and it may not cover everything you want to watch. Edit it with your favorite editor to match your system and requirements. On Mandrake Linux, the clear-text policy file is /etc/tripwire/twpol.txt.
If you modify the policy after creating the initial database, edit the clear-text copy (twpol.txt) and regenerate the signed policy file with:
# twadmin --create-polfile --cfgfile /etc/tripwire/tw.cfg --site-keyfile /etc/tripwire/site.key /etc/tripwire/twpol.txt
Then initialize the database again so the baseline matches the new policy:
# tripwire --init
Re-initializing discards the old baseline, so only do this on a system you trust to be clean; otherwise an existing compromise becomes part of the baseline and is never reported.
Finally, create a cron job (for example, a script in /etc/cron.daily) that runs the Tripwire check once a day and mails or logs the report:
# tripwire --check
Bear in mind that an attacker with root can alter the tripwire binary and the key files as easily as anything else, so keep copies of the binaries, keys and database on read-only media or another host and compare against them from time to time.
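To make the baseline-and-check cycle concrete, here is a small added example (not Tripwire's own code, and far simpler than it) that does what the steps above describe: it hashes the files under a directory, stores the result in a database protected by an HMAC under a key that stands in for the local key, and on a later run reports files that were added, removed or changed while refusing to trust a database whose authenticator no longer verifies. The directory layout, file contents and key in demo() are constructed for the example.

```python
"""Toy model of an integrity checker in the style of Tripwire (added example).
Real Tripwire signs its database with an asymmetric local key; an HMAC with a
shared secret stands in for that here so the block runs stand-alone."""

import hashlib
import hmac
import json
import os
import stat
import tempfile


def _file_record(path: str) -> dict:
    """Collect the attributes a policy typically watches: mode, owner, size
    and a SHA-256 of the content (empty hash for non-regular files)."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
            "size": st.st_size, "sha256": h.hexdigest()}


def scan(root: str) -> dict:
    """Walk root and build {relative path: record} for every file under it."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            records[os.path.relpath(full, root)] = _file_record(full)
    return records


def init_database(root: str, key: bytes) -> bytes:
    """Analogue of 'tripwire --init': serialize the baseline and authenticate it."""
    body = json.dumps(scan(root), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"records": body.decode(), "hmac": tag}).encode()


def load_database(blob: bytes, key: bytes) -> dict:
    """Reject a database whose HMAC does not verify (tampered, or wrong key)."""
    outer = json.loads(blob)
    body = outer["records"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, outer["hmac"]):
        raise ValueError("database integrity check failed")
    return json.loads(body)


def check(root: str, blob: bytes, key: bytes) -> dict:
    """Analogue of 'tripwire --check': diff the live tree against the baseline."""
    baseline = load_database(blob, key)
    current = scan(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(current) & set(baseline)
                          if current[p] != baseline[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline three files, then modify one, delete one,
    add one, and finally try to rewrite the stored baseline without the key."""
    key = b"stand-in-for-the-local-key"  # hypothetical key, constructed for the demo
    with tempfile.TemporaryDirectory() as root:
        seed = {"bin/ls": b"ls v1", "etc/passwd": b"root:x:0:0", "etc/motd": b"hello"}
        for name, data in seed.items():
            os.makedirs(os.path.dirname(os.path.join(root, name)), exist_ok=True)
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        db = init_database(root, key)

        # Simulate an intrusion: trojaned binary, removed file, new preload hook.
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"ls v1 + backdoor")
        os.remove(os.path.join(root, "etc/motd"))
        with open(os.path.join(root, "etc/ld.so.preload"), "wb") as f:
            f.write(b"/tmp/evil.so")
        report = check(root, db, key)

        # The intruder edits the database to match the new state but cannot
        # recompute the HMAC without the key, so the check refuses it.
        tampered = json.loads(db)
        tampered["records"] = json.dumps(scan(root), sort_keys=True)
        try:
            load_database(json.dumps(tampered).encode(), key)
            report["tamper_detected"] = False
        except ValueError:
            report["tamper_detected"] = True
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the toy makes is the same one that matters for Tripwire: the check is only as good as the secrecy of the key that authenticates the baseline and the cleanliness of the system when the baseline was taken. The real tool adds the policy language, per-property rules and signed reports on top of this core.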
For more information, check out the Tripwire Web site.