Article: Tripwire for Linux File Integrity

by Ken Dennis

What is Tripwire?

Tripwire is a form intrusion detection system (IDS) that helps you keep tabs on the integrity of the files on your computer. Quite simply it will help identify files or modifications made to your system in the event someone compromised your system.

How does Tripwire work?

Tripwire works on a pretty easy to understand concept. Basically, when you install Tripwire on your linux box you tell it to scan your system and create a database of checksums and information. Once you have a good reference point or database setup, you then scan your system on a regular basis for modifications to your file system.

Why would I want run a file system integrity software?

If you have ever had your system compromised by a cracker, it's an extremely frustrating time. You never know what they have done, where they have been, or what files they have modified or installed. This type of application helps in the recovery process. Quite often crackers will installed a group of applications on your system called a rootkit. A rootkit overwrites many of your commonly used system files to help hide the tracks of the cracker, or leave a backdoor on your system so he can return at a later date. Often the types of files modified are ones such as ps and netstat. By installing their own version of applications like these they can hide the fact there is additional daemons and processes running the background.

How do I put Tripwire to practical use?

Tripwire can be configured to send you emails at a set time interval via Sendmail or SMTP. On small systems it wouldn't be unreasonable to have your system checked several times a day and have Tripwire email you the results. If you don't want the results emailed you can store the information in a file for later review. I believe it is a handy tool to have the logs emailed to you, so a problem can be quickly identified.

Thought Tripwire won't protect you from hackers, it will help you identify the level of which your system has been compromised and if scanned at regular time intervals should help you reduce the amount of time for which your system has been compromised. If your system has been broken in to, then the best thing to do is isolate the machine from the network and rebuilt it from know good backups and try to determine the method of entry.

Ken Dennis

Related Resources