Monitoring file integrity with FC4 - Tripwire??

Scot L. Harris webid at cfl.rr.com
Sat Oct 1 03:46:07 UTC 2005


On Fri, 2005-09-30 at 20:42, Ian wrote:
> I'd never heard of Tripwire before, but it sounds like the ultimate
> virus defence to me. Can it stop programs from running if they have
> been changed without Tripwire being told? Or do you just get told when
> a file has been modified (via the cron job, by which time it's
> probably too late)?
> The second thought that occurred to me was that, if a virus was trying
> to modify system files, wouldn't it also attempt to update the
> Tripwire database to match, so Tripwire wouldn't flag the change?
> Could that be prevented? Does Tripwire monitor itself???
> Ian

It is not a virus defense; it is a host-based intrusion detection tool. 
Tripwire's purpose is to periodically examine files specified in the
policy file and report any differences.  These differences are an
indication that something was changed.  If you are unable to trace the
cause to a system update or modification that you performed then it may
be an indication that someone else has modified files on your system. 
In the past I have used things like Big Brother to examine the tripwire
reports and alarm if a violation is indicated.

Tripwire will not stop programs from running; you should look to selinux
to provide that kind of protection.  Selinux will prevent a program from
trying to change files or perform operations that are not authorized by
the policy on the system.

That is where having the policy and database files used by tripwire
signed by a key comes in.  In order to update the database you must enter the
pass phrase used for the system.  It is also a good idea to have
tripwire monitor its own executables and files so you will get notified
if those are changed.

Understand that tripwire is an IDS, it lets you know when something
appears to have changed.  It is not a magic bullet but one part of a
system you can use to help protect your system.  

Also note that tripwire is not prelink aware.  You can scare yourself
pretty badly if you set up a new system, configure tripwire, and then come
back the next day and most of the files in the system are flagged as
being changed.  :)
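
As an added illustration of the points made in this reply (this is not Tripwire's own code and was not part of the original message), the following Python sketch models a Tripwire-style checker: a baseline database of file hashes built from a policy list, sealed with an HMAC whose key is derived from a pass phrase, with the checker's own executable included in the policy. The file names, the pass phrases, the fixed PBKDF2 salt and round count, and the sample file contents are all constructed assumptions for the demonstration. The walk-through shows a clean check, a check after a monitored file is edited, and a check after an intruder has both replaced the checker and rewritten the database to match, without knowing the pass phrase.

```python
"""Minimal Tripwire-style integrity checker (added illustration, not Tripwire's code).

Models three points from the reply above:
  * a baseline ("database") of file hashes taken from a policy list;
  * the baseline is sealed with an HMAC keyed by a pass phrase, so whoever
    alters monitored files cannot also rewrite the database to match
    unless they have the pass phrase;
  * the checker's own executable is in the policy, so tampering with it
    is reported too.
"""
import hashlib
import hmac
import json
import os
import tempfile

PBKDF2_ROUNDS = 100_000        # assumed value for the illustration
DB_SALT = b"tw-db-salt"        # fixed salt is an assumption; a real tool stores a random one


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def derive_key(passphrase):
    """Derive the database signing key from the pass phrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), DB_SALT, PBKDF2_ROUNDS)


def seal(entries, key):
    """HMAC over the canonical JSON form of the hash table."""
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, "sha256").hexdigest()


def init_database(policy, db_path, passphrase):
    """Take the baseline: hash every file in the policy and seal the result."""
    entries = {p: file_digest(p) for p in policy if os.path.isfile(p)}
    tag = seal(entries, derive_key(passphrase))
    with open(db_path, "w") as f:
        json.dump({"entries": entries, "hmac": tag}, f, sort_keys=True)


def check(policy, db_path, passphrase):
    """Compare live files against the sealed baseline.

    Returns a dict with:
      database_ok -- False if the database was rewritten by someone without the pass phrase
      changed / added / removed -- paths whose state differs from the baseline
    If database_ok is False the other lists cannot be trusted: the baseline itself is suspect.
    """
    with open(db_path) as f:
        stored = json.load(f)
    baseline = stored["entries"]
    database_ok = hmac.compare_digest(seal(baseline, derive_key(passphrase)), stored["hmac"])
    live = {p: file_digest(p) for p in policy if os.path.isfile(p)}
    return {
        "database_ok": database_ok,
        "changed": sorted(p for p in live if p in baseline and live[p] != baseline[p]),
        "added": sorted(p for p in live if p not in baseline),
        "removed": sorted(p for p in baseline if p not in live),
    }


def _write(path, data, mode="w"):
    with open(path, mode) as f:
        f.write(data)


def run_scenario():
    """Constructed walk-through in a temp dir; returns (clean, after_change, after_tamper)."""
    d = tempfile.mkdtemp()
    passwd = os.path.join(d, "passwd")         # stands in for a monitored system file
    checker = os.path.join(d, "tripwire")      # stands in for the checker's own executable
    db_path = os.path.join(d, "tripwire.twd")
    policy = [passwd, checker]                 # the checker monitors itself as well
    _write(passwd, "root:x:0:0:root:/root:/bin/bash\n")
    _write(checker, b"#!/bin/sh\necho check\n", "wb")
    init_database(policy, db_path, "correct horse")

    clean = check(policy, db_path, "correct horse")

    # 1. something appends a uid-0 account to the monitored file
    _write(passwd, "hax:x:0:0::/:/bin/sh\n", "a")
    after_change = check(policy, db_path, "correct horse")

    # 2. the intruder rewrites the database entry to match and re-seals it with a
    #    guessed pass phrase, and also replaces the checker binary
    with open(db_path) as f:
        stored = json.load(f)
    stored["entries"][passwd] = file_digest(passwd)
    stored["hmac"] = seal(stored["entries"], derive_key("guess"))
    _write(db_path, json.dumps(stored, sort_keys=True))
    _write(checker, b"#!/bin/sh\necho all fine\n", "wb")
    after_tamper = check(policy, db_path, "correct horse")

    return clean, after_change, after_tamper


if __name__ == "__main__":
    for name, report in zip(("clean", "after change", "after tamper"), run_scenario()):
        print(name, report)
```

In the tampered case the edited passwd file is no longer reported as changed, because the forged database now agrees with it; what gives the intrusion away is the failed seal check and the changed checker binary. That is the reason the reply recommends both a key-protected database and monitoring tripwire's own files. Real Tripwire does this with two keys: the site key signs the policy and configuration (twadmin --create-polfile) and the local key signs the database and reports, with tripwire --init, tripwire --check and tripwire --update prompting for the relevant pass phrase. The same hashing is why the prelink warning above holds: a hash comparison cannot tell a prelink rewrite from a hostile one, so every prelinked binary shows up as changed until the database is updated.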
