Monitoring file integrity with FC4 - Tripwire??

Ian Harris mogplus8 at bigpond.net.au
Sat Oct 1 22:53:55 UTC 2005


On Sat, 1 Oct 2005 01:46 pm, Scot L. Harris wrote:
> On Fri, 2005-09-30 at 20:42, Ian wrote:
> > I'd never heard of Tripwire before, but it sounds like the ultimate
> > virus defence to me. Can it stop programs from running if they have
> > been changed without Tripwire being told? Or do you just get told when
> > a file has been modified (via the cron job, by which time it's
> > probably too late)?
> > The second thought that occurred to me was that, if a virus was trying
> > to modify system files, wouldn't it also attempt to update the
> > Tripwire database to match, so Tripwire wouldn't flag the change?
> > Could that be prevented? Does Tripwire monitor itself???
> > Ian
>
> It is not a virus defense, it is a host based intrusion detection tool.
> Tripwire's purpose is to periodically examine files specified in the
> policy file and report any differences.  These differences are an
> indication that something was changed.  If you are unable to trace the
> cause to a system update or modification that you performed then it may
> be an indication that someone else has modified files on your system.
> In the past I have used things like Big Brother to examine the tripwire
> reports and alarm if a violation is indicated.
>
> Tripwire will not stop programs from running, you should look to selinux
> to provide that kind of protection.  Selinux will prevent a program from
> trying to change files or perform operations that are not authorized by
> the policy on the system.
>
> That is where having the policy and database files used by tripwire
> signed by a key comes in.  In order to update the database you must
> enter the pass phrase used for the system.  It is also a good idea to
> have tripwire monitor its own executables and files so you will get
> notified if those are changed.
>
> Understand that tripwire is an IDS, it lets you know when something
> appears to have changed.  It is not a magic bullet but one part of a
> system you can use to help protect your system.
>
> Also note that tripwire is not prelink aware.  You can scare yourself
> pretty badly if you set up a new system, configure tripwire, and then
> come back the next day and most of the files in the system are flagged
> as being changed.  :)

Thanks for that Scot, looks like I'm going to have to study the selinux
manual!
Ian
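As an added illustration of the two points Scot makes above (a baseline database that a later check is compared against, and a database protected by a key so that an intruder who rewrites it to match his changes is still caught), here is a small Python checker. It is not from the thread and not Tripwire's own code: Tripwire signs its database with site and local keys, whereas this stand-in uses an HMAC-SHA256 keyed from a passphrase, and the function names (`init_database`, `check`, `demo`) and the sample "binaries" it creates in a temp directory are assumptions made for the example.

```python
"""Toy file-integrity checker in the spirit of Tripwire (illustration only).

Two ideas from the thread:
  * a baseline database of file hashes that a later check is compared against
    (like `tripwire --init` followed by `tripwire --check`);
  * the database is protected by a key, so an intruder who edits files and
    rewrites the database to match is still caught at the next check.
Tripwire signs its database with site/local keys; the stand-in here is an
HMAC-SHA256 keyed from a passphrase (an assumption made for this example).
"""
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_record(path):
    """Per-file record: content digest plus some of the inode metadata a
    Tripwire policy can also watch. Note that a content digest is exactly
    what prelink invalidates when it rewrites binaries, which is the source
    of the false positives mentioned in the thread."""
    st = os.lstat(path)
    return {"sha256": file_digest(path), "mode": st.st_mode,
            "uid": st.st_uid, "size": st.st_size}


def _mac(payload, passphrase):
    return hmac.new(passphrase.encode(), payload, hashlib.sha256).hexdigest()


def init_database(paths, passphrase):
    """Record every policed file and authenticate the result with the key."""
    records = {p: file_record(p) for p in paths}
    payload = json.dumps(records, sort_keys=True).encode()
    return {"records": records, "mac": _mac(payload, passphrase)}


def check(database, passphrase):
    """Compare the live files against the database.

    Returns (db_authentic, changed_paths). If the stored MAC does not verify,
    the database itself was tampered with (or the passphrase is wrong) and
    its contents cannot be trusted; treat that run as a violation even if
    the file comparison reports nothing.
    """
    payload = json.dumps(database["records"], sort_keys=True).encode()
    authentic = hmac.compare_digest(_mac(payload, passphrase), database["mac"])
    changed = []
    for path, old in database["records"].items():
        if not os.path.lexists(path) or file_record(path) != old:
            changed.append(path)
    return authentic, sorted(changed)


def demo():
    """Constructed scenario: three fake 'system binaries' in a temp directory,
    one of them later trojaned, and an intruder who then rewrites the
    database to match without knowing the passphrase."""
    tmp = tempfile.mkdtemp()
    paths = []
    for name in ("ls", "ps", "tripwire"):
        p = os.path.join(tmp, name)
        with open(p, "wb") as f:
            f.write(b"original binary " + name.encode())
        paths.append(p)
    db = init_database(paths, "site passphrase")
    clean = check(db, "site passphrase")            # (True, [])

    # Intruder trojans ps: content and size now differ from the baseline.
    with open(paths[1], "ab") as f:
        f.write(b" + backdoor")
    trojaned = check(db, "site passphrase")         # (True, [<tmp>/ps])

    # Intruder also rewrites the database to cover tracks, but cannot
    # recompute the MAC without the passphrase, so the check flags the DB.
    forged = dict(db)
    forged["records"] = {p: file_record(p) for p in paths}
    covered_up = check(forged, "site passphrase")   # (False, [])
    return clean, trojaned, covered_up, paths


if __name__ == "__main__":
    print(demo()[:3])
```

The third result is the one worth noticing: the file comparison is silent, because the forged records match the modified files, but the failed MAC is what tells you the database was edited behind your back. That is why the reply above says the database should be updated only with the pass phrase, and why Tripwire should police its own executables and files as well.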