Monitoring file integrity with FC4 - Tripwire??

Ian mogplus8 at bigpond.net.au
Mon Oct 3 01:41:43 UTC 2005



Scot L. Harris wrote:

>On Sat, 2005-10-01 at 18:53, Ian Harris wrote:
>
>>On Sat, 1 Oct 2005 01:46 pm, Scot L. Harris wrote:
>>
>>>It is not a virus defense, it is a host based intrusion detection tool.
>>>Tripwire's purpose is to periodically examine files specified in the
>>>policy file and report any differences.  These differences are an
>>>indication that something was changed.  If you are unable to trace the
>>>cause to a system update or modification that you performed then it may
>>>be an indication that someone else has modified files on your system.
>>>In the past I have used things like Big Brother to examine the tripwire
>>>reports and alarm if a violation is indicated.
>>>
>>>Tripwire will not stop programs from running, you should look to selinux
>>>to provide that kind of protection.  Selinux will prevent a program from
>>>trying to change files or perform operations that are not authorized by
>>>the policy on the system.
>>>
>>>That is where having the policy and database files used by tripwire
>>>signed by a key.  In order to update the database you must enter the
>>>pass phrase used for the system.  It is also a good idea to have
>>>tripwire monitor its own executables and files so you will get notified
>>>if those are changed.
>>>
>>>Understand that tripwire is an IDS, it lets you know when something
>>>appears to have changed.  It is not a magic bullet but one part of a
>>>system you can use to help protect your system.
>>>
>>>Also note that tripwire is not prelink aware.  You can scare yourself
>>>pretty badly if you set up a new system, configure tripwire and then come
>>>back the next day and most of the files in the system are flagged as
>>>being changed.  :)
>>>
>>Thanks for that Scot, looks like I'm going to have to study the selinux 
>>manual!
>>Ian
>>
>
>If you are looking at security of your system start thinking about it in
>layers.  Start with a good firewall and set it to block things coming in
>as well as going out.  Only allow those things that you need to use.
>
>Use iptables on your servers.  This acts as a second firewall layer.  
>
>Set up tripwire which will alert you that something has changed.  This
>will reduce the amount of time that someone may have access to your
>system.
>
>Enable selinux.  With the right policy this should limit potential
>damage and exposure should someone manage to execute code on your
>system.
>
>Use good passwords.  Disable all services you don't need/use.
>
>Review your log files regularly, read root's email.
>
>If you want to get really paranoid you can set up snort.  Snort is a
>network intrusion detection tool (depending on how it is configured it
>could be an intrusion prevention system).  It can notify when it sees
>odd things on your network.  It can also be configured to reactively
>modify firewall rules in response to perceived threats.  Similar lighter
>weight apps like this include portsentry which can be used on individual
>hosts.
>
>Think of security as having multiple layers.  That way if someone
>penetrates one layer they should be blocked by another.  To do damage
>someone would have to penetrate your firewall, iptables, selinux,
>evade tripwire, break passwords, and elude snort.  Most hackers will
>move on to other systems that are not protected as well.  And for the
>most part that is what you want to achieve.  Make your system just a
>little harder to crack than the next on the Internet.
>
Excellent advice. I don't have any servers or a network though, my PC is 
just a home PC connected directly to the net.
At one stage I had a home network set up with Smoothwall on a dedicated 
PC, which had snort enabled. I used to check the logs occasionally, and 
I was always gobsmacked at how many attempts to hack the box were 
recorded. Hundreds a day sometimes.
Cheers, Ian
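What Scot describes above (snapshot the files named in a policy, re-examine them later and report differences, keep the database sealed under a passphrase, and expect prelink to churn content hashes) sketched in Python. This is an added illustration, not Tripwire's code; the salt, the PBKDF2 iteration count and the use of an HMAC in place of Tripwire's key signing are assumptions of the sketch.

```python
import hashlib, hmac, json, os, stat

SALT = b"constructed-salt"  # assumption: fixed salt for this illustration only


def snapshot(path):
    """Record what such tools compare per file: mode, owner, size and a content hash."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def _mac(policy, db, passphrase):
    """Keyed digest over policy and database, standing in for Tripwire's key signing."""
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), SALT, 50_000)
    body = json.dumps({"policy": policy, "db": db}, sort_keys=True).encode()
    return hmac.new(key, body, "sha256").hexdigest()


def build_baseline(policy, passphrase):
    """Snapshot every policy path that exists and seal the result with the passphrase."""
    policy = sorted(policy)
    db = {p: snapshot(p) for p in policy if os.path.lexists(p)}
    return {"policy": policy, "db": db, "mac": _mac(policy, db, passphrase)}


def check(baseline, passphrase):
    """Re-examine the policy paths and report differences; refuse a tampered baseline."""
    expected = _mac(baseline["policy"], baseline["db"], passphrase)
    if not hmac.compare_digest(expected, baseline["mac"]):
        raise ValueError("baseline fails its integrity check: treat it as tampered")
    report = {"added": [], "removed": [], "changed": {}}
    for p in baseline["policy"]:
        was, now = baseline["db"].get(p), (snapshot(p) if os.path.lexists(p) else None)
        if was is None and now is not None:
            report["added"].append(p)
        elif was is not None and now is None:
            report["removed"].append(p)
        elif was is not None:
            # sha256 changing on nearly every binary right after prelink runs is the
            # prelink effect Scot warns about, not an intrusion: re-baseline after it.
            diff = sorted(k for k in was if was[k] != now.get(k))
            if diff:
                report["changed"][p] = diff
    return report
```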