Tripwire

Tripwire is a host-based file integrity checker. It builds a database of files and their properties (permissions, ownership, size, timestamps, inode number and one or more cryptographic checksums) to serve as a trusted baseline; later runs compare the live filesystem against that baseline and report anything added, removed or modified. The idea is that you can see whether anyone has been tampering with your system. Two caveats follow from that: the baseline is only as good as the system it was taken from, so initialise it on a freshly installed host before it goes on the network; and the database, policy and configuration are signed with keys generated at install time, so the passphrases protecting those keys must be chosen well and kept off the host.

Tripwire is available as Open Source for Linux; for commercial Unixes you have to pay. See http://www.tripwire.com for details.

Installing tripwire for Linux

  1. Download the RPM and install it: rpm -ivh package-name

  2. Run /etc/tripwire/twinstall.sh. This prompts for a site passphrase and a local passphrase, generates the site and local keys they protect, and uses them to sign the configuration file (twcfg.txt becomes tw.cfg) and the policy file (twpol.txt becomes tw.pol).

  3. Create the signed policy file from the plain-text default policy shipped with the package (this will be customised later): twadmin --create-polfile /etc/tripwire/twpol.txt. You are prompted for the site passphrase and the result is written to /etc/tripwire/tw.pol.

  4. Initialise the database (you are prompted for the local passphrase): tripwire --init. The database is written to /var/lib/tripwire/hostname.twd.

  5. Run tripwire in check mode: tripwire --check

  6. The report will list a number of errors. Because the default policy was used, there will be warnings about files that don't exist on your server, and files that do exist on your server will not have been checked because no rule covers them. Use this information to edit and correct /etc/tripwire/twpol.txt: comment out or delete the entries for files you don't have, and add rules for anything important that is not covered.

  7. Recreate the signed policy file from the updated text: twadmin --create-polfile /etc/tripwire/twpol.txt

  8. Reinitialise the database against the new policy (the old .twd is overwritten): tripwire --init

Tripwire is now ready to use. Run tripwire --check on a regular basis (a cron job that mails the report is the usual approach) and read the resulting report. Reports are stored in /var/lib/tripwire/report/ and can be printed with twprint --print-report -r report-file.twr. If the changes in a report are expected (a package upgrade, for example) and you want the database to reflect them, run tripwire --update -r /var/lib/tripwire/report/latest-file.twr. This opens the report in an editor with every change ticked for acceptance; remove the x from anything you cannot explain before saving. Never update from a report you have not read through, because accepting an attacker's changes into the baseline makes them invisible to every later check.
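An added example, not code from the Tripwire project or from this page: a POSIX shell wrapper suited to cron that runs the check, renders the newest report as text with twprint, and exits 1 when violations were found, together with two helpers that pull the violation count and the names of the rules that fired out of the text report. The report directory is assumed to be the RPM default (/var/lib/tripwire/report), the helpers assume the standard report layout (a "Total violations found:" line and Rule Summary rows flagged with a leading "*"), and the sample report embedded in the script is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the Tripwire project: a cron-friendly wrapper
# around `tripwire --check` plus helpers that read the plain-text report.
# Assumed paths are the RPM defaults; the sample report below is constructed.

TW_REPORT_DIR="${TW_REPORT_DIR:-/var/lib/tripwire/report}"

# Constructed sample in the layout of `twprint --print-report` output (assumption).
SAMPLE_REPORT='Tripwire(R) 2.4 Integrity Check Report

===============================================================================
Rule Summary:
===============================================================================

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Invariant Directories           66                0        0        0
* Tripwire Data Files             100               1        0        0
  System boot changes             100               0        0        0
* Root config files               100               0        0        2

Total objects scanned:  8421
Total violations found:  3
'

# Number of violations recorded in a text report. Prints -1 when the summary
# line is missing (a truncated file, or not a report at all), so callers can
# tell "no violations" from "could not read the report".
violations_in_report() {
    awk -F: '
        /^Total violations found:/ { gsub(/[[:space:]]/, "", $2); print $2; found = 1 }
        END { if (!found) print "-1" }
    ' "$1"
}

# Names of the rules that fired: Rule Summary rows are flagged with a leading
# "*" and end with four numeric columns (severity, added, removed, modified),
# so the rule name is every whitespace-separated field except the last four.
violated_rules() {
    awk '
        /^\*/ {
            sub(/^\*[[:space:]]*/, "")
            name = $1
            for (i = 2; i <= NF - 4; i++) name = name " " $i
            print name
        }
    ' "$1"
}

# Run the integrity check, render the newest report as text and return 1 if
# anything changed, so cron (or a monitoring job) can alert on the exit status.
run_check() {
    # tripwire exits non-zero when it finds violations; the report is still written.
    tripwire --check >/dev/null 2>&1 || true
    latest=$(ls -t "$TW_REPORT_DIR"/*.twr 2>/dev/null | head -n 1)
    [ -n "$latest" ] || { echo "no report found in $TW_REPORT_DIR" >&2; return 2; }
    text="${latest%.twr}.txt"
    twprint --print-report --report-level 3 --twrfile "$latest" > "$text"
    n=$(violations_in_report "$text")
    if [ "$n" -lt 0 ]; then
        echo "could not parse $text" >&2
        return 2
    fi
    if [ "$n" -gt 0 ]; then
        echo "$n violation(s) in $latest; rules that fired:" >&2
        violated_rules "$text" >&2
        return 1
    fi
    return 0
}

# Offline demonstration on the constructed sample report.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_REPORT" > "$tmp"
    echo "violations: $(violations_in_report "$tmp")"
    echo "rules that fired:"
    violated_rules "$tmp"
    rm -f "$tmp"
}

case "${1:-}" in
    run) run_check ;;
    *)   demo ;;
esac
```

Run it with no arguments to see the helpers applied to the constructed sample; run it as "twcheck.sh run" from a cron entry (for example "0 3 * * * root /usr/local/sbin/twcheck.sh run", an assumed path) to perform the real check, with cron mailing the rule names whenever the exit status is non-zero. The rendered .txt sits next to the signed .twr; the signed report is the one to keep and to feed to tripwire --update.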