Red Hat Linux 7.3: The Official Red Hat Linux Reference Guide
Tripwire software can help to ensure the
integrity of critical system files and directories by identifying all
changes made to them. Tripwire configuration
options include the ability to receive alerts via email if particular
files are altered and automated integrity checking via a
cron job. Using Tripwire for
intrusion detection and damage assessment helps you keep track of system
changes and can speed the recovery from a break-in by reducing the number
of files you must restore to repair the system.
Tripwire compares files and directories against
a baseline database of file locations, dates modified, and other data. It
generates the baseline by taking a snapshot of specified files and
directories in a known secure state. (For maximum security,
Tripwire should be installed and the baseline
created before the system is at risk from intrusion.) After creating the
baseline database, Tripwire compares the
current system to the baseline and reports any modifications, additions,
or deletions.
Warning: While a valuable tool when auditing the security state of your system,
Tripwire is not supported by Red Hat, Inc. Contact Tripwire, Inc.
(http://www.tripwire.com) for support options.
The following flowchart illustrates how
Tripwire should be used:
The following steps should be taken to properly install, use and maintain
Tripwire:

1. Install Tripwire and customize the policy file — If not already done, install the
   tripwire RPM (see the Section called RPM Installation Instructions). Then customize
   the sample configuration (/etc/tripwire/twcfg.txt) and policy
   (/etc/tripwire/twpol.txt) files and run the configuration script
   (/etc/tripwire/twinstall.sh). For more information, see the Section called
   Post-Installation Instructions.

2. Initialize the Tripwire database — Build a database of the critical system files
   to monitor, based on the contents of the new, signed Tripwire policy file
   (/etc/tripwire/tw.pol). For more information, see the Section called
   Initializing the Database.

3. Run a Tripwire integrity check — Compare the newly created Tripwire database with
   the actual system files, looking for missing or altered files. For more
   information, see the Section called Running an Integrity Check.

4. Examine the Tripwire report file — View the Tripwire report file using twprint to
   note integrity violations. For more information, see the Section called
   Printing Reports.

5. Take appropriate security measures — If monitored files have been altered
   inappropriately, you can either replace the originals from backups or reinstall
   the program.

6. Update the Tripwire database file — If the integrity violations are intentional
   and valid, such as when you deliberately edited a file or replaced a particular
   program, update Tripwire's database so that it no longer reports them as
   violations in future reports. For more information, see the Section called
   Updating the Database after an Integrity Check.

7. Update the Tripwire policy file — If you need to change the list of files
   Tripwire monitors or how it treats integrity violations, update your sample
   policy file (/etc/tripwire/twpol.txt), regenerate a signed copy
   (/etc/tripwire/tw.pol), and update your Tripwire database. For more information,
   see the Section called Updating the Policy File.

Refer to the appropriate sections within this chapter for detailed
instructions on these steps.
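As an added illustration of the baseline-then-compare cycle described above (this is not Tripwire's own code, nor its database or policy format), the following Python checker snapshots a directory, reports additions, deletions and modifications against the baseline, and then records an intentional change the way the database update step does. The file names and contents in demo() are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Baseline: map each file under root to (size, mtime, SHA-256 digest)."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            db[os.path.relpath(path, root)] = (st.st_size, int(st.st_mtime), digest)
    return db

def integrity_check(baseline, current):
    """Report files added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def accept_changes(baseline, current, paths):
    """Database update: record intentional changes so they are not re-reported."""
    for p in paths:
        if p in current:
            baseline[p] = current[p]
        else:
            baseline.pop(p, None)
    return baseline

def demo():
    """Constructed scenario: baseline, tamper, check, accept one change, re-check."""
    with tempfile.TemporaryDirectory() as root:
        files = {"passwd": b"root:x:0:0\n", "ls": b"ELF", "motd": b"hi\n"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)
        with open(os.path.join(root, "ls"), "wb") as fh:
            fh.write(b"ELF-trojan")                        # monitored binary replaced
        open(os.path.join(root, "shadow"), "wb").close()   # unexpected new file
        os.remove(os.path.join(root, "motd"))              # intentional removal
        first = integrity_check(baseline, snapshot(root))
        accept_changes(baseline, snapshot(root), ["motd"])
        second = integrity_check(baseline, snapshot(root))
        return first, second
```

The second report still flags the replaced binary and the unexpected file, while the accepted removal of motd no longer appears.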