Intrusion detection with Tripwire

  • April 2, 2008
  • Peter Upfold

It's a myth that any system you connect to the internet is 'safe'. No matter how vigilant you are, there are always risks, so having some way of detecting that something bad has already happened is a vital part of any security strategy.

Tripwire (I'm referring to the open source edition here, not the commercial ones that are also available) is a program which is designed to monitor your filesystem for changes so you can quickly identify suspicious activity and therefore be able to detect if an intrusion has happened.

The concept works like this. First of all, you write a 'policy' file. The policy lists the files and directories Tripwire should watch, which properties of each it should check (content hash, permissions, owner, size, timestamps and so on), and, just as importantly, the files you expect to change in normal operation (logs, spool directories, caches) so that they don't generate noise. Tripwire then takes a baseline snapshot of everything the policy covers and stores it in a database. Once that baseline exists, you schedule Tripwire (typically from cron) to run an integrity check every so often.

Each check compares the current filesystem against the baseline and reports which of the monitored files have been added, removed or changed. You then look at those changes manually and hopefully pick up any suspicious behaviour, such as binaries in /usr/bin changing for no good reason (a software update you applied yourself is a good reason; after one, you update the baseline so the new versions become the expected state).
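To make the baseline-then-check cycle concrete, here is a toy file-integrity monitor in shell. It is an added example written for this page, not code from Tripwire; it assumes GNU coreutils (sha256sum, stat -c) and awk, and stands in for Tripwire's policy with a plain file of grep -E patterns naming paths that are expected to change. The directory tree it scans is constructed inside the script purely for demonstration.

```sh
#!/bin/sh
# Toy file-integrity check modelled on the Tripwire workflow.
# Added example, NOT Tripwire's own code. Assumes GNU coreutils
# (sha256sum, stat -c) and awk. The "policy" is a file of grep -E
# patterns, one per line (no blank lines): any path matching one of
# them is expected to change and is left out of the baseline and checks.
#
# Baseline database format, one tab-separated line per file:
#   sha256 <TAB> mode <TAB> owner <TAB> path

# fim_baseline ROOT POLICY DB: snapshot every regular file under ROOT that
# the policy does not exclude and write it to DB (Tripwire: tripwire --init).
fim_baseline() {
    find "$1" -type f | sort | grep -Ev -f "$2" | while IFS= read -r f; do
        hash=$(sha256sum "$f" | cut -d' ' -f1)
        mode=$(stat -c %a "$f")
        owner=$(stat -c %U "$f")
        printf '%s\t%s\t%s\t%s\n' "$hash" "$mode" "$owner" "$f"
    done > "$3"
}

# fim_check ROOT POLICY DB: take a fresh snapshot and report every deviation
# from the baseline DB as "ADDED path", "REMOVED path" or "CHANGED path"
# (Tripwire: tripwire --check). Prints nothing when nothing has changed.
fim_check() {
    now=$(mktemp)
    fim_baseline "$1" "$2" "$now"
    # First file is the baseline, second the current snapshot; key on path.
    awk -F'\t' '
        FILENAME == ARGV[1] { base[$4] = $1 " " $2 " " $3; next }
                            { cur[$4]  = $1 " " $2 " " $3 }
        END {
            for (p in base) if (!(p in cur))                      print "REMOVED", p
            for (p in cur)  if (!(p in base))                     print "ADDED",   p
            for (p in cur)  if ((p in base) && base[p] != cur[p]) print "CHANGED", p
        }' "$3" "$now" | sort
    rm -f "$now"
}

# --- demo on a constructed tree (not real system files) ---
demo=$(mktemp -d)
mkdir -p "$demo/tree/usr/bin" "$demo/tree/var/log"
printf 'original ls binary\n' > "$demo/tree/usr/bin/ls"
printf 'Apr  2 00:00:01 host sshd: started\n' > "$demo/tree/var/log/auth.log"
printf '/var/log/\n' > "$demo/policy"          # logs are expected to change

fim_baseline "$demo/tree" "$demo/policy" "$demo/baseline.db"

# Simulated activity after the baseline: one tampered binary, one dropped
# tool, and routine log growth that the policy tells us to ignore.
printf 'trojaned ls binary\n' > "$demo/tree/usr/bin/ls"
printf 'dropped tool\n' > "$demo/tree/usr/bin/nc"
printf 'Apr  2 00:10:00 host sshd: login\n' >> "$demo/tree/var/log/auth.log"

fim_check "$demo/tree" "$demo/policy" "$demo/baseline.db"
rm -rf "$demo"
```

Run as written, the check reports the changed ls and the added nc and says nothing about the log. The real tool follows the same shape: the policy is a structured text file compiled into a signed binary policy with twadmin --create-polfile, the baseline is built with tripwire --init, periodic checks run with tripwire --check (from cron, with the report mailed to you), and after a legitimate change such as a package upgrade you accept the new state with tripwire --update rather than rebuilding the baseline from scratch.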

Tripwire isn't designed to do anything about suspicious behaviour itself; that's left up to you. If you do identify something that looks wrong, the best policy is usually to back up your data (and perhaps image the whole system so you can take a closer look at it later), take the system offline and reinstall from a known-safe installation disc or a known-safe backup.

It's most useful in server environments, where you have services running and exposed all the time and therefore at risk of intrusion. It's also not the be-all and end-all, and you certainly shouldn't assume it will catch everything. In particular, an intruder who gains root can tamper with the baseline database or with Tripwire itself; Tripwire signs its database and policy files with a key to make that harder, but the usual advice is still to keep the baseline (and ideally the Tripwire binary) on read-only media. Even so, it is an essential tool in my opinion for people running servers in many environments, because it helps you limit the damage the bad guys can cause.

It hasn't been updated in a while, unfortunately, but you can download the latest version from Sourceforge. There are also many guides available online that detail how to set it up and use it effectively.
