Intrusion detection with Tripwire

It's a myth that any system that you connect to the internet is 'safe'. No matter how vigilant you are, there are always risks out there and so having some way of detecting that something bad has happened is a vital part of any security strategy.

Tripwire (I'm referring to the open source edition here, not the commercial ones that are also available) is a program which is designed to monitor your filesystem for changes so you can quickly identify suspicious activity and therefore be able to detect if an intrusion has happened.

The concept works like this. First of all, you set up a 'policy' file. This policy file details what files you expect to change on a regular basis, basically, any exclusions of files that you know are going to change. Once you've put that policy in place, you then schedule Tripwire to check every so often.

The results from the Tripwire scan will tell you which files, outside of those excluded in your policy file, have changed. You can then look at these changes manually and hopefully pick up any suspicious behaviour (such as binaries in /usr/bin changing without a good reason, such as a software update you applied).

Tripwire isn't designed to do anything about any suspicious behaviour; that's left up to you. If you do identify something that looks wrong, however, the best policy is usually to back up your data (and perhaps the whole system to take a closer look at later), take the system down and reinstall from a known safe installation disc or a known safe backup.

It's most useful in server environments, where you have services running all the time and where they are at risk of intrusion. It's also not the be all and end all, and you certainly shouldn't assume that it will be able to catch everything, but it is an essential tool in my opinion for people running servers in many environments that help you limit the damage that can be caused by the bad guys.

It hasn't been updated in a while, unfortunately, but you can download the latest version from Sourceforge. There are also many guides available online that detail how to set it up and use it effectively.

Avatar for peter Peter Upfold -

Peter Upfold is a technology enthusiast from the UK. Peter’s interest in Linux stems back to 2003, when curiosity got the better of him and he began using SUSE 9.0. Now he runs Linux Mint 9 on the desktop, runs a CentOS-based web server from home for his personal website and dabbles in all sorts of technology things across the Windows, Mac and open source worlds.

Home » Articles »

Discussion: Intrusion detection with Tripwire

  1. # Posted on 04 April 2008 at 04:38 AM

    <strong>Story added...</strong>

    This story has been submitted to! If you think this story should be read by the free software community, come vote it up and discuss it here:

Home » Articles » Intrusion detection with Tripwire