Setting a Tripwire
Intrusion detection and change management are often associated with expensive enterprise systems that are out of reach for many individuals and small businesses offering hosting and development services.
Another gem from the open source community addresses this: a free Linux implementation of Tripwire's enterprise product. Tripwire has long been a favorite for its granular change-management control over the filesystem. An RPM or source download is available from Tripwire's open source site. Tripwire is best deployed immediately on a newly built server; however, once it is installed on any server you have set a benchmark for system security going forward.
The program monitors key attributes of files that should not change, including binary signature, size, and so on. For files that are expected to change (log files, httpd.conf, etc.), the Tripwire configuration policy lets you watch only the elements that should not change, such as owning user, group, and permissions.
The configuration policy can be customized for your particular situation: different levels of monitoring can be applied to directories such as /etc, /usr, /root, and /var, with special rules adjusting which elements of each directory or file are monitored.
After the initial install and policy configuration, the Tripwire database, which holds the baseline for your filesystem, is created with a manual run; the program is then ready to watch your filesystem. Both the policy and the database can be encrypted and changed only with an administrator's passphrase and the passphrase for the signing key that Tripwire generates.
Once running to your preference, Tripwire can be placed in cron to run on a schedule and will email reports based on its scans. After reviewing each email, you can instruct the program to authorize, suspend, and/or roll back the changes found in the scan.
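To make the policy/baseline/check cycle described above concrete, here is a small added example (not Tripwire's own code, and far simpler than it): a per-directory policy names which attributes must not change, a baseline is taken once, and later checks report files whose watched attributes differ, files that vanished, and files that appeared. The sample tree, the `bin` and `log` directory names, and the `policy` mapping are all constructed for the illustration; it assumes a POSIX filesystem, and it leaves out the signing of the baseline that Tripwire performs with its keys.

```python
"""Minimal file-integrity baseline and check, in the spirit of Tripwire.

Added example, not Tripwire's code: a policy maps a directory to the
attributes to watch; a baseline snapshot is taken once; later snapshots
are compared against it and violations are reported.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Attributes a rule may watch. "hash" and "size" catch content changes;
# "mode", "uid", "gid" catch ownership/permission tampering on files whose
# content is expected to change (logs, actively edited config).
ALL_ATTRS = ("hash", "size", "mode", "uid", "gid")


def snapshot(path: Path, attrs: tuple) -> dict:
    """Record the watched attributes of one regular file."""
    st = os.lstat(path)
    rec = {}
    if "hash" in attrs:
        rec["hash"] = hashlib.sha256(path.read_bytes()).hexdigest()
    if "size" in attrs:
        rec["size"] = st.st_size
    if "mode" in attrs:
        rec["mode"] = stat.S_IMODE(st.st_mode)   # permission bits only
    if "uid" in attrs:
        rec["uid"] = st.st_uid
    if "gid" in attrs:
        rec["gid"] = st.st_gid
    return rec


def build_baseline(root: Path, policy: dict) -> dict:
    """policy: directory relative to root -> tuple of attributes to watch.
    Walks each policy directory and snapshots every regular file under it."""
    db = {}
    for rel_dir, attrs in policy.items():
        for p in sorted((root / rel_dir).rglob("*")):
            if p.is_file() and not p.is_symlink():
                db[str(p.relative_to(root))] = snapshot(p, attrs)
    return db


def check(root: Path, db: dict, policy: dict) -> list:
    """Compare the live filesystem with the baseline. Returns a list of
    (kind, relpath, detail); kind is 'modified', 'removed' or 'added' and
    detail maps each changed attribute to (baseline value, current value)."""
    findings = []
    current = build_baseline(root, policy)
    for rel, old in db.items():
        if rel not in current:
            findings.append(("removed", rel, None))
            continue
        new = current[rel]
        changed = {k: (old[k], new[k]) for k in old if old[k] != new.get(k)}
        if changed:
            findings.append(("modified", rel, changed))
    for rel in current:
        if rel not in db:
            findings.append(("added", rel, None))
    return findings


def demo() -> list:
    """Constructed scenario (not from the page): build a tiny tree, take a
    baseline, then make four changes of which the policy should flag three."""
    root = Path(tempfile.mkdtemp(prefix="fim-"))
    try:
        (root / "bin").mkdir()
        (root / "log").mkdir()
        app, log = root / "bin" / "app", root / "log" / "app.log"
        app.write_bytes(b"#!/bin/sh\necho ok\n")
        app.chmod(0o755)
        log.write_text("boot: ok\n")
        log.chmod(0o640)

        # Binaries: nothing may change. Logs: content grows, so watch only
        # owner, group and permissions (the Tripwire-style distinction).
        policy = {"bin": ALL_ATTRS, "log": ("mode", "uid", "gid")}
        baseline_json = json.dumps(build_baseline(root, policy), sort_keys=True)

        app.write_bytes(b"#!/bin/sh\necho changed\n")   # 1. content changed -> flagged
        log.write_text("boot: ok\nlogin: ok\n")          # 2. log grew -> expected, silent
        log.chmod(0o666)                                 # 3. log world-writable -> flagged
        (root / "bin" / "extra").write_text("x")         # 4. new file in bin -> flagged

        return check(root, json.loads(baseline_json), policy)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, rel, detail in demo():
        print(f"{kind:9} {rel} {detail or ''}")
```

The baseline is serialized to JSON to stand in for the database Tripwire stores on disk; in a real deployment that file must be kept off the monitored host or signed, as Tripwire does, because a baseline an intruder can rewrite detects nothing.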
For the truly paranoid, Tripwire reports can be sent directly to a printer from the server: an intruder would need physical access to prevent the report from printing, whereas an email could be intercepted.
Finally, Tripwire can be installed on multiple servers with a single configuration file serving as the central policy (with custom directives for each host). Tripwire's open source version for Linux is supported via forums on SourceForge.
In addition, Tripwire offers an upgrade path to its commercial Tripwire for Servers product for Linux and Unix (and Windows) servers with commercial support, found at its commercial site.