Tripwire is a program that monitors file integrity by maintaining a database of cryptographic signatures for programs and configuration files installed on the system, and reports changes in any of these files.

A database of checksums and other characteristics is created for the files listed in the configuration file. Each subsequent run compares the current state of those files against the reference database, and the administrator is notified of any differences.

The greatest level of assurance is obtained when Tripwire is run immediately after Linux has been installed and security updates applied, and before the system is connected to a network.

A text configuration file, called a policy file, defines the characteristics that are tracked for each file. Your level of paranoia determines how frequently the integrity of the files is checked. Administration requires constant attention to system changes, and can be time-consuming if Tripwire is used on many systems. Tripwire is available as an unsupported commercial binary for Red Hat and similar distributions.
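The baseline-and-compare cycle and the per-file policy described above, as a minimal added example in Python; it is not Tripwire's code or its policy syntax. The attribute names, the dictionary policy format and the temporary sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(path, attrs):
    """Return the tracked characteristics of one file as a dict."""
    st = os.stat(path)
    found = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}
    if "sha256" in attrs:  # hash only when the policy asks for it
        with open(path, "rb") as f:
            found["sha256"] = hashlib.sha256(f.read()).hexdigest()
    return {a: found[a] for a in attrs}

def init_database(policy):
    """Baseline run. policy maps path -> attribute names to track."""
    return {path: snapshot(path, attrs) for path, attrs in policy.items()}

def check(policy, database):
    """Compare current state to the baseline; return (path, attr, old, new)."""
    report = []
    for path, attrs in policy.items():
        try:
            current = snapshot(path, attrs)
        except FileNotFoundError:
            report.append((path, "missing", database.get(path), None))
            continue
        baseline = database.get(path, {})
        for a in attrs:
            if baseline.get(a) != current[a]:
                report.append((path, a, baseline.get(a), current[a]))
    return report

def demo():  # constructed sample: two temp files standing in for system files
    d = tempfile.mkdtemp()
    binary, conf = os.path.join(d, "login"), os.path.join(d, "sshd_config")
    for p, data in ((binary, b"original"), (conf, b"PermitRootLogin no\n")):
        with open(p, "wb") as f:
            f.write(data)
        os.chmod(p, 0o644)
    policy = {binary: ["sha256", "size", "mode"], conf: ["sha256", "mode"]}
    db = init_database(policy)
    with open(binary, "wb") as f:
        f.write(b"tampered")          # same size, different content
    os.chmod(conf, 0o666)             # permissions loosened, content intact
    return binary, conf, check(policy, db)

if __name__ == "__main__":
    print(*demo()[2], sep="\n")
```

The first sample file keeps its size and mode, so only the checksum exposes the change; the second keeps its content, so only the tracked mode does.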

  # Create policy file from text file
  /usr/TSS/bin/twadmin -m P policy.txt

  # Initialize database according to policy file
  /usr/TSS/bin/tripwire --init

  # Print database
  /usr/TSS/bin/twprint -m d

  # Generate daily report file
  /usr/TSS/bin/tripwire -m c -t 1 -M
  
  # Update database according to policy file and report file
  /usr/TSS/bin/tripwire --update --polfile policy/tw.pol \
                        --twrfile report/-.twr
