Installing tripwire
crankycronos posted this on Jan 10th 2007 under Server Security
Tripwire is a form of host-based intrusion detection, specifically a file integrity checker: it records a baseline of your files and later reports anything that has changed. It’s like the James Bond trick of putting a hair on the doorknob. It lets you know that somebody has been doing things inside your system, however it can only make its report ***AFTER*** the break-in, and only if the baseline was taken while the system was still clean.
Tripwire has been around for a while, and has gone commercial. However, there is a free GPL version available for use and installation. Here are the directions that you can use to install tripwire. This is not a tutorial on its use, or on the reports it produces. Note that the RPM and the two tweak scripts below are fetched from third-party sites and run as root, so read them before you execute them.
wget http://www.nightowlsnetwork.net/repos/tripwire-2.4.0.1-1.i386.rpm
rpm -Uvh tripwire-2.4.0.1-1.i386.rpm
cd /etc/tripwire
wget http://www.customensimbackup.com/download/tweak_tripwire
chmod +x tweak_tripwire
./tweak_tripwire
Now you need to edit the policy file: add or remove checks as you need, or just leave the defaults I have set. Make your changes here, because the next step compiles and signs this text file into the binary policy that tripwire actually reads.
pico -w twpol.txt
Answer the following 4 passphrase questions with something that you know very well. You are asked for a site passphrase (it protects the config and policy files) and a local passphrase (it protects the database and reports), each entered twice; if you lose them you have to regenerate the keys and re-initialise the database.
/usr/sbin/tripwire-setup-keyfiles
Now to get things setup.
wget http://www.customensimbackup.com/download/tweak_tripwire2
chmod +x tweak_tripwire2
./tweak_tripwire2
Feel free to change the time of the cron job if you desire, once you’re sure it’s running (check with crontab -l as root, or look under /etc/cron.d and /etc/cron.daily for the entry the script created). I have the report run at 5:30 AM.
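To show what the nightly job is actually doing, and why the intro says tripwire only reports ***AFTER*** the break-in, here is an added example that is not from the original post and is not tripwire’s own code: a file integrity checker reduced to sha256sum and awk. fim_baseline plays the role of tripwire --init (record a hash for every file) and fim_check plays the role of the tripwire --check run from cron (re-hash the tree, report what was modified, added or removed, and exit non-zero when anything differs). The function names, the temporary paths and the sample tree built in fim_demo are all constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post and not tripwire's own code.
# A minimal file-integrity checker: fim_baseline is the equivalent of
# "tripwire --init", fim_check of the nightly "tripwire --check".
# Function names, temp paths and the sample tree are assumptions made here.
set -u

# fim_baseline DIR DB : write "<sha256>  <path>" for every regular file
# under DIR into DB. Keep DB *outside* DIR, or it shows up as a change.
fim_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort > "$2"
}

# fim_check DIR DB : compare the live tree against the baseline.
# Prints one "MODIFIED|ADDED|REMOVED <path>" line per difference and
# returns 1 if anything changed, 0 if the tree matches the baseline.
fim_check() {
    dir=$1
    db=$2
    now=$(mktemp)
    fim_baseline "$dir" "$now"
    # sha256sum lines are 64 hex chars, two spaces, then the path, so the
    # path starts at column 67; keying on it keeps paths with spaces intact.
    diffs=$(awk '
        FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }   # baseline
                            { live[substr($0, 67)] = $1 }         # live tree
        END {
            for (p in base) if (!(p in live)) print "REMOVED " p
            for (p in live) if (!(p in base)) print "ADDED " p
            for (p in live) if ((p in base) && base[p] != live[p]) print "MODIFIED " p
        }' "$db" "$now" | LC_ALL=C sort)
    rm -f "$now"
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}

# fim_demo : build a constructed sample tree, baseline it, then simulate an
# intruder editing a config, planting a file and deleting a binary. Prints
# the report and returns fim_check's status (1 = changes detected).
fim_demo() {
    tree=$(mktemp -d)
    db=$(mktemp)
    mkdir -p "$tree/etc" "$tree/bin"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tree/etc/passwd"
    printf 'PermitRootLogin no\n'              > "$tree/etc/sshd_config"
    printf '#!/bin/sh\nexec /bin/ls "$@"\n'    > "$tree/bin/ls"
    fim_baseline "$tree" "$db"                 # like: tripwire --init

    # The "break-in": a config edit, a planted file and a removed binary.
    printf 'PermitRootLogin yes\n' > "$tree/etc/sshd_config"
    printf '/lib/evil.so\n'        > "$tree/etc/ld.so.preload"
    rm -f "$tree/bin/ls"

    rc=0
    fim_check "$tree" "$db" || rc=$?           # like: tripwire --check
    rm -rf "$tree" "$db"
    return "$rc"
}

# Running the file directly prints the three-line report for the sample tree.
fim_demo && echo "tree unchanged" || echo "changes detected (exit status 1)"
```

The obvious weakness of this toy is that the baseline is a plain text file an intruder can rewrite to match their changes; tripwire closes that hole by signing its database and reports with the local key, which is why the passphrases above matter. It also makes the limitation from the intro concrete: nothing here stops the edit to sshd_config, it is only reported at the next run.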
The docs are freely available on the web, so let Google be your friend. A good article can be found here: http://www.barryodonovan.com/misc/publications/lg/106/
