On Fri, 2005-09-30 at 20:42, Ian wrote:
> I'd never heard of Tripwire before, but it sounds like the ultimate
> virus defence to me. Can it stop programs from running if they have
> been changed without Tripwire being told? Or do you just get told when
> a file has been modified (via the cron job, by which time it's
> probably too late)?
>
> The second thought that occurred to me was that, if a virus was trying
> to modify system files, wouldn't it also attempt to update the
> Tripwire database to match, so Tripwire wouldn't flag the change?
> Could that be prevented? Does Tripwire monitor itself???
>
> Ian

It is not a virus defense, it is a host-based intrusion detection tool. Tripwire's purpose is to periodically examine files specified in the policy file and report any differences. These differences are an indication that something was changed. If you are unable to trace the cause to a system update or modification that you performed, then it may be an indication that someone else has modified files on your system. In the past I have used things like Big Brother to examine the tripwire reports and alarm if a violation is indicated.

Tripwire will not stop programs from running; you should look to SELinux to provide that kind of protection. SELinux will prevent a program from trying to change files or perform operations that are not authorized by the policy on the system.

That is where having the policy and database files used by tripwire signed by a key comes in. In order to update the database you must enter the pass phrase used for the system. It is also a good idea to have tripwire monitor its own executables and files so you will get notified if those are changed.

Understand that tripwire is an IDS; it lets you know when something appears to have changed. It is not a magic bullet but one part of a system you can use to help protect your system. Also note that tripwire is not prelink-aware.
You can scare yourself pretty badly if you set up a new system, configure tripwire, and then come back the next day and most of the files in the system are flagged as having been changed. :)
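A small stand-in for the behaviour the reply describes, added here as an illustration and not Tripwire's own code, policy syntax or configuration: a baseline of file hashes is taken, later runs report what was added, removed or changed, and the baseline is protected with an HMAC under a pass phrase so that an intruder who rewrites files cannot also rewrite the baseline to match without that pass phrase (the same idea as Tripwire's signed database). It assumes a POSIX sh with coreutils `sha256sum`, `awk` and `openssl` available; the `tw_*` function names, the watched directory and the files in the demo are all made up for the example.

```shell
#!/bin/sh
# Illustrative Tripwire-style integrity checker (not Tripwire's code).
# Assumes: POSIX sh, coreutils sha256sum, awk, openssl. All tw_* names are
# hypothetical helpers invented for this example.

# Print "<sha256>  <relative path>" for every regular file under $1,
# sorted so two runs over an unchanged tree produce identical output.
tw_digest_tree() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      sha256sum "$f"
    done )
}

# HMAC-SHA256 of file $2 under pass phrase $1. This stands in for Tripwire's
# keyed signing of the database: only someone holding the pass phrase can
# produce a baseline that verifies.
tw_mac() {
  openssl dgst -sha256 -hmac "$1" "$2" | awk '{print $NF}'
}

# Create (or re-create after an authorised update) the baseline for tree $1
# at $2, protected by pass phrase $3.
tw_init() {
  tw_digest_tree "$1" > "$2"
  tw_mac "$3" "$2" > "$2.mac"
}

# Compare baseline $1 against current listing $2; print ADDED/REMOVED/CHANGED.
tw_report() {
  awk 'NR==FNR { base[$2]=$1; next }
       { cur[$2]=$1 }
       END {
         for (p in base) if (!(p in cur)) print "REMOVED " p
         for (p in cur)  if (!(p in base)) print "ADDED " p
         for (p in cur)  if ((p in base) && base[p] != cur[p]) print "CHANGED " p
       }' "$1" "$2" | LC_ALL=C sort
}

# Check tree $1 against baseline $2 using pass phrase $3.
# Returns 0 = no changes, 1 = changes reported, 2 = baseline itself does not
# verify (tampered, or wrong pass phrase). Like Tripwire, this only reports;
# it never blocks anything.
tw_check() {
  if [ "$(tw_mac "$3" "$2")" != "$(cat "$2.mac")" ]; then
    echo "ALERT: baseline $2 does not verify under the pass phrase"
    return 2
  fi
  cur=$(mktemp)
  tw_digest_tree "$1" > "$cur"
  report=$(tw_report "$2" "$cur")
  rm -f "$cur"
  if [ -z "$report" ]; then
    echo "OK: no changes"
    return 0
  fi
  echo "$report"
  return 1
}

# --- constructed demo: a tiny fake system tree, then a trojaned binary ---
demo=$(mktemp -d)
mkdir -p "$demo/sys/bin"
printf '#!/bin/sh\necho hello\n' > "$demo/sys/bin/hello"
tw_init "$demo/sys" "$demo/baseline" 'correct horse battery staple'
tw_check "$demo/sys" "$demo/baseline" 'correct horse battery staple' || echo "rc=$?"
# someone replaces the binary
printf '#!/bin/sh\necho pwned\n' > "$demo/sys/bin/hello"
tw_check "$demo/sys" "$demo/baseline" 'correct horse battery staple' || echo "rc=$?"
# ...and then tries to regenerate the baseline without the pass phrase
tw_digest_tree "$demo/sys" > "$demo/baseline"
tw_check "$demo/sys" "$demo/baseline" 'correct horse battery staple' || echo "rc=$?"
rm -rf "$demo"
```

In practice the checker script, the baseline and the pass-phrase handling would themselves be in the watched set (the reply's point about letting tripwire monitor its own files), and the baseline would be refreshed only as part of a known update, which is what the real `tripwire --init`, `tripwire --check` and `tripwire --update` cycle does with its signed database. A run that reports nearly every file changed right after a fresh install is usually prelink or a package update rewriting binaries, not an intrusion, but it has to be traced rather than assumed.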