On Sat, 1 Oct 2005 01:46 pm, Scot L. Harris wrote:
> On Fri, 2005-09-30 at 20:42, Ian wrote:
> > I'd never heard of Tripwire before, but it sounds like the ultimate
> > virus defence to me. Can it stop programs from running if they have
> > been changed without Tripwire being told? Or do you just get told when
> > a file has been modified (via the cron job, by which time it's
> > probably too late)?
> >
> > The second thought that occurred to me was that, if a virus was trying
> > to modify system files, wouldn't it also attempt to update the
> > Tripwire database to match, so Tripwire wouldn't flag the change?
> > Could that be prevented? Does Tripwire monitor itself???
> >
> > Ian
>
> It is not a virus defense, it is a host-based intrusion detection tool.
> Tripwire's purpose is to periodically examine files specified in the
> policy file and report any differences. These differences are an
> indication that something was changed. If you are unable to trace the
> cause to a system update or modification that you performed, then it may
> be an indication that someone else has modified files on your system.
> In the past I have used things like Big Brother to examine the tripwire
> reports and alarm if a violation is indicated.
>
> Tripwire will not stop programs from running; you should look to SELinux
> to provide that kind of protection. SELinux will prevent a program from
> trying to change files or perform operations that are not authorized by
> the policy on the system.
>
> That is where having the policy and database files used by tripwire
> signed by a key comes in. In order to update the database you must enter
> the pass phrase used for the system. It is also a good idea to have
> tripwire monitor its own executables and files so you will get notified
> if those are changed.
>
> Understand that tripwire is an IDS: it lets you know when something
> appears to have changed. It is not a magic bullet but one part of a
> system you can use to help protect your system.
>
> Also note that tripwire is not prelink aware. You can scare yourself
> pretty badly if you set up a new system, configure tripwire and then come
> back the next day and most of the files in the system are flagged as
> being changed. :)

Thanks for that Scot, looks like I'm going to have to study the SELinux manual!

Ian
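A toy illustration of the three points Scot makes above (a periodic check of files named in a policy, a passphrase-protected database so an intruder cannot quietly re-baseline it, and the checker monitoring its own files), written here as an added example in Python. It is not Tripwire's code; the paths, file contents and passphrase are constructed for the demonstration, and the HMAC over the database stands in for Tripwire's signed database file.

```python
"""Added example, not Tripwire's own code: a toy host-based integrity
checker in the spirit of the thread.  The baseline database carries an
HMAC keyed from a passphrase (standing in for Tripwire's signed database),
so an intruder who alters a monitored file cannot hide it by rewriting the
database without that passphrase.  The checker lists its own source file in
the policy, so changes to the checker itself are reported too.  All paths,
file contents and the passphrase below are constructed for the demo."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

PBKDF2_ROUNDS = 100_000  # slow key derivation so the passphrase resists offline guessing


def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, streamed so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def derive_key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)


def build_database(policy, passphrase: str, salt: bytes = b"") -> dict:
    """Snapshot every path in the policy and authenticate the snapshot.

    As with initialising Tripwire's database, this needs the passphrase:
    the MAC over the entries can only be produced by someone who knows it."""
    salt = salt or os.urandom(16)
    entries = {}
    for p in map(Path, policy):
        st = p.stat()
        entries[str(p)] = {"sha256": file_digest(p), "mode": st.st_mode, "size": st.st_size}
    payload = json.dumps(entries, sort_keys=True).encode()
    mac = hmac.new(derive_key(passphrase, salt), payload, "sha256").hexdigest()
    return {"salt": salt.hex(), "entries": entries, "mac": mac}


def verify_database(db: dict, passphrase: str) -> bool:
    """True only if the entries are exactly what the passphrase holder signed."""
    payload = json.dumps(db["entries"], sort_keys=True).encode()
    key = derive_key(passphrase, bytes.fromhex(db["salt"]))
    expected = hmac.new(key, payload, "sha256").hexdigest()
    return hmac.compare_digest(expected, db["mac"])


def check(db: dict, passphrase: str) -> list:
    """The periodic (cron) check: return (path, reason) for every violation.

    Refuses to run against a database that fails authentication, since a
    re-baselined database is exactly what an intruder would leave behind."""
    if not verify_database(db, passphrase):
        raise ValueError("integrity database failed authentication (tampered, or wrong passphrase)")
    violations = []
    for path, rec in db["entries"].items():
        p = Path(path)
        if not p.exists():
            violations.append((path, "missing"))
            continue
        st = p.stat()
        if file_digest(p) != rec["sha256"]:
            violations.append((path, "content changed"))
        elif st.st_mode != rec["mode"] or st.st_size != rec["size"]:
            violations.append((path, "metadata changed"))
    return violations


def demo() -> dict:
    """Baseline two constructed files plus this script, trojan one file, then
    show that a forged re-baseline without the passphrase is rejected."""
    passphrase = "correct horse battery staple"  # constructed for the demo
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        binary = root / "bin" / "ls"
        conf = root / "etc" / "passwd"
        binary.parent.mkdir()
        conf.parent.mkdir()
        binary.write_bytes(b"\x7fELF original program bytes (constructed)")
        conf.write_text("root:x:0:0:root:/root:/bin/bash\n")
        policy = [binary, conf]
        me = globals().get("__file__")
        if me:
            policy.append(Path(me).resolve())  # the checker monitors itself

        db = build_database(policy, passphrase)
        clean = check(db, passphrase)

        binary.write_bytes(b"\x7fELF trojaned program bytes (constructed)")
        after_trojan = check(db, passphrase)

        # Intruder regenerates the whole database to match the trojaned file,
        # but has to guess the passphrase; the MAC will not verify.
        forged = build_database(policy, "intruder guess", bytes.fromhex(db["salt"]))
        try:
            check(forged, passphrase)
            forgery_detected = False
        except ValueError:
            forgery_detected = True

    return {"clean": clean, "after_trojan": after_trojan, "forgery_detected": forgery_detected}


if __name__ == "__main__":
    print(demo())
```

Two caveats that carry over to the real tool: a content-hash checker like this has no idea why a file changed, so prelink rewriting every ELF binary on disk looks exactly like the mass tampering Scot describes, and the only cure is to re-baseline (with the passphrase) after you have accounted for the change; and detection after the fact is all it offers, which is why the thread points at SELinux for actually preventing an unauthorised write.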