On Sat, 2005-10-01 at 18:53, Ian Harris wrote:
> On Sat, 1 Oct 2005 01:46 pm, Scot L. Harris wrote:
> >
> > It is not a virus defense, it is a host based intrusion detection tool.
> > Tripwire's purpose is to periodically examine files specified in the
> > policy file and report any differences. These differences are an
> > indication that something was changed. If you are unable to trace the
> > cause to a system update or modification that you performed then it may
> > be an indication that someone else has modified files on your system.
> > In the past I have used things like Big Brother to examine the tripwire
> > reports and alarm if a violation is indicated.
> >
> > Tripwire will not stop programs from running; you should look to selinux
> > to provide that kind of protection. Selinux will prevent a program from
> > trying to change files or perform operations that are not authorized by
> > the policy on the system.
> >
> > That is where signing the policy and database files used by tripwire
> > with a key comes in. In order to update the database you must enter the
> > pass phrase used for the system. It is also a good idea to have
> > tripwire monitor its own executables and files so you will get notified
> > if those are changed.
> >
> > Understand that tripwire is an IDS; it lets you know when something
> > appears to have changed. It is not a magic bullet but one part of a
> > system you can use to help protect your system.
> >
> > Also note that tripwire is not prelink aware. You can scare yourself
> > pretty badly if you set up a new system, configure tripwire, and then come
> > back the next day and most of the files in the system are flagged as
> > being changed. :)
>
> Thanks for that Scot, looks like I'm going to have to study the selinux
> manual!
>
> Ian

If you are looking at security of your system, start thinking about it in
layers.

Start with a good firewall and set it to block things coming in as well as
going out. Only allow those things that you need to use.

Use iptables on your servers. This acts as a second firewall layer.

Set up tripwire, which will alert you that something has changed. This will
reduce the amount of time that someone may have access to your system.

Enable selinux. With the right policy this should limit potential damage and
exposure should someone manage to execute code on your system.

Use good passwords.

Disable all services you don't need/use.

Review your log files regularly; read root's email.

If you want to get really paranoid you can set up snort. Snort is a network
intrusion detection tool (depending on how it is configured it could be an
intrusion prevention system). It can notify you when it sees odd things on
your network. It can also be configured to reactively modify firewall rules
in response to perceived threats. Similar lighter weight apps like this
include portsentry, which can be used on individual hosts.

Think of security as having multiple layers. That way if someone penetrates
one layer they should be blocked by another. To do damage someone would have
to penetrate your firewall, iptables, selinux, evade tripwire, break
passwords, and elude snort. Most hackers will move on to other systems that
are not protected as well. And for the most part that is what you want to
achieve. Make your system just a little harder to crack than the next one on
the Internet.
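The tripwire workflow described in the thread (build a baseline of file hashes, protect the database with a key, re-examine the files later and report differences) as a small added example; this is illustrative code written for this page, not tripwire's own code, and the file names, contents and key are constructed for the demo.

```python
import hashlib
import hmac
import json
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Baseline attributes for one file: content hash, permission bits, size."""
    st = path.stat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}


def build_database(paths, key: bytes) -> dict:
    """Snapshot the listed files and bind the snapshot to a key (HMAC stands in
    for tripwire's signed database; without the key the baseline cannot be
    rewritten to hide a change)."""
    records = {str(p): file_record(Path(p)) for p in paths}
    body = json.dumps(records, sort_keys=True).encode()
    return {"records": records, "mac": hmac.new(key, body, "sha256").hexdigest()}


def check(db: dict, key: bytes) -> dict:
    """Re-examine every file in the baseline; refuse to trust a baseline whose MAC fails."""
    body = json.dumps(db["records"], sort_keys=True).encode()
    if not hmac.compare_digest(db["mac"], hmac.new(key, body, "sha256").hexdigest()):
        raise ValueError("database MAC mismatch: the baseline itself was altered")
    report = {"changed": [], "missing": []}
    for name, baseline in db["records"].items():
        p = Path(name)
        if not p.exists():
            report["missing"].append(name)
        elif file_record(p) != baseline:
            report["changed"].append(name)
    return report


def demo() -> dict:
    """Constructed scenario: baseline two files, alter one, then tamper with the database."""
    key = b"constructed-passphrase-derived-key"   # constructed for the demo
    with tempfile.TemporaryDirectory() as d:
        passwd, sshd = Path(d, "passwd"), Path(d, "sshd_config")
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\n")
        sshd.write_text("PermitRootLogin no\n")
        db = build_database([passwd, sshd], key)
        clean = check(db, key)                     # nothing changed yet
        sshd.write_text("PermitRootLogin yes\n")    # a later modification
        after = check(db, key)                     # sshd_config is flagged
        db["records"][str(sshd)]["sha256"] = "0" * 64   # edit baseline to hide it
        try:
            check(db, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"clean": clean, "after": after, "db_tamper_detected": tamper_detected}
```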