I am a newbie (so don't flame me!). I want to know about Tripwire; can anybody give me some thread links, or maybe some txt files?
http://mrcorp.infosecwriters.com/Tri...inux_intro.htm
http://www.freeos.com/printer.php?entryID=3405
http://www.nig.abel.co.uk/network_in...on_systems.htm
Quote:
System integrity verifiers (SIV) monitor system files to find when an intruder changes them (thereby leaving behind a backdoor). The most famous of such systems is "Tripwire". A SIV may watch other components as well, such as the Windows registry and cron configuration, in order to find well-known signatures. It may also detect when a normal user somehow acquires root/administrator level privileges. Many existing products in this area should be considered more "tools" than complete "systems": i.e. something like "Tripwire" detects changes in critical system components, but doesn't generate real-time alerts upon an intrusion.
EDIT: Would you mind posting this in the correct forum, as I don't think this is a tutorial? :P :D
You may also want to look at AIDE or yafic: http://sourceforge.net/projects/aide http://philosophysw.com/software/yafic/
Thanks!
I'm trying to customize my Tripwire printouts to keep just what I need to know. However, there is no solid documentation for the open source version of Tripwire. Does anyone have a link to this information, or can anyone here answer my questions if I post them here?
- Question one: Would a used program be marked as modified?
Good Day,
Hope this helps: if Tripwire detects that a file has been changed, then it will show the modified file name, size, time, etc.
i.e. Modified object name: /root/aoisgreat.txt
size 2000, 2120
modify time Wed Feb 29 13:00 2006, Wed Feb 29 13:18 2006
++Maximum Linux Security - Anonymous
edit: commas added only to separate the entries
From: http://www.redhat.com/docs/manuals/l...update-db.html
Updating the Database after an Integrity Check
If you run an integrity check and Tripwire finds violations, you will first need to determine whether the violations discovered are actual security breaches or the product of authorized modifications. If you recently installed an application or edited critical system files, Tripwire will (correctly) report integrity check violations. In this case, you should update your Tripwire database so those changes are no longer reported as violations. However, if unauthorized changes are made to system files that generate integrity check violations, then you should restore the original file from a backup or reinstall the program.
It appears that you can modify your report (printout) by "updating the Tripwire database so that those changes are no longer reported as violations."
I'm currently using it on Debian, LindowsOS, and Fedora.
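To make concrete what a system integrity verifier does (the quoted SIV description above) and what "updating the database after an integrity check" means (the Red Hat excerpt above), here is a small added example. It is not Tripwire's code or anything from this thread's posters: it baselines size, mtime and SHA-256 for every file under a directory (an assumed property set; a real Tripwire policy chooses properties per file and normally leaves access time out), reports modified objects in the "old, new" style shown earlier in the thread, and re-baselines only the objects an operator has confirmed as authorized. The file names, contents and the 18-minute edit are constructed for the demo; the scenario also exercises the "used program" question by bumping only a file's access time and confirming that does not register as a modification.

```python
"""Minimal system integrity verifier (SIV) in the spirit of Tripwire.

Added example, not Tripwire's own code. Tracked properties (size, mtime,
SHA-256) are an assumption; access time is deliberately not tracked, so
merely running or reading a file never counts as a change.
"""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

PROPS = ("size", "mtime", "sha256")


def snapshot(path):
    """Record the tracked properties of one regular file."""
    st = os.stat(path)
    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest}


def build_database(root, db_path):
    """Baseline every regular file under root into a JSON database."""
    objects = {str(p): snapshot(p) for p in sorted(Path(root).rglob("*")) if p.is_file()}
    db = {"root": str(root), "objects": objects}
    Path(db_path).write_text(json.dumps(db))
    return db


def integrity_check(db_path):
    """Compare the filesystem with the baseline: added, removed and modified objects."""
    db = json.loads(Path(db_path).read_text())
    objects = db["objects"]
    report = {"added": [], "removed": [], "modified": {}}
    for name, expected in objects.items():
        if not os.path.isfile(name):
            report["removed"].append(name)
            continue
        current = snapshot(name)
        changed = {k: (expected[k], current[k]) for k in PROPS if expected[k] != current[k]}
        if changed:
            report["modified"][name] = changed
    for p in Path(db["root"]).rglob("*"):
        if p.is_file() and str(p) not in objects:
            report["added"].append(str(p))
    return report


def update_database(db_path, accepted):
    """Re-baseline only the objects an operator has confirmed as authorized changes."""
    db = json.loads(Path(db_path).read_text())
    for name in accepted:
        if os.path.isfile(name):
            db["objects"][name] = snapshot(name)
        else:
            db["objects"].pop(name, None)
    Path(db_path).write_text(json.dumps(db))
    return db


def format_report(report):
    """Render modified objects in the 'old, new' style quoted in the thread."""
    lines = []
    for name, changes in report["modified"].items():
        lines.append(f"Modified object name: {name}")
        for prop, (old, new) in changes.items():
            if prop == "mtime":
                old, new = (time.strftime("%a %b %d %H:%M %Y", time.localtime(v)) for v in (old, new))
            lines.append(f"  {prop} {old}, {new}")
    return "\n".join(lines)


def run_demo():
    """Constructed scenario: baseline, 'run' a program, edit a file, accept the edit."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as dbdir:
        db_path = Path(dbdir) / "baseline.json"
        prog = Path(root) / "bin" / "aoisgreat"          # constructed file names
        prog.parent.mkdir()
        prog.write_bytes(b"#!/bin/sh\necho hi\n")
        note = Path(root) / "aoisgreat.txt"
        note.write_bytes(b"x" * 2000)
        build_database(root, db_path)
        results = {}

        # Running a program touches only its access time; size, mtime and hash stay put.
        st = os.stat(prog)
        os.utime(prog, (int(st.st_atime) + 3600, int(st.st_mtime)))
        results["after_use"] = integrity_check(db_path)["modified"]

        # An edit grows the note by 120 bytes and moves its mtime 18 minutes later.
        old_mtime = int(os.stat(note).st_mtime)
        with open(note, "ab") as fh:
            fh.write(b"y" * 120)
        os.utime(note, (old_mtime + 1080, old_mtime + 1080))
        report = integrity_check(db_path)
        results["after_modify"] = report["modified"][str(note)]
        results["added"] = report["added"]
        results["rendered"] = format_report(report)

        # Operator confirms the edit was authorized: re-baseline that object only, recheck.
        update_database(db_path, [str(note)])
        results["after_update"] = integrity_check(db_path)["modified"]
        return results


if __name__ == "__main__":
    print(run_demo()["rendered"])
```

The important design point is in `update_database`: it accepts an explicit list of objects, so an operator re-baselines exactly the changes they have judged authorized rather than blindly overwriting the whole database, which would also silence any unauthorized change that happened to be present at the same time.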