tripwire

Printable View

December 26th, 2003, 12:38 PM
adityaa1

tripwire

i am a newbie(so dont flame me!).i want to know about tripwire,can anybody give me some thread links ,or maybe some txt files?
December 26th, 2003, 01:11 PM
el-half

http://mrcorp.infosecwriters.com/Tri...inux_intro.htm
http://www.freeos.com/printer.php?entryID=3405

http://www.nig.abel.co.uk/network_in...on_systems.htm

Quote:

system integrity verifiers (SIV) monitors system files to find when a intruder changes them (thereby leaving behind a backdoor). The most famous of such systems is "Tripwire". A SIV may watch other components as well, such as the Windows registry and chron configuration, in order to find well known signatures. It may also detect when a normal user somehow acquires root/administrator level privleges. Many existing products in this area should be considered more "tools" than complete "systems": i.e. something like "Tripwire" detects changes in critical system components, but doesn't generate real-time alerts upon an intrusion.

Google

EDIT: would you mind posting this in the correct forum? As I don't think this is a tutorial :P :D
December 27th, 2003, 02:24 AM
lumpyporridge

You may want to look at aide or yafic also http://sourceforge.net/projects/aide http://philosophysw.com/software/yafic/
December 27th, 2003, 03:28 AM
adityaa1

thanks!
March 22nd, 2004, 02:01 PM
Info Tech Geek

I'm trying to custom my Tripwire prints outs to keep just what I need to know. However, there is no solid documentation for the open source version of Tripwire. Does anyone have a link to this information or can anyone here answer my questions if I post them here.

- Question one: Would a used program be marked as modified?
March 23rd, 2004, 12:12 AM
Relyt

Good Day,

Hope this helps: if Tripwire detects that a file has been changed, then it will show the modified file name, size, time, etc.

i.e. Modified object name: /root/aoisgreat.txt

size 2000, 2120
modify time Wed Feb 29 13:00 2006, Wed Feb 29 13:18 2006

++Maximum Linux Security - Anonymous

edit: commas added only to separate the entries

From: http://www.redhat.com/docs/manuals/l...update-db.html

Updating the Database after an Integrity Check

If you run an integrity check and Tripwire finds violations, you will first need to determine whether the violations discovered are actual security breaches or the product of authorized modifications. If you recently installed an application or edited critical system files, Tripwire will (correctly) report integrity check violations. In this case, you should update your Tripwire database so those changes are no longer reported as violations. However, if unauthorized changes are made to system files that generate integrity check violations, then you should restore the original file from a backup or reinstall the program.

Appears that you can modify your report (printout) by "updating the Tripwire database so that those changes are no longer reported as violations."
March 23rd, 2004, 06:32 PM
Info Tech Geek

I'm currently using it on Debian, LindowsOS, and Fedora.