Tripwire - What's The Point?


Dark Ninja
01-30-2002, 12:29 AM
;) I'm all about security questions today.

So, I've also had Tripwire on my system for a while. It runs every day (thank you cron) but, the problem is, it doesn't seem to do too much. For example, I installed it/set it up the day I installed my system. (Before it was even connected to the network.) However, since then, I have installed, uninstalled, etc. and Tripwire now outputs almost 1000 different files from the original database. I know that most of those are from me, and I'm pretty sure the rest are too.

So...what good does this do me if I have to look through a list of 1000 items? And, even if I don't have to look through a list of 1000 items, and I just have to update Tripwire every time I install something major, what good does that do me as well? This will just result in me having to do a lot of work, and/or I'll add something to Tripwire's new database that will already be infected, and not know it.

See my dilemma here? Maybe I'm just confused on how this whole thing works. But...if anybody could give me an explanation as to the good of Tripwire, and how it's REALLY supposed to be handled, I'd appreciate it. Otherwise, I think it's going to come off my system.


Dark Ninja

bdl
01-30-2002, 12:37 AM
Well, the idea is that you keep watch on a few 'important' files and binaries, let's say /bin:/sbin:/usr/bin:/usr/sbin:/etc and so on. Don't have the thing keep track of absolutely everything on your system, because unless you're using a static system that nothing new is ever installed on, it's going to be a big pain in the butt. Which you're running into. It is also recommended to keep your database on a read-only filesystem or media like CD that can be accessed to compare but not overwritten. So you have Tripwire check your system once a week, burn it to CD and then have it check the next week, so on and so forth. I don't think nightly Tripwire checks are the answer, you shouldn't be that paranoid about it. Keep track of your logs, run Tripwire once a week or as you see fit on a few important files.

Dark Ninja
01-30-2002, 11:27 AM
Ahh...well that makes a little more sense...thank you. However, that would now mean I would need to do a reinstallation of my system, since I have no clue what I've been installing to it.

Also - do you have any instructions on how to watch JUST those folders/files you recommended? Tripwire always wants to set up to watch my entire system, it seems.

Thank you very much for clearing that up.


Dark Ninja

bdl
01-30-2002, 09:06 PM
Originally posted by Dark Ninja:
Ahh...well that makes a little more sense...thank you. However, that would now mean I would need to do a reinstallation of my system, since I have no clue what I've been installing to it.

Also - do you have any instructions on how to watch JUST those folders/files you recommended? Tripwire always wants to set up to watch my entire system, it seems.

Thank you very much for clearing that up.


Dark Ninja

Not a problem. I know there's a good README or HOWTO somewhere that helped me set it up once upon a time, I'll see if I can't find it for you.

thor420
01-31-2002, 12:17 AM
'man tripwire' gives you loads of info; IMHO one of the better man pages. At any rate, and to answer the just of the initial question, Tripwire is a solid security program. It may be a little time consuming to dial the policy in (unless you use RedHat, which it was written for), but once you have that watching the stuff you want it's great. Then all you need to do is a cronjob of 'tripwire -m c -M' as often as needed followed by a weekly (or whatever) 'tripwire -m c -I' to interactively update the database so as to keep it current. You should comment everything out in the policy save for what you feel is important, and add stuff as you feel necessary. Baby steps...