Chapter 11. Tripwire
Tripwire data integrity assurance software monitors the reliability of critical system files and
directories by identifying changes made to them. Tripwire configuration options include the ability
to receive alerts via email if particular files are altered and automated integrity checking via a
cron job. Using Tripwire for intrusion detection and damage assessment helps you keep track of
system changes. Because Tripwire can positively identify files that have been added, modified, or
deleted, it can speed recovery from a break-in by keeping the number of files which must be
restored to a minimum.
Tripwire compares files and directories against a database of file locations, dates modified, and other
data. The database contains baselines, which are snapshots of specified files and directories at a
specific point in time. The contents of the baseline database should be generated before the system is at
risk of intrusion. After creating the baseline database, Tripwire then compares the current system to
the baseline and reports any modifications, additions, or deletions.
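
The baseline-then-compare cycle described above can be sketched in a few lines of Python. This is an added illustration, not Tripwire's code or database format. The function names, the recorded attributes (SHA-256 digest, size, permission bits, modification time) and the sample files are assumptions made for the example.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Baseline: relative path -> (sha256, size, mode bits, mtime in ns)."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # regular files only; symlinks and devices are skipped
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            db[os.path.relpath(path, root)] = (
                digest, st.st_size, stat.S_IMODE(st.st_mode), st.st_mtime_ns)
    return db

def compare(baseline, current):
    """Classify differences as additions, modifications, or deletions."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "deleted": sorted(set(baseline) - set(current)),
    }

def write(root, name, data, mode=0o644):
    """Helper for the constructed sample tree (hypothetical, for the demo only)."""
    path = os.path.join(root, name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)
    return path

def demo():
    """Constructed sample tree: take the baseline first, then change files."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("fstab", "hosts", "motd", "passwd"):
            write(root, name, name.encode() + b" contents\n")
        baseline = snapshot(root)
        write(root, "passwd", b"passwd contents\nextra line\n")  # content change
        os.chmod(os.path.join(root, "hosts"), 0o666)             # metadata-only change
        os.remove(os.path.join(root, "motd"))                    # deletion
        write(root, "newfile", b"not in the baseline\n")         # addition
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The unchanged file (fstab) does not appear in the report, and the permission change on hosts is caught even though its contents are identical, which is why the baseline records metadata as well as a digest.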
While Tripwire is a valuable tool for auditing the security state of Red Hat Linux systems, Tripwire is
not supported by Red Hat, Inc. Refer to the Tripwire project's website (http://www.tripwire.org) for
more information about Tripwire.
11.1. How to Use Tripwire
The following flowchart illustrates how Tripwire works:
Figure 11-1. Using Tripwire
The following describes in more detail the numbered blocks shown in Figure 11-1