Features:
Tripwire is a tool for checking file integrity and consistency under Linux.
Principle:
Tripwire reads a policy file that lists the files to be monitored and generates a signed (encrypted) snapshot of their current state. When the system is suspected of having been compromised, the files are compared against that previously generated snapshot. If a file has been replaced, its properties no longer match the entry recorded in the Tripwire database, and Tripwire reports that file as changed. The results of the check are delivered as a text report or by mail.
Configuration:
The configuration file is /etc/tripwire/twcfg.txt. Its main entries:
POLFILE = /etc/tripwire/tw.pol // policy file
DBFILE = /var/lib/tripwire/$(HOSTNAME).twd // snapshot (database)
REPORTFILE = /var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr // where reports are stored
SITEKEYFILE = /etc/tripwire/site.key // site key, used when the policy file is changed
LOCALKEYFILE = /etc/tripwire/$(HOSTNAME)-local.key // local key, used when the policy file is read
The policy file is /etc/tripwire/twpol.txt.
@@section GLOBAL defines the variables Tripwire needs at runtime; they must agree with the values in twcfg.txt.
@@section FS contains the predefined rules.
Each block like the following names the files Tripwire is to monitor and the rule applied to them:
(
  rulename = "Networking Programs",
  severity = $(SIG_HI)
)
{
  /sbin/arp        -> $(SEC_CRIT);
  /sbin/ifcfg      -> $(SEC_CRIT);
  /sbin/ifconfig   -> $(SEC_CRIT);
  /sbin/ifdown     -> $(SEC_CRIT);
  /sbin/ifenslave  -> $(SEC_CRIT);
  /sbin/ifport     -> $(SEC_CRIT);
  /sbin/ifup       -> $(SEC_CRIT);
  /sbin/ifuser     -> $(SEC_CRIT);
  /sbin/ip         -> $(SEC_CRIT);
  /sbin/ipmaddr    -> $(SEC_CRIT);
  /sbin/iptables   -> $(SEC_CRIT);
  /sbin/iptunnel   -> $(SEC_CRIT);
  /sbin/ipconfig   -> $(SEC_CRIT);
  /sbin/iwpriv     -> $(SEC_CRIT);
  /sbin/iwspy      -> $(SEC_CRIT);
  /sbin/netreport  -> $(SEC_CRIT);
  /sbin/plipconfig -> $(SEC_CRIT);
  /sbin/portmap    -> $(SEC_CRIT);
  /sbin/ppp-watch  -> $(SEC_CRIT);
  /sbin/route      -> $(SEC_CRIT);
  /sbin/slattach   -> $(SEC_CRIT);
  /sbin/ypbind     -> $(SEC_CRIT);
  /bin/ping        -> $(SEC_CRIT);
}
Usage:
Initialization:
twadmin -m P /etc/tripwire/twpol.txt // create the policy file (tw.pol) from the text policy
tripwire -m i // generate the snapshot
Generate a report:
tripwire -m c
Review an earlier report (and update the database from it):
tripwire -m u -r /var/lib/tripwire/report/linux-????????-??????.twr
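As an added illustration of the snapshot-and-compare principle and the init/check cycle above (example code written for this page, not part of Tripwire), a small Python model: each monitored path is mapped to a property mask as in the policy file, the snapshot is signed with an HMAC key that stands in for the local key (Tripwire itself uses public-key signatures), and a check reports changed, removed and added files. All paths, file contents and the key are constructed.

```python
import hashlib, hmac, json, stat, tempfile
from pathlib import Path

# Tripwire-style property mask (subset): p=permissions, u=owner uid,
# s=size, m=mtime, H=content hash. SEC_CRIT watches all of them, like the
# "Networking Programs" rule above; a log-file mask would drop s, m and H.
SEC_CRIT = "pusmH"

def properties(path, mask):
    """Collect the properties selected by the mask for one file."""
    st = path.lstat()
    props = {}
    if "p" in mask: props["p"] = stat.S_IMODE(st.st_mode)
    if "u" in mask: props["u"] = st.st_uid
    if "s" in mask: props["s"] = st.st_size
    if "m" in mask: props["m"] = int(st.st_mtime)
    if "H" in mask: props["H"] = hashlib.sha256(path.read_bytes()).hexdigest()
    return props

def init_db(policy, local_key):
    """Like 'tripwire -m i': snapshot each policy entry, then sign the snapshot."""
    db = {p: properties(Path(p), m) for p, m in policy.items() if Path(p).exists()}
    blob = json.dumps(db, sort_keys=True).encode()
    return {"db": db, "sig": hmac.new(local_key, blob, "sha256").hexdigest()}

def check(policy, signed, local_key):
    """Like 'tripwire -m c': verify the snapshot's signature, then diff it."""
    blob = json.dumps(signed["db"], sort_keys=True).encode()
    expect = hmac.new(local_key, blob, "sha256").hexdigest()
    if not hmac.compare_digest(signed["sig"], expect):
        raise ValueError("snapshot signature mismatch: the database itself was altered")
    report = {"changed": [], "removed": [], "added": []}
    for p, mask in policy.items():
        path, old = Path(p), signed["db"].get(p)
        if old is None:
            if path.exists(): report["added"].append(p)
        elif not path.exists(): report["removed"].append(p)
        elif properties(path, mask) != old: report["changed"].append(p)
    return report

def demo():
    """Constructed scenario: a monitored 'binary' is replaced after the baseline."""
    d = Path(tempfile.mkdtemp())
    arp, route = d / "arp", d / "route"
    arp.write_bytes(b"original arp binary"); route.write_bytes(b"route binary")
    policy = {str(arp): SEC_CRIT, str(route): SEC_CRIT, str(d / "ping"): SEC_CRIT}
    key = b"constructed-local-key"           # stands in for $(HOSTNAME)-local.key
    snapshot = init_db(policy, key)
    arp.write_bytes(b"trojaned arp binary")  # same size, so only the hash differs
    (d / "ping").write_bytes(b"new file")    # appears after the snapshot was taken
    return check(policy, snapshot, key)
```

The replaced file keeps its size and (within the same second) its mtime, so it is the content hash that flags it; that is why SEC_CRIT entries include a hash property.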
Disadvantages:
1. Generating a report consumes a large amount of system resources.
2. The software cannot be used on Windows.