Monitoring Files

A computer system, at its simplest, is a collection of files which contain the information on what the system is to do and for whom. The information the system contains is held within files, the configuration information which controls the system is held within files, and on UNIX systems the devices themselves appear on the system as files. The controlling of these files is critical to the security of the system. Monitoring these files is equally important to maintaining the security. Hackers alter and replace files to change the behavior of the system or to gain access to information.

Tripwire

Tripwire is a tool that checks to see what has changed on your system. The program monitors key attributes of files that should not change. Tripwire was developed by Dr. Eugene Spafford and Gene Kim of Purdue University in 1992. It has become a basic technology in monitoring systems for unauthorized changes.

Tripwire software can help to ensure the integrity of critical system files and directories by identifying when they are changed. Tripwire configuration options include the ability to receive alerts via e-mail if particular files are altered and automated integrity checking via a cron job. Using tripwire for intrusion detection and damage assessment helps you keep track of system changes and can speed the recovery from a break-in by reducing the number of files you must restore to repair the system.

Tripwire compares files and directories against a base-line database of file locations, dates modified, and other data. It generates the base line by taking a snapshot of specified files and directories in a known secure state. (For maximum security, tripwire should be installed and the base line created before the system is at risk from intrusion.) After creating the base-line database, tripwire compares the current system to the base line and reports any modifications, additions, or deletions.

The tripwire policy file is a text file containing comments, rules, directives, and variables. This file dictates the way tripwire checks your system. Each rule in the policy file specifies a system object to be monitored. Rules also describe which changes to the object to report and which to ignore.

System objects are the files and directories you want to monitor. Each object is identified by an object name. A property refers to a single characteristic of an object that tripwire software can monitor. Directives control conditional processing of sets of rules in a policy file. During installation, the text policy file (/etc/tripwire/twpol.txt) is encrypted and renamed, becoming the active policy file (/etc/tripwire/tw.pol).

When first initialized, tripwire uses the signed policy file rules to create the database file, /var/lib/tripwire/host_name.twd. The database file is a base-line snapshot of the system in a known secure state. Tripwire compares this base line against the current system to determine what changes have occurred. This comparison is called an integrity check.

When you perform an integrity check, tripwire produces report files in the /var/lib/tripwire/report directory. The report files summarize any file changes that violated the policy file rules during the integrity check.

The tripwire configuration file (/etc/tripwire/tw.cfg) stores system-specific information, such as the location of tripwire data files. Tripwire generates the necessary configuration file information during installation, but the system administrator can change parameters in the configuration file at any time after that point. Note that the altered configuration file must be signed in the same way as the policy file in order for it to be used by default.

The configuration file variables POLFILE, DBFILE, REPORTFILE, SITEKEYFILE, and LOCALKEYFILE specify the locations of the policy file, database file, report files, and site and local key files. These variables are defined by default at the time of installation. If you edit the configuration file and leave any of them undefined, the configuration file will be considered invalid by tripwire. This causes an error on the execution of tripwire, making the program exit.

Tripwire can e-mail someone if a specific type of rule in the policy file is violated. To configure tripwire to do this, you first have to know the e-mail address of the person to be contacted if a particular integrity violation occurs, plus the name of the rule you would like to monitor. Note that on large systems with multiple administrators, you can have different sets of people notified for certain violations and no one notified for minor violations.
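The base-line snapshot, the integrity check that compares the live system against it, and the per-rule notification list described above, shown as an added Python example. This is not Tripwire's own code: the POLICY rules, the property letters, the sample file tree and the addresses are constructed for the illustration, and snapshot(), integrity_check() and notifications() are hypothetical names standing in for tripwire --init, tripwire --check and the e-mail reporting step.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical policy modelled on a tripwire policy file: each rule names the
# directory it monitors, the property letters that must not change (loosely
# following tripwire's codes: p mode, i inode, n link count, u uid, g gid,
# s size, m mtime, S content digest), and who to notify on a violation.
POLICY = [
    {"rulename": "Critical binaries", "path": "bin", "props": "pinugsmS",
     "emailto": "root@localhost"},
    # Log files are expected to grow, so size, mtime and content are ignored
    # for them; only ownership, mode and inode identity are watched.
    {"rulename": "Log files", "path": "var/log", "props": "pinug",
     "emailto": None},
]


def file_properties(path: Path, props: str) -> dict:
    """Collect only the properties the rule asks for, as a property mask does."""
    st = os.lstat(path)
    fields = {
        "p": stat.S_IMODE(st.st_mode), "i": st.st_ino, "n": st.st_nlink,
        "u": st.st_uid, "g": st.st_gid, "s": st.st_size, "m": int(st.st_mtime),
    }
    out = {k: v for k, v in fields.items() if k in props}
    if "S" in props and stat.S_ISREG(st.st_mode):
        out["S"] = hashlib.sha256(path.read_bytes()).hexdigest()
    return out


def snapshot(root: Path, policy: list) -> dict:
    """Base-line database: {rulename: {path relative to root: properties}}."""
    db = {}
    for rule in policy:
        base = root / rule["path"]
        entries = {}
        for p in (sorted(base.rglob("*")) if base.is_dir() else []):
            entries[p.relative_to(root).as_posix()] = file_properties(p, rule["props"])
        db[rule["rulename"]] = entries
    return db


def integrity_check(root: Path, policy: list, baseline: dict) -> dict:
    """Compare the live tree with the base line; report only violated rules."""
    current = snapshot(root, policy)
    report = {}
    for rule in policy:
        name = rule["rulename"]
        old, new = baseline.get(name, {}), current[name]
        added = sorted(set(new) - set(old))
        removed = sorted(set(old) - set(new))
        changed = sorted(f for f in set(old) & set(new) if old[f] != new[f])
        if added or removed or changed:
            report[name] = {"added": added, "removed": removed,
                            "changed": changed, "emailto": rule["emailto"]}
    return report


def notifications(report: dict) -> dict:
    """Group violated rules by recipient; rules without emailto notify nobody."""
    by_recipient = {}
    for name, entry in report.items():
        if entry["emailto"]:
            by_recipient.setdefault(entry["emailto"], []).append(name)
    return by_recipient


def run_demo() -> dict:
    """Build a constructed tree, base-line it, alter it, and re-check it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nls\n")
        (root / "var" / "log" / "messages").write_text("boot ok\n")
        baseline = snapshot(root, POLICY)              # the --init step
        # Changes after the base line: a replaced binary, a new file in bin,
        # and ordinary log growth that the policy deliberately ignores.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho tampered\n")
        (root / "bin" / "extra").write_bytes(b"not in the base line\n")
        with open(root / "var" / "log" / "messages", "a") as f:
            f.write("login ok\n")
        return integrity_check(root, POLICY, baseline)  # the --check step


if __name__ == "__main__":
    result = run_demo()
    for rulename, entry in result.items():
        print(rulename, entry)
    print("notify:", notifications(result))
```

Running the script reports the replaced bin/ls and the new bin/extra under "Critical binaries" with root@localhost as the recipient, while the appended log line produces no violation because the "Log files" rule does not track size, mtime or content. As with tripwire, the base line is only trustworthy if it was taken while the system was in a known secure state.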

Tripwire is supplied with Red Hat Linux; the Tripwire Open Source code is available from tripwire.org and is also on the CD-ROM.


Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210
