
tripwire

A good info page: visit

When installing the backup and deployment machine I was thinking about reusing an existing machine, but there was no real way of telling whether that machine was already compromised. There really is no way to tell without a tool like tripwire, and even then you are only sure if you take precautions.

In principle every tool you run on a compromised system could have been altered by the attacker to report that everything is fine. Tripwire creates a signed database of checksums of the binaries just after installation (or upgrade) and can then detect whether a binary has been changed since.

However, an attacker can also alter tripwire itself to make it say everything is dandy! So you need to save the database to read-only media such as a floppy or CD to be sure.

In theory checksumming can even be fooled by devising a replacement binary with the same number of bytes whose contents are tweaked to produce the same checksum, but I doubt hackers would go to that length of trouble.

installation

Tripwire should be installed as soon as possible, right after installation of the system. It should also be re-run after every update and new installation. Installing is easy:

install
apt-get install tripwire
# now answer the questions to your liking; just use all keys (site and local)
tripwire --init  # starts setting up the database

check
# collect the "Filename:" lines of the error report, i.e. files the default policy lists but which do not exist on this system
sh -c "tripwire --check | grep Filename > missing-directory.txt"

usage

This simply boils down to:

use
tripwire --check

However, you will want to check regularly against the read-only database, not only the one on disk. In particular, every time you are about to write a new database to read-only media, first run a check against the existing read-only copy, so that you do not carry an unnoticed modification over into the new copy.
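The two precautions above (keep the database on read-only media, and verify before trusting or refreshing it) can be scripted. The following is an added example, not code from the original page or from the tripwire project: it keeps a small manifest of SHA-256 digests on the read-only medium and refuses to trust the on-disk tripwire binary and database until they match it. The file names in demo() are constructed stand-ins; in real use the manifest and a known-good copy of the tripwire binary would live on the mounted floppy or CD.

```shell
# Added example (not from the original page): before trusting "tripwire --check",
# confirm that the tripwire binary and its database still match a reference
# manifest kept on read-only media. Paths in demo() are constructed placeholders.
hash_file() {
    # Print only the hex digest of $1, using whichever SHA-256 tool exists.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}
# make_manifest FILE... -> "digest path" lines; store this on the read-only medium.
make_manifest() {
    for f in "$@"; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done
}
# verify_manifest MANIFEST -> 0 if every listed file matches, 1 if any is
# missing or altered (offending paths go to stderr).
verify_manifest() {
    status=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING: $path" >&2; status=1; continue
        fi
        if [ "$(hash_file "$path")" != "$expected" ]; then
            echo "ALTERED: $path" >&2; status=1
        fi
    done < "$1"
    return "$status"
}
# Self-contained demonstration on constructed stand-ins for the real files.
demo() {
    work=$(mktemp -d)
    printf 'stand-in tripwire binary\n' > "$work/tripwire"
    printf 'stand-in tripwire database\n' > "$work/tw.twd"
    make_manifest "$work/tripwire" "$work/tw.twd" > "$work/manifest.txt"
    verify_manifest "$work/manifest.txt" && echo "reference intact"
    printf 'extra bytes\n' >> "$work/tripwire"   # simulate tampering
    verify_manifest "$work/manifest.txt" || echo "tampering detected"
    rm -rf "$work"
}
demo
```

Run verify_manifest against the manifest on the read-only mount before every `tripwire --check`, and again before you burn a refreshed database.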