Intrusion Detection Systems: Part II - Installing Tripwire
"Most persons would succeed in small things if they were not troubled with great ambitions." - H.W. Longfellow
In the first part of this series we laid the groundwork for understanding why a full-fledged Intrusion Detection System (IDS) is necessary. A good policy is to mix and match the best tools into a security grid that is difficult even for an expert cracker to penetrate. The IDS tools of interest to us throughout this series are Tripwire and Snort.
Before installing Tripwire, let me walk you through the whole logical process of installing, configuring and using it.
To understand that process, have a look at the points below, which are courtesy of the Red Hat installation guide. They give a brief but clear picture of how one should go about installing and using Tripwire.
(1) Install Tripwire and tweak the POLICY file for your respective system.
(2) Initialize the Tripwire database.
(3) Run the Tripwire Integrity check as and when needed.
(4) Examine the Tripwire Report file.
(5) Check for changes in File System and take appropriate action.
(6) Ask whether your existing configuration let you conduct a proper postmortem according to your POLICY file. If not, edit the POLICY file and update the file signature database so that it reflects the changes you made.
Installation and configuration of Tripwire
Tripwire works by checking the integrity of the existing file system against a baseline. It compares the current state of the file system with a baseline database that you created earlier and that is signed with a local key, protected by a passphrase you chose when the keys were generated at installation time. This signed database holds the recorded properties (permissions, ownership, sizes, timestamps and cryptographic hashes, as selected by your POLICY file) of the system files, system binaries and other important files and directories you want to protect. You would normally create the baseline when you are sure the security of the system has not been breached, e.g. right after OS installation: if the machine was already compromised, the snapshot faithfully records the compromised state as "good". In general terms this baseline is a snapshot taken by Tripwire according to the rules in your POLICY file. As mentioned earlier, this is a simple two-step procedure: first you install the binaries on the machine, then you create the snapshot.
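The six steps listed above, and the baseline creation described in this paragraph, as an added shell example. This is not code from the original article or from the Tripwire project: it assumes the Open Source Tripwire command-line tools (twadmin, tripwire, twprint) and a Red Hat style layout under /etc/tripwire and /var/lib/tripwire. The TW_* variables, the function names, the TW_DRY_RUN switch and the minimal policy and configuration it writes are my own constructions; tune the policy paths to your system before compiling it.

```shell
#!/bin/sh
# Added example, not from the article or the Tripwire project: the six-step
# Tripwire workflow as shell functions.  Assumes the Open Source Tripwire
# tools and a Red Hat style layout; override paths via the TW_* variables.
# With TW_DRY_RUN=1 each step prints the command it would run instead of
# executing it, so the sequence can be reviewed on a box without Tripwire.

TW_ETC=${TW_ETC:-/etc/tripwire}
TW_DB_DIR=${TW_DB_DIR:-/var/lib/tripwire}
TW_HOST=${TW_HOST:-$(hostname 2>/dev/null || echo localhost)}
TW_SITE_KEY="$TW_ETC/site.key"
TW_LOCAL_KEY="$TW_ETC/$TW_HOST-local.key"
TW_CFG_TXT="$TW_ETC/twcfg.txt"     # clear-text config, compiled into tw.cfg
TW_CFG="$TW_ETC/tw.cfg"
TW_POL_TXT="$TW_ETC/twpol.txt"     # clear-text policy, compiled into tw.pol

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${TW_DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Clear-text configuration: where the signed policy, database, reports and
# keys live.  $(HOSTNAME) and $(DATE) are expanded by Tripwire, not the shell.
write_config() {
    cat > "$TW_CFG_TXT" <<EOF
ROOT                   =/usr/sbin
POLFILE                =$TW_ETC/tw.pol
DBFILE                 =$TW_DB_DIR/\$(HOSTNAME).twd
REPORTFILE             =$TW_DB_DIR/report/\$(HOSTNAME)-\$(DATE).twr
SITEKEYFILE            =$TW_SITE_KEY
LOCALKEYFILE           =$TW_ETC/\$(HOSTNAME)-local.key
REPORTLEVEL            =3
EOF
}

# Minimal clear-text policy (step 1).  Each rule maps paths to a property
# mask; $(ReadOnly), $(Growing) and $(IgnoreNone) are Tripwire's built-ins.
write_policy() {
    cat > "$TW_POL_TXT" <<EOF
@@section GLOBAL
TWBIN=/usr/sbin;
TWETC=$TW_ETC;
HOSTNAME=$TW_HOST;

@@section FS
SEC_BIN    = \$(ReadOnly) ;        # binaries: any change at all is suspicious
SEC_CONFIG = \$(IgnoreNone)-SHa ;  # configs: everything but access time and the slow hashes
SEC_LOG    = \$(Growing) ;         # logs: may grow, must never shrink

(rulename = "Tripwire itself", severity = 100)
{
  \$(TWBIN)/tripwire                -> \$(SEC_BIN) ;
  \$(TWBIN)/twadmin                 -> \$(SEC_BIN) ;
  \$(TWETC)/tw.pol                  -> \$(SEC_BIN) ;
  \$(TWETC)/tw.cfg                  -> \$(SEC_BIN) ;
  \$(TWETC)/site.key                -> \$(SEC_BIN) ;
  \$(TWETC)/\$(HOSTNAME)-local.key  -> \$(SEC_BIN) ;
}

(rulename = "System binaries", severity = 100)
{
  /bin      -> \$(SEC_BIN) ;
  /sbin     -> \$(SEC_BIN) ;
  /usr/bin  -> \$(SEC_BIN) ;
  /usr/sbin -> \$(SEC_BIN) ;
}

(rulename = "Configuration and logs", severity = 66)
{
  /etc       -> \$(SEC_CONFIG) ;
  !/etc/mtab ;                     # rewritten on every mount; not worth the noise
  /var/log   -> \$(SEC_LOG) ;
}
EOF
}

# Step 1 (continued): generate the site and local keys (you are prompted for
# both passphrases), then sign the config and policy with the site key.
tw_setup() {
    run twadmin --generate-keys --site-keyfile "$TW_SITE_KEY" --local-keyfile "$TW_LOCAL_KEY"
    run twadmin --create-cfgfile --cfgfile "$TW_CFG" --site-keyfile "$TW_SITE_KEY" "$TW_CFG_TXT"
    run twadmin --create-polfile --cfgfile "$TW_CFG" --site-keyfile "$TW_SITE_KEY" "$TW_POL_TXT"
}
# Step 2: take the baseline; the database is signed with the local key.
tw_init() { run tripwire --init --cfgfile "$TW_CFG"; }
# Step 3: integrity check against the baseline; writes a signed report.
tw_check() { run tripwire --check --cfgfile "$TW_CFG"; }
# Step 4: print a report (path produced by step 3) in clear text.
tw_report() { run twprint --print-report --cfgfile "$TW_CFG" --twrfile "$1"; }
# Step 5: after reviewing, fold the legitimate changes into the database.
tw_update_db() { run tripwire --update --cfgfile "$TW_CFG" --twrfile "$1"; }
# Step 6: re-sign an edited policy and rebuild the database against it.
tw_update_policy() { run tripwire --update-policy --cfgfile "$TW_CFG" "$TW_POL_TXT"; }

# Bootstrap (steps 1 and 2) only when asked, so sourcing this file is harmless.
if [ "${TW_BOOTSTRAP:-0}" = "1" ]; then
    write_config && write_policy && tw_setup && tw_init
fi
```

Run it as root with `TW_BOOTSTRAP=1 sh tripwire-setup.sh` on a freshly installed box to produce the signed baseline; afterwards `tw_check` belongs in cron, and `tw_report`, `tw_update_db` and `tw_update_policy` are what you reach for when a report shows changes. Note that the "Tripwire itself" rule covers the signed policy, config and key files: if an attacker replaces those, the next check is worthless, so a change there should be treated as a violation, not as noise.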