How to catch Linux system intruders

twadmin -m P twpol.txt

You will be asked for your passphrase again before the encrypted file can be generated. And that's all the configuration you need. The next step is to type 'Tripwire --init' to start building the database from the locations specified in your configuration file. The time this takes is dependent on how many directories and files need to be scanned, but expect to wait long enough for the kettle to boil and the tea to stew.

When you come back to the screen, you'll probably see some error messages as Tripwire complains about directories specified in the configuration file that don't exist. You can safely ignore these. Tripwire is now ready to defend your system.

Testing your current file system against the copy held in the Tripwire database is as simple as typing 'Tripwire --check'. After a few minutes, Tripwire will start to report any detected changes. As an experiment, try editing one of the files covered by your policy.

You could add a new group, for example, or change a user's password. Either of these actions will change a configuration file, making it different from the one held in the Tripwire database. The generated report will include a useful table, so that you can see exactly what has changed and what kind of severity the issue has raised. Below the table, the output goes into greater detail. Here's a snippet from Tripwire's output if you change a password:

Rule Name: Security Control (/etc/shadow)
Severity Level : 66

You can see the rule name under which the password files fall under (shadow is the encrypted file used to store passwords), and you can also see the severity for the issue. At a security level of 66, it's less severe than a change detected in the boot files and modules directories, but it's still notable. Because the output from Tripwire is quite detailed, you can decide for yourself the likelihood of a compromised system. The output is stored in an encrypted form in the '/var/lib/ Tripwire/report' directory, and if you take a look at it, you can see a file for every report you've run.

If you want to make any discovered changes permanent and flag them as acceptable, type 'Tripwire --update -r hostnamereport. twr', inserting the name of the report you want to edit instead of our placeholder. This will decrypt the report's contents into a Vim editing session (as set in one of the configuration files). Instructions are embedded within the file, but you generally just need to remove an 'x' from the files you want to update.

Quitting the editor will run the scan again, with your changes added. With everything running correctly, you might want to schedule a regular time interval for Tripwire checks. Running a check at least once every 24 hours is recommended, but this all depends on the vulnerability of your system. If you know that your system has security issues, try running Tripwire once every few hours. As long as you check the reports, you can be completely certain that your system hasn't been compromised.

Update: removed incorrect space in wadmin -m G -S /etc/Tripwire/site.key. Apologies! - Ed.