Open Source

Don't let others mine your data; guard it with Tripwire 2.0 for Linux

Keep a virtual eye on your valuable data—with Tripwire 2.0 for Linux standing watch. Sean McPherson gave it a go, and here's what he has to say.

Security should always be on your mind when it comes to important data. After all, you wouldn't consider it important if it weren’t worth something, would you? If your data matters, then Tripwire 2.0 for Linux might be worth checking out. I did, and I found quite a lot to like, although there are a few "gotchas" you should know about.

Tripwire has been available as an Internet download for years. Many UNIX/Linux admins have used it on servers as a security tool.

What is Tripwire?
The Tripwire introduction page describes Tripwire 2.0 as "a file system integrity checker for UNIX networks.” The idea behind the software is that if you have a database of checksums for the files on your server, you have the ability to detect intrusions or unauthorized changes. You can also monitor changes made to files by other software you have installed, which can be a lifesaver.

The test
I tested Tripwire 2.0 on a Celeron 400 with 128 MB and a 2.5-GB system disk. Although the software only requires a 486 and 32 MB of RAM, I knew the majority of today's users would be using a beefier machine.

My test PC is reasonable for both desktop/workstation use and small office servers. The machine has a “comfortable” install of RedHat 5.2, meaning that I installed about 500 MB of software both from the install CD and from the Internet. The intent was to create a machine with critical data as well as files and directories that users would be changing constantly. To me, this seemed a reasonable test environment.

The software’s initial installation was simple. I just mounted the CD and ran the included shell script. The script asked a few simple questions and set up the site keys that are used to cryptographically sign all databases and reports. Remembering these keys is vital, since without them you cannot create, update, or query the Tripwire databases.

After the installation is complete, you'll need to review the default policies, which determines the files and directories monitored by Tripwire. The policies are stored in an easily modified text format, and the documentation explains what each type of rule means and provides the proper syntax to use. These rules are very flexible, and they can be used to monitor file sizes, permissions, and modification times. Just edit the file and initialize the databases with your values. All errors will be displayed, allowing you to learn what problems might exist. But you’ll need the passphrase you configured at setup to update the databases (I TOLD you they were important!).

When you are satisfied with the rules you've written and your databases are loaded, all you need to do for a basic security audit is run the tripwire binary from a 'cron' or 'at' script on a regular basis. Tripwire will happily e-mail the results of a certain report. This feature is great for servers that have multiple administrators, each of whom is responsible for a specific group of files. One example might be a multipurpose server with both FTP and HTTP access. The FTP administrator would receive a custom report that only described files pertaining to the FTP site, while the Web administrator could be sent a different report for Web files.

As files change on the machine and reports are generated, you can open Tripwire in an interactive mode and add these changes to the database to prevent them from being reported again until the next time they change. This is a simple interface that basically runs as if you had opened the file in your default text editor, and it makes it easy to quickly confirm changes to the machine.

The “gotchas”
What kind of "gotchas" did I find? The one that stands out is the fact that all of the system documentation, including the user manual, is in PDF format. I may just be picky, but I have a LOT of headless UNIX servers and machines with a slimmed down install. XPDF or Adobe's Acrobat may not be installed. Is it too much to ask for a text version of the documentation? Oh, and just so you don't waste too much time, the version of pdftotext that's part of RedHat 5.2 mangled the file terribly when I tried that.

I did find it amusing that while the documentation required a PDF viewer, most of which run under X, the program itself is completely command line driven. I was hoping for some kind of GUI interface to make it a bit less daunting for users on a workstation or for admins who just like to point and click.

Aside from that, the software was easy to install, the documentation (while a bit hard to access, and VERY dry and technical) was complete and accurate, and the programs ran quickly and efficiently. Creating the databases took approximately five minutes, and after the third or fourth run, I had a firm grip on creating the rules. Reports can be created nearly instantly, and the disk usage for the whole shebang was under 10 MB.

Tripwire is also completely year 2000 compliant. Additionally, Tripwire Security Systems makes a version for the Windows NT platform.

Overall, I was very pleased with the Linux version’s ability to detect system changes. If the documentation can be made a bit more flavorful and easier to access in the next version, I expect even more people will add it to their personal set of required software tools used to protect important data.
Are you eager to try Tripwire 2.0? Or has another program caught your eye? Send us an e-mail and let us know.

Editor's Picks