Monitoring for Intrusion with Tripwire

Although being on the lookout for suspicious events and configurations is always advisable, this approach is far from guaranteed to detect a break-in. A skilled or lucky cracker may be able to change your system in a subtle enough way that you'd be unlikely to notice the damage, and use few enough system resources that you wouldn't notice a degradation in performance. For this reason, tools exist to systematically scan your system for compromised components. One of the most popular of these tools is Tripwire (http://www.tripwire.org). This program is designed to detect modifications to files and directories and to alert you to these changes.

As a security tool, Tripwire must attend to various security issues that greatly complicate its design and configuration. Deciding which files to monitor is also important. For these reasons, configuring and running Tripwire takes more effort than you might at first think. Modifying the configuration as you update your system also takes special effort. Despite these problems, using Tripwire is advisable, particularly on high-profile systems that are exposed directly to the Internet.
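As an added illustration (not Tripwire's code, policy language or database format, and not from the original article), the sketch below shows the general baseline-and-compare technique behind detecting file and directory modifications. The function names and the HMAC seal on the baseline are assumptions made for this example; the seal reflects one of the security issues such a tool must handle, because an intruder who can rewrite the baseline can hide changes.

```python
import hashlib, hmac, json, os, stat

def snapshot(root):
    """Record content hash and ownership/permission data for everything under root."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: describe a symlink itself, never its target
            digest = ""
            if stat.S_ISREG(st.st_mode):
                h = hashlib.sha256()
                with open(path, "rb") as f:
                    for chunk in iter(lambda: f.read(65536), b""):
                        h.update(chunk)
                digest = h.hexdigest()
            # st_mode carries file type plus permission bits (setuid included)
            db[os.path.relpath(path, root)] = [digest, st.st_mode, st.st_uid, st.st_gid]
    return db

def _tag(db, key):
    body = json.dumps(db, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def seal(db, key):
    """Serialize the baseline with an HMAC so later tampering is detectable."""
    return json.dumps({"db": db, "tag": _tag(db, key)})

def unseal(blob, key):
    """Return the baseline only if its HMAC verifies under key."""
    doc = json.loads(blob)
    if not hmac.compare_digest(_tag(doc["db"], key), doc["tag"]):
        raise ValueError("baseline failed authentication; do not trust it")
    return doc["db"]

def compare(baseline, current):
    """Report paths added, removed, or changed since the baseline."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }
```

In practice the key and the sealed baseline would be kept somewhere the monitored host cannot write to, and the baseline would be regenerated and resealed after each legitimate system update.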
