Tripwire: Detecting Modified Files

Tripwire's basic approach is fairly straightforward: The program scans important system directories and stores vital information about the files it finds in a database. This information includes file timestamps, ownership and permissions, the file size, and one or more checksums (cryptographic hashes that change if any byte in the file is altered, so that an attacker can't preserve a file's size and dates while changing its contents). Once this database is in place, it serves as the reference. You can run Tripwire automatically on a regular basis from a cron job or manually whenever you feel it's appropriate. On these subsequent runs, the program recomputes the same information for every file covered by its policy and compares it with the stored values. If the new data doesn't match the stored data, Tripwire raises an alarm: the files have been altered, added, or removed.

For instance, suppose you configure Tripwire to run once a day from a cron job. If an intruder breaks into your system and replaces critical binaries such as login or ls with trojaned versions, the next run will detect the changed checksums and can send you an e-mail or otherwise notify you of the problem. The window between the intrusion and your becoming aware of it is therefore bounded by the run interval (a day in this example), which limits the period during which the cracker can do further damage undetected. Tripwire is a detection tool, though, not a prevention tool: it tells you that a file changed, not who changed it or what else the intruder did.

Unfortunately, life isn't quite as easy as I've just described. The problem is this: An intruder who can replace critical system files usually has root privileges, and can therefore also alter Tripwire's own files. For instance, the intruder could update Tripwire's database so that it reflects the modified files, or edit the policy so that the replaced binaries are no longer checked. Several possible defenses against such actions exist. One that's very popular, and that's described in the coming sections, is cryptographic protection of the database and policy: Tripwire signs these files with keys that are unlocked by a passphrase, so the program can read and verify them at any time, but nobody can write a new, valid copy without the passphrase. An intruder who simply edits the database then breaks its signature, and the next check reports the database itself as tampered with. Another option is to store the database on a read-only medium, ideally one that's physically impossible to write, such as a CD-R disc in a CD-ROM drive. In both of these cases, of course, an intruder with root access could still replace the Tripwire executable, its key files, or the cron job that runs it, and a passphrase that's stored on the system in a script is no protection at all. Therefore, you may want to keep known-good copies of the Tripwire binary and keys offline and check the installed copies against them with other tools.
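The following is an added illustration of the two mechanisms described above, a baseline-and-compare checker and a passphrase-protected database; it is example code written for this page, not Tripwire's own code or database format. It stands in for Tripwire's signed database with an HMAC keyed from a passphrase, and the watched directory, file names, and passphrase are constructed for the demonstration. The scenario in demo() replaces a "binary" with a same-size trojan and resets its mtime, so only the hash reveals the change, and then edits the stored baseline to match, which breaks the tag.

```python
"""Minimal Tripwire-style integrity checker (added example, not Tripwire code).

Baseline: per file, record size, mode, mtime and a SHA-256 digest.
Check: recompute and diff against the baseline.
The baseline is serialised as JSON and protected with an HMAC keyed from a
passphrase, standing in for Tripwire's passphrase-protected signing keys.
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile

HASH_CHUNK = 1 << 16


def file_record(path):
    """Metadata plus digest for one file: the 'vital information' stored per file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(HASH_CHUNK), b""):
                h.update(chunk)
    return {"size": st.st_size, "mode": st.st_mode,
            "mtime": int(st.st_mtime), "sha256": h.hexdigest()}


def build_baseline(roots):
    """Scan the watched directories and return {path: record}."""
    db = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                db[p] = file_record(p)
    return db


def _tag(payload, passphrase):
    """HMAC over the canonical JSON of the database, keyed from the passphrase."""
    key = hashlib.sha256(passphrase.encode()).digest()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def save_baseline(db, db_path, passphrase):
    """Write the baseline together with its tag (only someone with the passphrase can)."""
    payload = json.dumps(db, sort_keys=True).encode()
    with open(db_path, "w") as f:
        json.dump({"tag": _tag(payload, passphrase), "db": db}, f)


def load_baseline(db_path, passphrase):
    """Verify the tag before trusting the stored baseline; raise on tampering."""
    with open(db_path) as f:
        wrapper = json.load(f)
    payload = json.dumps(wrapper["db"], sort_keys=True).encode()
    if not hmac.compare_digest(_tag(payload, passphrase), wrapper["tag"]):
        raise ValueError("baseline tag mismatch: database altered or wrong passphrase")
    return wrapper["db"]


def compare(baseline, current):
    """Return sorted (added, removed, modified) path lists."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return added, removed, modified


def demo():
    """Constructed scenario: baseline, a 'replaced binary', then a tampered database."""
    with tempfile.TemporaryDirectory() as tmp:
        sbin = os.path.join(tmp, "sbin")
        os.mkdir(sbin)
        target = os.path.join(sbin, "login")          # hypothetical watched binary
        with open(target, "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/real-login \"$@\"\n")
        db_path = os.path.join(tmp, "tripwire.db")
        passphrase = "constructed-demo-passphrase"
        save_baseline(build_baseline([sbin]), db_path, passphrase)

        # Intruder swaps in a same-length trojan and restores the old mtime,
        # so size and timestamp still match; only the digest gives it away.
        st = os.stat(target)
        with open(target, "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/evil-login \"$@\"\n")
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
        added, removed, modified = compare(load_baseline(db_path, passphrase),
                                           build_baseline([sbin]))

        # Intruder then edits the stored baseline to match the trojan.
        with open(db_path) as f:
            wrapper = json.load(f)
        wrapper["db"][target] = file_record(target)
        with open(db_path, "w") as f:
            json.dump(wrapper, f)
        try:
            load_baseline(db_path, passphrase)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return {"added": added, "removed": removed,
                "modified": [os.path.relpath(p, tmp) for p in modified],
                "tamper_detected": tamper_detected}
```

Two points the toy version leaves out that Tripwire gets right: Tripwire also records the inode change time (ctime), which an intruder can't reset with utime the way mtime can, and it uses public-key signatures under separate site and local keys rather than a single HMAC secret, so the passphrase never needs to be present on the monitored host except when you deliberately update the database.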
