Linux Security HOWTO : Files and Filesystem Security : Integrity Checking
Previous: File Permissions
Next: Trojan Horses

5.3. Integrity Checking

Another very good way to detect local (and also network) attacks on your system is to run an integrity checker like Tripwire, Aide or Osiris. These integrity checkers compute a number of checksums over all your important binaries and config files and compare them against a database of former, known-good values kept as a reference. Thus, any change to those files will be flagged.
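To make the mechanism concrete, here is a small integrity checker of the same shape, written as an added example for this section; it is not the code of Tripwire, Aide or Osiris, and the directory layout, file names and the "known-good" baseline it builds are all constructed for the demonstration. It records a SHA-256 hash plus size, permission bits and ownership for every file under the paths you name, saves that as the reference database, and later reports which files were added, removed or changed, and for a changed file which attribute differs. The ignore list addresses the noise problem mentioned later in this section: files you know change all the time can be excluded so real tampering stands out.

```python
"""Minimal host integrity checker in the spirit of Tripwire/AIDE: record a
baseline of hashes and metadata for important files, then compare the live
filesystem against it and report what changed and why.
(Added example; not the code of Tripwire, AIDE or Osiris.)"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path):
    """Attributes tracked per file: SHA-256 of the content, size, permission
    bits and ownership. A change in any one of them is reported."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}


def build_baseline(tops):
    """Walk each file or directory in `tops` and record every regular file
    (symlinks themselves are skipped)."""
    db = {}
    for top in map(Path, tops):
        entries = [top] if top.is_file() else top.rglob("*")
        for p in entries:
            if p.is_file() and not p.is_symlink():
                db[str(p)] = file_record(p)
    return db


def save_baseline(db, dest):
    Path(dest).write_text(json.dumps(db, indent=1, sort_keys=True))


def load_baseline(src):
    return json.loads(Path(src).read_text())


def compare(baseline, current, ignore=()):
    """Diff two snapshots. Returns added/removed paths and, for each changed
    file, the attributes that differ. Paths in `ignore` (files expected to
    change legitimately, e.g. a mount table) are left out of the report."""
    ignore = set(map(str, ignore))
    report = {"added": [], "removed": [], "changed": {}}
    for path, old in baseline.items():
        if path in ignore:
            continue
        new = current.get(path)
        if new is None:
            report["removed"].append(path)
            continue
        diffs = sorted(k for k in old if old[k] != new.get(k))
        if diffs:
            report["changed"][path] = diffs
    report["added"] = sorted(p for p in current if p not in baseline and p not in ignore)
    report["removed"].sort()
    return report


def demo():
    """Constructed scenario (hypothetical files in a temp dir): take a
    baseline, then simulate four kinds of change plus one expected change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho original\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho ps\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "motd").write_text("welcome\n")
        (root / "etc" / "mtab").write_text("mount table v1\n")
        watched = [root / "bin", root / "etc"]
        dbfile = root / "baseline.json"          # in practice: read-only media
        save_baseline(build_baseline(watched), dbfile)

        # Simulated drift after the baseline was taken:
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho modified\n")  # same size, new content
        os.chmod(root / "bin" / "ps", 0o4755)                              # setuid bit appeared
        (root / "etc" / "motd").unlink()                                   # file removed
        (root / "etc" / "rc.local").write_text("added later\n")            # new file appeared
        (root / "etc" / "mtab").write_text("mount table v2\n")             # expected change

        report = compare(load_baseline(dbfile), build_baseline(watched),
                         ignore=[root / "etc" / "mtab"])
        rel = lambda p: os.path.relpath(p, tmp)  # strip the temp prefix
        return {"added": [rel(p) for p in report["added"]],
                "removed": [rel(p) for p in report["removed"]],
                "changed": {rel(p): v for p, v in report["changed"].items()}}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Note that the replaced `bin/ls` keeps its original size, so only the checksum reveals it, which is why size or timestamp alone is not enough. The baseline file is written next to the watched tree here only for the demonstration; as the section says, the reference database belongs on media the intruder cannot write.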

It's a good idea to install these sorts of programs onto a floppy, and then physically set the write protect on the floppy. This way intruders can't tamper with the integrity checker itself or change the database. Once you have something like this set up, it's a good idea to run it as part of your normal security administration duties to see if anything has changed.

You can even add a crontab entry to run the checker from your floppy every night and mail you the results in the morning. Something like:

		# set mailto (cron sends each job's output to this user)
		MAILTO=kevin
		# run Tripwire at 05:15 every day; the "root" column means this is the
		# system crontab (/etc/crontab) format, which carries a user field
		15 05 * * * root /usr/local/adm/tcheck/tripwire
will mail you a report each morning at 5:15 am.

Integrity checkers can be a godsend for detecting intruders before you would otherwise notice them. Since a lot of files change on the average system, you have to be careful to distinguish cracker activity from your own doing.

You can find the open-source version of Tripwire at http://www.tripwire.org, free of charge. Manuals and support can be purchased.

Aide can be found at http://www.cs.tut.fi/~rammer/aide.html.

Osiris can be found at http://www.shmoo.com/osiris/.
