Tripwire is a reliable intrusion detection system. It is a software tool that checks to see what has changed in your system. It mainly monitors the key attribute of your files; by key attribute we mean the binary signature, size and other related data. Security and operational stability must go hand in hand; if the user does not have control over the various operations taking place, then naturally the security of the system is also compromised. Tripwire has a powerful feature which pinpoints the changes that has taken place, notifies the administrator of these changes, determines the nature of the changes and provide you with information you need for deciding how to manage the change. Tripwire Integrity management solutions monitor changes to vital system and configuration files. Any changes that occur are compared to a snapshot of the established good baseline. The software detects the changes, notifies the staff and enables rapid recovery and remedy for changes. All Tripwire installation can be centrally managed. Tripwire software’s cross platform functionality enables you to manage thousands of devices across your infrastructure. Security not only means protecting your system against various attacks but also means taking quick and decisive actions when your system is attacked. First of all we must find out whether our system is attacked or not, earlier system logs are certainly handy. You can see evidences of password guessing and other suspicious activities. Logs are ideal for tracing steps of the cracker as he tries to penetrate into the system. But who has the time and the patience to examine the logs on a daily basis??

1. By
P.BALAKRISHNA
07071A0531

2.  Security needs for large clusters may be divided into two broad
areas:
• Security systems aimed at avoiding unauthorized access to a
network.
• Security systems whose target is the detection of unauthorized
accesses.
 Tripwire is a free software tool included in the second group.
 It monitors computers’ file systems to discover any modification
of the stored directories and files detecting any unauthorized
access as soon as possible. In short,
 Tripwire’s main goal is "information integrity checking".

3. FLOWCHART OF TRIPWIRE

4. IMPLEMENTATION

5.  Install Tripwire and customize the policy file
 If not already done, install the tripwire RPM or download
source from www.tripwire.org.
1. Customize configuration file(/etc/tripwire/twcfg.txt).
2. Customize Policy file: /etc/tripwire/twpol.txt.
3. Run the Configuration Script(/etc/tripwire/twinstall.sh).
# twinstall.sh

6.  Tripwire builds a collection of file system objects
 This database serves as the baseline for integrity checks.
 To initialize the Tripwire database, use the following
command:
# tripwire –init
 The /var/lib/tripwire directory contains the Tripwire
database of your system's files(*.twd)

7.  Compares the current, actual file system objects with their
properties as recorded in its database.
 Violations are printed to standard output and saved in a
report file.
 To run an integrity check, use the following command:
# tripwire --check

8.  Command for printing Tripwire reports
# twprint -m r
The above command will display all tripwire reports.
 To print a particular Tripwire report use the following
command:
# twprint -m r --twrfile
/var/lib/tripwire/report/<name>.twr

9.  Maintain backup drive and external data storage.

10.  Security breaches or authorized modifications
 If it is authorized modification then update the database
 If it is security breach then restore the original file from a
backup or reinstall the program.
 The command to be used after integrity check to update the
database is
# tripwire --update --twrfile
/var/lib/tripwire/report/<name>.twr

11.  To change the files Tripwire records in its database, you
need to edit the Tripwire policy file.
 First make necessary changes to sample policy file by using
the command
# /etc/smb.conf -> $(SEC_CONFIG);
 Next, you must tell Tripwire to generate a new
/etc/tripwire/tw.pol signed file using the command
# twadmin --create-polfile -S site.key
/etc/tripwire/twpol.txt

12.  The text file with the configuration file changes (commonly
/etc/tripwire/twcfg.txt) must be signed to replace the
/etc/tripwire/tw.cfg.
 If your altered configuration text file is
/etc/tripwire/twcfg.txt, type this command to sign it,
replacing the current /etc/tripwire/tw.pol file:
# twadmin --create-cfgfile -S site.key
/etc/tripwire/twcfg.txt

13.  You can run a Tripwire integrity check daily by inserting the
following commands in the script /etc/cron.daily/tripwire-
check:
#!/bin/sh
HOST_NAME=`uname -n`
if [ ! -e /var/lib/tripwire/${HOST_NAME}.twd ]; then
echo "Error: Tripwire database for ${HOST_NAME} not found"
echo "Run "/etc/tripwire/twinstall.sh" and/or "tripwire --init""
else
test -f /etc/tripwire/tw.cfg && /usr/sbin/tripwire --check
fi

14.  Tripwire can email someone if a specific type of rule in the
policy file is violated.
 It can be done using emailto= line to the rule directive
section of each rule.
 To make sure that Tripwire's email notification configuration
can actually send email correctly, use the following
command:
/usr/sbin/tripwire --test --email akadia-
adm@akadia.com

15. THANK YOU

16. QUERIES..?