Use Tripwire to alert you to compromised files or verify file integrity in the event of a compromise.
tool that can help you detect intrusions on a host and also ascertain
what happened after the fact is
Tripwire is part of a
class of tools known as file integrity
checkers, which can detect the presence of important
changed files on your systems. This
is desirable because intruders who have gained access to a system
will often install what’s known as a root
in an attempt to both cover their tracks and maintain access to the
system. A root kit usually
accomplishes this by modifying key operating system utilities such as
ls, and other programs
that could give away the presence of a backdoor program. This usually means that these programs will
be patched to not report that a certain process is active or that
certain files exist on the system.
Attackers could also modify the system’s
md5sum) to report correct checksums for all the
binaries that they have replaced.
Since using MD5 checksums is usually one of the primary
ways to verify whether a file has been modified, it should be clear
that something else is sorely needed.
This is where
comes in handy. It stores a
snapshot of your files in a known state, so you can periodically
compare the files against the snapshot to discover
discrepancies. With this snapshot,