
Tripwire is a tool for detecting changes in files due to corruption or tampering. You can find the full Tripwire package at the COAST Archive at Purdue University (ftp://coast.cs.purdue.edu/pub/COAST/Tripwire/). Tripwire is now a commercial product. Gene Kim, co-creator of the (semi-)free Tripwire from Purdue, is now running Tripwire Security Inc.
You can get RPMs (packages) of the sources and of a precompiled package. These are the last "free" versions.
I no longer recommend Tripwire. I prefer a couple of copies of
a well-tested, write-protected, comprehensive backup (on tape or
burned into a CD-ROM). This can be used, with a good, write-protected
boot/root "rescue" diskette, as an excellent integrity
auditing system. Just use a command like:
tar dzf /dev/st0
... to perform an audit. The GNU tar d
or --diff option will report any discrepancies
between your base/reference system (the backup) and the current
system files (including differences in ownership and permissions).
You'll also have an obvious means of recovery at hand.
Of course you should create this "initial system
reference backup" immediately after your initial program
load (IPL: OS installation) and basic configuration. It should
include everything except /proc and /dev/pts (dynamic
filesystems). I suggest a command like:
tar cvfzSl /dev/nst0 / /usr ...
... to create your backup(s) (keep a couple of them).
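The create-then-audit procedure above, run on a scratch directory, as an added example that is not part of the original article (it assumes GNU tar, and every path and file in it is constructed). It spells out the long option --one-file-system because current GNU tar gives -l a different meaning (--check-links), and it goes one step beyond the text by listing files created after the reference was taken, which tar --diff does not report because it only visits archive members.

```shell
# Added example; requires GNU tar. Every path and file below is constructed.
export LC_ALL=C   # stable sort order and untranslated tar messages

# Archive tree $1 into reference archive $2, staying on one filesystem.
make_reference() {
    tar --create --gzip --sparse --one-file-system --file "$2" -C "$1" .
}

# Compare tree $1 with archive $2: prints tar's discrepancy lines,
# returns 0 when the tree matches and 1 when anything differs.
audit() {
    if report=$(tar --diff --gzip --file "$2" -C "$1" 2>&1); then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# tar --diff only visits archive members, so files added since the
# reference was taken need a separate pass: names on disk but not in $2.
unexpected_files() {
    tar --list --gzip --file "$2" | sed 's:/$::' | sort > "$2.members"
    (cd "$1" && find . | sort) | comm -13 "$2.members" -
    rm -f "$2.members"
}

# Build a scratch "system", take the reference, then simulate changes.
work=$(mktemp -d)
mkdir -p "$work/root/etc" "$work/root/bin"
printf 'root:x:0:0::/root:/bin/sh\n' > "$work/root/etc/passwd"
printf 'welcome\n' > "$work/root/etc/motd"
printf '#!/bin/sh\n' > "$work/root/bin/tool"
chmod 755 "$work/root/bin/tool"
make_reference "$work/root" "$work/reference.tar.gz"

printf 'extra:x:1001:1001::/tmp:/bin/sh\n' >> "$work/root/etc/passwd"  # content
chmod 777 "$work/root/bin/tool"                                        # mode
rm "$work/root/etc/motd"                                               # deletion
: > "$work/root/bin/.added"                                            # new file

echo "== discrepancies against the reference =="
audit "$work/root" "$work/reference.tar.gz" || true
echo "== files not in the reference =="
unexpected_files "$work/root" "$work/reference.tar.gz"
echo "scratch tree left in $work"
```

On a real system the reference archive and the tar binary used for the audit should come from the write-protected media the text describes, not from the disk being audited.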
The c, v, and f
options to GNU tar should be familiar to all
Linux sysadmins. The other options are: