I set it up on a system. The end user configures it to watch certain
directories and/or files. Then runs it an initial time to get a signature for
Tripwire to compare future checks with. The next time it is run it runs through
its config and rechecks those folders/files and reports any changes. It's up to
the end user to determine why those things changed and determine if it means
they got hacked.
> > > > If I recall, someone listed a command that would verify and list any
> > > > binaries that had changed - does anyone know what the command was?
> > >
> > > It depends on the distribution. On Red Hat systems, try ``rpm --verify''.
> >
> > That should work for any rpm-based dist, right?
>
> Right.
>
> > It'll cover anything installed from the package management system,
> > but will miss the stuff installed from tarballs, etc.
>
> Right again.
>
> > Craig might be looking for tripwire, though. I think there's an Open
> > Source package on Source Forge that does the same stuff as tripwire.
> >
> > I don't see a similar option for dpkg or apt-get. The /usr/ports stuff
> > would have to use something similar to tripwire.
>
> Can someone give me a brief primer on how tripwire is implemented? I
> read somewhere recently that it uses a kernel module on linux and
> basically watches for open() calls (where write access is requested)
> on specific system files. Is this right or not?
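The baseline-then-recheck cycle described at the top of this message, written out as an added example that is not part of the thread and is not Tripwire's own code: a small Python file-integrity checker that records a SHA-256 hash plus size, mode and mtime for every watched file, stores that baseline as JSON, and on the next run reports which paths were added, removed or modified. The watched tree and the tampering are constructed inside `demo()`; the function and file names are assumptions made for the example.

```python
"""Minimal Tripwire-style file integrity check (added example, not Tripwire's code).

Pass 1: walk the watched paths and record a signature (SHA-256, size, mode,
mtime) per file into a baseline file.  Pass 2: recompute the signatures and
report anything added, removed or modified.  Deciding *why* something changed
is still up to the operator, exactly as the reply above says.
"""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, Iterable, List


def file_signature(path: str) -> Dict[str, object]:
    """Content hash plus the metadata a tampered file is most likely to disturb."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "mtime": int(st.st_mtime),
    }


def build_baseline(watch: Iterable[str]) -> Dict[str, Dict[str, object]]:
    """Walk each watched file or directory and collect signatures keyed by path."""
    baseline: Dict[str, Dict[str, object]] = {}
    for root in watch:
        if os.path.isfile(root):
            baseline[root] = file_signature(root)
            continue
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                if os.path.islink(p):
                    continue  # symlinks are skipped here to keep the example short
                baseline[p] = file_signature(p)
    return baseline


def save_baseline(baseline: Dict[str, Dict[str, object]], path: str) -> None:
    """Persist the baseline; in real use keep this read-only or off-host."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, Dict[str, object]]:
    with open(path) as f:
        return json.load(f)


def compare(old: Dict[str, Dict[str, object]],
            new: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Report paths that appeared, disappeared, or whose signature changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        def write(rel: str, data: str) -> None:
            full = os.path.join(d, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(data)

        # Constructed sample files standing in for system files.
        write("etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        write("etc/hosts", "127.0.0.1 localhost\n")
        write("bin/ls", "not-really-a-binary\n")
        watch = [os.path.join(d, "etc"), os.path.join(d, "bin")]

        # Initial run: record the signatures.
        save_baseline(build_baseline(watch), os.path.join(d, "baseline.json"))

        # Simulated changes between runs: edit, delete, add.
        write("etc/passwd", "root:x:0:0:root:/root:/bin/sh\nevil:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(d, "etc", "hosts"))
        write("etc/shadow", "root:*:0:0:99999:7:::\n")

        # Second run: recompute and diff against the stored baseline.
        report = compare(load_baseline(os.path.join(d, "baseline.json")),
                         build_baseline(watch))
        rel = lambda p: os.path.relpath(p, d).replace(os.sep, "/")
        return {k: [rel(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things the example makes visible: the check is only as trustworthy as the stored baseline, so it has to live somewhere the same attacker cannot rewrite (read-only media, another host, or signed the way Tripwire signs its database); and this is a scheduled userspace scan that sees only the net difference between two runs, not a kernel hook that observes individual file opens.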