Tripwire policy suggestions

security linux tripwire

Solution 1:

I think your assumptions are okay.

There is nothing interesting in proc to watch for, and they change every time. /dev is also a good question. I used to have that line, but now with udev I am not so sure.

You still have this line, do you?

/var -> $(SEC_INVARIANT) (recurse = 0) ;

My real problem with tripwire is, that it requires regular attention to keep it up-to-date. When I had the time it worked great, but not anymore.

Maybe it is worth to take a look at Samhain. It only reports once then learns the changes. It has other great features (maybe I will extend this later).

Solution 2:

You know that tripwire open source is outdated and not supported anymore? Plus, its configuration is a pain and it has no centralized support.

The recommended integrity monitors that are open source, with centralized support and actively maintained are:

-OSSEC - https://ossec.github.io/

-Samhain - http://www.la-samhna.de/samhain/

-Osiris - http://osiris.shmoo.com/

I am specially a fan of OSSEC, which is the simplest,easiest to use... But try them all and see if you like.

Related

Openldap error: alock package is unstable
Is there a simple phpBB alternative? [closed]
SpinRite and USB blues - does a solution exist?
Why re-initiate the DbContext when using the Entity Framework?
Why don't we see more routing attacks?
ASP.Net MVC 4 Form with 2 submit buttons/actions
Passing a matplotlib figure to HTML (flask)
PrintWriter vs FileWriter in Java
KVO vs NSNotification vs protocol/delegates?
Curl not recognized as an internal or external command, operable program or batch file
How to convert NSDate in to relative format as "Today","Yesterday","a week ago","a month ago","a year ago"?
Why are malloc() and printf() said as non-reentrant?