Solved: Should I use Tripwire, and how difficult will it be to maintain?


CaffeineAddict

Hey guys, I noticed Tripwire mentioned several times here on the forums. So far I've been ignoring it, but I changed my mind and now I'm thinking of giving it a try.

If you're using Tripwire or know its use, how useful will it be to me as a regular desktop user, and how easy will it be to maintain its configuration?
Any other suggestions or tips are welcome.
 


Tripwire should be installed first on a base system. So unless you are planning to re-install the OS it is too late. It makes sense on a server, not a workstation. In my opinion this would be overkill.
Questions:
Server or workstation?
Do you have a hardened kernel?
Did you ever run a kernel hardening scan, and what was the result?
How often do you run lynis, and do you follow the provided suggestions to secure your system?
How often do you log in as root?
How permissive is your firewall?
Do you have ssh running, and how secured is it?
Do you have default services running that you don't use?

Before trying Tripwire, you must be certain that your system is secured. Then try Tripwire. I don't think that you will keep it though.
 
Server or workstation?
Workstation

Do you have a hardened kernel?
I guess not, I don't do any kernel modifications.

Did you ever run a kernel hardening scan, and what was the result?
No

How often do you run lynis, and do you follow the provided suggestions to secure your system?
Never ran lynis, don't know what it is, but I do plan to follow Debian's guide about securing the system at some point, from the link below:

How often do you log in as root?
Never, it's disabled.

How permissive is your firewall?
Restrictive, both outbound and inbound.

Do you have ssh running, and how secured is it?
No, I only use it for git commits and development.

Do you have default services running that you don't use?
I guess yes, I did not modify any service defaults; they're all at default since the OS install.

Tripwire should be installed first on a base system. So unless you are planning to re-install the OS it is too late. It makes sense on a server, not a workstation. In my opinion this would be overkill.
I see, thanks!

Before trying Tripwire, you must be certain that your system is secured. Then try Tripwire. I don't think that you will keep it though.
I'm 90% sure it's secure based on my computing habits; that's why I'm not sure if I need Tripwire.
 
I think the term "Tripwire" needs to be explained and defined as to what it is.

What I know as a Tripwire has nothing to do with computers or software.
 
I think the term "Tripwire" needs to be explained and defined as to what it is.

What I know as a Tripwire has nothing to do with computers or software.
I don't know what Tripwire is either.

It's used for system integrity; there is a commercial as well as an open-source alternative:

 
This is the GitHub page for Tripwire... it appears to be unmaintained.
It has not been updated since 2018.
Thanks, I really missed that; now there is no way I'll use it.

But now I also recall that on the Learn Linux TV channel the guy said something about Tripwire and the issues it may cause, but sadly I don't recall which video it was :(
 
FWIW, I have no AV etc. of any kind installed on any of my systems.

The best summary I have read re Linux and its built-in security... comes from:

and says:
Notice something missing on my desktop? There's no sign of an antivirus program. That's because I haven't had to use A/V software on any Linux desktop -- ever. There are Linux antivirus programs, such as Avast, Bitdefender, and ESET. I don't bother with them. Linux is orders of magnitude safer than Windows.

Oh, Linux isn't perfect. It has its own security problems, but the viruses and malware that constantly bedevil Windows users aren't among them. True, I run Avast on my Linux servers, but I do so to protect my Windows friends who get emails and store files on them, not to protect Linux.
Written by Steven Vaughan-Nichols, Senior Contributing Editor, July 26, 2024 at 4:52 a.m. PT
 
I DO have the firewall enabled. (Actually I have two... the default ufw takes care of the VPN I use, and firewalld takes care of the OS.)

I DO practise safe browsing.

I do not suffer from attacks of paranoia where I install every two-bit AV/clam etc. after reading the latest doom and gloom predictions.
I keep important data on its own drive. It is air gapped. That means it is disconnected after I have used it. Pull the USB plug out. Works every time.
 
@Condobloke
I'm no fan of any sort of anti-virus, but Tripwire is something different and sounds way more promising than AV because it requires human intervention.

I believe my own (or anyone's) intervention with Tripwire would produce better results than torturing system resources with an AV that does nothing when it comes to suspicious behaviours.

Yes, I also have a firewall (nftables), my safe computing habits are good, and my backup method is only an external HDD, but a firewall isn't enough; there is so much more to it.

I've discovered the debsums command and this might work well for integrity checking as well.
 
After some research and reading manuals I've come up with a solution; it consists of 3 tools:

  • debsums: verifies hashes of installed Debian packages
  • aide: is basically Tripwire but well maintained and much simpler to use; can be run manually or via a daemon
  • debsecan: downloads known CVEs for installed packages, which you can filter based on "fixed", "priority" etc.

Bash:
sudo apt install debsums aide debsecan
man debsums
man aide
man aide.conf
man debsecan
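To make concrete what debsums and aide actually do (hash every file once, then compare later and report what changed), here is a small POSIX sh baseline-and-compare script. It is an added example written for this thread, not code from debsums, aide or any poster; it assumes only find, sha256sum, awk and sort, and runs on a constructed temporary directory rather than on system files.

```shell
#!/bin/sh
# Added example, not part of the thread: a minimal file-integrity baseline
# in plain POSIX sh, showing the principle behind debsums and aide.
# Assumptions: find, sha256sum, awk, sort and mktemp are available.

# Record "<sha256>  <path>" for every regular file under $1, sorted by path
# so that two baselines of the same tree are directly comparable.
integrity_baseline() {
    dir=$1
    find "$dir" -type f -exec sha256sum {} + | LC_ALL=C sort -k 2
}

# Compare a saved baseline ($1) with the current state of a tree ($2).
# Prints one line per difference: ADDED/CHANGED/REMOVED <path>.
# (Paths containing whitespace are not handled; aide does handle them.)
integrity_check() {
    baseline=$1
    dir=$2
    current=$(mktemp)
    integrity_baseline "$dir" > "$current"
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         { cur[$2] = $1 }
         END {
             for (p in base) if (!(p in cur)) print "REMOVED " p
             for (p in cur)
                 if (!(p in base))          print "ADDED " p
                 else if (cur[p] != base[p]) print "CHANGED " p
         }' "$baseline" "$current" | LC_ALL=C sort
    rm -f "$current"
}

# Self-contained demo on a constructed tree: take a baseline, then simulate
# tampering (one file modified, one added, one removed) and report it.
# The temporary directory prefix is stripped so the output is stable.
integrity_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/bin"
    printf 'original\n' > "$work/tree/bin/tool"
    printf 'library\n'  > "$work/tree/bin/lib.so"
    integrity_baseline "$work/tree" > "$work/baseline.txt"

    printf 'trojaned\n' > "$work/tree/bin/tool"   # modified
    printf 'new\n'      > "$work/tree/bin/extra"  # added
    rm "$work/tree/bin/lib.so"                    # removed

    integrity_check "$work/baseline.txt" "$work/tree" | sed "s#$work/tree##"
    rm -rf "$work"
}

integrity_demo
```

The same idea scales to the aide.conf selection lines discussed later in the thread: the baseline must be taken on a tree you trust (a freshly installed system, or one whose packages debsums has just verified), and it must be stored somewhere an attacker who can modify the files cannot also modify (read-only media or a separate host), otherwise a tampered baseline simply hides tampered files.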
 
Based on your answers, I wouldn't bother. Any integrity scanning tool has an impact on resources (I/O). Also, security should not be a burden.
Finally, consider samhain, but it requires some skill to build.
Again, this may be too much for a workstation (integrity software, that is).
 
After some research and reading manuals I've come up with a solution; it consists of 3 tools:

  • debsums: verifies hashes of installed Debian packages
  • aide: is basically Tripwire but well maintained and much simpler to use; can be run manually or via a daemon
  • debsecan: downloads known CVEs for installed packages, which you can filter based on "fixed", "priority" etc.

Bash:
sudo apt install debsums aide debsecan
man debsums
man aide
man aide.conf
man debsecan
Another tool that may be worth considering is the auditd package. Audit is baked into the Linux kernel by default on all distros in my experience, and on this machine the kernel config shows this:
Code:
[tom@min ~]$ grep -i audit /boot/config-6.9.10-amd64
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_ARCH=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_DM_AUDIT=y
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
CONFIG_INTEGRITY_AUDIT=y

So the audit libraries such as the libaudit-common package are usually installed by default, but the audit daemon itself is not necessarily installed. The daemon is in the auditd package. It's Red Hat sponsored code, is in current maintenance and development, and is a default daemon in recent RHEL systems. There's a blurb here: https://www.redhat.com/sysadmin/configure-linux-auditing-auditd

It's capable of very fine-grained security monitoring. Whilst not in current use here, it was in use some years ago by another user to monitor some critical files that were being targeted from online, and it was flawless in its logs and information and enabled some measures to be taken successfully. Maybe worth a gander. YMMV.
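To show what the "fine-grained monitoring" looks like in practice, here is an added example (not from the thread or the linked Red Hat article) of the records a single auditd file-watch rule produces and how to pull the useful fields out of them. It assumes the standard auditctl rule syntax `-w /etc/passwd -p wa -k passwd-watch` (watch writes and attribute changes, tag events with the key passwd-watch); the three log records below are constructed for the example, not real captures, and the field layout follows the audit.log format. On a real system `ausearch -k passwd-watch` does this job against the live log.

```shell
#!/bin/sh
# Added example, not part of the thread: triage of auditd records for one
# file-watch key. Assumed rule (auditctl syntax, in /etc/audit/rules.d/):
#   -w /etc/passwd -p wa -k passwd-watch
# The records below are constructed sample lines in audit.log layout.
AUDIT_SAMPLE='type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 ppid=4100 pid=4123 auid=1000 uid=0 gid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="passwd-watch"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 comm="cron" exe="/usr/sbin/cron" key=(null)
type=SYSCALL msg=audit(1700000000.250:203): arch=c000003e syscall=257 success=no exit=-13 ppid=5000 pid=5001 auid=1001 uid=1001 gid=1001 euid=1001 comm="cat" exe="/usr/bin/cat" key="passwd-watch"'

# Read audit.log text on stdin and print "event_id auid exe success" for
# every SYSCALL record tagged with the given key. auid is the login UID,
# which survives su/sudo, so it tells you *who* acted even when uid=0;
# success=no records a denied attempt, which is often the interesting one.
audit_hits_for_key() {
    key=$1
    awk -v key="$key" '
        $1 == "type=SYSCALL" && index($0, "key=\"" key "\"") {
            # event id is the number after the colon in msg=audit(ts:id):
            match($2, /:[0-9]+\)/)
            id = substr($2, RSTART + 1, RLENGTH - 2)
            auid = ""; exe = ""; ok = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "auid")    auid = kv[2]
                if (kv[1] == "success") ok = kv[2]
                if (kv[1] == "exe")     { exe = kv[2]; gsub(/"/, "", exe) }
            }
            print id, auid, exe, ok
        }'
}

# Run the triage over the constructed sample.
audit_demo() {
    printf '%s\n' "$AUDIT_SAMPLE" | audit_hits_for_key passwd-watch
}

audit_demo
```

The PATH record with the same event id (201) carries the file name the SYSCALL record acted on, so a full triage joins the two on that id; the cron record is untagged (key=(null)) and is therefore skipped, which is exactly why rules should carry a key.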
 
Any integrity scanning tool has an impact on resources (I/O). Also, security should not be a burden.
Thanks, I already figured out it does take system resources, but I've set my aide.conf to only scan executables and shared libs:
Code:
/boot/* 0 R
/bin/* 0 R
/sbin/* 0 R
/lib/* 0 R
/opt/* 0 R
/usr/bin/* 0 R
/usr/sbin/* 0 R
/usr/lib/* 0 R
/usr/libexec/* 0 R

This is much faster than scanning the whole system.
Why on earth would somebody scan things like the Firefox cache and similar stuff that changes all the time, heh.

Finally, consider samhain, but it requires some skill to build.
Did notice it, but it appears too advanced for what I need; it seems more suitable for networks of computers.

@osprey
Thanks, didn't hear about this one, so I will take a look.
 
Based on your answers, I wouldn't bother.
I ignored this part because I'm happy with aide, but I see you know some stuff from your initial questions that doesn't all make sense to me, so if you have any suggestions regarding integrity checks I'd be glad to hear them.

Or anyone else, ofc.

Again, this may be too much for a workstation (integrity software, that is).
Btw, debsums found one package that did not match its MD5 sum yesterday; I fixed the problem with apt reinstall.
I can imagine it would be overkill for the whole system, but this made me think whether checking basic stuff like packages, executables and shared libs is overkill or actually a very useful feature to rule out issues.
 