intercity / intercity-next

Web control panel to deploy apps on your servers (with Dokku)
https://intercity.io/
MIT License

Add Tripwire system #221

Open jvanbaarsen opened 7 years ago

jvanbaarsen commented 7 years ago

In order to improve security, we want to monitor the state of our servers. This includes adding a tripwire system that keeps monitoring certain files to see if they get modified. A possible system for this can be Tripwire.

michiels commented 7 years ago

I think that a tool like "rkhunter" includes both service/port scanning, file scanning and known exploit scanning. So with running something like rkhunter, you have all tools in one.

jvanbaarsen commented 7 years ago

I believe there is a subtle difference in rkhunter and Tripwire. Tripwire acts as an Intrusion detection system, RKHunter mainly checks for rootkits. I have to dive deeper into this matter. I'll report back here when I have more info.

jvanbaarsen commented 7 years ago

@michiels I think it makes sense to run both.

michiels commented 7 years ago

@jvanbaarsen Alright. I've already done some research towards this, so if you have anything that you think Tripwire does on top of RKHunter, then I'm happy to hear!

jvanbaarsen commented 7 years ago

@michiels Tripwire checks a full set of files and checks if they have been modified. What I've seen so far is that RKHunter checks against a known list of rootkits, and only checks for those instances.

jvanbaarsen commented 7 years ago

Downside of Tripwire is that it takes a lot of configuration work.

michiels commented 7 years ago

@jvanbaarsen Ok, my experience is that rkhunter checks for all system files that have been installed when you "snapshotted" your system, and you can exclude paths that you know are going to change (because of deployments for example). But, we can test them both as part of this issue!

jvanbaarsen commented 7 years ago

@michiels Yeah, I have now configured Tripwire on a new server, will also install RKHunter beside it. We can then see which gives the best result.
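A minimal illustration of the file-integrity check discussed in this thread: snapshot a set of files (hash, mode, size), re-scan later, and report what was added, removed or modified, skipping paths that are excluded because they churn on every deployment. This is added example code, not Tripwire, rkhunter, or intercity's own code; the directory layout and the excluded `deploy` path are constructed for the demo.

```ruby
require 'digest'
require 'find'
require 'tmpdir'
require 'fileutils'

# Tripwire-style baseline/verify in miniature (example, not the project's code).
# baseline: relative path => { sha256:, mode:, size: }
module TripwireLite
  # Exclude by directory prefix, the way a policy would drop deployment paths.
  def self.excluded?(rel, excludes)
    excludes.any? { |p| rel == p || rel.start_with?("#{p}/") }
  end

  # Walk root and record each regular file's content hash, permission bits and size.
  def self.snapshot(root, excludes = [])
    baseline = {}
    Find.find(root) do |path|
      next unless File.file?(path)
      rel = path[(root.length + 1)..]
      next if excluded?(rel, excludes)
      st = File.stat(path)
      baseline[rel] = { sha256: Digest::SHA256.file(path).hexdigest,
                        mode: st.mode & 0o7777, size: st.size }
    end
    baseline
  end

  # Diff two baselines; any change in hash, mode or size counts as modified.
  def self.compare(old, new)
    { added:    (new.keys - old.keys).sort,
      removed:  (old.keys - new.keys).sort,
      modified: (old.keys & new.keys).select { |k| old[k] != new[k] }.sort }
  end

  # Constructed demo: baseline, tamper, re-scan. Returns the report a scheduled check would emit.
  def self.demo
    Dir.mktmpdir do |root|
      %w[etc deploy].each { |d| FileUtils.mkdir_p(File.join(root, d)) }
      File.write(File.join(root, 'etc/sshd_config'), "PermitRootLogin no\n")
      File.write(File.join(root, 'etc/hosts'), "127.0.0.1 localhost\n")
      File.write(File.join(root, 'deploy/app.rb'), "v1\n")
      base = snapshot(root, ['deploy'])
      File.write(File.join(root, 'etc/sshd_config'), "PermitRootLogin yes\n") # unexpected edit
      File.write(File.join(root, 'etc/newfile.conf'), "x\n")                  # unexpected new file
      File.write(File.join(root, 'deploy/app.rb'), "v2\n")                    # excluded deploy churn
      compare(base, snapshot(root, ['deploy']))
    end
  end
end
```

The deploy change is silent because the path is excluded; the `etc/` edits are reported, which is the split between "expected churn" and "investigate this" that both tools need configured.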