Add Tripwire system

[jvanbaarsen]

In order to improve security, we want to monitor the state of our servers. This includes adding a tripwire system that keeps monitoring certain files to see if they get modified. A possible system for this can be Tripwire.

[michiels]

I think that a tool like "rkhunter" includes both service/port scanning, file scanning and known exploit scanning. So with running something like rkhunter, you have all tools in one.

[jvanbaarsen]

I believe there is a subtle difference in rkhunter and Tripwire. Tripwire acts as an Intrusion detection system, RKHunter mainly checks for rootkits. I have to dive deeper into this matter. I'll report back here when I have more info.

[jvanbaarsen]

@michiels I think it makes sense to run both.

[michiels]

@jvanbaarsen Allright. I've already done some research towards this, so if you have anything that you think Tripwire does on top of RKHunter, then I'm happy to hear!

[jvanbaarsen]

@michiels Tripwire checks a full set of files and checks if they have been modified. What I've seen so far is that RKHunter checks against a known list of rootkits, and only checks for those instances.

[jvanbaarsen]

Downside of Tripwire is that it takes a lot of configuration work.

[michiels]

@jvanbaarsen Ok, my experience is that rkhunter checks for all system files that have been installed when you "snapshotted" your system, and you can exclude paths that you know are going to change (because of deployments for example). But, we can test them both as part of this issue!

[jvanbaarsen]

@michiels Yeah, I have now configured Tripwire on a new server, will also install RKHunter besides it. We can then see which gives the best result.