I have an Ubuntu server with weekly auto update/upgrade and Tripwire installed.

The problem is that the auto update kind of makes Tripwire useless, as changes always occur on my server. Therefore I constantly have violations flagged by Tripwire.

If there were any malicious changes I would miss them.

What is the best practice in such a situation? Is there a way to have automatic updates and useful Tripwire reports? How do people usually combine the two?

Cyrus

1 Answer


I haven't used Tripwire in ages, but conceptually:

You could choose to limit the Tripwire report to alert/report only on missing and newly created files in the */bin/, */sbin/ and */lib/ directories, rather than comparing the checksums of the files in those directories.

You then use the package manager to report on the integrity of the packages, as explained, for instance, in this question, which should detect when binaries have been replaced or when the package manager has been used to replace existing packages with untrusted packages.

Admittedly, it appears that the RPM format is a bit stronger in requiring signed packages, although this article explains how to enforce and verify signed packages on Debian and Ubuntu.

HBruijn
  • So what is the best practice? Having automatic updates or using an IDS like Tripwire? How do people usually combine the two? – Cyrus Jan 09 '15 at 07:07
  • The idea of using a tool such as Tripwire is to make sure that files are not tampered with by hackers. It is a requirement of such things as PCI DSS (not Tripwire, but what Tripwire does). It is ill-advised to tell OP to only check a few directories and not the kernel and other files that Tripwire does by default. – Alexis Wilke Aug 13 '22 at 01:19
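A worked example of the reconciliation step the answer sketches, added here and not part of the original post, of Tripwire, or of dpkg: take the paths a Tripwire check flagged inside the */bin/, */sbin/ and */lib/ trees and sort them into "explained by the package manager" versus "needs a human". It reads the same `<pkg>.md5sums` manifests dpkg keeps under /var/lib/dpkg/info (one `<md5hex>  <path without leading slash>` line per file, conffiles excluded), so on a real host you would point it at `/` and `/var/lib/dpkg/info`. The fake root, package names, file contents and flagged paths in `demo()` are constructed for the illustration.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Trees the answer proposes to treat as package-managed: Tripwire reports
# add/remove there, and content changes are reconciled against dpkg's
# manifests instead of being alarms on their own.
MANAGED_PREFIXES = ("bin/", "sbin/", "lib/", "usr/bin/", "usr/sbin/", "usr/lib/")


def load_manifests(dpkg_info_dir: Path) -> dict[str, tuple[str, str]]:
    """Map 'usr/bin/curl' -> (package, md5hex) from dpkg's *.md5sums files.

    Files are named <pkg>.md5sums or <pkg>:<arch>.md5sums; each line is
    '<md5hex>  <relative path>'. Conffiles are tracked elsewhere by dpkg.
    """
    owned: dict[str, tuple[str, str]] = {}
    for manifest in sorted(dpkg_info_dir.glob("*.md5sums")):
        pkg = manifest.name[: -len(".md5sums")].split(":")[0]
        for line in manifest.read_text().splitlines():
            digest, sep, relpath = line.partition("  ")
            if sep and relpath:
                owned[relpath] = (pkg, digest.strip())
    return owned


def md5_of(path: Path) -> str:
    """MD5 is what dpkg records; here it is a change detector, not a security hash."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def reconcile(flagged: list[str], root: Path, dpkg_info_dir: Path) -> dict[str, list[str]]:
    """Sort Tripwire-flagged absolute paths into review buckets.

    explained     owned by a package and identical to its manifest: upgrade noise
    mismatch      owned, but content differs from the manifest: investigate
    unowned       in a managed tree, claimed by no package: investigate
    missing       owned, but gone from disk: investigate
    out_of_scope  outside the managed trees (e.g. /etc): left to Tripwire's
                  normal checksum policy, not judged here
    Caveat: the md5sums files live on the same disk as the binaries, so a root
    attacker can rewrite both. This separates upgrade noise from the rest; it
    does not replace a baseline kept where the host itself cannot alter it.
    """
    owned = load_manifests(dpkg_info_dir)
    buckets: dict[str, list[str]] = {
        "explained": [], "mismatch": [], "unowned": [], "missing": [], "out_of_scope": []
    }
    for abs_path in flagged:
        rel = abs_path.lstrip("/")
        if not rel.startswith(MANAGED_PREFIXES):
            buckets["out_of_scope"].append(abs_path)
            continue
        if rel not in owned:
            buckets["unowned"].append(abs_path)
            continue
        pkg, expected = owned[rel]
        on_disk = root / rel
        if not on_disk.is_file():
            buckets["missing"].append(f"{abs_path} ({pkg})")
        elif md5_of(on_disk) == expected:
            buckets["explained"].append(f"{abs_path} ({pkg})")
        else:
            buckets["mismatch"].append(f"{abs_path} ({pkg})")
    return buckets


def _md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def demo() -> dict[str, list[str]]:
    """Constructed fake root and dpkg info dir; every name and content here is made up."""
    root = Path(tempfile.mkdtemp(prefix="fakeroot-"))
    info = root / "var/lib/dpkg/info"
    for d in ("usr/bin", "usr/sbin", "usr/lib", "etc", "var/lib/dpkg/info"):
        (root / d).mkdir(parents=True, exist_ok=True)
    # curl: replaced by an apt upgrade, binary and manifest agree -> explained
    (root / "usr/bin/curl").write_bytes(b"curl 7.x build")
    (info / "curl.md5sums").write_text(f"{_md5(b'curl 7.x build')}  usr/bin/curl\n")
    # ssh: manifest describes one binary, disk holds another -> mismatch
    (root / "usr/bin/ssh").write_bytes(b"ssh with extra feature")
    (info / "openssh-client:amd64.md5sums").write_text(f"{_md5(b'ssh as shipped')}  usr/bin/ssh\n")
    # a file no package claims, dropped into a managed tree -> unowned
    (root / "usr/sbin/.helper").write_bytes(b"#!/bin/sh\n")
    # a library dpkg believes is installed but which is gone -> missing
    (info / "libfoo1.md5sums").write_text(f"{_md5(b'libfoo')}  usr/lib/libfoo.so.1\n")
    (root / "etc/hosts").write_bytes(b"127.0.0.1 localhost\n")
    flagged = ["/usr/bin/curl", "/usr/bin/ssh", "/usr/sbin/.helper",
               "/usr/lib/libfoo.so.1", "/etc/hosts"]
    return reconcile(flagged, root, info)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket:13s} {paths}")
```

The point of the split is what you do next: only when the mismatch, unowned and missing buckets come back empty would you accept the report into the Tripwire database (`tripwire --update` against that report), so the baseline follows the package manager's upgrades but never absorbs a change dpkg cannot account for. Anything out of scope keeps Tripwire's default checksum policy.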