I am new to this HIDS; we are planning to install it on a small set of Linux servers as part of a POC.
Since this is the first time we are going to use Tripwire to check our servers, I am curious as to which files, folders and directories need to be monitored.
What should the criticality be set to for those directories?
What should I be looking for when there is a trigger for a file change?
Any pointers much appreciated.
Well, YMMV, it all depends on what you actually want to monitor. A good start would be system binaries and configuration files, keeping in mind that these will change when you apply updates. In that case you need to make sure you run a report prior to the updates to get an idea of how safe your system is.
I recommend you read this article; it's a good overview: https://www.digitalocean.com/community/tutorials/how-to-use-tripwire-to-detect-server-intrusions-on-an-ubuntu-vps
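To make the "system binaries and configuration files, with a severity per group" advice concrete, here is an added example of a Tripwire policy fragment (twpol.txt syntax). It is not from the original thread or from the Tripwire project; the directory list, the rule names and the choice of which group gets which severity are my assumptions for a generic Linux server, and the severity numbers (100/66/33) and property masks (IgnoreNone, ReadOnly, Dynamic, Growing) are the conventional ones from the stock policy file.

```tripwire
@@section GLOBAL
TWBIN = /usr/sbin ;
TWETC = /etc/tripwire ;
TWVAR = /var/lib/tripwire ;

@@section FS
# Property masks: how much of a file may change before Tripwire reports it.
SEC_CRIT   = $(IgnoreNone)-SHa ;  # nothing may change except the access time / CRC noise
SEC_BIN    = $(ReadOnly) ;        # binaries: content, perms, owner, size must all stay fixed
SEC_CONFIG = $(Dynamic) ;         # config: content changes are reported, atime/mtime churn is not
SEC_LOG    = $(Growing) ;         # logs: may only grow; shrinking or truncation is reported

# Severity levels (assumed mapping: the report can be filtered with --severity N)
SIG_HI  = 100 ;
SIG_MED = 66 ;
SIG_LOW = 33 ;

# Highest criticality: files an attacker would alter to persist or escalate.
(
  rulename = "Critical system files",
  severity = $(SIG_HI)
)
{
  /etc/passwd   -> $(SEC_CRIT) ;
  /etc/shadow   -> $(SEC_CRIT) ;
  /etc/sudoers  -> $(SEC_CRIT) ;
  /etc/ssh      -> $(SEC_CRIT) ;
  /etc/cron.d   -> $(SEC_CRIT) ;
}

# System binaries: expected to change only when packages are updated.
(
  rulename = "System binaries",
  severity = $(SIG_HI)
)
{
  /bin          -> $(SEC_BIN) ;
  /sbin         -> $(SEC_BIN) ;
  /usr/bin      -> $(SEC_BIN) ;
  /usr/sbin     -> $(SEC_BIN) ;
  /lib          -> $(SEC_BIN) ;
}

# Remaining configuration: medium severity, content changes still reported.
(
  rulename = "Configuration files",
  severity = $(SIG_MED)
)
{
  /etc          -> $(SEC_CONFIG) ;
}

# Log files: low severity, only truncation/replacement is interesting.
(
  rulename = "Log files",
  severity = $(SIG_LOW)
)
{
  /var/log      -> $(SEC_LOG) ;
}
```

The workflow the answer describes maps onto the standard commands: compile the policy with `twadmin --create-polfile twpol.txt`, build the baseline database with `tripwire --init`, and run `tripwire --check` immediately before a package update so that any change already present is separated from the update's own changes. After the update, review the report and fold the expected changes back into the database with `tripwire --update -r <report file>`. In a report, each violation names the rule, the path and which properties differed (hash, size, mode, owner); a change under a high-severity rule outside a known maintenance window is the one to investigate first.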