Tamper Alarm is my free, lightweight implementation of tripwire. Originally written in 2001 as a configuration watch script, I've added to it over the years and now think it is a capable host-based Intrusion Detection System (IDS).

Tamper Alarm has been written specifically for OpenBSD, though it is likely to work on any Unix-based OS; it works just fine on my iMac, for example.


Tamper Alarm crawls a filesystem and a list of files, building a database of ownership, permissions and content (recorded as an MD5 hash).

This database is then used to periodically check the host for changes.
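The build-then-check loop described above, as an added Python example that is not Tamper Alarm's own code (the original is a script for OpenBSD). It records owner, group, permission bits and an MD5 of every regular file, then reports what differs on a later pass; the copy of the database to and from the management server is left out, and the function names are my own.

```python
import hashlib
import os
import stat
from typing import Dict, List, Tuple

# One baseline record per path: (uid, gid, permission bits, md5 hex).
# Directories and symlinks get an empty hash; only their metadata is tracked.
Record = Tuple[int, int, int, str]

def md5_of_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def record_for(path: str) -> Record:
    st = os.lstat(path)  # lstat so a symlink is recorded, not its target
    digest = md5_of_file(path) if stat.S_ISREG(st.st_mode) else ""
    return (st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode), digest)

def build_baseline(roots: List[str]) -> Dict[str, Record]:
    """Crawl each root (a directory tree or a single file) into a database."""
    db: Dict[str, Record] = {}
    for root in roots:
        if os.path.isdir(root) and not os.path.islink(root):
            for dirpath, dirnames, filenames in os.walk(root):
                for name in dirnames + filenames:
                    p = os.path.join(dirpath, name)
                    db[p] = record_for(p)
        else:
            db[root] = record_for(root)
    return db

def check_host(baseline: Dict[str, Record], roots: List[str]):
    """Re-crawl and return (path, what_changed, detail) for every difference."""
    current = build_baseline(roots)
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            changes.append((path, "removed", ""))
        elif path not in baseline:
            changes.append((path, "added", ""))
        else:
            for field, old, new in zip(("uid", "gid", "mode", "md5"),
                                       baseline[path], current[path]):
                if old != new:
                    shown = (oct(old), oct(new)) if field == "mode" else (old, new)
                    changes.append((path, field, f"{shown[0]} -> {shown[1]}"))
    return changes
```

Run build_baseline once on a known-good host, keep the result somewhere the host cannot overwrite, and feed it to check_host on each scheduled pass.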

For added security the database is copied with scp to a management server at build time. When the script runs in check mode, it copies the database back with scp, using SSH public key authentication on an account that has only read access to the database files, safeguarding the database.

I'll follow up with a worked example and a guide to setting up SSH public key authentication.