Problem
An example of a host-based intrusion detection tool is the tripwire program. This is a file integrity checking tool that scans files and directories on the system on a regular basis and notifies the administrator of any changes. It uses a protected database of cryptographic checksums for each file checked and compares this value with that recomputed on each file as it is scanned. It must be configured with a list of files and directories to check and what changes, if any, are permissible to each. It can allow, for example, log files to have new entries appended, but not for existing entries to be changed.
a) What are the advantages and disadvantages of using such a tool? List minimum 3 advantages and 3 disadvantages. If you list less, justify.
b) Consider the problem of determining which files should only change rarely, which files may change more often and how, and which change frequently and hence cannot be checked.
c) Describe the work in both the configuration of the program and on the system administrator monitoring the responses generated.