Monitoring Server Changes with Tripwire
_________________________________________________
Monitoring Server Changes
Monitoring change on a server is difficult: most changes to a system happen as a side effect of other (and sometimes unrelated) operations such as web browsing, while others are directly related to actions such as software installs and updates. When was a file updated or replaced? When did the registry change happen? When was that directory deleted? These are questions that can arise months after the change happens, and without a method of automatically monitoring for change, they may not come up until it's too late.
Tools such as Tripwire are designed to monitor for system changes and alert administrators to what was changed and in what way. This gives administrators a much better view into the operation of their servers and helps them identify problems in a timely manner.
How Tripwire Works
Tripwire creates a database describing all of the files on the server (on Windows servers it can also monitor the system registry). For each file the database records the location, size, creation and modification times, and a checksum used to verify that the file's contents are unmodified. Tripwire then runs a regular sweep of the system, comparing the current state of each file against the state stored in the database. If differences are found, an email notification detailing them is sent to the administrators.
Properly configuring Tripwire takes time and practice. An incorrect configuration could fail to monitor important system files, or could cause constant notifications because log and temporary files are regularly modified during the normal operation of the server.
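The baseline-and-compare cycle described above, reduced to its essentials, as an added example (not Tripwire's own code): a baseline of size, mtime and SHA-256 per file, a second sweep, and a report of added, removed and changed files. The ignore pattern for the log directory illustrates the configuration point: without it, routine log growth would be reported on every sweep. All paths and file contents are constructed for the demonstration.

```python
import fnmatch
import hashlib
import os
import stat
import tempfile

def build_baseline(root, ignore=()):
    """Record size, mtime and SHA-256 of every regular file under root; relative paths
    matching a pattern in `ignore` (logs, temp files) are skipped to avoid noise."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)  # lstat: a symlink is recorded as itself, not its target
            if not stat.S_ISREG(st.st_mode) or any(fnmatch.fnmatch(rel, p) for p in ignore):
                continue
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            db[rel] = {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest}
    return db

def compare(baseline, current):
    """Return (added, removed, modified); modified maps path -> attributes that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in set(baseline) & set(current):
        diff = [k for k in ("size", "mtime", "sha256") if baseline[rel][k] != current[rel][k]]
        if diff:
            modified[rel] = diff
    return added, removed, modified

def demo():
    """Constructed scenario in a temp dir: a binary is swapped for one of the same size,
    a config file is removed, one is added, and an ignored log file grows."""
    root = tempfile.mkdtemp()
    def write(rel, data, mode="wb"):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), mode) as f:
            f.write(data)
    write("bin/httpd", b"ORIGINAL")
    write("etc/old.conf", b"x=1")
    write("log/access.log", b"line1\n")
    baseline = build_baseline(root, ignore=("log/*",))
    write("bin/httpd", b"TAMPERED")            # same size: only the checksum reveals it
    os.remove(os.path.join(root, "etc/old.conf"))
    write("etc/new.conf", b"y=2")
    write("log/access.log", b"line2\n", "ab")  # routine noise, excluded by policy
    return compare(baseline, build_baseline(root, ignore=("log/*",)))
```

Running demo() reports etc/new.conf as added, etc/old.conf as removed and bin/httpd as modified (sha256, and mtime if the clock ticked), while the growing log stays silent.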
Getting Tripwire
Three versions of Tripwire are available: Open Source Tripwire, Tripwire for Servers and Tripwire Enterprise.
Tripwire provides a matrix comparing the open source and commercial releases; the two branches split in 1997 and have followed different road maps since 1999.
- Open Source Tripwire
http://sourceforge.net/projects/tripwire/
The open source release of Tripwire is available in source code form and pre-compiled for most UNIX and UNIX-like operating systems (it is not currently available for Windows). It provides command line tools to monitor and alert on changes to the file system.
The open source version of Tripwire is supported through web forums and discussion groups, and is recommended if you have a small set of UNIX or UNIX-like servers to manage and monitor.
- Tripwire for Servers and Tripwire Enterprise
http://www.tripwire.com/products/
Tripwire for Servers and Tripwire Enterprise provide the command line features of the open source Tripwire with additional support for Windows computers (Servers version) and network devices such as routers (Enterprise version). These releases also provide a graphical interface to aid in configuring and managing the Tripwire system and in responding to what it reports.
The commercial versions of Tripwire have direct email, web and phone support options available with the purchase of a support contract from Tripwire.
Alternatives to Tripwire
Other tools exist which provide the same or similar functionality to Tripwire, such as Samhain and OSSEC. It is recommended that each department evaluate the available options and pick the tool which best fits its environment and technical expertise.
