Open Source Tripwire is a host-based intrusion detection system (HIDS) for Linux. This data integrity and security tool supervises and alerts on unauthorized file and directory changes across a variety of Linux systems. Instead of trying to detect intrusions at the network level, Tripwire detects modifications to file system objects.
In simple words, once a baseline has been taken, Tripwire monitors and reports any file that is modified or added, who modified it, what was modified, and when it was modified. If these modifications are authorized, the Tripwire database can be updated to accept them.
Open Source Tripwire is ideal for keeping an eye on a few Linux servers where centralized control and reporting are not required and professional system automation or support is not mandatory. In a nutshell, it can be deployed where dynamic changes need not be monitored continuously, and it is sufficient to check for intrusion attempts on a regular basis to ensure the security of the system.
How it Works
When Open Source Tripwire is initialized for the first time, it scans the file system as directed by the administrator and stores information about every scanned file in a database. The database includes the size, location, creation and modification times, and also a checksum (to verify that the file contents are unchanged). The same files are scanned at a later date and the results are compared with the values stored in the database. If any differences are detected, the modifications are reported to the administrator through an email notification. Changes to a file are detected using cryptographic hashes, so the complete contents of the file never need to be stored in the database.
This is not only handy for detecting intrusions after the fact, but can also be used for several other purposes such as change management, policy compliance, and integrity assurance. It takes some practice and time to configure Tripwire properly. A wrong configuration could fail to supervise vital system files, or may cause continuous notifications because temporary and log files are modified regularly during the server's normal operation.
So the operation may be considered slightly complex, but once the configuration has been set up properly and duly tested, Tripwire runs quite smoothly.
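To make the baseline-and-compare cycle described above concrete, here is an added example (not code from the article or from the Tripwire project): it records size, permission bits, modification time and a SHA-256 digest for every regular file, skips paths matching exclude globs so that constantly changing logs do not cause the noise mentioned above, and reports what was added, removed or modified on a later scan. The directory layout and the `var/log/*` exclusion are constructed for the demo; the set of attributes recorded is an assumed subset of what Tripwire tracks.

```python
import fnmatch, hashlib, os, tempfile

def file_record(path):
    """Per-file attributes kept in the baseline (an assumed subset of Tripwire's)."""
    st = os.lstat(path)
    with open(path, "rb") as fh:
        sha = hashlib.sha256(fh.read()).hexdigest()  # content fingerprint, not the content
    return {"size": st.st_size, "mode": st.st_mode, "mtime": int(st.st_mtime), "sha256": sha}

def build_baseline(root, exclude=()):
    """Record every regular file under root, skipping paths that match an exclude glob."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if not os.path.isfile(path) or os.path.islink(path) or any(
                    fnmatch.fnmatch(rel, pat) for pat in exclude):
                continue  # skip non-regular files and excluded globs such as busy logs
            baseline[rel] = file_record(path)
    return baseline

def compare(baseline, current):
    """List added and removed paths; for modified ones, name the attributes that differ."""
    report = {"added": [], "removed": [], "modified": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline or rel not in current:
            report["added" if rel not in baseline else "removed"].append(rel)
            continue
        diff = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diff:
            report["modified"][rel] = diff
    return report

def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, then re-scan."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh: fh.write(data)
        write("etc/app.conf", "debug=off\n")
        write("bin/tool", "#!/bin/sh\necho ok\n")
        write("var/log/app.log", "started\n")
        baseline = build_baseline(root, exclude=("var/log/*",))
        write("etc/app.conf", "debug=on\n")              # content changed
        os.chmod(os.path.join(root, "bin/tool"), 0o755)  # permission bits only
        write("opt/extra.sh", "echo hi\n")               # new file
        write("var/log/app.log", "started\nrequest\n")   # excluded, so not reported
        return compare(baseline, build_baseline(root, exclude=("var/log/*",)))
```

A real deployment would persist the baseline somewhere the monitored host cannot silently rewrite it, since an attacker who can edit the database can also hide their changes.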
The open source edition of Tripwire is offered in source code form, and it is also available pre-compiled for most *NIX and Unix-like operating systems. It provides command line tools to monitor and report changes to the file system. Open Source Tripwire is supported through discussion groups and web forums; it is suggested if you have a small set of *NIX and Unix-like servers to manage.
There are two more editions of Tripwire:
- Tripwire for Enterprise, and
- Tripwire for Servers.
Alternatives to Tripwire
There are a few other alternatives to Tripwire which offer similar or the same functionality. These include OSSEC and Samhain. It is recommended to evaluate all the choices and pick the tool that best matches the technical expertise and environment of a particular department.
In this way, Tripwire gives administrators better visibility into the operation of their particular server, helping them identify problems in time. Of course, it doesn't have the kind of popularity that OSSEC boasts, but over the longer run Tripwire would certainly turn out to be the pick of the lot as an IDS for Linux users. And the fact that it is an open source, free program makes it even more enticing in a market full of paid IDS packages selling for significant amounts.
Jolie is a tech geek who loves to explore the latest Linux utilities and OS flavors. He constantly tests and reviews unique products like multiple route planners and GPS devices on popular online technology sites such as Latest-Technews.com, BrightHub.com, About.com and the like.