Linux Today: Linux News On Internet Time.

CrossNodes: Who's Got Root? Find Out With Tripwire

Dec 20, 2002, 11:30 (6 Talkback[s])
(Other stories by Carla Schroder)

"Your network groans under the weight of monitors and alarms. Every packet, every bit is inspected, scrutinized, sanitized, and organized. Surely it is time to relax and take it easy. Except for one little nagging worry--if an intruder slides through all the barriers, past all the traps, and successfully cozies into a snug corner, how will you know?

"Most security applications are reactive: they look for evidence of known exploits. Tripwire doesn't need a personal introduction to villains, it detects any suspicious changes. It creates a baseline snapshot of a system when it is in a known good state, then makes comparisons against this baseline. When files change that shouldn't, such as system binaries, or registry objects, Tripwire will tell you. If the changes are valid, the Tripwire database can be updated. If there is a problem, the ace admin will know exactly what was affected.

"It is not meant to replace other security measures, or to be the sole security measure. It monitors the integrity of your perimeter watchdogs- 'watches the watchers'--a most useful ability, as firewalls and routers are prime targets of attack. It monitors the integrity of internal systems, detecting and reporting changes no matter where they originate, from the inside or outside. Other intrusion detectors typically search for signatures of known exploits, which is useful as long as only known exploits are used against you..."

Complete Story

Related Stories: