[Infrastructures] Tripwire
Tillman Hodgson
tillman@seekingfire.com
Mon, 25 Jul 2005 08:15:30 -0600
On Sun, Jul 24, 2005 at 04:17:14PM -0500, Sean Kelly wrote:
> Has anybody used Tripwire's products? How do products such as Tripwire for
> Servers compare to a configuration built using tools like cfengine or the
> like?
I've deployed Tripwire across a fairly large AIX and Linux environment
(versions 4.0 and, later, 4.5). In my mind, it doesn't really compare
... they're definitely different types of tools.
Tripwire examines an installed system and monitors filesystem changes.
That's it. It won't tell you if the configuration is correct for that
host, it'll only tell you if it's changed recently. It runs according to
a schedule and checks your chosen objects on that schedule. It's fairly
heavyweight, especially when checking all filesystem objects -- that's a
lot of disk churn and checksum generation. It's useful as a
filesystem-level IDS and very useful as part of your change control
process.
Conversely, cfengine is a tool that will configure your hosts to match
the description. The filesystems likely won't exactly match across
identically configured hosts (inodes will likely be different for a
given file, for example) but the effects of the configuration should be
identical across hosts. It generally does anything only when changes are
needed and is relatively lightweight since it only needs to touch a
small number of described files.
I suppose one could use them in tandem, using cfengine to configure the
hosts and tripwire to act as the confirmation stage of the change
control process (ideally by a different group, like the security team,
so that change control is rigorously enforced).
-T
--
I love the way Microsoft follows standards. In much the same manner that
fish follow migrating caribou.
-- A.S.R. quote (Paul Tomblin)
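The baseline-and-compare behaviour described in the reply above (snapshot the chosen filesystem objects, later check whether they changed) as an added Python example; this is not Tripwire's code nor anything from the thread, the directory tree and file contents are constructed, and the attribute set compared (hash, size, mode, owner, group) is this example's own choice.

```python
import hashlib
import os
import stat
from pathlib import Path
from tempfile import TemporaryDirectory


def snapshot(root):
    """Record, per regular file under root, the attributes a baseline compares:
    content hash, size, mode, owner and group. Inode and ctime are deliberately
    left out so that a baseline stays comparable across identically built hosts."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices need their own policy; skipped here
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            rel = path.relative_to(root).as_posix()
            baseline[rel] = (digest, st.st_size, st.st_mode, st.st_uid, st.st_gid)
    return baseline


def compare(baseline, current):
    """Diff two snapshots; any attribute change counts as 'modified'."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a small tree, then change, remove and add a file."""
    with TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (etc / "motd").write_text("Welcome\n")
        before = snapshot(tmp)
        (etc / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 build01\n")  # edited
        (etc / "motd").unlink()                                                 # removed
        (etc / "resolv.conf").write_text("nameserver 10.0.0.1\n")               # added
        return compare(before, snapshot(tmp))


if __name__ == "__main__":
    print(demo())
```

Like Tripwire, this only reports that objects changed relative to the stored baseline; whether the new state is correct is a separate question for the configuration tool and the change-control reviewer.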