Tripwire For Servers
Tripwire for Servers — configuration control for servers and desktops
Tripwire® for Servers lets organizations regain configuration control of servers and desktop machines by alerting IT to improper change to key system files, directories and registries. Organizations first manually configure each monitored server and desktop the way they want, and then Tripwire for Servers agents detect any changes from that desired configuration. For many public, private and governmental organizations, Tripwire for Servers is a must for achieving compliance with important regulations and ensuring the sensitive data that resides on agency desktops and servers is secure.
Upgrade to Tripwire Enterprise
Upgrading a Tripwire for Servers implementation to Tripwire Enterprise adds more intelligence and automation in your solution.
Improper Change Detection
Detects Improper Change, including additions to, deletions from and modifications of file systems, and identifies what changed and where and when the change was made.
Identifies Source of Improper Change by correlating event logs to Tripwire integrity reports, helping support change management processes, audits and data forensics.
Easy Management of Change Monitoring Policies
Simplifies and Eases Management of Change Monitoring Policies with an intuitive interface that allows rapid set-up and “noise” reduction from non-critical alerts and also easy adding, deleting, or modifying policies.
Improper Change Alerts
Alerts to Improper Change When and Where Needed with alerts sent in multiple ways—email, syslog, SNMP traps, XML and HTML output to the Tripwire Manager console—to ensure IT receives them.
High Level Information
Provides just the right level of information with high-level views that provide management with a picture of overall health and drill down to details that help technical staff remediate issues.
Automated Rollback
Supports Automated Rollback by triggering custom command line scripts that automatically restore files to the last known good state. Support for command line scripts can also extend reporting and notification capabilities.
Broad Platform Support
Offers Broad Platform Support, monitoring machines—even virtual machines—running Windows, Linux, Solaris, HP-UX, and AIX. And when used with Tripwire® Manager, Tripwire for Servers provides a single point of control to manage change to servers and desktops across the enterprise.
Tripwire Manager
Tripwire Manager centralizes management and reporting for multiple Tripwire for Servers installations on a variety of platforms—all without requiring a persistent connection.
Tripwire for Servers
Windows
Versions
- Windows NT 4.0 SP6a*
- Windows 2000 Professional, Server and Advanced Server (Service Packs 3 and 4)
- Windows Server 2003 (up to Service Pack 2) (x86 and x64)
- Windows Server 2008 R1 Service Pack 2 (x86 and x64) and R2 (x64)
- Windows XP Professional (up to Service Pack 2)
- Windows Vista Business, Ultimate and Enterprise Editions (with no Service Packs)
*Supported through an earlier version of Tripwire For Servers, contact support for information.
Recommended
- Pentium-class processor
- Intel Xeon and AMD Opteron (for x64 Edition)
- 128 MB RAM
- 12 MB disk space
Solaris
Versions
- Solaris (SPARC) 2.6*, 7, 8, 9 & 10
*Supported through an earlier version of Tripwire For Servers, contact support for information.
Recommended
- SPARC 2-class processor or above
- Sun recommended current patch level for all versions
- 128 MB RAM
- 56 MB disk space
Solaris on x64/x86
Versions
- Solaris 10 on x64/x86
Recommended
- Pentium class processor or above
- 150 MB RAM
- 33 MB disk space
IBM AIX
Versions
- AIX 4.3.3*, 5.1*, 5.2 & 5.3
*Supported through an earlier version of Tripwire For Servers, contact support for information.
Recommended
- RS/6000 class processor or above
- 128 MB RAM
- 56 MB hard disk space
Linux
Versions
- Red Hat Enterprise Linux 3 & 4 AS, ES & WS & 5 Server and Workstation
- Red Hat 7.1*, 7.2*, 7.3*, 8.0* & 9.0*
- SUSE 8.0*, 8.1* (on x86)
- SUSE EL 9 (on x86_64 and ia64)
- Fedora Core 2*
- Debian 2.2*
- Mandrake 8.2*
- Slackware 8.0*
*Supported through an earlier version of TFS, contact support for information.
Recommended
- Pentium-class processor or above
- Intel Xeon and AMD Opteron (RHEL 3, 4 & 5, SUSE EL 9)
- Intel Itanium (for Red Hat Enterprise Linux and SUSE EL 9)
- Linux (x86) kernel 2.4 or higher
- glibc 2.3 and higher
- 128 MB RAM
- 25 MB disk space (Itanium II processor - 41 MB disk space)
FreeBSD
Versions
- (x86) 4.5*, 4.6*, 4.7*, 4.10* & 5.3
*Supported through an earlier version of TFS, contact support for information.
Recommended
- Pentium-class processor or above
- 128 MB RAM
- 21 MB disk space
HP-UX
Versions
- HP-UX 10.2*, 11, 11i v1 & 11i v2 (PA-RISC)
*Supported through an earlier version of TFS, contact support for information.
Recommended
- PA-RISC 1.1 processor or higher
- 128 MB RAM
- 67 MB hard disk space
HP-UX 11i v2 (Itanium)
Versions
- 11i v2
*Supported through an earlier version of TFS, contact support for information.
Recommended
- Intel Itanium
- 128 MB RAM
- 82 MB hard disk space
Compaq Tru64 UNIX
Versions
- Tru64 UNIX 4.0F*, 4.0G*, 5.0A*, 5.1*, 5.1A* & 5.1B (Alpha)
*Supported through an earlier version of TFS, contact support for information.
Recommended
- Alpha processor
- 128 MB RAM
- 49 MB disk space
Tripwire Manager
Windows
Versions
- 2000 SP3 or SP4
- 2003 up to SP2
- Windows Vista
- XP Pro up to SP2
Recommended
- Pentium IV class processor or above
- 1024 MB RAM
- 75 MB disk space (150 MB for installation)
Solaris
Versions
- Solaris (SPARC) 7, 8, 9 & 10
Recommended
- Sun UltraSPARC II or higher processor
- 1024 MB RAM
- 86 MB disk space (229 MB for installation)
- X Window System
Linux
Versions
- Red Hat Enterprise Linux 3 & 4 AS, ES & WS (on x86) & 5 Server and Workstation (on x86)
Recommended
- Pentium IV class processor or above
- 1024 MB RAM
- 85 MB disk space (167 MB for installation)
- X Window System
What is Tripwire for Servers?
Tripwire for Servers is Configuration Control software that gives IT system administrators the ability to report on in-depth file system and registry changes on Windows, UNIX and Linux systems. This provides improved visibility of both authorized and unauthorized changes, and greater accountability for those changes, which ultimately increases server availability, enhances security and ensures compliance with policies and with change and configuration management processes.
What does Tripwire for Servers do?
Tripwire for Servers monitors all file and registry changes—whether they originate inside or outside of your organization, and are accidental or malicious in nature. Tripwire for Servers identifies configuration changes to system attributes including hash values, file size, access flags, access time, write time, ACLs, inode number, security descriptors and more, and displays them in easy-to-read reports. It silently listens for Tripwire Manager to give it commands regarding system functions and reports back accordingly.
What is Tripwire Manager?
Tripwire Manager is a fully functional, cross-platform management console that allows system and security professionals to easily manage all installations of Tripwire for Servers software across an enterprise network. Tripwire Manager eliminates the need to manually monitor multiple discrete installations of Tripwire for Servers. Instead, IT professionals have a comprehensive view of configuration change information from a single, centralized console. Tripwire Manager also enables you to view and analyze reports from installations of Tripwire for Servers.
Do I need Tripwire Manager to operate Tripwire for Servers?
No, you can operate an individual Tripwire for Servers installation as a standalone application. However, managing any more than five Tripwire for Servers installations without Tripwire Manager is generally found to be inefficient, time consuming and tedious.
How many machines can Tripwire Manager control?
Tripwire Manager allows you to manage the functions of Tripwire for Servers on up to 2,500 machines. Depending upon your system, Tripwire Manager may be able to manage many more.
Can Tripwire Manager alert me when an agent goes down?
Yes, Tripwire Manager displays an obvious graphical cue when a system is unavailable. The status information displayed for the affected system will explain whether the host system is unreachable or the Tripwire service is down. An additional method of alerting is to utilize the 'Email no violations' function on critical servers. If you stop receiving the 'No violations' email from targeted critical servers, either Tripwire has been disabled or the server is down.
Can I use Tripwire Manager to compare one server’s file system to other servers?
Yes, using Tripwire Manager you can replicate one server's integrity system (including the baseline snapshot) and deploy this to the other servers that you need to compare against. This is very useful in eliminating configuration drift, ensuring that all the production servers match policy.
How does Tripwire for Servers work?
Tripwire for Servers works by creating a baseline snapshot (database) of a server's file system in a known and trusted state. It then takes subsequent snapshots and compares the differences, if any, and reports any changes to files, file attributes and the Windows Registry.
Is the Tripwire snapshot secured?
Yes, the snapshot is cryptographically signed with a 1024-bit cryptography algorithm that detects any unauthorized tampering. A user can also sign the report, policy and configuration file for each Tripwire for Servers installation. The default policy file also monitors the Tripwire binary files, essentially using Tripwire to monitor Tripwire.
Can reports be exported?
Yes, reports can be exported from Tripwire for Servers in an XML or HTML format. This is helpful if the user wants to view reports from a Web browser. Reports can also be sent to the syslog/event logs.
Can wildcards be used in the policy file?
Yes, wildcards can be used in the policy file to make developing policy files easier. For example, if a user wants to scan all dll files in a certain folder or directory, they would be able to use *.dll. A user can use wildcards for both inclusion and exclusion (for example, monitor all files of a certain type or do not monitor any files of a certain type).
How does Tripwire for Servers track "who made the change?"
Tripwire for Servers tracks the identity of who made the change by correlating the information from the operating system's event and audit log with the change information that is detected by Tripwire for Servers. It uses this information to provide the identity of who made a certain change. Since we rely on the operating system to gather this information, the product only captures the "who" information from the operating systems that track this. Linux and FreeBSD do not track this information. This feature is called Event Log Correlation.
Does event tracking correlation require auditing to be turned on to determine "who" made a change?
Yes, auditing does have to be turned on for each directory or object for which a user would like this information.
What is Integrated Command Execution (ICE)?
ICE is a feature that can be used to execute a command when a change violation is identified. This can be configured for each file being monitored or entire directories on a server.
Can the Integrated Command Execution function be used to automatically back up files that are changed?
A user could develop a script to be automatically executed using the ICE function that would go to a user's backup system and replace the specific files that were violated. This function is specified for each rule within the policy file.
What if I delete Tripwire for Servers keys, and then replace policy, config and database files with my own signed versions that tell Tripwire software to check nothing?
Each Tripwire for Servers report details when the database was last updated, providing a quick benchmark detailing if or when the data files have been replaced. In order to replace these files, an attacker requires root or administrator level privileges and must know where Tripwire for Servers has been installed. On a properly secured system, gaining this level of access takes time and leaves physical evidence behind for Tripwire for Servers to detect prior to the system being compromised. Methods for reducing the risk of an intruder being able to replace a Tripwire for Servers installation include:
- Hiding the application by renaming configuration, data, and binary files and installing to a hidden location.
- Installing Tripwire for Servers to a read-only partition such as a CD-ROM.
Can I specify who receives an email based on different change violations?
Tripwire for Servers permits users to designate different email addresses within the policy file. For example, the Webmaster should receive an email if the configuration settings on the Web site have been altered, but the IT staff should be alerted if a new user account has been added.
How do you handle log files that are cycled daily?
If log files are being rotated automatically every day, it makes sense to have Tripwire for Servers monitor the log file not for size or content, but for permissions and access control information. This alerts administrators of a change in who has access to the log file instead of constantly alerting the administrator when the size or content has been modified.
How do you handle spoofing?
With Tripwire for Servers the file contents cannot be spoofed when running hashes against them. Tripwire for Servers looks at the contents of the file to make sure that the contents have not changed from their Known and Trusted state. It is mathematically infeasible to spoof multiple hashes of a file. Tripwire for Servers does not inspect network packets to validate authenticity. That is the role of a good network IDS or firewall. Tripwire for Servers can be used, however, to ensure that the configurations of your network IDS or firewall have not been altered.
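An added example, not Tripwire code or Tripwire policy syntax: a minimal Python integrity checker that combines the baseline-and-compare model, wildcard inclusion and exclusion, permissions-only monitoring of rotated logs, and multiple hashes per file from the answers above. The rule table, attribute names, file names and the choice of SHA-256 plus SHA-1 are assumptions made for illustration.

```python
import fnmatch, hashlib, stat, tempfile
from pathlib import Path

# Hypothetical rules (not Tripwire policy syntax): first matching wildcard wins.
RULES = [
    ("*.tmp", None),                              # exclusion: never monitored
    ("*.log", ("mode", "uid", "gid")),            # rotated logs: access info only
    ("*", ("mode", "uid", "gid", "size", "sha256", "sha1")),  # two hashes
]

def snapshot(root):
    """Record the rule-selected attributes of every monitored file under root."""
    snap = {}
    for p in Path(root).rglob("*"):
        attrs = next(a for pat, a in RULES if fnmatch.fnmatch(p.name, pat))
        if attrs is None or not p.is_file():
            continue
        st, data = p.stat(), p.read_bytes()
        full = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
                "size": st.st_size, "sha256": hashlib.sha256(data).hexdigest(),
                "sha1": hashlib.sha1(data).hexdigest()}
        snap[str(p.relative_to(root))] = {a: full[a] for a in attrs}
    return snap

def compare(baseline, current):  # {path: finding} for adds, deletes, modifications
    report = {p: "added" for p in current.keys() - baseline.keys()}
    report.update({p: "removed" for p in baseline.keys() - current.keys()})
    for p in baseline.keys() & current.keys():
        changed = sorted(a for a in baseline[p] if baseline[p][a] != current[p][a])
        if changed:
            report[p] = "modified: " + ",".join(changed)
    return report

def demo():  # constructed sample tree: baseline, change files, check, chmod the log
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.conf").write_text("port=443\n")
        (root / "access.log").write_text("day 1\n")
        (root / "access.log").chmod(0o640)
        baseline = snapshot(root)
        (root / "app.conf").write_text("port=8080\n")     # content change
        (root / "access.log").write_text("day 2 ...\n")   # rotation: content only
        (root / "scratch.tmp").write_text("x")            # excluded by wildcard
        (root / "new.dll").write_text("x")                # addition
        first = compare(baseline, snapshot(root))
        (root / "access.log").chmod(0o666)                # access loosened
        return first, compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The first check reports the edited configuration file and the new file but stays silent about the rotated log; the second check adds a finding for the log only after its permissions change.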
Can I apply one policy file to several installations of Tripwire for Servers?
Yes, one policy file can be used on any number of machines running Tripwire for Servers, as long as the platforms are the same. Tripwire Manager allows you to edit one policy file and then distribute it to all the machines that you want to update.
How long does it take to install Tripwire for Servers and Tripwire Manager?
Under normal conditions, it should take no longer than five minutes to install Tripwire for Servers on a single machine and 30 minutes to install Tripwire Manager. You do not need root privileges to install Tripwire for Servers.
What are the typical types of servers that Tripwire for Servers is placed on?
Tripwire for Servers should be installed on any server that needs to be monitored for change. Typical servers include email servers, Web servers, firewalls, transaction servers, development servers, etc. Any server where it is imperative to identify if and when a file system change has occurred should be monitored with Tripwire for Servers. Even critical workstations that need monitoring should have Tripwire for Servers deployed on them.
How often should Tripwire for Servers be run?
This depends on how critical the files being monitored are. If they are very critical, then an integrity check can and should be run more frequently, say every hour. If files are less critical, then a once-a-day check should be sufficient. Tripwire for Servers can be configured to run a more frequent check on the critical files and then run less frequently on the entire file system. At the minimum, customers usually run a full scan every day, at off-peak hours, to verify system integrity.
Where can I find more information about Tripwire for Servers?
You can download the Tripwire for Servers and Tripwire Manager datasheet and/or attend one of our webcasts. In addition, you can also watch the Flash demo of the product that is available under the product section of the Tripwire Web site. If you wish, you can also call a Tripwire sales representative at 503.276.7500 for more information, or send an email to sales[ at ]tripwire[ dot ]com.