Tripwire for Servers
Tripwire for Servers — configuration control for servers and desktops
Tripwire® for Servers lets organizations regain configuration control of servers and desktop machines by alerting IT to improper change to key system files, directories and registries. Organizations first manually configure each monitored server and desktop the way they want, and then Tripwire for Servers agents detect any changes from that desired configuration. For many public, private and governmental organizations, Tripwire for Servers is a must for achieving compliance with important regulations or standards like the Federal Desktop Core Computing (FDCC) and ensuring the sensitive data that resides on agency desktops and servers is secure.
Upgrade to Tripwire Enterprise
Upgrading a Tripwire for Servers implementation to Tripwire Enterprise adds more intelligence and automation to your solution.
Tripwire for Servers
Improper Change Detection
Detects improper change, including additions to, deletions from and modifications of file systems. It also determines what changed and where and when the change was made. In addition, it helps support change management processes, audits and data forensics by identifying the source of improper change through correlating event logs to Tripwire integrity reports.
Identifies Source of Improper Change by correlating event logs to Tripwire integrity reports, helping support change management processes, audits and data forensics.
Easy Management of Change Monitoring Policies
Simplifies and eases management of change monitoring policies with an intuitive interface that allows rapid set-up and "noise" reduction from non-critical alerts. It also lets users easily add, delete, or modify policies.
Improper Change Alerts
Alerts to improper change when and where needed with alerts sent in multiple ways–email, syslog, SNMP traps, XML and HTML output to the Tripwire Manager console–to ensure IT receives them.
Appropriate Detail Level of Information
Provides just the right level of information with high-level views that provide management with a picture of overall health and drill down to details that help technical staff remediate issues.
Automated Rollback
Supports automated rollback by triggering custom command line scripts that automatically restore files to the last known good state. Support for command line scripts can also extend reporting and notification capabilities.
Broad Platform Support
Offers broad platform support, monitoring machines–even virtual machines–running Windows, Linux, Solaris, HP-UX, and AIX. And when used with Tripwire Manager, Tripwire for Servers provides a single point of control to manage change to servers and desktops across the enterprise.
Tripwire Manager
Tripwire Manager centralizes management and reporting for multiple Tripwire for Servers installations on a variety of platforms–all without requiring a persistent connection.
Tripwire for Servers
Windows
Versions
- Windows NT 4.0 SP6a*
- Windows 2000 Professional, Server and Advanced Server (Service Packs 3 and 4)
- Windows Server 2003 (up to Service Pack 2) (x86 and x64)
- Windows Server 2008 R1 Service Pack 2 (x86 and x64) and R2 (x64)
- Windows XP Professional (up to Service Pack 2)
- Windows Vista Business, Ultimate and Enterprise Editions (with no Service Packs)
*Supported through an earlier version of Tripwire For Servers, contact support for information.
Recommended
- Pentium-class processor
- Intel Xeon and AMD Opteron (for x64 Edition)
- 128 MB RAM
- 12 MB disk space
Solaris
Versions
- Solaris (SPARC) 2.6*, 7, 8, 9 & 10
*Supported through an earlier version of Tripwire For Servers, contact support for information.
Recommended
- SPARC 2-class processor or above
- Sun recommended current patch level for all versions
- 128 MB RAM
- 56 MB disk space
Solaris on x64/x86
Versions
- Solaris 10 on x64/x86
Recommended
- Pentium class processor or above
- 150 MB RAM
- 33 MB disk space
IBM AIX
Versions
- AIX 4.3.3*, 5.1*, 5.2 & 5.3
*Supported through an earlier version of Tripwire For Servers, contact support for information.
Recommended
- RS/6000 class processor or above
- 128 MB RAM
- 56 MB hard disk space
Linux
Versions
- Red Hat Enterprise Linux 3 & 4 AS, ES & WS, and 5 Server and Workstation
- Red Hat 7.1*, 7.2*, 7.3*, 8.0* & 9.0*
- SUSE 8.0*, 8.1* (on x86)
- SUSE EL 9 (on x86_64 and ia64)
- Fedora Core 2*
- Debian 2.2*
- Mandrake 8.2*
- Slackware 8.0*
*Supported through an earlier version of TFS, contact support for information.
Recommended
- Pentium-class processor or above
- Intel Xeon and AMD Opteron (RHEL 3, 4 & 5, SUSE EL 9)
- Intel Itanium (for Red Hat Enterprise Linux and SUSE EL 9)
- Linux (x86) kernel 2.4 or higher
- glibc 2.3 and higher
- 128 MB RAM
- 25 MB disk space (Itanium II processor - 41 MB disk space)
FreeBSD
Versions
- (x86) 4.5*, 4.6*, 4.7*, 4.10* & 5.3
*Supported through an earlier version of TFS, contact support for information.
Recommended
- Pentium-class processor or above
- 128 MB RAM
- 21 MB disk space
HP-UX
Versions
- HP-UX 10.2*, 11, 11i v1 & 11i v2 (PA-RISC)
*Supported through an earlier version of TFS, contact support for information.
Recommended
- PA-RISC 1.1 processor or higher
- 128 MB RAM
- 67 MB hard disk space
HP-UX 11i v2 (Itanium)
Versions
- 11i v2
*Supported through an earlier version of TFS, contact support for information.
Recommended
- Intel Itanium
- 128 MB RAM
- 82 MB hard disk space
Compaq Tru64 UNIX
Versions
- Tru64 UNIX 4.0F*, 4.0G*, 5.0A*, 5.1*, 5.1A* & 5.1B (Alpha)
*Supported through an earlier version of TFS, contact support for information.
Recommended
- Alpha processor
- 128 MB RAM
- 49 MB disk space
Tripwire Manager
Windows
Versions
- 2000 SP3 or SP4
- 2003 up to SP2
- Windows Vista
- XP Pro up to SP2
Recommended
- Pentium IV class processor or above
- 1024 MB RAM
- 75 MB disk space (150 MB for installation)
Solaris
Versions
- Solaris (SPARC) 7, 8, 9 & 10
Recommended
- Sun UltraSPARC II or higher processor
- 1024 MB RAM
- 86 MB disk space (229 MB for installation)
- X Window System
Linux
Versions
- Red Hat Enterprise Linux 3 & 4 AS, ES & WS (on x86) & 5 Server and Workstation (on x86)
Recommended
- Pentium IV class processor or above
- 1024 MB RAM
- 85 MB disk space (167 MB for installation)
- X Window System
What is Tripwire for Servers?
Tripwire for Servers is configuration control software that provides IT system administrators the ability to report on in-depth file system and registry changes on Windows, UNIX and Linux systems. This provides improved visibility of both authorized and unauthorized changes, and greater accountability for those changes, which ultimately results in increased server availability and enhanced security. It also ensures compliance with policies and change and IT configuration management processes.
What does Tripwire for Servers do?
Tripwire for Servers monitors all file and registry changes–whether they originate inside or outside of your organization or are accidental or malicious in nature. It identifies configuration changes to system attributes including hash values, file size, access flags, access time, write time, ACLs, inode number, security descriptors and more, and displays them in easy-to-read reports. Tripwire for Servers can receive commands from Tripwire Manager regarding system functions and reports back accordingly.
What is Tripwire Manager?
Tripwire Manager is a fully functional, cross-platform management console that allows system and security professionals to easily manage all installations of Tripwire for Servers software across an enterprise network. Tripwire Manager eliminates the need to manually monitor multiple discrete installations of Tripwire for Servers. Instead, IT professionals have a comprehensive view of configuration change information from a single, centralized console. Tripwire Manager also enables you to view and analyze reports from installations of Tripwire for Servers.
Do I need Tripwire Manager to operate Tripwire for Servers?
No, you can operate an individual Tripwire for Servers installation as a standalone application. However, managing any more than five Tripwire for Servers installations without Tripwire Manager is generally found to be inefficient and time consuming.
How many machines can Tripwire Manager control?
Tripwire Manager allows you to manage the functions of Tripwire for Servers on up to 2,500 machines. Depending upon your system, Tripwire Manager may be able to manage many more.
Can Tripwire Manager alert me when an agent goes down?
Yes, Tripwire Manager displays an obvious graphical cue when a system is unavailable. The status information displayed for the affected system will explain whether the host system is unreachable or the Tripwire service is down. In addition, the 'Email no violations' function on critical servers may be used for alerting; if you stop receiving the 'No violations' email from targeted critical servers, either Tripwire has been disabled or the server is down.
Can I use Tripwire Manager to compare one server’s file system to other servers?
Yes, using Tripwire Manager you can replicate one server's integrity system (including the baseline snapshot) and deploy this to the other servers that you need to compare against. This is very useful in eliminating configuration drift, ensuring that all the production servers match policy.
How does Tripwire for Servers work?
Tripwire for Servers works by creating a baseline snapshot (database) of a server's file system in a known and trusted state. It then takes subsequent snapshots and compares the differences, if any, and reports any changes to files, file attributes and the Windows Registry.
Is the Tripwire snapshot secured?
Yes, the snapshot is cryptographically signed with a 1024-bit cryptography algorithm that detects any unauthorized tampering. A user can also sign the report, policy and configuration file for each Tripwire for Servers installation. The default policy file also monitors the Tripwire binary files, essentially using Tripwire to monitor Tripwire.
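The baseline-and-compare cycle and the tamper-evident snapshot described in the two answers above, as an added example that is not Tripwire code or its database format. HMAC-SHA256 stands in for the product's signing scheme, and the function names, key and sample files are constructed for illustration.

```python
import hashlib, hmac, json, os, tempfile
from pathlib import Path

def snapshot(root):
    """Record hash, size, mode, mtime and inode for every file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
            snap[os.path.relpath(path, root)] = {
                "sha256": digest, "size": st.st_size, "mode": st.st_mode,
                "mtime_ns": st.st_mtime_ns, "inode": st.st_ino}
    return snap

def seal(snap, key):
    # Canonical JSON plus a keyed MAC (assumption: stand-in for real signing).
    body = json.dumps(snap, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def open_sealed(body, tag, key):
    # Refuse to compare against a baseline that was altered after sealing.
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline failed integrity check")
    return json.loads(body)

def compare(baseline, current):
    # Report additions, deletions, and which attributes changed per file.
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "modified": {}}
    for path in sorted(set(baseline) & set(current)):
        changed = sorted(k for k in baseline[path]
                         if baseline[path][k] != current[path][k])
        if changed:
            report["modified"][path] = changed
    return report

def demo():
    key = b"constructed-demo-key"  # constructed; keep real keys off the host
    with tempfile.TemporaryDirectory() as root:
        Path(root, "app.conf").write_bytes(b"port=443\n")   # constructed files
        Path(root, "old.dll").write_bytes(b"v1")
        body, tag = seal(snapshot(root), key)               # trusted baseline
        Path(root, "app.conf").write_bytes(b"port=8080\n")  # modification
        Path(root, "old.dll").unlink()                      # deletion
        Path(root, "new.dll").write_bytes(b"x")             # addition
        return compare(open_sealed(body, tag, key), snapshot(root))
```

The MAC only helps if the key and the sealed baseline are stored where an administrator-level intruder on the monitored host cannot rewrite both.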
Can reports be exported?
Yes, reports can be exported from Tripwire for Servers in an XML or HTML format. This is helpful if the user wants to view reports from a Web browser. Reports can also be sent to the syslog/event logs.
Can wildcards be used in the policy file?
Yes, wildcards can be used in the policy file to make developing policy files easier. For example, if a user wants to scan all dll files in a certain folder or directory, they would be able to use *.dll. A user can use wildcards for both inclusion and exclusion (for example, monitor all files of a certain type or do not monitor any files of a certain type).
How does Tripwire for Servers track "who made the change?"
Tripwire for Servers tracks the identity of who made the change by correlating the information from the operating system's event and audit log with the change information that is detected by Tripwire for Servers. It uses this information to provide the identity of who made a certain change. Since we rely on the operating system to gather this information, the product only captures the "who" information from the operating systems that track this. Linux and FreeBSD do not track this information. This feature is called Event Log Correlation.
Does event tracking correlation require auditing to be turned on to determine "who" made a change?
Yes, auditing does have to be turned on for each directory or object for which a user would like this information.
What is Integrated Command Execution (ICE)?
ICE is a feature that can be used to execute a command when a change violation is identified. This can be configured for each file being monitored or entire directories on a server.
Can the Integrated Command Execution function be used to automatically back up files that are changed?
A user could develop a script to be automatically executed using the ICE function that would go to a user's backup system and replace the specific files that were violated. This function is specified for each rule within the policy file.
What if I delete Tripwire for Servers keys, and then replace policy, config and database files with my own signed versions that tell Tripwire software to check nothing?
Each Tripwire for Servers report details when the database was last updated, providing a quick benchmark detailing if or when the data files have been replaced. In order to replace these files, an attacker requires root or administrator level privileges and must know where Tripwire for Servers has been installed. On a properly secured system, gaining this level of access takes time and leaves physical evidence behind for Tripwire for Servers to detect prior to the system being compromised. Methods for reducing the risk of an intruder being able to replace a Tripwire for Servers installation include:
- Hiding the application by renaming configuration, data, and binary files and installing to a hidden location.
- Installing Tripwire for Servers to a read-only partition such as a CD-ROM.
Can I specify who receives an email based on different change violations?
Tripwire for Servers permits users to designate different email addresses within the policy file. For example, the Webmaster should receive an email if the configuration settings on the Web site have been altered, but the IT staff should be alerted if a new user account has been added.