Tripwire for Servers is Configuration Audit and Control software that gives IT system administrators the ability to report on in-depth file system and registry changes on Windows, UNIX and Linux systems. This provides improved visibility of both authorized and unauthorized changes, and greater accountability for those changes, which ultimately results in increased server availability and enhanced security, and ensures compliance with policies and with change and configuration management processes.
Tripwire for Servers monitors all file and registry changes, whether they originate inside or outside of your organization and whether they are accidental or malicious in nature. Tripwire for Servers identifies configuration changes to system attributes including hash values, file size, access flags, access time, write time, ACLs, inode number, security descriptors and more, and displays them in easy-to-read reports. It silently listens for Tripwire Manager to give it commands regarding system functions and reports back accordingly.
Tripwire Manager is a fully functional, cross-platform management console that allows system and security professionals to easily manage all installations of Tripwire for Servers software across an enterprise network. Tripwire Manager eliminates the need to manually monitor multiple discrete installations of Tripwire for Servers. Instead, IT professionals have a comprehensive view of configuration change information from a single, centralized console. Tripwire Manager also enables you to view and analyze reports from installations of Tripwire for Servers.
No, you can operate individual Tripwire for Servers installations as standalone applications. However, managing any more than 5 Tripwire for Servers installations without Tripwire Manager is generally found to be inefficient, time consuming and tedious.
Tripwire Manager allows you to manage the functions of Tripwire for Servers on up to 2,500 machines. Depending upon your system, Tripwire Manager may be able to manage much more.
Yes, Tripwire Manager displays an obvious graphical cue when a system is unavailable. The status information displayed for the affected system will explain whether the host system is unreachable or the Tripwire service is down. An additional method of alerting is to use the 'Email no violations' function on critical servers. If you stop receiving the 'No violations' email from targeted critical servers, either Tripwire has been disabled or the server is down. What about the "Down machine" notification trigger to send emails? Wouldn't this be better?
Yes, using Tripwire Manager you can replicate one server's integrity system (including the baseline snapshot) and deploy this to the other servers that you need to compare against. This is very useful in eliminating configuration drift, ensuring that all the production servers match policy.
Tripwire for Servers works by creating a baseline snapshot (database) of a server's file system in a known and trusted state. It then takes subsequent snapshots and compares the differences, if any, and reports any changes to files, file attributes and the Windows Registry.
Yes, the snapshot is cryptographically signed using a 1024-bit algorithm, so any unauthorized tampering is detected. A user can also sign the report, policy and configuration file for each Tripwire for Servers installation. The default policy file also monitors the Tripwire binary files, essentially using Tripwire to monitor Tripwire.
Yes, reports can be exported from Tripwire for Servers in an XML or HTML format. This is helpful if the user wants to view reports from a Web browser. Reports can also be sent to the syslog/event logs.
Yes, wildcards can be used in the policy file to make developing policy files easier. For example, if a user wants to scan all dll files in a certain folder or directory, they would be able to use *.dll. A user can use wildcards for both inclusion and exclusion (for example, monitor all files of a certain type, or do not monitor any files of a certain type).
Tripwire for Servers tracks the identity of who made the change by correlating the information from the operating system's event and audit log with the change information that is detected by Tripwire for Servers. It uses this information to provide the identity of who made a certain change. Since we rely on the operating system to gather this information, the product only captures the "who" information from the operating systems that track this. Linux and FreeBSD do not track this information. This feature is called Event Log Correlation.
Yes, auditing does have to be turned on for each directory or object for which a user would like this information.
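The two answers above describe Event Log Correlation: a detected change is joined with the operating system's object-access audit trail to name the user who made it, and the "who" is only available where the OS actually records object access. The following Python sketch is an added example, not Tripwire code; the audit record format, user names, paths and timestamps are constructed for illustration, and the case-insensitive path comparison is an assumption modelled on Windows paths.

```python
import re
from datetime import datetime

# Constructed audit records (not a real Windows or UNIX log format): timestamp, user,
# object path, and the kind of access the operating system recorded.
AUDIT_LOG = """\
2004-03-01T02:10:05 user=svc_backup object=C:\\inetpub\\wwwroot\\index.html access=READ
2004-03-01T02:14:31 user=jdoe object=C:\\inetpub\\wwwroot\\index.html access=WRITE
2004-03-01T02:15:02 user=jdoe object=C:\\inetpub\\wwwroot\\index.html access=WRITE
2004-03-01T03:00:10 user=SYSTEM object=C:\\Windows\\System32\\drivers\\etc\\hosts access=WRITE
2004-03-01T05:30:00 user=jdoe object=C:\\Windows\\System32\\drivers\\etc\\hosts access=WRITE
"""

AUDIT_RE = re.compile(r"^(\S+) user=(\S+) object=(.+?) access=(\S+)$")
# Access types that can explain a changed hash, size, timestamp or permission.
WRITE_ACCESSES = {"WRITE", "DELETE", "SETATTR"}


def parse_audit(text):
    """Turn the constructed audit text into dicts with a datetime; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if m:
            ts, user, obj, access = m.groups()
            records.append({"time": datetime.fromisoformat(ts), "user": user,
                            "object": obj, "access": access})
    return records


def attribute_change(path, audit, last_clean, detected):
    """Users who had write-type access to `path` between the last clean check and the check
    that detected the change. An empty list means the OS recorded nothing: auditing is off
    for that object, or the platform does not record object access at all."""
    users = {r["user"] for r in audit
             if r["object"].lower() == path.lower()      # assumption: case-insensitive paths
             and r["access"] in WRITE_ACCESSES
             and last_clean <= r["time"] <= detected}
    return sorted(users)


def demo():
    """Correlate three constructed change reports with the constructed audit trail."""
    audit = parse_audit(AUDIT_LOG)
    last_clean = datetime(2004, 3, 1, 2, 0, 0)   # previous check reported no violations
    detected = datetime(2004, 3, 1, 4, 0, 0)     # check that reported the changes
    changed_paths = [r"C:\inetpub\wwwroot\index.html",
                     r"C:\Windows\System32\drivers\etc\hosts",
                     r"C:\Program Files\App\config.ini"]   # nothing audited for this object
    return {p: attribute_change(p, audit, last_clean, detected) for p in changed_paths}


if __name__ == "__main__":
    for path, users in demo().items():
        print(f"{path}: {', '.join(users) if users else 'unknown (no audit record)'}")
```

The read-only access by svc_backup and the write that happened after the detecting check are both excluded, so only the accesses that could have produced the observed change are reported; the third path returns an empty list, which is exactly the case the answer above warns about when auditing is not enabled for an object.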
ICE is a feature that can be used to execute a command when a change violation is identified. This can be configured for each file being monitored or entire directories on a server.
A user could develop a script to be automatically executed using the ICE function that would go to a user's back up system and replace the specific files that were violated. This function is specified for each rule within the policy file.
Each Tripwire for Servers report details when the database was last updated, providing a quick benchmark detailing if or when the data files have been replaced. In order to replace these files, an attacker requires root or administrator level privileges and must know where Tripwire for Servers has been installed. On a properly secured system, gaining this level of access takes time and leaves physical evidence behind for Tripwire for Servers to detect prior to the system being compromised. Methods for reducing the risk of an intruder being able to replace a Tripwire for Servers installation include:
Hiding the application by renaming configuration, data, and binary files and installing to a hidden location.
Installing Tripwire for Servers to a read-only partition such as a CD-ROM.
Tripwire for Servers permits users to designate different email addresses within the policy file. For example, the Webmaster should receive an email if the configuration settings on the Web site have been altered, but the IT staff should be alerted if a new user account has been added.
If log files are being rotated automatically every day, it makes sense to have Tripwire for Servers monitor the log file not for size or content, but for permissions and access control information. This alerts administrators to a change in who has access to the log file instead of constantly alerting them whenever the size or content has been modified.
File contents cannot be spoofed past Tripwire for Servers' hash checks. Tripwire for Servers hashes the contents of each file to make sure that they have not changed from their known and trusted state, and it is mathematically infeasible to spoof multiple hashes of a file. Tripwire for Servers does not inspect network packets to validate authenticity; that is the role of a good network IDS or firewall. Tripwire for Servers can be used, however, to ensure that the configurations of your network IDS or firewall have not been altered.
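Several answers above describe the same mechanism from different angles: a baseline snapshot of file attributes compared against later snapshots, wildcard inclusion and exclusion in the policy, per-rule attribute selection so that a rotated log is watched for permissions but not for size or content, and more than one content hash per file. The Python sketch below is an added example of that model, not Tripwire's code, and it does not reproduce the product's policy-file syntax: the rule structure, rule names, sample directory tree and file contents are all constructed for the illustration.

```python
import fnmatch
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Attributes the checker records per file. sha256 and md5 are content hashes
# (two independent digests, as the text describes); the rest come from lstat().
ALL_ATTRS = ("sha256", "md5", "size", "mode", "uid", "gid", "mtime", "inode")
# For rotated logs: ignore size, content and time; watch only permission and ownership.
PERMS_ONLY = ("mode", "uid", "gid")


def snapshot_file(path):
    """Record every attribute of one file; the policy decides later which ones to compare."""
    st = os.lstat(path)
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
            "mtime": st.st_mtime_ns, "inode": st.st_ino}


def matching_rule(relpath, policy):
    """First rule whose include wildcard matches relpath and no exclude wildcard matches it."""
    for rule in policy:
        if fnmatch.fnmatch(relpath, rule["include"]) and not any(
                fnmatch.fnmatch(relpath, ex) for ex in rule.get("exclude", ())):
            return rule
    return None


def take_snapshot(root, policy):
    """Walk root and snapshot every regular file that some policy rule selects."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.isfile(full) and matching_rule(rel, policy) is not None:
                db[rel] = snapshot_file(full)
    return db


def compare(baseline, current, policy):
    """Diff two snapshots; for files in both, compare only the attributes the matching rule names."""
    violations = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            violations.append((rel, "removed", None))
        elif rel not in baseline:
            violations.append((rel, "added", None))
        else:
            rule = matching_rule(rel, policy)
            attrs = rule["attrs"] if rule else ALL_ATTRS
            changed = tuple(a for a in attrs if baseline[rel][a] != current[rel][a])
            if changed:
                violations.append((rel, "changed", changed))
    return violations


def demo():
    """Constructed sample tree: baseline it, simulate activity, return violations keyed by path."""
    policy = [  # hypothetical policy structure; the product's own policy-file syntax is not shown
        {"name": "logs", "include": "var/log/*", "attrs": PERMS_ONLY},
        {"name": "dlls", "include": "lib/*.dll", "attrs": ALL_ATTRS},
        {"name": "system", "include": "etc/*", "exclude": ("etc/*.bak",), "attrs": ALL_ATTRS},
    ]
    with tempfile.TemporaryDirectory() as root:
        seed = {"etc/hosts": b"127.0.0.1 localhost\n", "var/log/app.log": b"service started\n",
                "lib/core.dll": b"MZ original code", "lib/readme.txt": b"no rule covers me\n"}
        for rel, data in seed.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
            os.chmod(p, 0o644)
        baseline = take_snapshot(root, policy)

        # Activity between two integrity checks
        with open(Path(root, "var/log/app.log"), "ab") as fh:
            fh.write(b"many more lines\n")                     # log grew: allowed by the logs rule
        os.chmod(Path(root, "var/log/app.log"), 0o640)          # permission change: reported
        Path(root, "lib/core.dll").write_bytes(b"MZ modified")  # content change: reported
        Path(root, "lib/extra.dll").write_bytes(b"MZ new")      # new file under a rule: reported
        Path(root, "etc/hosts").unlink()                        # deletion: reported
        Path(root, "etc/hosts.bak").write_bytes(b"x\n")         # matches the exclude wildcard: ignored
        Path(root, "lib/readme.txt").write_bytes(b"y\n")        # no rule selects it: ignored

        current = take_snapshot(root, policy)
        return {path: (kind, details) for path, kind, details in compare(baseline, current, policy)}


if __name__ == "__main__":
    for path, (kind, details) in demo().items():
        print(f"{kind:8s} {path}  {details or ''}")
```

The log rule is what makes the rotated-log advice concrete: the appended lines change size, content hashes and write time, but none of those attributes are in the rule, so only the chmod is reported. The dll rule compares everything, so the rewritten core.dll shows up with both digests differing at once, which is the property the answer above relies on when it says multiple hashes cannot be spoofed together.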
Yes, one policy file can be used on any number of machines running Tripwire for Servers, as long as the platforms are the same. Tripwire Manager allows you to edit one policy file and then distribute it to all the machines that you want to update.
Under normal conditions, it should take no longer than 5 minutes to install Tripwire for Servers on a single machine and 30 minutes to install Tripwire Manager. You do not need root privileges to install Tripwire for Servers.
Tripwire for Servers should be installed on any server that needs to be monitored for change. Typical servers include email servers, Web servers, firewalls, transaction servers, development servers, etc. Any server where it is imperative to identify if and when a file system change has occurred should be monitored with Tripwire for Servers. Even critical workstations that need monitoring should have Tripwire for Servers deployed on them.
This depends on how critical the files being monitored are. If they are very critical, then an integrity check can and should be run more frequently, say every hour. If files are less critical, then a once-a-day check should be sufficient. Tripwire for Servers can be configured to run a more frequent check on the critical files and a less frequent check on the entire file system. At a minimum, customers usually run a full scan every day, at off-peak hours, to verify system integrity.
You can download the Tripwire for Servers and Tripwire Manager datasheet and/or attend one of our webcasts. In addition, you can also watch the Flash demo of the product that is available under the product section of the Tripwire Web site. If you wish, you can also call a Tripwire sales representative at 503.276.7500 for more information, or send an email to sales@tripwire.com.