What to monitor
The first step in FIM is controlling what is monitored. There is no practical reason to monitor every file on every device or application all of the time. Tripwire provides a rules-based way to control which files are monitored for change and, for each of them, how closely: which properties of the file are captured and compared.
Tripwire harvests more properties about each change than any other FIM product.
Depending on the type of file and the risk it carries, the harvested properties provide the information needed to decide whether a change is "expected" or "suspect". Tripwire agents are purpose-built to detect and manage large volumes of change over time, and to capture the critical details of each change so that its risk to the environment can be assessed.
Managing the changes
When Tripwire is first deployed it takes a snapshot of the initial state of every monitored file, or element, and stores it in the database. We call this initial state the baseline: it is the first version of a monitored element, version 0. From that point on, any change to an element is detected, and only the properties that changed are captured and stored in the database as version 1 of the element; each later change adds a further delta version in the same way. These delta versions are kept indefinitely. The version-based architecture is compact (each version holds only what changed), fast and permanent: at any point in time the complete history of a single element can be reconstructed from its baseline and deltas, analyzed and acted upon.
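The two ideas above, rule-scoped monitoring (which files, and which properties for each) and a baseline plus delta-only version history, are shown together in the following small monitor. It is an added example written for this page, not Tripwire code or the Tripwire data model; the rule format, the property names "hash", "size" and "mode", and the sample files it creates in a temporary directory are all this example's own assumptions, and it expects a POSIX filesystem.

```python
"""Tiny file-integrity monitor: rule-scoped property harvesting, a full
baseline (version 0) and compact per-change delta versions.
Added example, not Tripwire code; assumes a POSIX filesystem."""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Rule:
    """Directory prefix in scope and the properties to harvest beneath it
    (property names "hash", "size" and "mode" are this example's own)."""
    prefix: str
    properties: tuple


def observe(path, properties):
    """Current values of the requested properties, or just the file's absence."""
    if not os.path.lexists(path):
        return {"present": False}
    st = os.lstat(path)
    available = {
        "size": lambda: st.st_size,
        "mode": lambda: stat.S_IMODE(st.st_mode),
        "hash": lambda: hashlib.sha256(Path(path).read_bytes()).hexdigest(),
    }
    out = {"present": True}
    out.update({p: available[p]() for p in properties})
    return out


class Monitor:
    def __init__(self, rules):
        self.rules = rules
        # element path -> [version 0 (full snapshot), version 1 (delta), ...]
        self.db = {}

    def rule_for(self, path):
        for rule in self.rules:
            if path.startswith(rule.prefix.rstrip(os.sep) + os.sep):
                return rule
        return None  # matches no rule: not monitored

    def baseline(self, root):
        """Version 0: a full snapshot of every in-scope element."""
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                rule = self.rule_for(path)
                if rule is not None:
                    self.db[path] = [observe(path, rule.properties)]

    def current_state(self, path):
        """Replay the deltas on top of the baseline to get the last known state."""
        state = {}
        for version in self.db[path]:
            state.update(version)
        return state

    def check(self):
        """Re-harvest each element; store and report only the properties that changed."""
        changed = {}
        for path, versions in self.db.items():
            now = observe(path, self.rule_for(path).properties)
            before = self.current_state(path)
            delta = {k: v for k, v in now.items() if before.get(k) != v}
            if delta:
                versions.append(delta)  # becomes the next version of the element
                changed[path] = delta
        return changed


def demo():
    """Exercise the monitor on a constructed sample tree; returns the findings."""
    root = Path(tempfile.mkdtemp())
    conf, log, scratch = root / "conf/app.conf", root / "log/app.log", root / "tmp/scratch"
    for path, data in [(conf, b"listen=127.0.0.1\n"), (log, b"started\n"), (scratch, b"x")]:
        path.parent.mkdir()
        path.write_bytes(data)
        path.chmod(0o644)
    rules = [
        Rule(str(root / "conf"), ("hash", "size", "mode")),  # high risk: harvest everything
        Rule(str(root / "log"), ("mode",)),  # expected to grow: watch permissions only
    ]  # tmp/ matches no rule and is not monitored at all
    mon = Monitor(rules)
    mon.baseline(str(root))
    # Round 1: config rewritten and made world-writable, log appended, scratch touched
    conf.write_bytes(b"listen=0.0.0.0\n")
    conf.chmod(0o666)
    with log.open("ab") as f:
        f.write(b"request\n")
    scratch.write_bytes(b"yy")
    first = mon.check()
    conf.chmod(0o644)  # Round 2: permissions restored, content left as is
    second = mon.check()
    return {"conf": str(conf), "log": str(log), "first": first, "second": second,
            "history": mon.db[str(conf)], "state": mon.current_state(str(conf)),
            "monitored": sorted(mon.db)}
```

Calling demo() walks through both checks: the first round reports only conf/app.conf, with its changed hash, size and mode, because the log rule harvests permissions only and tmp/ is outside every rule; the second round adds a version holding nothing but the restored mode. The element's history is then three versions, and current_state replays them to recover the latest known state without ever storing a second full snapshot.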