Knowing only that a file has changed is of little use unless you know what about the file, or what within the file, has changed. Each file has dozens of attributes that, if changed, could spell trouble. Tripwire can capture any of those attributes, providing essential information to help determine whether the change is harmful or harmless.
If you know exactly what within a file has been changed, you can quickly determine whether the change was high-risk, and you also have the information required to fix the issue. For any human-readable file type, Tripwire agents can harvest the actual content that was changed and show the character-for-character differences in a before-and-after view. It is just one more way Tripwire FIM does more than simply detect that a file has been changed.
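An added illustration, not Tripwire's implementation or code from the original post: a minimal Python sketch that records a baseline of file attributes and content, then reports which attributes changed together with a line-level before-and-after diff. The sample file, its contents and the function names are constructed for the example.

```python
import difflib
import hashlib
import os
import stat
import tempfile

def snapshot(path):
    """Record attributes and content of one file as a baseline entry."""
    st = os.stat(path)
    with open(path, "rb") as f:
        data = f.read()
    return {
        "mode": stat.filemode(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "sha256": hashlib.sha256(data).hexdigest(),
        "text": data.decode("utf-8", errors="replace"),
    }

def compare(old, new):
    """Return (changed attributes as {name: (before, after)}, content diff lines)."""
    attrs = {k: (old[k], new[k]) for k in old if k != "text" and old[k] != new[k]}
    diff = list(difflib.unified_diff(
        old["text"].splitlines(), new["text"].splitlines(),
        "baseline", "current", lineterm=""))
    return attrs, diff

def demo():
    # Constructed sample: a config-style file that is edited and chmod'ed
    # after the baseline was taken.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sshd_config")
        with open(path, "w") as f:
            f.write("Port 22\nPermitRootLogin no\n")
        os.chmod(path, 0o600)
        base = snapshot(path)
        with open(path, "w") as f:
            f.write("Port 22\nPermitRootLogin yes\n")
        os.chmod(path, 0o644)
        return compare(base, snapshot(path))

if __name__ == "__main__":
    attrs, diff = demo()
    for name, (before, after) in attrs.items():
        print(f"{name}: {before} -> {after}")
    print("\n".join(diff))
```

A hash mismatch alone would only say that the file changed; the attribute map and the diff show that the permissions were loosened and which setting was flipped.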
Who made the change?
Knowing who made a change can often determine whether a change is suspect or low-risk. But capturing the “who data” is not easy, so hardly any other FIM can provide this important information. Tripwire knows who made the change through the use of real-time detection agents. These agents do not require OS Auditing to be enabled on the device, which is something most IT professionals will not permit.
Be sure to keep watching for more True FIM—Tripwire FIM posts by Ed Rarick coming later this week.