Is Tripwire Still Relevant?
Deagol asks "I work for a good-sized University. I've heard that Tripwire and our software licensing department are negotiating for a site-license. I was asked to comment on whether our department would like to buy in. I personally lost interest in Tripwire when they went commercial (I guess seeing a well-respected research tool go proprietary soured the milk for me), and though I've toyed briefly with the 'open source' version, I mainly have experience with the Academic Source Release. Seeing how their demo is only a 'simulation' (how lame is that?), I can't get a feel for what the commercial version can really do for me. Does anyone know the value (if any) of commercial Tripwire over the free one; are there open source packages that have made Tripwire obsolete?"
I guess this will not answer your question about the advantage of the commercial tripwire over the open source one, but I have been using aide for some time now and it does a good job for me. I think it does the same as tripwire does (the version of 2 years ago, since that was the last time I used it).
[marc@scorpius marc]$ apt-cache show aide
Package: aide
Priority: optional
Section: admin
Installed-Size: 980
Maintainer: Mike Markley
Architecture: i386
Version: 0.9-2
Depends: libc6 (>= 2.3.1-1), debconf (>= 0.2.0)
Recommends: cron, mailx
Filename: pool/main/a/aide/aide_0.9-2_i386.deb
Size: 346316
MD5sum: a3610146e79608a34997450fdc56d74f
Description: Advanced Intrusion Detection Environment
AIDE creates a database from the regular expression rules that it finds
from the config file. Once this database is initialized it can be used to
verify the integrity of the files. It has several message digest algorithms
(md5,sha1,rmd160,tiger,haval,etc.) that are used to check the integrity of
the file. More algorithms can be added with relative ease. All of the usual
file attributes can also be checked for inconsistencies.
You will almost certainly want to tweak the configuration file in
/etc/aide/aide.conf. See manual.html for information on this file.
About 4 months ago, a Windows-knowledgeable colleague and my Unix-using self did a comparison of TripWire, ViperDB, Aide, Fcheck and another tool whose name escapes me. We were looking for speed, simplicity, effectiveness and portability (*nix/Win32).
FCheck ruled the day. It's easy to configure, works on *nix and Win32 (it's written in Perl), is very fast in operation (we found Tripwire to be unusably slow/CPU-intensive for regularly scheduled checks) and passed every functional test we threw at it. It logs to syslog so you can send output to a remote machine. And it's GPL'd.
As for Tripwire's proprietary version, my colleague reckoned the only benefit was the GUI. Personally I don't see the point of a GUI on a security tool which is meant to run unsupervised. I suppose it does reporting etc. but really, what more do you need other than "This file changed at dd/mm/yy, hh:mm.ss. The change was ....". A little bit of scripting will do everything else for you.
Yours Sincerely, Michael.
First off, if you only have to worry about a couple of machines, anything works pretty well.
Tripwire is good because it uses multiple hashing routines to figure out if something has changed (i.e. you can't pad a file with "0" until the hash is the same).
Additionally, the real strength in the commercial version of tripwire is the scalability. If you have hundreds of machines you need to monitor, the commercial version provides a central console which at a glance shows you what's going on across all your machines as far as changes. And the central console allows you to reconcile changes or revert to a known good state remotely.
All in all, if you only have a few boxen, don't buy it. If you have many and you don't want to spend all your time reconfiguring and updating a rules database, go for the commercial version.
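The two technical points made in this thread, the AIDE package description (regex rules select the files, several digests plus the usual file attributes are recorded) and the remark above about multiple hashing routines, come together in the small integrity checker below. It is an added example written for this page, not code from AIDE, Tripwire or any of the posters; the function names, the rule set and the sample files it creates in a temporary directory are all constructed here.

```python
import hashlib, os, re, stat, tempfile
from pathlib import Path

# Several digests plus inode attributes per file, AIDE-style: a tamper must defeat every check at once.
DIGESTS = ("md5", "sha1", "sha256")

def snapshot(path):
    """Attributes and digests recorded for one regular file."""
    st = os.lstat(path)
    rec = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "mtime": int(st.st_mtime)}
    hashers = {d: hashlib.new(d) for d in DIGESTS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {**rec, **{d: h.hexdigest() for d, h in hashers.items()}}

def build_db(root, rules):
    """Record every regular file under root whose relative path matches one of the regex rules."""
    root, db = Path(root), {}
    for p in sorted(root.rglob("*")):
        rel = str(p.relative_to(root))
        if p.is_file() and not p.is_symlink() and any(r.search(rel) for r in rules):
            db[rel] = snapshot(p)
    return db

def compare(old, new):
    """Added and removed files, plus which attributes differ for files present in both."""
    changed = {}
    for f in set(old) & set(new):
        diff = sorted(k for k in old[f] if old[f][k] != new[f][k])
        if diff:
            changed[f] = diff
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)), "changed": changed}

def demo():
    """Constructed scenario: an edit that preserves size and mtime is still caught by the digests."""
    rules = [re.compile(r"^etc/")]  # only etc/ is covered; scratch.log below is deliberately not
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        target = root / "etc" / "passwd"
        target.write_bytes(b"root:x:0:0:root:/root:/bin/bash\n")
        (root / "scratch.log").write_bytes(b"not covered by any rule\n")
        baseline = build_db(root, rules)
        target.write_bytes(b"root:x:0:0:root:/root:/bin/evil\n")  # same length as before
        os.utime(target, times=(baseline["etc/passwd"]["mtime"],) * 2)  # put the mtime back
        (root / "etc" / "shadow").write_bytes(b"root:*:0:0:::\n")
        return baseline, compare(baseline, build_db(root, rules))
```

Running demo() reports etc/shadow as added and etc/passwd as changed only in its three digests, since size, mode and mtime were all preserved; a real deployment would keep the baseline database and the checker itself on read-only or remote media, which is the part the tool cannot do for you.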