
PCPro-Computing in the Real World Printed from www.pcpro.co.uk


Tripwire for Servers 4/Tripwire Manager 4

Verdict

Expensive, but an unusual and sophisticated security tool for protecting servers.

Review Date: 20 Aug 2003

Price when reviewed: (exc VAT) Manager and five Server licences

Overall Rating
4 stars out of 6

Tripwire has carved itself a slice of the change-management market by offering a range of products that monitor network systems and either prevent or log any modifications made to their system files. Tripwire for Network Devices looks after the configuration files on switches, hubs and routers, while Tripwire for Servers (TS) on review looks after, well, servers.

TS functions by taking a snapshot of selected system data and then using this as a baseline against which it checks to see if any modifications have been made. If it detects a change, it sends out warnings to the administrator who can view reports to see what has happened and who made the changes. If they're acceptable, the baseline may be updated to reflect them, or you can reinstate the file back to its original condition.

A policy file determines what's to be monitored and consists of a text file that may be modified to suit. You can specify files, folders and Registry keys that you want monitored, and TS comes with a default policy for Windows 2000 Server systems. It identifies common components such as critical startup files, network configuration files and Registry entries, but can be customised to suit your particular circumstances. This is probably the most complex part of TS, as it will take plenty of practice to familiarise yourself with the myriad of commands, but Tripwire makes things easier with the policy-builder tool on its website.

Installation is swift, and anyone brave enough can run TS as a standalone app on each server. However, this could prove tedious, as all contact is via the Command Prompt - it's far easier to install the TS agent on each server and manage everything remotely from the Tripwire Manager component. Adding new systems to the Manager interface is a lengthy process, as no discovery routines are provided. You have to add each one manually or create a CSV file listing each system's hostname, IP address and port.

Security is good, as TS maintains encrypted passphrases for the Manager along with site and local versions for each monitored system. The Manager streamlines policy creation and editing by offering a graphical interface from which you can view each server's file system and Registry and select items to be monitored.

Once you've created a policy, it needs to be distributed to the relevant systems and their local databases initialised with the new values. Only then can you run integrity checks to monitor the data included in the policy. It took a while to get to grips with the commands, but we succeeded in creating rules to check the condition of various files. We received reports when TS spotted that these had been subsequently changed, along with information about who had made the modifications.
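The baseline-and-check cycle described above (initialise a database from the policy, run an integrity check, then accept the changes into the baseline), as an added Python example that is not Tripwire's code. The policy format (a list of paths), the function names and the sample files are assumptions; it covers files and folders only and does not record who made a change.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def file_record(path):
    """(sha256, size, mode) for one file."""
    st = os.stat(path)
    return (hashlib.sha256(Path(path).read_bytes()).hexdigest(), st.st_size, st.st_mode)

def snapshot(policy):
    """Baseline database for a policy: a list of file or folder paths
    (hypothetical format, not Tripwire's policy language)."""
    db = {}
    for root in policy:
        if os.path.isdir(root):
            for d, _, names in os.walk(root):
                for n in names:
                    db[os.path.join(d, n)] = file_record(os.path.join(d, n))
        elif os.path.isfile(root):
            db[root] = file_record(root)
    return db

def integrity_check(baseline, policy):
    """Report files added, removed or changed since the baseline."""
    current = snapshot(policy)
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }

def demo():
    """Constructed sample: baseline, modify, check, accept, re-check."""
    with tempfile.TemporaryDirectory() as d:
        boot, hosts, new = (os.path.join(d, n) for n in ("boot.ini", "hosts", "run.bat"))
        Path(boot).write_text("timeout=30\n")
        Path(hosts).write_text("127.0.0.1 localhost\n")
        baseline = snapshot([d])               # initialise the database
        Path(hosts).write_text("10.0.0.9 update.example\n")  # edit after baseline
        os.remove(boot)                        # monitored file deleted
        Path(new).write_text("")               # unexpected new file
        report = integrity_check(baseline, [d])
        accepted = snapshot([d])               # administrator accepts the changes
        return report, integrity_check(accepted, [d]), (boot, hosts, new)

if __name__ == "__main__":
    print(demo()[0])
```

The baseline database is only as trustworthy as its storage: an attacker who can rewrite it can hide changes, which is why a real deployment keeps it signed or off the monitored host.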

Tripwire for Servers provides an unusual solution to protecting critical data on key servers and, although it looks a costly option, it does offer peace of mind. You know this data can be protected and swiftly reinstated if unauthorised changes are found.

Author: Dave Mitchell
