TS uses policy files that contain information about the files and keys to be monitored and the responses it should make if changes are found. It provides a report on its findings. If you don't like the changes made you can swiftly restore a file, or key, back to its original state using this snapshot. If the modifications are acceptable you can ask TS to create a new baseline with these changes included.
Not just anyone can play with TS. It offers some impressive security features by encrypting policy, configuration, database and report files - so you'll need to know multiple passphrases to use the software.
TS can be run as a standalone application on each system. However, this will swiftly become tedious for larger sites as all configuration and monitoring is via the command prompt. Even the policy files start out as text files that must be manually edited. We strongly recommend stumping up the extra cash for the Tripwire Manager component as this will make your life a lot easier. Each monitored server will require an extra TS agent installed to be accessed by the Manager but it will allow you to keep an eye on all systems and deploy policies from a central location.
Smart feature
The graphical interface makes policy creation far more pleasant as you can remotely view each server's file system and pick and choose which items you want to monitor. Each instance is added to a policy as a rule. A smart feature is the option to assign various actions to each rule, such as e-mailing a member of the support staff if a particular file has been changed. Once you're happy with your policy you then distribute it to selected systems. When this is completed you will need to update the local database, although all this can be carried out easily from the Manager console. Once completed you can run integrity checks on each server.
The Manager provides a clear indication of the action with a large pie chart showing which systems are currently being checked, those that are receiving new policies or having their database updated, and those that are idle. A chart below also offers a bar graph showing if any violations have been detected. If there are, you can select a system, choose the Report option and see what triggered the Tripwire alert. Checks can be run manually at any time but the Manager provides scheduling tools so you can run these daily, weekly or monthly, or at any interval you choose.
We were impressed with Tripwire for Network Devices and the same applies to Tripwire for Servers. Change management is normally viewed as a luxury only enterprises can afford. While this software doesn't come cheap, it brings these tools to the smaller business that needs to ensure critical systems aren't tampered with.
Tripwire for Servers is in the enviable position of having little, if any, competition, as few network management products offer this type of protection for servers. Deployment will be a problem on large networks and administrators may be tempted (as we were) to use the same passphrase for every system to reduce the workload.
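The policy, baseline, check and accept cycle described in this review, as an added Python sketch that is not Tripwire's code or its policy format. The rule fields (`path`, `action`), the function names and the sample tree are assumptions, and the baseline is sealed with a passphrase-keyed HMAC in place of the encryption the product applies, to show why the database needs protecting at all.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def snapshot(policy):
    """Hash every file covered by a rule (file or directory): {path: sha256}."""
    roots = [Path(r["path"]) for r in policy]
    files = [p for root in roots for p in ([root] if root.is_file() else sorted(root.rglob("*")))]
    return {str(p): hashlib.sha256(p.read_bytes()).hexdigest() for p in files if p.is_file()}

def _tag(body, passphrase):
    # Key derived from the passphrase; the salt is a constructed constant for this sketch.
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b"constructed-salt", 100_000)
    return hmac.new(key, body.encode(), "sha256").hexdigest()

def seal(snap, passphrase):
    """Serialise the baseline with a tag so edits to the database are detectable."""
    body = json.dumps(snap, sort_keys=True)
    return {"body": body, "tag": _tag(body, passphrase)}

def unseal(sealed, passphrase):
    """Refuse a baseline that was altered or sealed under another passphrase."""
    if not hmac.compare_digest(_tag(sealed["body"], passphrase), sealed["tag"]):
        raise ValueError("baseline failed its integrity check")
    return json.loads(sealed["body"])

def check(policy, sealed, passphrase):
    """Compare the live files with the baseline: [(kind, path, rule action)]."""
    base, now, found = unseal(sealed, passphrase), snapshot(policy), []
    for path in sorted(base.keys() | now.keys()):
        if base.get(path) != now.get(path):
            kind = "added" if path not in base else "removed" if path not in now else "modified"
            action = next(r["action"] for r in policy if Path(path).is_relative_to(r["path"]))
            found.append((kind, path, action))
    return found

def demo():
    """Constructed tree: baseline, change two files, check, accept the changes."""
    with tempfile.TemporaryDirectory() as d:
        etc = Path(d, "etc")
        etc.mkdir()
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (etc / "motd").write_text("welcome\n")
        policy, pw = [{"path": str(etc), "action": "email-support"}], "constructed passphrase"
        sealed = seal(snapshot(policy), pw)
        (etc / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 updates\n")
        (etc / "motd").unlink()
        report = [(k, Path(p).name, a) for k, p, a in check(policy, sealed, pw)]
        return report, check(policy, seal(snapshot(policy), pw), pw)
```

`demo()` returns the violation report followed by the result of a second check after the changes have been accepted into a new baseline, which is empty.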