I've used Tripwire on other platforms (NT, HP-UX, Solaris, and AIX) and have found it to be wonderful for forensic analysis and enforcing change management policies. It lets you know what's been changed and provides a thorough mechanism to verify important files. I've been using the commercial product, and while it's far easier to install and manage (with the management console) than the 'academic' version, it does what it's supposed to do and does it well.

The hardest part of setting it up remains the policy files, though. Defining exactly what you want monitored and what you don't is the most important (and difficult) part of the setup. If you're watching a single machine it's not that bad if you watch everything; it's bad when you're watching over 300 machines and you're flagged on /etc/shadow every time a user changes a password, or you're flagged on every file on the server when your backup software runs and changes the 'c' time. If you filter down the noise you should find Tripwire easy to use and effective.

BTW, version 2.4 commercial supports Linux as a client AND runs the management console on X.

Ed Spencer MCSE/MCT/CNA/A+/Network+
Security Analyst - IS Security
Renaissance Worldwide, Inc. - Walt Disney World
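As an added illustration (not from either poster) of the policy tuning the reply above describes, here is a Tripwire policy-file (twpol.txt) excerpt that handles the two noise sources it names: backup software touching inode change time, and routine password changes rewriting /etc/shadow. Paths, rule names and severities are assumptions for a typical Linux install.

```tripwire
# Added example policy excerpt; not part of the original thread.
# Property letters: p perms, i inode, n links, u uid, g gid, t type,
# s size, d device, b blocks, a atime, m mtime, c ctime,
# C CRC32, M MD5, S SHA, H Haval, l growing, r device numbers.

@@section GLOBAL
TWROOT = /usr/sbin ;
TWBIN  = /usr/sbin ;
TWETC  = /etc/tripwire ;

@@section FS
# $(IgnoreNone) watches every property including 'c' (ctime). A backup
# run that resets ctime would then flag every file, so drop 'c' (and the
# atime 'a' that any read disturbs) while keeping content hashes.
SEC_CRIT  = $(IgnoreNone) -SHac ;

# Binaries: $(ReadOnly) already excludes a/c; spelled out here explicitly
# so the intent (content, perms, ownership, size, mtime) is visible.
SEC_BIN   = +pinugtsdbmCM-rlacSH ;

# Files that legitimately churn (password changes rewrite /etc/shadow,
# often via temp-file-and-rename, which also changes the inode): watch
# only type, permissions and ownership, not size, mtime or hashes.
SEC_CHURN = +tpug ;

(
  rulename = "System binaries",
  severity = 100
)
{
  /bin  -> $(SEC_BIN) ;
  /sbin -> $(SEC_BIN) ;
}

(
  rulename = "Critical auth config (should never change unannounced)",
  severity = 100
)
{
  /etc/passwd -> $(SEC_CRIT) ;
  /etc/group  -> $(SEC_CRIT) ;
}

# Low severity so shadow rewrites still appear in the report for review
# but do not page anyone. Trade-off: a modified password hash in
# /etc/shadow is NOT detected by this rule; only perms/ownership are.
(
  rulename = "Expected churn",
  severity = 33
)
{
  /etc/shadow -> $(SEC_CHURN) ;
}
```

After editing the text policy it must be re-signed and reinstalled (twadmin --create-polfile) and the database re-initialized before the quieter rules take effect.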
-----Original Message-----
From: Jeric [mailto:jeric@mmcable.com]
Sent: Sunday, June 24, 2001 12:37 PM
To: suse-security@suse.com
Subject: [suse-security] intrusion detector "tripwire"

First off, I just wanted to say hello to everyone, since this is my first posting here at SuSE. I was reading an article in "Linux Journal" about an intrusion detection tool called "tripwire" (http://sourceforge.net/projects/tripwire). It sounds really great on paper, but I was wondering if anyone uses this program, and if so, are there any issues with it on a SuSE system, or in general (i.e. is it fairly reliable, stable, easy to set up)?

Thanks in advance