At the heart of most computer systems is a file system. The file system contains user data, executable
programs, configuration and authorization information, and (usually) the base executable version of the
operating system itself. The ability to monitor file systems for unauthorized or unexpected changes
gives system administrators valuable data for protecting and maintaining their systems. However, in
environments of many networked heterogeneous platforms with different policies and software, the task
of monitoring changes becomes quite daunting.
Tripwire is a tool that aids UNIX system administrators and users in monitoring a designated set of
files and directories for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can
notify system administrators of corrupted or altered files, so corrective actions may be taken in a timely
manner. Tripwire may also be used on user or group files or databases to signal changes.
This paper describes the design and implementation of the Tripwire tool. Tripwire uses interchangeable
signature (usually, message digest) routines to identify changes in files, and is highly configurable.
Tripwire is no-cost software, available on the Internet, and is currently in use on thousands of machines
around the world.
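
The baseline-and-compare idea described above, as an added example that is not Tripwire's code: a snapshot records one digest per selected signature routine for each file, and a later snapshot is compared against it. The `SIGNATURES` registry, the function names and the sample files are assumptions made for illustration, and the sketch compares file contents only.

```python
import hashlib
import os
import tempfile

# Interchangeable signature routines: name -> function(bytes) -> hex digest.
# (Illustrative registry; the names are not Tripwire's own.)
SIGNATURES = {
    "sha256": lambda data: hashlib.sha256(data).hexdigest(),
    "blake2b": lambda data: hashlib.blake2b(data).hexdigest(),
}

def snapshot(root, routines=("sha256",)):
    """Return {relative_path: {routine: digest}} for each regular file under root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            db[os.path.relpath(path, root)] = {r: SIGNATURES[r](data) for r in routines}
    return db

def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh snapshot."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        # A file counts as changed if any recorded signature differs.
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }

def demo():
    """Build a constructed directory, alter it, and report what changed."""
    routines = ("sha256", "blake2b")
    with tempfile.TemporaryDirectory() as root:
        def write(rel, content):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(content)
        write("passwd", b"root:x:0:0\n")       # constructed sample files
        write("login", b"\x7fELF original\n")
        write("motd", b"welcome\n")
        baseline = snapshot(root, routines)
        write("login", b"\x7fELF modified\n")  # same length, different content
        os.remove(os.path.join(root, "motd"))
        write("rc.local", b"new file\n")
        return compare(baseline, snapshot(root, routines))

if __name__ == "__main__":
    print(demo())
```

The baseline is only trustworthy if it is stored where the monitored system cannot rewrite it, for example on read-only media.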