Some years ago, I had Tripwire installed for a few days but quickly removed it again because whenever I upgraded installed packages, I'd get a storm of messages about files which had changed, and that was just annoying since I was the one who had initiated the action that caused the files to change; but at the same time there were so many files that changed, of course, that I had no way of distinguishing legitimate changes (as they all were) from any potential illegitimate changes.


That's precisely what it's supposed to do. If you update the Tripwire db every time you "initiate an action that causes monitored files to change" - then it does a _magnificent_ job of telling you when someone _else_ changes those files.

You need to run 'tripwire --update' every time you run 'apt-get update' or 'pip install foo' or 'npm install bah' or whatever - then you won't get that storm of false positives.

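As an added illustration of the baseline / check / accept cycle the comment above describes (this is not Tripwire's own code and was not posted in the thread), here is a minimal file-integrity checker in POSIX shell. The function names, the sample files and the /var/lib/fim paths in the usage comment are made up for the example; it assumes GNU sha256sum and awk.

```shell
#!/bin/sh
# Toy Tripwire-style integrity checker, added as an illustration only.
# Not Tripwire's code; fim_* names and paths are invented for the example.
# Limitations of this toy: paths containing whitespace break the awk field
# split, and only content hashes are tracked (Tripwire also records mode,
# owner, mtime, inode and more). Needs sha256sum (GNU coreutils) and awk.

# Hash every regular file under directory $1; one "hash  ./path" line each.
fim_scan() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | sort -k2
}

# Record the current state of directory $1 in baseline file $2. This is the
# step that 'tripwire --init' and, after you have reviewed a report and
# decided the changes were yours, 'tripwire --update' both boil down to.
fim_baseline() {
    fim_scan "$1" > "$2"
}

# Compare baseline file $1 against scan file $2; print one line per
# ADDED / REMOVED / CHANGED path (nothing printed means nothing differs).
fim_diff() {
    awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # baseline lines
        { cur[$2] = $1 }                               # current scan lines
        END {
            for (p in cur)  if (!(p in base)) print "ADDED   " p
            for (p in base) {
                if (!(p in cur))            print "REMOVED " p
                else if (base[p] != cur[p]) print "CHANGED " p
            }
        }' "$1" "$2" | sort
}

# Check directory $1 against baseline $2. Returns 0 when nothing differs,
# 1 (with the differences on stdout) otherwise, 2 if no scratch file.
fim_check() {
    scan=$(mktemp) || return 2
    fim_scan "$1" > "$scan"
    report=$(fim_diff "$2" "$scan")
    rm -f "$scan"
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Typical use, mirroring the advice in the thread (paths are invented):
#   fim_baseline /etc /var/lib/fim/etc.db        # once, on a known-good box
#   fim_check /etc /var/lib/fim/etc.db           # from cron; mail any output
#   apt-get upgrade && fim_baseline /etc /var/lib/fim/etc.db   # you changed it: accept
```

The point of the accept step is that the baseline always reflects the last state you personally vouched for, so the next report contains only changes nobody accounted for. Note that `apt-get update` only refreshes package lists; it is `apt-get upgrade` (or `dist-upgrade`) that rewrites files on disk, so that is the command to pair with the re-baseline. Keep the baseline (and, with real Tripwire, its signing key) somewhere an attacker who owns the monitored box cannot quietly rewrite it, or the check proves nothing.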

Honest question from an interested party: have you actually had it alert you about someone else changing the files?

I've been in the previous boat: of having it running on a system I've inherited, and given up because it seemed too much hassle.


Yes - a few times a year when normal and authorised things or people have unexpectedly changed files in tripwire-protected places, and in ~20 years I think three times when I'd had an intrusion.

Those three timely notifications of real breaches have made 20+ years worth of occasional false positives 100% worth it.

