Tripwire

Fortra (Tripwire)

File Integrity Monitoring (FIM) tool that detects unauthorised changes to system files and configurations.


Description

Tripwire is the original file integrity monitoring (FIM) tool, available as both an open-source utility (tripwire-oss) and the commercial Tripwire Enterprise. It establishes a known-good baseline of file hashes, permissions, and metadata, then alerts on any deviation — a textbook indicator of tampering, malware persistence, or unauthorised admin changes.

CySA+ references FIM directly under both security operations and incident response objectives because integrity violations on binaries, web roots, /etc/, or registry keys are high-fidelity compromise signals.

Use cases

  • Baselining critical Linux directories (/etc, /usr/bin, /var/www)
  • Detecting webshell drops on a public web server
  • Compliance evidence for PCI-DSS req. 11.5
  • Verifying integrity of golden images after deployment

Example

# Initialise the baseline database
sudo tripwire --init

# Run integrity check and report changes
sudo tripwire --check --report-level 4
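To make the baseline-then-check mechanism concrete, here is an added Python example written for this page (not Tripwire's own code, and not its database or policy format): it records a SHA-256, permission mode, owner and size for every regular file under a root, then reports what was added, removed or changed, mirroring the --init and --check steps above. The init/check subcommands and the JSON baseline file are assumptions for the demo.

```python
import hashlib
import json
import os
import stat
import sys
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Attributes recorded per file (a constructed subset of what a FIM tool tracks)."""
    st = path.lstat()
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}


def baseline(root: str) -> dict:
    """Walk root and fingerprint every regular file (the 'init' step)."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():  # never follow links out of the monitored tree
                continue
            db[os.path.relpath(p, root)] = fingerprint(p)
    return db


def check(root: str, db: dict) -> dict:
    """Re-scan root and diff against the stored baseline (the 'check' step)."""
    current = baseline(root)
    report = {"added": sorted(set(current) - set(db)),
              "removed": sorted(set(db) - set(current)), "modified": {}}
    for rel in set(current) & set(db):
        changed = [k for k in db[rel] if db[rel][k] != current[rel][k]]
        if changed:  # list which attributes deviated, e.g. ['sha256', 'size'] or ['mode']
            report["modified"][rel] = changed
    return report


if __name__ == "__main__":
    # usage: fim.py init|check <root> <baseline.json>  (constructed CLI, not Tripwire's)
    action, root, dbfile = sys.argv[1:4]
    if action == "init":
        json.dump(baseline(root), open(dbfile, "w"), indent=1)
    else:
        print(json.dumps(check(root, json.load(open(dbfile))), indent=1))
```

A real deployment would sign or otherwise protect the baseline file, since an attacker who can rewrite it can hide their changes; Tripwire keys its database for exactly this reason.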