WHY NOT TO USE TRIPWIRE:

Some history:  Tripwire[1] is a security-checker developed by Gene Spafford and Gene Kim at Purdue University's COAST Laboratory (now merged into CERIAS) from 1992 through 1994. Copyright was owned by Purdue Research Foundation from 1992 until May 2000. At that time, co-author Gene Kim's firm, Tripwire, Inc., invoked a clause in its 1997 commercial-distribution agreement with Purdue[2] to acquire all copyright and trademark rights. On October 30, 2000, Tripwire, Inc. released version 2.3.0, tailored for Linux, under the GNU General Public License.

This text _formerly_ cautioned users that Tripwire was not free software and (up to that time) never had been, and also about USA-export and USA encryption-patent (RSA) issues that have now disappeared. All those issues are now resolved. I heartily recommend Tripwire. (The publisher hasn't answered my question of whether it knows of any patent encumbrances on Tripwire technology, but I know of no problems in that or any other area.)

The Tripwire codebase reached this status in three stages:

1. Purdue and then Tripwire, Inc. (and corporate predecessors) released Tripwire 1.x as non-commercial-gratis-use proprietary source code. This version was and is dubbed Tripwire Academic Source Release (ASR).

2. Tripwire, Inc. then thoroughly rewrote the C++ codebase, adding an encrypted authentication database.[3] It also sported improved reporting and policy-creation routines, more extensive monitoring, more signature types, new management software, better documentation, better performance, and general revamping. (http://www.tripwire.com/products/connector.cfml?section=com) You could retrieve and use those 2.x Linux binaries gratis in some non-commercial situations if you agreed to a restrictive end-user licence. No source code was available under any terms, and you were prohibited from redistributing the binaries.

3. Following a February 2000 announcement of plans for an open source version "for Linux" and an August 2000 announcement that this would be under the GNU General Public Licence, Tripwire, Inc. released 2.3.0 on October 30, 2000, replacing both Tripwire ASR and the binary-only 2.x series. This fully open-source package is said to be "functionally equivalent" to the preceding 2.2.1 proprietary version. (I would speculate that this means that some third-party components had to be replaced before release. Be advised that this is a fairly complex C++ codebase, with no autoconf support so far. Portability is thus an interesting question.)

There continues to be a proprietary branch with versions tailored for numerous OS development platforms, commercial-grade QA, support, & documentation, and a "HQ Manager Console" to manage Tripwire on multiple hosts running sundry OSes.

There is a pre-existing GPLed competitor:  Launched in August 1999, "AIDE (Advanced Intrusion Detection Environment)" is an all-new package providing a superior implementation of Tripwire(R) ASR's (1.x's) security ideas. It is licenced as genuinely free software under the GNU General Public License, has no patent encumbrances, and has no USA-export limitations.

   ftp://ftp.cs.tut.fi/pub/src/gnu/            Latest source archives.
   http://www.cs.tut.fi/~rammer/aide.html      AIDE home page.

AIDE also has a public CVS server and public mailing list. Some have asserted that authors Rami Lehti and Pablo Virolainen have ceased AIDE development, but this is NOT true. They are in fact planning the structure of AIDE's next (1.x) versions.

And now (starting 02/2001), there's a second GPLed competitor:  Ed L. Cashin's Integrit. Small, light, uses up-to-date cryptographic algorithms.

   http://integrit.sourceforge.net/
   http://sourceforge.net/projects/integrit/

SIMILAR OFFERINGS:

   ViperDB,        http://www.resentment.org/projects/viperdb/
   gog-magog,      http://www.multimania.com/cparisel/gog/
   Sentinel,       http://packetstorm.linuxsecurity.com/UNIX/IDS/
   SuSEauditdisk,  http://www.suse.de/~marc/  (Currently being rewritten.)
   Sxid,           ftp://marcus.seva.net/pub/sxid/
   nannie,         ftp://tools.tradeservices.com/pub/nannie/
   confcollect,    http://www.skagelund.com/confcollect/
   Pikt,           http://pikt.uchicago.edu/pikt/
   Prelude,        http://prelude-ids.org/

See also the listing at:  http://packetstorm.linuxsecurity.com/UNIX/IDS/
(That host is one of a chain of cooperating Packetstorm mirrors. If it's down, search for others.)

-----------

[1] The Purdue University COAST Web pages and those of Tripwire, Inc. assert that "Tripwire" is a registered trademark. This public claim _was_ untrue for several years -- until January 11, 2000: I periodically checked at http://trademarks.uspto.gov/ . Up until that date, Purdue Research Foundation's Oct. 8, 1997 application for trademark registration had _not_ been approved. The trademark _has now_ been approved, and transferred to Tripwire, Inc. (This document formerly listed the trademark claim as simply false. I've kept the reference for those who saw my earlier critique.)

[2] The COAST pages claim that "In December 1997, Visual Computing Corporation(TM) obtained an exclusive license from Purdue University to develop and market new versions of Tripwire(R)." This is somewhat misleading: Anyone could have legally developed new versions based on the Tripwire 1.x source code, subject to its licence terms. Subsequent to 1997, Visual Computing Corporation was renamed to Tripwire Security Systems, Inc., and still later to Tripwire, Inc.

[3] Absent that feature, e.g., in Tripwire ASR and AIDE, one just kept the authentication database on read-only media.
The Tripwire encrypted-database approach works because it relies on signing using asymmetric (RSA) encryption, such that an intruder can then compromise the database only if he has the secret passphrase required for such signing.
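As an added illustration of footnote [3] (example code written for this page, not code from Tripwire, AIDE or Integrit), the sketch below shows why a signed integrity database resists tampering: file hashes are recorded, the record is authenticated with a secret held apart from the monitored host, and a database regenerated without that secret is rejected rather than trusted. It uses an HMAC as a stand-in for the RSA signature the text describes; the key and file contents are constructed demo values.

```python
import hashlib, hmac, json, os, tempfile
from pathlib import Path

# Constructed demo secret, standing in for the signing passphrase.
DEMO_KEY = b"constructed-demo-secret"

def build_baseline(root):
    """Hash every regular file under root: the integrity database contents."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                baseline[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return baseline

def sign_database(baseline, key):
    """Serialize the baseline and append a keyed tag (HMAC stand-in for the RSA signature)."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return body + b"\n" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def verify_database(blob, key):
    """Return the baseline only if the tag verifies; an edited or rebuilt db is rejected."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity database failed signature check")
    return json.loads(body)

def check_tree(root, blob, key):
    """Diff the live tree against the verified baseline; returns sorted paths that differ."""
    old, new = verify_database(blob, key), build_baseline(root)
    return sorted(p for p in set(old) | set(new) if old.get(p) != new.get(p))

def demo():
    """Constructed scenario: a replaced file is reported, and a database regenerated
    without the key is refused instead of silently hiding the change."""
    with tempfile.TemporaryDirectory() as root:
        target = Path(root) / "ls"
        target.write_bytes(b"original binary")
        blob = sign_database(build_baseline(root), DEMO_KEY)
        target.write_bytes(b"replaced binary")
        changed = check_tree(root, blob, DEMO_KEY)          # ['ls']
        rebuilt = sign_database(build_baseline(root), b"not the real key")
        try:
            check_tree(root, rebuilt, DEMO_KEY)
            rebuilt_accepted = True
        except ValueError:
            rebuilt_accepted = False
    return changed, rebuilt_accepted                        # (['ls'], False)
```

The same property is what makes read-only media adequate for ASR and AIDE: either way, the baseline cannot be rewritten from the compromised host alone.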