1. A little bit about Tripwire
Tripwire is file integrity checking software. It was first developed on the Unix platform as a university project by Gene H. Kim and Eugene H. Spafford. It is now a commercial product (www.tripwire.com; a free academic version is available).

Tripwire works by comparing the current file system of a machine to a snapshot taken earlier, at a time when the machine was known to be clean (usually at installation time). The snapshot is actually a database of the disk contents, including (but not necessarily limited to) the directory tree structure, the complete list of files, each file's properties and date/time information, and a hash derived from each file's content. (A hash is a one-way function that turns the actual binary content of a file into a short, unreadable value which, for practical purposes, uniquely identifies that content.) So when you first run Tripwire (or when you have updated your machine with various patches and want a new snapshot), it builds that database of all system file information.

The logic behind this is that once you have installed your base system, there is no reason for system files to change "by themselves" afterwards. If they do, your system has probably been compromised, and an intruder has planted backdoors, trojans or sniffers on your machine. The sad news when you find this kind of thing is that there are probably more machines on your network that have been compromised as well.

So, basically, when you want to audit your system (say, on a weekly basis), Tripwire re-scans the entire system, generating a database with the same structure (derived hashes included) as the original snapshot. Any difference between the two databases indicates a file integrity compromise: added files may be tools the intruder brought in, modified files may be trojaned system files, and missing files may be vandalism. To decide whether a file has been modified, Tripwire does not rely only on the date/time stamp but also on the derived hash, because a timestamp is trivially reset whereas the hash changes with the content.
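To make the snapshot-and-compare cycle concrete, here is a small integrity checker written as an added example (not Tripwire's own code): it records size, mtime and SHA-256 for every regular file under a directory, then diffs a second snapshot into added, missing and modified files. The `demo()` function builds a constructed temporary tree, takes a baseline, and then tampers with it three ways, including a trojaned file whose size and timestamp are restored so that only the hash catches it.

```python
import hashlib, os, shutil, stat, tempfile
from pathlib import Path

def snapshot(root):
    """Baseline database: every regular file under root with its size, mtime and SHA-256."""
    root, db = Path(root), {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            st = path.lstat()
            if not stat.S_ISREG(st.st_mode):  # symlinks and special files are not hashed here
                continue
            db[path.relative_to(root).as_posix()] = {
                "size": st.st_size, "mtime_ns": st.st_mtime_ns,
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest()}
    return db

def compare(baseline, current):
    """Added / missing / modified files; for modified ones, which attributes changed."""
    modified = {}
    for rel in baseline.keys() & current.keys():
        changed = [k for k in ("size", "mtime_ns", "sha256") if baseline[rel][k] != current[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": sorted(current.keys() - baseline.keys()),
            "missing": sorted(baseline.keys() - current.keys()),
            "modified": modified}

def demo():
    """Constructed scenario in a temporary tree: take a baseline, then tamper three ways."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "bin").mkdir(); (root / "etc").mkdir()
        ls = root / "bin" / "ls"
        ls.write_bytes(b'#!/bin/sh\nexec /usr/bin/ls "$@"\n')
        (root / "etc" / "motd").write_bytes(b"welcome\n")
        baseline = snapshot(root)
        # Trojaned file: same size, and the timestamp is put back to its original value,
        # so neither the date/time stamp nor the size would flag it; only the hash does.
        st = ls.stat()
        ls.write_bytes(b'#!/bin/sh\nexec /tmp/bad/ls "$@"\n')
        os.utime(ls, ns=(st.st_atime_ns, st.st_mtime_ns))
        (root / "bin" / "sniff").write_bytes(b"imported tool\n")  # added file
        (root / "etc" / "motd").unlink()                           # missing file
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)
```

Running `demo()` reports `bin/sniff` as added, `etc/motd` as missing, and `bin/ls` as modified with only `sha256` changed.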

It's that simple.

2. A little bit about InstallWatch