Tripwire is a useful part of a complete system defense. It is, however, only a part, and it is, in fact, rather the last bastion of a defense in depth. It detects system changes made by an intruder already in your system. With the tools available to the modern script kiddie , by the time Tripwire detects, your system is probably pretty messed up. Fortunately, if you have been keeping your Tripwire database on CD-R media, you can use it to undo everything the intruder has done.
No Linux system that spends any time connected to the Internet should be without Tripwire. But likewise, no such system should rely on Tripwire as its sole protection. A defense in depth should include a firewall, which is covered in Chapter 3 , plus a network monitor such as the one discussed in Chapter 13 .