Just as a murderer leaves behind fingerprints and fibers, most attackers who compromise a network host leave some evidence behind. Automated "exploits" combine the compromise, obfuscation, and entrenchment phases.
The emergence of these scripted attacks makes it much more difficult to detect an intrusion. Before these tools were developed, there was a considerable lag between the compromise of a system and the manipulation of system and log files to hide the attackers' presence. Nowadays mere seconds or even milliseconds may separate these events.
It therefore becomes very important to know when these critical system files change, who changed them, and why; often this is the only way to tell that a compromise has occurred. What you need is the computer equivalent of a forensics expert: someone who can recover the prints and fibers of a scripted, network-based system compromise. That expert is Tripwire. In this chapter we introduce this tool and show a little of how it works and how it can help you improve the security of your Linux system.
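To make the idea concrete before looking at Tripwire itself, here is an added example (not Tripwire's own code) of the core technique a file-integrity checker relies on: take a baseline of digests and metadata for every file under a directory, store it, and later compare the live tree against that baseline to report modified, added and removed files. The directory tree, file contents and tampering steps are constructed inside a temporary directory for the demo; in real use the baseline would be written to read-only or offline media so that it cannot be altered along with the files it describes.

```python
"""Minimal file-integrity baseline and comparison, in the spirit of Tripwire.

Added example, not Tripwire's own code. For every regular file under a root
directory it records a SHA-256 digest plus size, mode and mtime, then reports
files that were modified, added or removed since the baseline was taken.
"""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List


def file_record(path: str) -> Dict[str, object]:
    """Digest and metadata for one regular file (a simplified set of the attributes Tripwire tracks)."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "mtime": int(st.st_mtime),
    }


def build_baseline(root: str) -> Dict[str, Dict[str, object]]:
    """Walk root and record every regular file, keyed by its path relative to root."""
    db: Dict[str, Dict[str, object]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not stat.S_ISREG(os.lstat(full).st_mode):
                continue  # skip symlinks, sockets and other non-regular entries
            db[os.path.relpath(full, root)] = file_record(full)
    return db


def compare(baseline: Dict[str, Dict[str, object]],
            current: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Report which files differ between two baselines.

    Any change in digest, size, mode or mtime counts as a modification. The
    digest is the attribute that matters most: an intruder who restores a
    file's timestamp after editing it defeats an mtime check but not a hash.
    """
    report: Dict[str, List[str]] = {"modified": [], "added": [], "removed": []}
    for rel, rec in current.items():
        old = baseline.get(rel)
        if old is None:
            report["added"].append(rel)
        elif any(old[k] != rec[k] for k in ("sha256", "size", "mode", "mtime")):
            report["modified"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    for key in report:
        report[key].sort()
    return report


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree, take a baseline, tamper with it, and compare."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: str) -> str:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(data)
            return full

        # Constructed stand-ins for a few files an integrity policy would cover.
        passwd = write("etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        hosts = write("etc/hosts", "127.0.0.1 localhost\n")
        ls = write("bin/ls", "#!/bin/sh\necho ls\n")
        os.chmod(ls, 0o755)

        # Serialise the baseline as Tripwire would store its database; here it
        # is round-tripped through JSON in memory instead of written to disk.
        baseline = json.loads(json.dumps(build_baseline(root)))

        # Constructed tampering: edit a file but restore its original timestamp,
        # change a file's mode without touching its contents, add a file, remove a file.
        orig = os.lstat(passwd)
        with open(passwd, "a") as f:
            f.write("guest:x:1001:1001::/home/guest:/bin/sh\n")
        os.utime(passwd, ns=(orig.st_atime_ns, orig.st_mtime_ns))
        os.chmod(ls, 0o700)
        write("bin/.hidden", "x")
        os.remove(hosts)

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints `etc/passwd` and `bin/ls` as modified (the first caught by its digest despite the restored mtime, the second by its mode), `bin/.hidden` as added and `etc/hosts` as removed. Tripwire adds what this sketch omits: a policy language selecting which attributes to check per file, a signed database, and reporting, but the detection logic is the same comparison.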