3. Same thing, but a different way


By now you will have noticed that these two products, although developed for different purposes, behave in a very similar way. It didn't take me long to figure this out, and I quickly dropped my silly idea of doing a "batch file version" of Tripwire (although I may still do it for kicks later; if I do, I'll include it in this file). I felt more like "tweaking" InstallWatch to see whether it could truly be used as a real system integrity checker.

Well, it didn't need that much tweaking after all. I took a snapshot of my system, which created a file called snapshot.iws. The file is between 5 and 10 megabytes, depending on the size of your system scan. When you run the Snapshot and Analyze commands individually, Analyze is disabled until a snapshot has been taken, or more precisely until snapshot.iws is present in the snapshot directory. This also means that performing an Analyze erases the snapshot.iws file, so if you're not using read-only media, be sure to keep a copy somewhere. InstallWatch behaves this way so that it doesn't pick up unrelated changes between two software installations. Knowing this, it's easy to figure out what to do.

To begin with, I'd say you have two options, and I can't tell which one is best. You decide. The first option: install InstallWatch Pro first thing after the OS, and monitor the payload of every Service Pack, update, piece of software, etc. that you add afterwards. That will give you a wealth of useful information about your machines, but it can be time consuming. The second option: prepare your system with the desired configuration and software, all up to date, then install InstallWatch Pro to monitor any suspicious changes from then on. Once your initial snapshot is done, make a copy of it on other media, in case of tampering or deletion. I would recommend read-only media. You can then change the InstallWatch snapshot directory to point to the copy on the CD-ROM. You should also make a backup copy of your database file, but that one still needs to be accessed on read-write media (could this be done with Adaptec Direct CD? I don't know. If someone out there is willing to risk scrapping a blank CD-R to try it out, let me know). And there you go: whenever you place the CD in your CD-ROM drive, InstallWatch Pro will be in Analyze mode and will compare your system with your clean snapshot.

A few recommendations, though. Since InstallWatch was not originally intended as a security product, it is not a quiet program in its default configuration. Since you're monitoring production machines that shouldn't have software installed regularly, disable the start-up option so it is not in memory while the server is in normal use. You should also disable the "detect setup" option, because if an intruder uses a tool that lets him see the console and installs himself a kit via a setup program, he'll get the InstallWatch splash screen right in his face, announcing that you are monitoring your machines. Some might think that is a good thing because it would scare him away, but I don't believe so. It only gives him the chance to leave, figure out what I'm using and how to disable or bypass it, then come back. Anyway, Tripwire isn't built for live checking, so there's no reason to pursue that fantasy with InstallWatch. Disabling these two options will keep the program quiet. You should also hide InstallWatch Pro somewhere other than the default directory. Launch InstallWatch Pro manually every time you want to perform an audit, and close it afterwards until the next check.
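The snapshot-then-analyze scheme this section describes, written out as a small Python example that is added here and is not InstallWatch's code or file format: the baseline is never deleted by an Analyze, and its own digest is returned so it can be recorded on the read-only media alongside the copy, as the text recommends. The JSON layout, the SHA-256 choice and the sample file names are my own assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path
def _digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str) -> dict:
    """Record size and SHA-256 of every regular file under root."""
    base = Path(root)
    return {p.relative_to(base).as_posix(): {"size": p.stat().st_size, "sha256": _digest(p)}
            for p in sorted(base.rglob("*")) if p.is_file()}

def save_snapshot(entries: dict, dest: str) -> str:
    """Write the baseline; return its own SHA-256 so that value can be kept
    on read-only media and checked before the baseline is trusted."""
    data = json.dumps(entries, sort_keys=True).encode()
    Path(dest).write_bytes(data)
    return hashlib.sha256(data).hexdigest()

def load_snapshot(src: str, expected_digest: str) -> dict:
    """Refuse a baseline whose digest no longer matches the recorded one."""
    data = Path(src).read_bytes()
    if hashlib.sha256(data).hexdigest() != expected_digest:
        raise ValueError("baseline snapshot has been altered or replaced")
    return json.loads(data)

def analyze(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; unlike InstallWatch's Analyze, the baseline is left intact."""
    common = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(k for k in common if baseline[k]["sha256"] != current[k]["sha256"])}

def demo() -> dict:
    """Constructed sample tree (assumed names): baseline it, change it, re-analyze."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "sys"); root.mkdir()
        (root / "app.exe").write_bytes(b"original binary")
        (root / "old.ini").write_text("keep=1")
        digest = save_snapshot(snapshot(str(root)), str(Path(tmp, "snapshot.json")))
        (root / "app.exe").write_bytes(b"patched binary")  # modified
        (root / "old.ini").unlink()                         # removed
        (root / "new.dll").write_bytes(b"")                 # added
        baseline = load_snapshot(str(Path(tmp, "snapshot.json")), digest)
        return analyze(baseline, snapshot(str(root)))
```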