I set it up on a system. The end user configures it to watch certain directories and/or files. Then runs it an initial time to get a signature for Tripwire to compare future checks with. The next time it is run it runs through its config and rechecks those folders/files and reports any changes. It's up to the end user to determine why those things changed and determine if it means they got hacked.

> > > > If I recall, someone listed a command that would verify and list any
> > > > binaries that had changed - does anyone know what the command was?
> > >
> > > It depends on the distribution. On Red Hat systems, try ``rpm --verify''.
> >
> > That should work for any rpm-based dist, right?
>
> Right.
>
> > It'll cover anything installed from the package management system,
> > but will miss the stuff installed from tarballs, etc.
>
> Right again.
>
> > Craig might be looking for tripwire, though. I think there's an Open
> > Source package on Source Forge that does the same stuff as tripwire.
> >
> > I don't see a similar option for dpkg or apt-get. The /usr/ports stuff
> > would have to use something similar to tripwire.
>
> Can someone give me a brief primer on how tripwire is implemented? I
> read somewhere recently that it uses a kernel module on linux and
> basically watches for open() calls (where write access is requested)
> on specific system files. Is this right or not?
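The baseline-then-recheck cycle the reply describes (configure watched paths, record a signature for each file, later rebuild the record and report differences) is easy to see in a small userland tool. The script below is an added illustration written for this thread, not Tripwire's code and not the `rpm --verify` mechanism: it records size, permission bits, mtime and a SHA-256 hash per regular file under the configured paths, stores them as JSON, and on a later run lists files that were added, removed or changed, naming which attribute differs. The `init`/`check` command-line shape and the `FIELDS` list are my own choices for the example. As in the post, deciding whether a reported change is a legitimate update or a compromise is left to the operator.

```python
"""Minimal Tripwire-style file integrity check (added example, not Tripwire)."""
import hashlib
import json
import os
import stat
import sys
from typing import Dict, List

# Attributes recorded per file (constructed for this example).  The hash catches
# content changes, mode catches permission changes, size and mtime are cheap
# early indicators that something was touched.
FIELDS = ("size", "mode", "mtime_ns", "sha256")


def _sha256(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(watch_paths: List[str]) -> Dict[str, dict]:
    """Walk the configured files/directories and record every regular file."""
    records: Dict[str, dict] = {}
    for root in watch_paths:
        if os.path.isfile(root):
            candidates = [root]
        else:
            candidates = [os.path.join(d, n)
                          for d, _, names in os.walk(root) for n in names]
        for path in candidates:
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices are skipped in this toy
            records[os.path.abspath(path)] = {
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "mtime_ns": st.st_mtime_ns,
                "sha256": _sha256(path),
            }
    return records


def save_baseline(records: Dict[str, dict], baseline_file: str) -> None:
    """Persist the baseline.  In real use it belongs on read-only or offline
    media; a baseline an intruder can rewrite proves nothing."""
    with open(baseline_file, "w") as f:
        json.dump(records, f, indent=1, sort_keys=True)


def load_baseline(baseline_file: str) -> Dict[str, dict]:
    with open(baseline_file) as f:
        return json.load(f)


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, object]:
    """Report added and removed paths and, for changed paths, which fields differ."""
    report: Dict[str, object] = {"added": [], "removed": [], "changed": {}}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        else:
            diffs = [f for f in FIELDS if baseline[path][f] != current[path][f]]
            if diffs:
                report["changed"][path] = diffs
    return report


def main(argv: List[str]) -> int:
    """Usage: fim.py init|check BASELINE PATH...   (hypothetical CLI for this example)"""
    if len(argv) < 4 or argv[1] not in ("init", "check"):
        print(main.__doc__)
        return 2
    mode, baseline_file, paths = argv[1], argv[2], argv[3:]
    current = snapshot(paths)
    if mode == "init":
        save_baseline(current, baseline_file)
        print(f"baseline of {len(current)} files written to {baseline_file}")
        return 0
    report = compare(load_baseline(baseline_file), current)
    for kind in ("added", "removed"):
        for path in report[kind]:
            print(f"{kind}: {path}")
    for path, fields in report["changed"].items():
        print(f"changed: {path} ({', '.join(fields)})")
    # Non-zero exit when anything differs, so a cron job can mail the report.
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once with `init` against the directories you care about (`/bin`, `/sbin`, `/etc`, ...) and then from cron with `check`; a mode-only change on a binary, or a hash change with no package update behind it, is the kind of report the operator then has to explain.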