It can be difficult to sort through all of the tools available for DevOps-style management, learning which ones you need, which ones cover the same territory, and which ones can comfortably overlap or even work together better than apart. We’re going to compare Tripwire to Puppet here, not as identical tools, because they have mostly different functionality sets, but in terms of how they fit into an IT environment.
The names of each company telegraph what is most important to them: Tripwire implies a mechanism by which one is alerted when something triggers a preset criterion, while Puppet implies the remote and precise manipulation of objects. Unsurprisingly, this is what their products respectively do best, but there is some feature overlap, as well as the question of how they interact with each other if in the same environment. We’ll look a bit more in detail at each product and how they compare and contrast.
Primarily known for their security configuration monitoring (SCM), Tripwire offers a handful of products that monitor files, audit and report changes and check compliance against various standards such as PCI. Additionally, they offer vulnerability management and logging products, though they are less known for these than their SCM. Right off the bat we can see that Tripwire does not handle the automated manipulation of files like Puppet. Tripwire isn't traditionally a DevOps product, but it does do things that are useful for DevOps.
Puppet allows Linux and Windows servers to be configured programmatically, a key tenet of DevOps in maintaining uniformity and automation within a deployment environment. In their Enterprise product, Puppet also offers reporting features that overlap many of the compliance and monitoring areas Tripwire covers, although these are mainly for files being enforced by Puppet manifests, not for monitoring changes for directories upon directories full of files.
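The difference in coverage described above can be modelled in a few lines. This is an added example, not code from the article or from either product: it uses neither Tripwire nor Puppet, and the function names, file names and file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Monitor style: hash every file under root (relative path -> SHA-256)."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}

def detect_changes(baseline, current):
    """Report what changed since the baseline; nothing is repaired."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def enforce(root, desired):
    """Enforce style: rewrite declared files that drifted; return corrected paths."""
    corrected = []
    for rel, content in sorted(desired.items()):
        target = Path(root, rel)
        if not target.is_file() or target.read_bytes() != content:
            target.write_bytes(content)
            corrected.append(rel)
    return corrected

def demo():
    """Constructed scenario: one declared file, one undeclared file, one new file."""
    with tempfile.TemporaryDirectory() as root:
        desired = {"sshd_config": b"PermitRootLogin no\n"}  # the only managed file
        enforce(root, desired)
        Path(root, "motd").write_bytes(b"Authorized use only\n")  # present, unmanaged
        baseline = snapshot(root)
        Path(root, "sshd_config").write_bytes(b"PermitRootLogin yes\n")  # managed drift
        Path(root, "motd").write_bytes(b"Welcome\n")        # unmanaged drift
        Path(root, "notes.txt").write_bytes(b"scratch\n")   # file nobody declared
        seen = detect_changes(baseline, snapshot(root))
        fixed = enforce(root, desired)
        return seen, fixed, detect_changes(baseline, snapshot(root))
```

The monitoring pass sees all three changes but repairs none; the enforcement pass repairs and reports only the declared file, leaving the other two changes visible only to the monitor.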
Side-by-Side Scoring: Tripwire vs. Puppet
1. Capability Set
Tripwire has a few tiers of product with varying functionality, though the core mechanism of scanning files and reporting changes is mostly the same. Puppet’s functionality rests in whether it can save IT ops time and effort by automating repetitive tasks and streamlining the deployment flow. As you can imagine, its efficacy depends on the amount of effort put into learning, configuring and programming it. In the areas where these tools overlap, Tripwire has overall more robust monitoring and compliance features, but if your environment is already utilizing Puppet to manage configuration files, it might make more sense to try and use the integrated reporting and compliance options there than to invest in a separate application.
2. Ease of Use
Both products offer “enterprise consoles” with all of the modular dashboards and infographics you’d expect from modern tools, but even with a nice GUI, the real usability of these tools comes down to how well you can integrate them into your environment. Dumping Tripwire or Puppet onto a sysadmin or IT group who have otherwise managed their configurations directly, for example, would likely have a much different outcome than a shop in the middle of an overall culture shift towards DevOps practices. The devil is in the details as well. Usability will go up as familiarity with the underlying architecture (or programming language) increases.
3. Community Support
While Puppet enjoys a large and active community, Tripwire users are likely to turn to other places like Reddit or StackExchange to get answers. Tripwire offers white papers and case studies, as well as professional services, but does not have official forums.
4. Release Rate
While Puppet has ample release notes for their various versions, Tripwire holds their cards closer to the chest. The Enterprise product is updated periodically, the current version as of 3/14/2016 being 8.4. The open source version, however, has not been touched since 2013, so people looking for a free configuration monitoring tool might be disappointed with it.
5. Pricing and Support
Tripwire’s Enterprise solution can be a bit pricey for smaller organizations and their open source version lacks many of the features needed to easily turn the monitoring output from an entire datacenter into usable information for IT ops. Puppet Enterprise pricing starts at $120/node per year with standard support, with more expensive support options available. Puppet open source retains the key Puppet programmability features under the Apache 2.0 license, but lacks Puppet Apps.
6. API and Extensibility
According to Tripwire’s website, “scripts and third-party software can use Tripwire Enterprise's SOAP API or command line interface to invoke functionality, including integrity checks, change reconciliation, version promotion, and report generation.” However, information on exactly what that means or how people are actually using the API was difficult to find. Due to its nature, Puppet supports many different kinds of extensibility and has documented APIs into most if not all of its products to assist with automating tasks.
7. 3rd Party Integrations
Puppet offers a host of approved modules for 3rd party integration and since their product exists to automate tasks for other products, it connects into a wide variety of systems. Tripwire’s website states that they “integrate with numerous third-party systems, from change and incident management systems to SIEM solutions,” but again, details were scarce. However, they also offer a set of apps.
8. Companies that Use It
Tripwire was one of the first in the game, and as such has a long customer list, including many top companies. No less impressive is Puppet’s list. No doubt both of these companies are widely used across many fields.
9. Learning Curve
Neither one of these products can be implemented lightly. Both require a degree of planning, education and configuration to achieve optimal results. In fact, poor setup of these tools can create more work and communication issues than traditional server management. Filtering Tripwire’s information output for what devs, application admins and sysadmins really need to know takes a period of finessing by someone intimately familiar with the software. Likewise, even though Puppet’s proprietary programming language is designed for sysadmins, the learning curve of any new language must be overcome to make use of the automation Puppet can provide.
10. CSTAR Score
As of 3/14/2016, Tripwire scored a 542 total from our external scanner, with most of their problems coming from the website itself. Puppet came in with a total score of 789, outranking Tripwire in the website category by over 500 points.
Scoreboard and Summary
|Category||Tripwire||Puppet|
|Ease of Use|
|Pricing and Support|
|API and Extensibility|
|3rd Party Integrations|
|Companies that Use It|
|CSTAR Score||542 (Average)||789 (Good)|
|Total||3.1 out of 5||4.3 out of 5|
Choosing between Tripwire and Puppet means first being able to understand if you need to choose between them in the first place, how they fit into an IT environment, and if/how they complement each other. There are some solutions out there that use Puppet to manage Tripwire, but that’s less of an integration than Puppet doing its thing. If your organization is going full DevOps, then you’re going to need the automation functionality Puppet or one of its competitors (Chef, Ansible, etc.) offers. If you’re after monitoring change on large numbers of files, something like Tripwire is closer to the mark, even though Puppet does offer some audit-type functionality for non-managed files.
Understanding your current processes, their bottlenecks and blind spots, will help you better understand if and how these tools could benefit you. But DevOps begins with a culture change, not a software addition, so that type of self-assessment is already a step in the right direction.