In terms of what they do and how they work, Tripwire and Puppet have little overlap. Tripwire is for monitoring changes and Puppet is for configuring servers. The reason for tracking changes and configuring servers, however, brings them together as two approaches to compliance automation and, ultimately, reducing risk in computing systems. We’re going to compare Tripwire to Puppet here, not necessarily as identical tools, because they do have mostly different functionality sets, but how they fit into an IT environment.
The names of each company telegraph what is most important to them: Tripwire implies a mechanism by which one is alerted when something triggers a preset criterion, while Puppet implies the remote and precise manipulation of objects. Unsurprisingly, this is what their products respectively do best, but there is some feature overlap, as well as the question of how they interact with each other if in the same environment. We’ll look a bit more in detail at each product and how they compare and contrast.
Primarily known for their security configuration monitoring (SCM), Tripwire offers a handful of products that monitor files and audit configurations for the purposes of reporting on standards like PCI. Additionally, they offer vulnerability management, network devices, and logging, though they are less known for these than their SCM. Tripwire's product suite is broad but loosely integrated, built as it was through a collection of acquisitions. Also a product of its time, Tripwire's architecture is pre-cloud and requires both installed agents and significant work to deploy and configure. While there is an open source version on Github, the project has a lifetime total of 215 commits and 132 stars.
Tripwire isn't traditionally a DevOps product, but it does do things that are useful for DevOps. For both root cause analysis and compliance with regulations like PCI, you need to know what's changing in your environment. And in fact, the more you DevOps, the more you are going to need that monitoring to know everything that's changing. But what if you just automated your infrastructure so you didn't need to monitor it...
That Puppet allows Linux and Windows servers (and some network devices) to be configured programmatically, a key tenet of DevOps in maintaining uniformity and automation within a deployment environment. Without getting into the specifics of how Puppet works, users describe how servers should be configured in files called "manifests." Puppet runs the scripts in those files to ensure all servers under its management match the desired state. In theory, this means that you don't need change monitoring because everything is automated through code and code never has bugs! In their Enterprise product, Puppet also offers reporting features that overlap many of the compliance and monitoring areas Tripwire covers, although these are mainly for files being enforced by Puppet manifests, not for monitoring changes for directories upon directories full of files.
Herein lies the essential difference between the two products: Tripwire offers detective controls for knowing how your environment is changing. Puppet offers corrective controls to enforce a desired state. At a high level, there is no conflict between the two: you need both detective and corrective controls for configuration management and compliance automation. When they step outside their wheelhouse, these products may come into competition, but the real question is whether each of them provides a best-in-class solution for matching your business' technology goals.
Side-by-Side Scoring: Tripwire vs. Puppet
1. Capability Set
Tripwire has a few tiers of product with varying functionality, though the core mechanism of scanning files and reporting changes is mostly the same. Puppet’s functionality rests in whether it can save IT ops time and effort by automating repetitive tasks and streamlining the deployment flow. As you can imagine, its efficacy depends on the amount of effort put into learning, configuring and programming it. In the areas where these tools overlap, Tripwire has overall more robust monitoring and compliance features, but if your environment is already utilizing Puppet to manage configuration files, it might make more sense to try and use the integrated reporting and compliance options there than to invest in a separate application.
2. Ease of Use
Both products offer “enterprise consoles” with all of the modular dashboards and infographics you’d expect from modern tools, but even with a nice GUI, the real usability of these tools comes down to how well you can integrate them into your environment. Dumping Tripwire or Puppet onto a sysadmin or IT group who have otherwise managed their configurations directly, for example, would likely have a much different outcome than a shop in the middle of an overall culture shift towards DevOps practices. The devil is in the details as well. Usability will go up as familiarity with the underlying architecture (or programming language) increases.
Ease of Use
3. Community Support
While Puppet enjoys a large and active community, Tripwire users are likely to turn to other places like Reddit or StackExchange to get answers. Tripwire offers white papers and case studies, as well as professional services, but does not have official forums.
4. Release Rate
While Puppet has ample release notes for their various versions, Tripwire holds their cards closer to the chest. The Enterprise product is updated periodically, the current version as of 3/14/2016 being 8.4. The open source version, however, has not been touched since 2013, so people looking for a free configuration monitoring tool might be disappointed with it.
5. Pricing and Support
A monitoring system won't troubleshoot a configuration error. A configuration test script will.
Tripwire’s Enterprise solution can be a bit pricey for smaller organizations and their open source version lacks many of the features needed to easily turn the monitoring output from an entire datacenter into usable information for IT ops. Puppet Enterprise pricing starts at $120/node per year with standard support, with more expensive support options available. Puppet open source retains the key Puppet programmability features under the Apache 2.0 license, but lacks Puppet Apps.
Pricing and Support
6. API and Extensibility
According to Tripwire, “scripts and third-party software can use Tripwire Enterprise's SOAP API or command line interface to invoke functionality, including integrity checks, change reconciliation, version promotion, and report generation.” However, information on exactly what that means or how people are actually using the API is difficult to find. Due to it’s nature, Puppet supports many different kinds of extensibility and has documented APIs into most if not all of its products to assist with automating tasks.
API and Extensibility
7. 3rd Party Integrations
Puppet offers a host of approved modules for 3rd party integration and since their product exists to automate tasks for other products, it connects into a wide variety of systems. Tripwire’s website states that they “integrate with numerous third-party systems, from change and incident management systems to SIEM solutions,” but again, details were scarce. However, they also offer a set of apps.
3rd Party Integrations
8. Companies that Use It
Tripwire was one of the first in the game, and as such have a long customer list, including many top companies. No less impressive is Puppet’s list. No doubt both of these companies are widely used across many fields.
Companies that Use It
9. Learning Curve
Neither one of these products can be implemented lightly. Both require a degree of planning, education and configuration to achieve optimal results. In fact, poor setup of these tools can create more work and communication issues than traditional server management. Filtering Tripwire’s information output for what devs, application admins and sysadmins really need to know takes a period of finessing by someone intimately familiar with the software. Likewise, even though Puppet’s proprietary programming language is designed for sysadmins, the learning curve of any new language must be overcome to make use of the automation Puppet can provide.
10. CSTAR Score
Tripwire has improved their score significantly since we first wrote about them. On March 14, 2016 their score was 542; as of August 21, 2017 they have improved to 741. There are still a few technical controls missing from their website and on Glassdoor their CEO has a 27% approval rating. Puppet has also improved. In 2016, they scored 789. As of 2017 they have addressed all the glaring issues and now have an "excellent" rating of 931.
Scoreboard and Summary
|Ease of Use
|Pricing and Support
|API and Extensibility
|3rd Party Integrations
|Companies that Use It
|| 3.1 out of 5
|| 4.3 out of 5
Choosing between Tripwire and Puppet means first being able to understand if you need to choose between them in the first place, how they fit into an IT environment, and if/how they complement each other. There are some solutions out there that use Puppet to manage Tripwire, but that’s less of an integration than Puppet doing its thing. If your organization is going full DevOps, then you’re going to need the automation functionality Puppet or one of its competitors (Chef, Ansible, etc.) offers. If you’re after monitoring change on large numbers of files, something like Tripwire is closer to the mark, even though Puppet does offer some audit-type functionality for non-managed files.
Understanding your current processes, their bottlenecks and blind spots, will help you better understand if and how these tools could benefit you. But DevOps begins with a culture change, not a software addition, so that type of self-assessment is already a step in the right direction.
How CSTAR Works What's In the Website Risk Grader? Understanding Risk in the 21st Century
All the information needed to perform a CSTAR assessment is bundled into the UpGuard platform. Learn more about CSTAR.
Read Article >
The UpGuard Website Risk Grader provides a low friction way to get an initial assessment of a business' risk profile.
Read Article >
And as we enter 2016, the risk of data breaches in particular threatens to hamper business innovation.