
Open Source Tripwire is a free software security and data integrity tool for monitoring and alerting on specific file changes on a range of systems, originally developed by Eugene H. Spafford and Gene Kim. The project is based on code originally contributed by Tripwire, Inc. in 2000 and is released under the terms of the GNU General Public License. It works by creating a baseline database and then regularly comparing the state of the file system with that database. If it detects changes (e.g. the addition or modification of files), it includes them in its report so that security administrators can review them.


History

Tripwire was created by Dr. Eugene Spafford and Gene Kim in 1992 in response to a series of stealthy intrusions that occurred in early 1991. These attacks circumvented the existing security systems by infecting the shared libraries in a way that left their CRC checksums unchanged. Tripwire was designed to use message digest functions from different hash families (e.g. MD5 and Snefru) in order to stay reliable even after one of the hashing algorithms is compromised. The name "Tripwire" comes from the ''trap or tripwire'' files which alert administrators upon being accessed by intruders. Spafford recalls:

Tripwire was written in C and its design emphasized the portability of the program and of the database. On November 2, 1992, it was released for beta testing. In December 1993, the formal release was made after identifying and fixing several bugs. Early releases were developed in a cleanroom style, where Gene Kim did the development and Eugene Spafford ran the acceptance testing. Tripwire was initially free and open-source, but it went commercial in 1997. Open Source Tripwire was released in October 2000 under the GNU General Public License. On May 4, 2015, the source code was moved from SourceForge to GitHub.


Overview

During installation, Open Source Tripwire asks the user to set the site-key and local-key passphrases. The site-key passphrase encrypts the policy and configuration files, which are shared across multiple systems. The local-key passphrase protects the files specific to one machine. The policy file contains the list of files and directories to scan and the rules (e.g. which attributes of the directory tree to look at). Open Source Tripwire later asks for the local passphrase when creating the initial database of file signatures. It runs the first scan of the system and saves the result to the database. Afterwards, it runs integrity checks and compares each result with the database. For example, if a new file is created, it will be listed in the subsequent integrity check report. Open Source Tripwire can be configured to run integrity checks regularly and send report e-mails to the system administrator. The database should be initialized before the system is at risk of being compromised: a baseline taken from an already-compromised system would record the intruder's changes as the normal state.

The user can create ''tripwire'' files which look like they contain valuable information (e.g. a file called master-password.txt) and configure Open Source Tripwire to track these files in order to catch snooping intruders. When an intruder reads such a file, its access timestamp is updated and the security administrators are notified of the incident. This relies on the file system actually recording reads: on a volume mounted with noatime no access timestamp is updated, and with relatime (the usual Linux default) only some reads update it. Unlike Tripwire Enterprise, Open Source Tripwire is not available for Windows and has only basic policies. Windows users can run Open Source Tripwire under Cygwin, but it will not scan Windows-specific attributes such as the Windows Registry.


Details


Policy file

The policy file is called twpol.txt (tw.config in previous versions), and it tells Tripwire which files and directories need to be monitored. It supports preprocessing, which allows administrators to write only one policy file for many different machines. In the policy file, each file or directory entry carries a selection-mask that tells which attributes to ignore and which to report. For example, the selection-mask could be written to report changes in the modification timestamp, number of links, size of the file, permissions and modes, but ignore changes to the access timestamp. There is also an option to specify whether or not Tripwire should recurse into a directory, i.e. check its subdirectories, their subdirectories, and so on. Example of the policy file:

    # system binaries
    SYSBIN = +pngu+sm;
    /usr/local/bin/pwgen -> $(SYSBIN);
    /usr/bin -> $(SYSBIN);
    /usr/sbin -> $(SYSBIN);
    /etc/security -> +pug (recurse=-1);
    # ignore last log
    !/etc/security/lastlog;
    # logs
    SYSLOGS = +p-lum;
    /var/adm/messages -> $(SYSLOGS);
    /opt -> $(SYSBIN);
    # ignore these, do not scan
    !/opt/dump;
    !/opt/freeware;

The following example of a policy file, from "The Design and Implementation of Tripwire: A File System Integrity Checker" by Spafford and Kim, makes use of the preprocessing language. Here it is used to ignore the directory with printer logs on one specific host, while that directory is scanned on all other hosts. The preprocessing thus allows the same policy file to be used on that host and on the others; otherwise the user would need to write separate policy files.

    # file/dir      selection-mask
    /etc            R       # all files under /etc
    @@ifhost solaria.cs.purdue.edu
    !/etc/lp                # except for SVR4 printer logs
    @@endif
    /etc/passwd     R+12    # you can't be too careful
    /etc/mtab       L       # dynamic files
    /etc/motd       L
    /etc/utmp       L
    =/var/tmp       R       # only the directory, not its contents
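As an added example (not code from the Open Source Tripwire project), the following Python parses a small policy written in the twpol.txt syntax shown above: it applies the @@ifhost/@@endif preprocessing, expands $(VAR) references, decodes each selection-mask into the attributes to check and to ignore, and implements the closest-ancestor lookup that the "Database file" section describes for paths that have no entry of their own. The sample policy, the hostname strings, the rule dictionary layout and the letter table beyond the letters the page itself uses (i, c, C, M and S are assumed) are this example's own; the real parser handles more directives and rule attributes.

```python
import re

# Selection-mask letters as used in twpol.txt. The page's own examples use
# p, n, g, u, s, m, l and a; i, c, C, M and S are this example's assumption.
MASK_LETTERS = {
    "p": "permissions", "i": "inode", "n": "link count", "u": "owner uid",
    "g": "group gid", "s": "size", "m": "mtime", "a": "atime", "c": "ctime",
    "l": "growing file", "C": "CRC32", "M": "MD5", "S": "SHA",
}
FLAG_RE = re.compile(r"([+-])([A-Za-z]+)")
VAR_RE = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(\S+)$")
RULE_RE = re.compile(r"^(\S+)\s*->\s*(\S+)\s*(?:\((.*)\))?$")


def preprocess(text, hostname):
    """Apply @@ifhost / @@endif (not nested): keep guarded lines only on the named host."""
    kept, keep = [], True
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("@@ifhost"):
            keep = hostname in stripped.split()[1:]
        elif stripped == "@@endif":
            keep = True
        elif keep:
            kept.append(line)
    return kept


def decode_mask(mask):
    """Turn a mask such as '+pngu-a' into (check, ignore) sets; later flags win."""
    groups = FLAG_RE.findall(mask)
    if "".join(sign + letters for sign, letters in groups) != mask:
        raise ValueError(f"malformed selection-mask: {mask!r}")
    check, ignore = set(), set()
    for sign, letters in groups:
        for ch in letters:
            if ch not in MASK_LETTERS:
                raise ValueError(f"unknown attribute {ch!r} in {mask!r}")
            (check if sign == "+" else ignore).add(ch)
            (ignore if sign == "+" else check).discard(ch)
    return check, ignore


def parse_policy(text, hostname):
    """Parse twpol.txt-style text into rule dicts after host preprocessing."""
    variables, rules = {}, []
    for raw in preprocess(text, hostname):
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        if not line.endswith(";"):
            raise ValueError(f"missing ';' in policy line: {raw!r}")
        line = line[:-1].strip()
        if line.startswith("!"):                     # stop point: never scanned
            rules.append({"path": line[1:].strip(), "ignore": True})
            continue
        m = VAR_RE.match(line)
        if m:                                        # NAME = mask
            variables[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse policy line: {raw!r}")
        path, mask, opts = m.groups()
        mask = re.sub(r"\$\((\w+)\)", lambda v: variables[v.group(1)], mask)
        check, ignore = decode_mask(mask)
        recurse = -1                                 # -1: unlimited depth
        for opt in (opts or "").split(","):
            key, _, value = opt.partition("=")
            if key.strip() == "recurse":             # the page's example uses recurse=-1
                recurse = int(value)
        rules.append({"path": path, "ignore": False, "check": sorted(check),
                      "ignore_attrs": sorted(ignore), "recurse": recurse})
    return rules


def rule_for(path, rules):
    """Closest-ancestor lookup: the rule whose path is the longest prefix of path."""
    best = None
    for rule in rules:
        p = rule["path"]
        if path == p or path.startswith(p.rstrip("/") + "/"):
            if best is None or len(p) > len(best["path"]):
                best = rule
    return best


# Constructed sample in the same syntax as the page's twpol.txt example.
SAMPLE_POLICY = """\
# system binaries
SYSBIN = +pngu+sm;
/usr/local/bin/pwgen -> $(SYSBIN);
/usr/bin -> $(SYSBIN);
/etc/security -> +pug (recurse=-1);
@@ifhost solaria.cs.purdue.edu
!/etc/security/lastlog;    # ignore last log on this host only
@@endif
# logs
SYSLOGS = +p-lum;
/var/adm/messages -> $(SYSLOGS);
"""

if __name__ == "__main__":
    for host in ("solaria.cs.purdue.edu", "otherhost"):
        print(host, rule_for("/etc/security/lastlog", parse_policy(SAMPLE_POLICY, host)))
```

Run on the host named in the @@ifhost block, the lookup for /etc/security/lastlog returns the stop-point rule; on any other host the same policy text yields the /etc/security rule with its +pug mask, which is the single-policy-for-many-hosts effect the preprocessing is meant to give. A path that matches no entry returns None, which is where a checker would fall back to the default selection-mask.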


Configuration file

The configuration file is called twcfg.txt, and it contains the paths to the policy file, database file, report file, etc. It also has entries for mail settings (for instance, which program to use to send the report by e-mail). Example of the configuration file:

    ROOT =/opt/freeware/sbin
    POLFILE =/etc/tripwire/tw.pol
    DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
    REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
    SITEKEYFILE =/etc/tripwire/site.key
    LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
    EDITOR =/usr/bin/vi
    LATEPROMPTING =false
    LOOSEDIRECTORYCHECKING =false
    MAILNOVIOLATIONS =true
    EMAILREPORTLEVEL =3
    REPORTLEVEL =3
    MAILMETHOD =SENDMAIL
    SYSLOGREPORTING =false
    MAILPROGRAM =/usr/sbin/sendmail -oi -t


Database file

The database file is unique to each machine, as opposed to the policy and configuration files, which can be shared across multiple machines. It stores file permissions, modification dates and signatures of the files. For each file, the database can store up to ten signatures. The database does not store the file content itself, because doing so would use too much disk space. The database file is human-readable, so the user can verify the properties of individual files and check the database for potential tampering. When an integrity check detects a new file whose path has no entry in the policy file, Tripwire chooses the closest ancestor entry and copies its selection-mask, or uses the default selection-mask if no such entry exists. Tripwire has an interactive update mode which simplifies reviewing every updated file: for each created, deleted or modified file it asks whether or not the corresponding database entry should be changed.


Signatures

In order to minimize the impact of hash collisions (where the signature does not change even though the file was changed) on security, Tripwire uses several different hashing algorithms to compute multiple signatures for each file. MD5 itself has since been shown to be vulnerable to collisions, which is exactly the situation this multi-algorithm design anticipates. Because different hashing algorithms have different performance characteristics, Tripwire allows the administrator to configure which signatures to use and how frequently. For example, the system could be configured to compare CRC32 signatures every hour and MD5 signatures every day. This way the hourly integrity checks run faster, and even if some file is modified without changing its CRC32 checksum, the change is reported during the daily integrity check. Tripwire provides a generic interface to signature routines, so users can include their own checksum methods.
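The following Python script, added here as an illustration and not part of Open Source Tripwire itself, walks through the cycle the Overview describes using the signature scheme discussed above: it baselines a constructed directory tree (stat attributes plus CRC32, MD5 and SHA-256 signatures), tampers with the tree in three ways, and then runs a quick CRC32-only check and a full MD5 + SHA-256 check of the kind an hourly/daily schedule would alternate between. The passwd edit keeps the file size and puts the modification time back, so only the content signatures reveal it. The file names, contents, the fixed attribute list and the choice of hash functions are this example's own assumptions.

```python
import hashlib
import os
import stat
import tempfile
import zlib

# Signature routines: CRC32 is cheap but weak, MD5 and SHA-256 are stronger.
# Tripwire's real set is configurable through its generic signature interface;
# these three are this example's own choice.
SIGNATURES = {
    "crc32": lambda data: format(zlib.crc32(data) & 0xFFFFFFFF, "08x"),
    "md5": lambda data: hashlib.md5(data).hexdigest(),
    "sha256": lambda data: hashlib.sha256(data).hexdigest(),
}

# Non-signature attributes recorded for every entry: one fixed selection-mask
# standing in for the per-rule masks a policy file would supply.
ATTRS = ("mode", "nlink", "uid", "gid", "size", "mtime_ns")


def describe(path):
    """Record the tracked attributes and all signatures of one path."""
    st = os.lstat(path)
    entry = {
        "mode": stat.S_IMODE(st.st_mode),
        "nlink": st.st_nlink,
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "sig": {},
    }
    if stat.S_ISREG(st.st_mode):          # directories and links carry no signature
        with open(path, "rb") as fh:
            data = fh.read()
        entry["sig"] = {name: fn(data) for name, fn in SIGNATURES.items()}
    return entry


def build_database(root):
    """The baseline: one entry per file and directory below root, keyed by relative path."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = describe(full)
    return db


def integrity_check(root, db, sig_names, attrs=ATTRS):
    """Compare the live tree against the baseline using only the named signatures."""
    now = build_database(root)
    report = {
        "added": sorted(set(now) - set(db)),
        "removed": sorted(set(db) - set(now)),
        "changed": {},
    }
    for rel in sorted(set(db) & set(now)):
        old, new = db[rel], now[rel]
        diffs = [a for a in attrs if old[a] != new[a]]
        diffs += [s for s in sig_names if old["sig"].get(s) != new["sig"].get(s)]
        if diffs:
            report["changed"][rel] = diffs
    return report


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, run both checks."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        passwd = os.path.join(root, "etc", "passwd")
        with open(passwd, "wb") as fh:
            fh.write(b"root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "etc", "motd"), "wb") as fh:
            fh.write(b"welcome\n")
        db = build_database(root)

        # Same-size edit of passwd with its timestamps put back afterwards,
        # so only the content signatures can reveal the change.
        before = os.stat(passwd)
        with open(passwd, "wb") as fh:
            fh.write(b"toor:x:0:0:root:/root:/bin/sh\n")
        os.utime(passwd, ns=(before.st_atime_ns, before.st_mtime_ns))
        # A new file appears and an existing one disappears.
        with open(os.path.join(root, "bin", "rogue"), "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        os.remove(os.path.join(root, "etc", "motd"))

        return {
            "quick": integrity_check(root, db, ["crc32"]),
            "full": integrity_check(root, db, ["md5", "sha256"]),
        }


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Because the modification time is deliberately restored, a check that compared only size and timestamps would miss the passwd edit; it is the signatures that catch it, and the quick report lists crc32 while the full report lists md5 and sha256 for the same path. The directory entries for etc and bin may also appear as changed because their own timestamps moved. A real deployment would additionally protect the database with the local key, as the Overview notes, so that the baseline cannot be quietly rewritten to match the tampered tree.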


See also

* AIDE
* Host-based intrusion detection system comparison
* OSSEC
* Samhain


External links

* Tripwire, Inc.
* Tripwire/tripwire-open-source on GitHub