Tripwire Goes Open Source 98
Brian McLaughlin writes: "Tripwire posted the source code to their integrity checking tool at SourceForge today. The press release can be consumed here."
This discussion has been archived.
No new comments can be posted.
Tripwire Goes Open Source
Related Links Top of the: day, week, month.
One person's error is another person's data.
Re:More free stuff. (Score:2)
I think I figured it out though... fill out the second address line (add Suite 100 or something)
--
In-kernel triggers? (Score:4)
I know there was a commercial product that did this (and much more) for Solaris back about 3-4 years ago, but I haven't heard about it since. There are some other triggers that would be nice:
- On any of unlink, rename, creat, mkdir
- On failed system calls that fail due to permissions (e.g. the above calls as well as kill, socket, etc)
I know you could do most of this in libc, but I don't think that would be wise, as someone with enough smarts could always do the syscalls directly using asm().distribution policy files (Score:3)
For example, alot of the files in the default policy file (setup for redhat) don't exist on my system (suse) and if they do exist, their in different locations. I can guess that this will be pretty much the same with debian, turbo, caldera and others as well.
Those that come from the sea return to the sea ... (Score:1)
## $Id: README,v 1.26 1994/08/26 08:22:48 gkim Exp $
##
## README for Tripwire
##
## Gene Kim & Gene Spafford
## The COAST Project
## Department of Computer Sciences
## Purdue University
##
## All files in the distribution of Tripwire are Copyright 1992, 1993, 1994
## by the Purdue Research Foundation of Purdue University. All rights
## reserved. Some individual files in this distribution may be covered
## by other copyrights, as noted in their embedded comments.
##
## Redistribution and use in source and binary forms are permitted
## provided that this entire copyright notice is duplicated in all such
## copies, and that any documentation, announcements, and other
## materials related to such distribution and use acknowledge that the
## software was developed at Purdue University, W. Lafayette, IN by
## Gene Kim and Eugene Spafford. No charge, other than an "at-cost"
## distribution fee, may be charged for copies, derivations, or
## distributions of this material without the express written consent
## of the copyright holder. Neither the name of the University nor the
## names of the authors may be used to endorse or promote products
## derived from this material without specific prior written
## permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY
## EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE
## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR ANY PARTICULAR
## PURPOSE.
This README file serves as a quick-and-dirty primer on Tripwire.
A PostScript formatted paper that fully describes the design and
rationale is also included in the
document is also available as a technical report (TR-CSD-93/71). This
document will be referenced throughout the Tripwire distribution as
the Tripwire design document or the comprehensive Tripwire paper.
This README file contains information needed to build, test,
and run Tripwire. A table of contents follow:
0.0. If you were running an earlier version
1.0. Background
1.1. Goals of Tripwire
2.0. How to build Tripwire
2.1. Common Tripwire compilation problems
2.2. The siggen utility
3.0. Getting Tripwire up and running
3.1. Creating your tw.config file
3.2. A caveat about your Tripwire database
3.3. Testing Tripwire
3.4. Running Tripwire as an integrity checker
3.5. Keeping your database up-to-date
3.5.1. Running Tripwire in Interactive mode
3.5.2. Running Tripwire in Database Update mode
3.6. A quick-checking mode
4.0. Some Tripwire scaling hints for using Tripwire
in large sites
4.1. The tw.config grammar
4.2. How you might use these directives
5.0. Notes on signature routines
5.1. Performance vs. security
6.0. Signature routines
6.1. MD5
6.2. Snefru
6.3. CRC-32
6.4. CRC-16
6.5. MD4
6.6. MD2
6.7. SHA/SHS
6.8. Haval
6.9. null signature
7.0. Feedback and bug-reports
8.0. User contributions
9.0. Acknowledgements
...
I'm glad to see it's back (sort of, anyways.)
What is TripWire. (Score:1)
Ok, I guess I deserved that. (Score:1)
Re:Poor Tripwire... (Score:1)
Bet we all get spammed with marketing material on security products in the future
Using their own code? (Score:2)
Re:Oh har-de-fscking-har-har! (Score:1)
Mom? Is that you?
Re:Tripwire is important because? (Score:4)
Actually, it's quite simple: It makes sure that when files change, someone is notified. Now, obviously you don't want Tripwire watching your logs (since they change constantly) or
As for the "policy language" they refer to, that's just another way of saying "a way to tell Tripwire what to watch, how to watch it, and what to do if something has changed".
To put it all in context, here is an example. Note that Tripwire is much more advanced than this, but essentially, this does the same thing: When I first install my system, I patch it, and capture all of the `ls -la` output of my important files to a file. Once an hour, I have a task (cron job) that does the same `ls -la` and compares the output to the original file. If they're different, either I changed something and forgot to update the original file, or someone is up to something. It then sends me an e-mail and I look into it.
I hope that explains what Tripwire does in a nutshell. If you would like more information, let me know.
Re:Poor Tripwire... (Score:1)
rosie_bhjp
How to DTWY for BSD (Score:1)
No complaining about GPL constraints, now, it's still Open Source and you can always apply another licensing paradigm, such as that used in BSD, on the portions of your code that you create for it.
Great, but . . . (Score:2)
Is there anything Tripwire can do that can't be done by a few shell scripts, a crontab, and the md5sum program? I mention this specificly because of a Secrurity Focus article [securityfocus.com] that mentions this (Section 8. Tripwires).
------
Re:"only the Linux version": DTWY for BSD (Score:1)
Tripwire, OpenSource, Linux Edition (Score:2)
Tripwire is a good product, it lets network and system admins sleep easier at night knowing they don't have to scan every box by hand every morning. I've found that sites running tripwire tend to have better system management policies, and know what security of internet boxes means.
Now we can make it better, and tie in some better automated functions for varying degrees of detection.
the AC
Re:More free stuff. (Score:1)
Woo hoo! It works. You rock.
Re:More free stuff. (Score:1)
---
Re:tripwire's site kinda pisses me off. (Score:2)
in the list? If you're going to rank countries,
where do the UK, Australia, France, Canada, and
Finland fit into your list? Even if you are the
biggest single country to use tripwire (which I
doubt), if you're going to put one country first
then you'd better rank everyone in order of use.
I've never heard anything so pathetic--whining
because your country came near the bottom of an
alphabetised list! Grow up.
Re:used to be free, didn't it? (Score:1)
Re:Geez, just hit U a couple times. (Score:1)
Yeah, but being from Michigan is punishment enough.
Re:In-kernel triggers? (Score:2)
Slightly less secure but still pretty easy to spot, just mount the system directories RO. That will guarantee log entries for changes!
Certain very popular operating systems have the odd habit of requiring that the system directories be read/write, but Linux isn't one of them.
Re:Hrm... (Score:1)
Re:AIDE (Score:1)
Re:tripwire's site kinda pisses me off. (Score:1)
We have, per capita, the most people on the Internet
Uh, no. According to many people [techmall.com], the USA holds a modest 4th place in terms of per capita Internet usage. Should we be putting Finland, Norway, and Iceland at the top of the list as well?
I'll bet you want everyone to speak English when you visit a foreign country too, right? Or have you never left the confines of your perfect little country
---
Re:Poor Man's Tripwire (Score:1)
Re: (Score:2)
ALREADY GPL'D IN RED HAT 7.0! (Score:1)
This isn't new - it was part of Red Hat Linux 7 (Score:2)
Re:In-kernel triggers? Immutability and LIDS (Score:3)
I wonder if it'd be easier/faster to 'chattr +i' certain critical files like /bin/login and then add logging code to the appropriate syscall to warn you when somebody changes it back.
Why allow anyone to change this back? Set the immutable attribute (+i) on anything that won't ever change, make your log records permanent with 'chattr +a /var/log/messages' so that the logs can't be editted, just appended to, and then install lids and set CAP_LINUX_IMMUTABLE to remove the ability to change these attributes on this system under this kernel. If you need to change things over, you'll need a second kernel image elsewhere for administration purposes (i.e. on floppy) but your key system will remain inviolate.
Cheers,
Toby Haynes
Re:Of course they open sourced it. (Score:2)
Re:used to be free, didn't it? (Score:2)
Cool! (Score:1)
Re:Not really open sourced... (Score:1)
I wish I could type with that....
Yeah, but the rsi [everything2.com] is a bear.
You just thought carpal tunnel was bad!
Cool. (Score:1)
Now if I just had something to use it on....
BSD work alike already? (Score:1)
Hrm... (Score:2)
Of course they open sourced it. (Score:1)
When will people realize there is no need to close source the obvious
Very little in an intrusion detection/change monitoring system is difficult to recreate. Using standard unix shell tools, you can create something just as useful with little more than md5sum, awk, cron, and a few lines of perl.
Just be sure to store your cryptographic hashes on a read only media (CD-R's are great for this).
Talk about timing! (Score:2)
Steven
Wow! (Score:3)
I had been running it on a RH 4.2 box. I was trying to use the version that was linked against libc5 (the only binary they had at the time) on a RH5.0 box, and was told I would have to wait several months before they released a new version that would link against glibc (aka libc6).
Source code gives a whole new meaning to free software.
Mike
"I would kill everyone in this room for a drop of sweet beer."
Re:tripwire's site kinda pisses me off. (Score:1)
Be Careful (Score:1)
Re:tripwire's site kinda pisses me off. (Score:2)
More free stuff. (Score:3)
Free (as in beer) posters [tripwire.org]. (You just have to figure out how to get past their poorly coded form validation to order one...).
Another Small Victory (Score:1)
Re:More free stuff. (Score:1)
I submitted this story 2 minutes after they announced it on their site..
---
open-sourcing at last (Score:1)
Re:tripwire's site kinda pisses me off. (Score:1)
This isn't some petty "my country is better than yours!" pissing contest. It's simple common sense.
- A.P.
--
* CmdrTaco is an idiot.
Read their license (Score:1)
2. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS....
Other Use Restrictions.
You may not use the Software for any purpose other than for use on your own internal computer networks, as set forth in this EULA. You may not place the Software onto a server that is accessible via a public network, such as the Internet.
Hopefully, now that it is open source, this little restriction on non-Internet servers is taken care of. I'm not sure though. Any information on this would be helpful to me. Thanks.
Other "Security Tools" on SourceForgery (Score:1)
---
Re:More free stuff. (Score:1)
Linux only... ports? (Score:2)
Re:tripwire's site kinda pisses me off. (Score:1)
Which is what I was implying. And which makes a hell of a lot more sense, at least for the top 5 or so countries (which probably make up 80-90% of all Internet users) than a completely alphabetized list.
- A.P.
--
* CmdrTaco is an idiot.
just linux?? (Score:1)
Poor Man's Tripwire (Score:1)
If you are running an RPM based distro. I hove found the following to be a good tripwire work-alike:
#!/bin/bash
rpms=`rpm -qa`
for i in $rpms do
echo $i
rpm --verify $i
done
Re:In-kernel triggers? (Score:3)
The subflavor of Solaris called "Trusted Solaris" will do this, I believe. The amount of hooks in the T.S. kernel is amazing. You can configure individual files to simply not be there when certain users read the directory listings. (I don't mean they get a "permission denied" or somthing; I mean the file just isn't there.
Even without running Trusted Solaris, normal Solaris has auditing mechanisms that you can turn on to do this. I don't think you can specify which files are to be audited at different levels. You can watch specific users at different levels, but I don't think you can restrict it to the file level. (And if you don't, the amount of auditing log message traffic becomes overwhelming.)
Poor Tripwire... (Score:2)
What does Tripwire get for open sourcing their
product?
20,000 free poster orders from leeching slashdoters! Shame on you!
(Of course I went and ordered my free poster before bitching about it...)
Re:AIDE has always been free (Score:1)
"only the Linux version": DTWY for BSD (Score:3)
In other words, Do The Work Yourselves. If you're upset that there's no BSD or other version, form a group and use the GPL to do it yourself. Don't complain, get to work.
It's not like it's closed source proprietary, where you can't do that.
Re:Using their own code? (Score:1)
This is how some code is distributed in a GPL form and a BSDL form. The authors just take their source code and slap a different comment section at the top. It may or may not be put under the GPL as the last step before release. In any case, as long as they authored 100% of the code, they can remove one liscence and slap on another. OF course, this doesn't affect previously released code. ("Oops! Just kidding, delete that GPLed code from your HD" doesn't hold water.)
Karl
I'm a slacker? You're the one who waited until now to just sit arround.
Re:Other "Security Tools" on SourceForgery (Score:1)
This is the funniest thing I have ever seen in my life.
Click here to look at a BO2K "bug" [sourceforge.net]
if you are not laughing yet, you need to get your pulse checked.
-inq
Re:tripwire's site kinda pisses me off. (Score:1)
BTW: Where do you go to have your country renamed? Is there a standard form?
--
Secure journaling filesystem? (Score:4)
Their database seems like the greatest potential gain for the community. The hashing of files is pretty simple, given the number of crytographically strong open-source hashes out there. The UI/customization end of tripwire seems like it would be relatively straightforward to design. It seems to me that most of the room for real software engineering is in the database file format.
People have already created driver-level crypto filesystems, but has anyone ever proposed a driver-level tripwire filesystem? Of course, you would need to tell the fs whcih files and directories to keep track of or you would be swamped with change logs.
Has anyone ever proposed a secured journaling filesystem? While we're replacing/overhauling the Linux filesystem, we might as well add secure functionality. (Assuming we don't cause a false sense of security.) Setting a file attribute flag to secure could cause any changes to the file or directory (including mv and cp) to be logged in a compact format. Any changes in the secure-log flag for all files in the fs would also have to be logged. In ultra-paranoid environments, one could even securely log file reads. (It's not that much more work to include this in a new driver.) Use an itterative one-time password scheme to watermark the logs (even a 64 bit hash would be relatively secure, because of the number of hashes that would need to be matched to change logs very far back in time). The easiest way to sign the hash is just to encrypt it with the one-time password. You keep the first one-time password on a locked floppy, along with a copy of the executable for checking the logs and computing the hashes of the files stored in the logs (add a hash to the logifile only when something changes). With the first password, you can compute the second, with the second you can compute the third, etc. This means that you can decrypt all of the hashes of the logfile if you have the floppy.
On the other hand, if the filesystem driver keeps only the current one-time password, then any attacker will be detected if s/he alters the logs for any time earlier than when they broke in. (Since creating the correct hashes requires knowing the password for that time, and passwords for earlier times cannot be computed from passwords for later times.) You can keep snapshots of the logfile if you like, but they are not necessary for intrusion detection. One only needs to first check the integrity of the logfile, then trace through the changes according to the logfile. Any discrepincies between a file and it's last recorded hash indicate file corruption or a security breach. People could "turn back the clock" on the filesystem by changing the files back to a previous state and deleting any logs since, but any subsequent changes to the fs would be logged with the wrong one-time-password and this would be detected.
First pos.. wow that took a while to write and revise! I'm surprised you actually read this far.
Karl
I'm a slacker? You're the one who waited until now to just sit arround.
Re:ALREADY GPL'D IN RED HAT 7.0! (Score:1)
Re:In-kernel triggers? (Score:1)
Sorry, should have been more clear. (Score:1)
Karl
I'm a slacker? You're the one who waited until now to just sit arround.
Re:Call me obtuse... (Score:1)
Re:tripwire's site kinda pisses me off. (Score:1)
Okay, so the figures are a year old, and my population of the US may be off, but I'm pretty sure Canada has the highest per capita connections to the 'net.
So, I guess Canada should be at the top, or at least higher up than the US. Sorry guys!
Open source attracts open source? (Score:4)
Is the reason the background of the OS? Linux users are used to having the source and a product which doesn't offer source can't expect a very wide acceptance in the Linux world (see for example some of the originally-closed drivers). In Windows, everybody is used to proprietary software, so they couldn't care less.
Another peculiar thing is, why do they keep different versions for different architechtures? I'd think it would be easier to manage only one code base with #ifdef's or separate low-level files. It might be possible that they only omit the Windows-specific files, but in this case any GPL additions to the Linux version (made by users) couldn't be compiled into the Windows version.
This, on the other hand, would mean that the Linux version would inevitably become better than the corresponding Windows version. The only legal way they could get the same features into the Windows version would be to code them themselves from scratch, and who's to say they didn't use any GPL-only code? Or do they demand everybody who contributes anything to dual-licence it so they can use it in the closed Windows version also?
Any ideas, anyone?
Re:Secure journaling filesystem? (Score:1)
Sure, you can implement something like tripwire (or various forms of capabilities) at the file system level. But that doesn't need to be anywhere near as complex as a JFS. You're probably better off with a simple, general change notification mechanism and a user-level daemon.
Re:That's what I think (Score:2)
At some point CVS will happen. Someone (or group) will take a Linux kernel and check it into CVS, with or without Linus's blessing. And Linus will have to either get with the program, or get passed by. The real world of software development understands why source code control systems matter.
The method right now puts Linus in control. He's "the man". CVS takes away from Linus's "power".
Re:Open source attracts open source? (Score:2)
Jeremy
Re:Hrm... (Score:1)
This is "only the Linux version" (Score:2)
Quoth the "Open Source Tripwire for Linux FAQ" [tripwire.org]:
Of course, since the open source release is GPLed, porting it to other OSes is perfectly legitimate.
Re:In-kernel triggers? (Score:1)
Yes, there is such a thing for Linux, and it is called LIDS [lids.org]. It is basically a kernel patch that, along with a user-mode administration program, does what you just described and much more. For example it can send a message (directly from the kernel!) to somebody on some IP address (which you preconfigured) instead of logging to syslog, also with the help of the capability support in the kernel you can limit the access to certain group of system calls. Check it out!
Re:Hrm... (Score:2)
Last I recall (circa version 1.3 or so), its sole purpose was to act as a system for generating and verifying checksums for system binaries, configuration files and their ilk. Generate sums with intact system, move to a not-easily-tampered-with medium (say, CD-R if you're paranoid, floppy followed by write-protect if you're not), and check against 'em later if your system is compromised or you otherwise feel a need to verify your files. Nothing more.
It cannot even be used as a tool for, let alone have a primary (stated or unstated) purpose of, gaining unauthorized access to a system any more than any other one-way hashing system, unless distributed on a sharpened, magical CD with the strange unerring accuracy of Xena's chakram and you go sysadmin-hunting.
Re:Tripwire is important because? (Score:1)
TripWired (Score:1)
the man who put the BOP in the BOP-SHIBOP-SHIBOP [mikegallay.com]
But Tripwire was open source already (Score:1)
Hm... maybe I've missed the point in time when Tripwire stopped to be available as source code, but I remember than 5-6 years ago and earlier I used to download and install it on various Unix boxes at the Univ. It was nothing more than checksum checker capable that was nice, because it checked many files and could be run automatically. Of course, it was available in source code (in the pre-RPM days even on Linux distros of that time - SLS, Slackware - everything installed with make install).
Anyway - glad to hear that this nice tool is living and is returning to the open source status.
Other Resources (Score:4)
T here is also a great article here [bastille-linux.org] regarding file system monitoring - and alternatives (additional OpenSource) to TripWire. Not quite as relevant now that TripWire is OpenSource but still a good read.
Not really open sourced... (Score:5)
They are changed their source encryption to ASCII encoding, triple ROT-26 under the provisions of the DMCA which just went into effect.
Also, you are allowed to view the source, but comprehension of it is a violation of the terms of use statement you agreed to when you first became aware of the term Tripwire. Failure to not comprehend the source is punishable by, but not limited to, confiscation of any or all of the following:
AIDE has always been free (Score:5)
Who needs Tripwire when we have AIDE?
To quote the web page: "AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire. It does the same things as the semi-free Tripwire and more."
Check it out!
http://www.cs.tut.fi/~rammer/aide.html
See also, Qt, GhostScript, CUPS, MySQL, Quake (Score:2)
A GPL dual license is a gamble. Someone could add a compelling new feature to the GPL release that can't be integrated into the "value-added" proprietary version. There seems to be a strong resistance do doing so, however. Doing so would require a fork, because the company won't accept a contribution unless you assign copyright. This lessens the contribution to the free software community, but I'm not about the smell the gift fish.
Geez, just hit U a couple times. (Score:2)
Do Linux's leading browsers or underlying GUI elements support keyboards? If not, go hack it in, it's not rocket science.
Windows' standard combobox control (drop down list, whatever) will jump to any item when you hit the initial letters. I see 'Angola' in a combo box, I hit U. If it says 'United Kingdom', I hit U again. Oooo, tough.
I'm from Michigan. That's the fourth M state in a dropdown of the United States' states. Do I holler about that?
Certainly there are better things to whine about. And personally, I think it's better if US-centric Americans were subtly reminded that the US isn't the whole world.
Re:tripwire's site kinda pisses me off. (Score:1)
Re:Poor Man's Tripwire (Score:1)
--
Re:More free stuff. (Score:1)
Re:More free stuff. (Score:2)
Re:Poor Man's Tripwire (Score:1)
Re:"only the Linux version": DTWY for BSD (Score:1)
Re:AIDE has always been free (Score:1)
Re:In-kernel triggers? Immutability and LIDS (Score:3)
Do you need to put other mechanisms in place to cope with this?
Re:Using their own code? (Score:1)
Qt goes GPL, makes _more_ money! (Score:2)
TrollTec h CEO Haavard Nord said that after Qt was GPLed, they are now selling MORE commercial licenses, which "affected revenue in a positive way." [alllinuxdevices.com]
---
Re:If it compiled... (Score:1)
Re:Hrm... (Score:1)
AIDE (Score:2)
Re:TripWired (Score:1)
Business plan:
1) Start giving away our product
2) Get Slashdotted
3) ???
4) Profit!
Re:More free stuff. (Score:2)
Worked just fine then! (US Address)
-- Ravensfire