Open Source Tripwire

Developer(s) Tripwire, Inc.
Stable release 2.4.3.7 / 31 March 2018
Written in C++, Perl
Operating system Linux, all POSIX/UNIX Systems
Type Security, Monitoring, HIDS
License GPLv2 [1]
Website https://github.com/Tripwire/tripwire-open-source

Open Source Tripwire is a free software security and data integrity tool for monitoring and alerting on specific file changes on a range of systems, [2] [3] originally developed by Eugene H. Spafford and Gene Kim. [4] The project is based on code originally contributed by Tripwire, Inc. in 2000. [5] [6] It is released under the terms of the GNU General Public License. [1] [7]


It works by creating a baseline database and then regularly comparing the state of the file system with that database. If it detects changes (e.g. the addition or modification of files), it includes them in its report so that security administrators can review them. [2]

History

Tripwire was created by Dr. Eugene Spafford and Gene Kim in 1992 in response to a series of stealthy intrusions that occurred in early 1991. These attacks circumvented the existing security systems by infecting shared libraries in a way that left their CRC checksums unchanged. Tripwire was designed to use message digest functions from different hash families (e.g. MD5 and Snefru) so that it remains reliable even if one of the hashing algorithms is broken. [4]

The name "Tripwire" comes from the trap or tripwire files which alert administrators upon being accessed by intruders. [8] [9] :4 Spafford recalls:

We heard several stories where tripwire files were established, as per our original intent, which were used to detect insiders snooping into files and directories where they had no reason to explore. At least one such use was related to us as a trigger that uncovered insider-perpetrated fraud. [4]

Tripwire was written in C, and its design emphasized portability of both the program and its database. On November 2, 1992, it was released for beta testing. The formal release followed in December 1993, after several bugs had been identified and fixed. Early releases were developed in a cleanroom style, where Gene Kim did the development and Eugene Spafford ran the acceptance testing. [4]

Tripwire was initially free and open-source, but it went commercial in 1997. Open Source Tripwire was released in October 2000 [6] under the GNU General Public License. [7]

On May 4, 2015, the source code was moved from SourceForge to GitHub. [10]

Overview

Figure: Diagram of the high-level operation model of Tripwire

During installation, Open Source Tripwire asks the user to set the site key and local key passphrases. The site key passphrase encrypts the policy and configuration files, which are shared across multiple systems. The local passphrase protects the files specific to one machine. The policy file contains the list of files and directories to scan and the rules that apply to them (e.g. which attributes of the directory tree to look at). [2]

Open Source Tripwire later asks for the local passphrase when creating the initial database of file signatures. It runs a first scan of the system and saves the result to the database. Afterwards, it runs integrity checks and compares their results with the database: for example, if a new file is created, it will be listed in the subsequent integrity check report. [3] Open Source Tripwire can be configured to run integrity checks regularly and to e-mail the report to the system administrator. [11] The database should be initialized before the system is at risk of being compromised.[citation needed]

The user can create tripwire files that look as if they contain valuable information (e.g. a file called master-password.txt) and configure Open Source Tripwire to track them in order to catch snooping intruders. When an intruder reads such a file, its access timestamp is updated and the security administrators are notified of the incident. [4]

Unlike Tripwire Enterprise, Open Source Tripwire is not available for Windows and ships only basic policies. [12] Windows users can run Open Source Tripwire under Cygwin, but it will not scan Windows-specific attributes such as the Windows Registry. [13]

Details

Policy file

The policy file is called twpol.txt [11] (or tw.config in previous versions), and it specifies which files and directories are to be monitored. It supports preprocessing, which allows administrators to write a single policy file for many different machines. In the policy file, each file or directory is accompanied by a selection-mask that specifies which attributes to ignore and which to report. For example, a selection-mask could be written to report changes in the modification timestamp, number of links, file size, permissions and modes, but to ignore changes to the access timestamp. There is also an option to specify whether or not Tripwire should recurse into a directory, i.e. check its subdirectories, the subdirectories of those subdirectories, and so on. [14] [9] :11–12

Example of the policy file: [14]

# system binaries
SYSBIN=+pngu+sm;
/usr/local/bin/pwgen -> $(SYSBIN);
/usr/bin -> $(SYSBIN);
/usr/sbin -> $(SYSBIN);
/etc/security -> +pug(recurse=-1);
# ignore last log
!/etc/security/lastlog;
# logs
SYSLOGS=+p-lum;
/var/adm/messages -> $(SYSLOGS);
/opt -> $(SYSBIN);
# ignore these do not scan
!/opt/dump;
!/opt/freeware;

The following policy file example from "The Design and Implementation of Tripwire: A File System Integrity Checker" by Spafford and Kim makes use of the preprocessing language. Here it is used to ignore the directory with printer logs on one specific host, while that directory is scanned on all other hosts. Thus, preprocessing allows the same policy file to be used on this host and on the others; otherwise the user would need to write separate policy files. [9] :12

# file/dir        selection-mask
/etc              R          # all files under /etc
@@ifhost solaria.cs.purdue.edu
!/etc/lp                     # except for SVR4 printer logs
@@endif
/etc/passwd       R+12       # you can't be too careful
/etc/mtab         L          # dynamic files
/etc/motd         L
/etc/utmp         L
=/var/tmp         R          # only the directory, not its contents

Configuration file

The configuration file is called twcfg.txt, and it contains the paths to the policy file, database file, report file, etc. It also has entries for mail settings (for instance, which program to use to send the report by e-mail). [14] [15] Example of the configuration file: [14]

ROOT=/opt/freeware/sbin
POLFILE=/etc/tripwire/tw.pol
DBFILE=/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE=/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE=/etc/tripwire/site.key
LOCALKEYFILE=/etc/tripwire/$(HOSTNAME)-local.key
EDITOR=/usr/bin/vi
LATEPROMPTING=false
LOOSEDIRECTORYCHECKING=false
MAILNOVIOLATIONS=true
EMAILREPORTLEVEL=3
REPORTLEVEL=3
MAILMETHOD=SENDMAIL
SYSLOGREPORTING=false
MAILPROGRAM=/usr/sbin/sendmail -oi -t

Database file

The database file is unique to each machine, as opposed to the policy and configuration files, which can be shared across multiple machines. It stores each file's permissions, modification dates and signatures. For each file, the database can store up to ten signatures. The database does not store file contents, because doing so would use too much disk space. [9] :13–15 The database file is human-readable, so the user can verify the properties of individual files and check the database for potential tampering. [4] [9] :7

When the integrity check detects a new file whose path has no entry in the policy file, Tripwire chooses the closest ancestor entry and copies its selection-mask, or uses the default selection-mask if no ancestor entry exists. Tripwire has an interactive update mode which simplifies the process of reviewing every updated file: for each created, deleted or modified file, it asks whether or not the corresponding database entry should be changed. [9] :13–15
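The policy example from the Spafford and Kim paper above and the closest-ancestor rule just described, as an added Python example that is not Tripwire's own code: it parses the tw.config-style policy with @@ifhost preprocessing, expands selection-masks, and looks up the mask for a path that has no entry. The template expansions for R and L and the attribute letters are assumptions modelled on the classic tw.config conventions; the policy text is the page's example, slightly shortened.

```python
import posixpath
# Added example (not Tripwire's own code): a parser for the classic tw.config
# policy format shown above: @@ifhost preprocessing, selection masks and the
# closest-ancestor rule.  Template flags are assumed to be the tw.config ones:
# p mode, i inode, n links, u uid, g gid, s size, a atime, m mtime, c ctime.
TEMPLATES = {"R": "+pinugsm12-ac3456789",   # read-only files
             "L": "+pinug-sacm123456789"}   # log files: size and content grow
POLICY = """\
/etc              R        # all files under /etc
@@ifhost solaria.cs.purdue.edu
!/etc/lp                   # except for SVR4 printer logs
@@endif
/etc/passwd       R+12     # you can't be too careful
/etc/motd         L        # dynamic files
=/var/tmp         R        # only the directory, not its contents
"""

def parse_mask(mask: str) -> set:
    """Expand 'R+12' or '+pinug-sam' into the set of attributes to report."""
    if mask[:1] in TEMPLATES:                 # template letter, then overrides
        mask = TEMPLATES[mask[0]] + mask[1:]
    report, sign = set(), "+"
    for ch in mask:
        if ch in "+-":
            sign = ch
        else:
            (report.add if sign == "+" else report.discard)(ch)
    return report

def parse_policy(text: str, host: str) -> tuple:
    """Apply @@ifhost/@@endif for host; return (path -> (attrs, recurse), ignored)."""
    entries, ignored, keep = {}, set(), [True]
    for line in text.splitlines():
        word = line.split("#", 1)[0].split()  # strip the comment, tokenize
        if word[:1] == ["@@ifhost"]:
            keep.append(keep[-1] and word[1] == host)
        elif word[:1] == ["@@endif"]:
            keep.pop()
        elif word and keep[-1]:
            path, mask = word[0], (word[1] if len(word) > 1 else "R")
            if path.startswith("!"):
                ignored.add(path[1:])
            else:                             # leading '=': directory only
                entries[path.lstrip("=")] = (parse_mask(mask), not path.startswith("="))
    return entries, ignored

def mask_for(path: str, entries: dict, ignored: set, default: str = "R"):
    """Closest-ancestor rule: the nearest entry's mask, else the default mask;
    None if the path is ignored or its nearest entry does not recurse."""
    p = path
    while p not in ignored and p not in entries and p != "/":
        p = posixpath.dirname(p)
    if p in ignored or (p in entries and p != path and not entries[p][1]):
        return None
    return entries[p][0] if p in entries else parse_mask(default)
```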

Signatures

To minimize the security impact of hash collisions (cases where a file changes but its signature does not), Tripwire uses several different hashing algorithms to compute multiple signatures for each file. [4] Because different hashing algorithms have different performance characteristics, Tripwire allows the administrator to configure which signatures are used and how often. For example, the system could be configured to compare CRC32 signatures every hour and MD5 signatures every day. The hourly integrity checks then run faster, and even if a file is modified without changing its CRC32 checksum, the change will be reported by the daily integrity check. [9] :7,15 Tripwire provides a generic interface to signature routines, so users can add their own checksum methods. [9] :15
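The baseline-then-compare workflow from the Overview and the two-tier signature scheduling described here, as an added Python example that is not part of Open Source Tripwire: it builds a database over a constructed in-memory file tree, runs a cheap and a full check against it, and includes a test-vector helper that produces a modified file with an unchanged CRC-32 so the difference between the two checks can be verified. The sample files and the FAST/FULL signature sets are constructed for the example.

```python
import hashlib
import zlib

# Added example (not Tripwire's own code): a miniature integrity checker in the
# Tripwire model over a constructed in-memory file system, path -> (mode, bytes).
FAST = ("crc32",)                  # the cheap signature, for the hourly check
FULL = ("crc32", "md5", "sha256")  # every signature, for the daily check
SAMPLE_TREE = {"/etc/motd": (0o644, b"Welcome to host alpha\n"),
               "/etc/passwd": (0o644, b"root:x:0:0:root:/root:/bin/sh\n")}
_TABLE = []                                   # reflected CRC-32 lookup table
for n in range(256):
    for _ in range(8):
        n = (n >> 1) ^ 0xEDB88320 if n & 1 else n >> 1
    _TABLE.append(n)
_BY_TOP = {t >> 24: i for i, t in enumerate(_TABLE)}  # top bytes are distinct

def signatures(data: bytes) -> dict:
    """One signature per hash family, as Tripwire stores for each file."""
    return {"crc32": f"{zlib.crc32(data):08x}",
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def build_baseline(tree: dict) -> dict:
    """The database: mode, size and all signatures of every file."""
    return {p: {"mode": m, "size": len(d), **signatures(d)}
            for p, (m, d) in tree.items()}

def integrity_check(tree: dict, db: dict, algos=FULL) -> dict:
    """Compare the live tree with the database using the chosen signatures."""
    live = build_baseline(tree)
    report = {"added": [], "removed": [], "changed": []}
    for path in sorted(set(db) | set(live)):
        if path not in db:
            report["added"].append(path)
        elif path not in live:
            report["removed"].append(path)
        elif any(db[path][k] != live[path][k] for k in ("mode", "size", *algos)):
            report["changed"].append(path)
    return report

def crc32_collision(original: bytes, body: bytes) -> bytes:
    """Test vector: body plus 4 bytes chosen so its CRC-32 equals original's.
    CRC-32 is linear, which is why it cannot be the only signature."""
    want = zlib.crc32(original) ^ 0xFFFFFFFF    # register we must finish on
    idx = []
    for _ in range(4):                           # walk the register backwards
        idx.append(_BY_TOP[want >> 24])
        want = ((want ^ _TABLE[idx[-1]]) << 8) & 0xFFFFFFFF
    reg, patch = zlib.crc32(body) ^ 0xFFFFFFFF, bytearray()
    for i in reversed(idx):                      # then forwards, emitting bytes
        patch.append((reg ^ i) & 0xFF)
        reg = (reg >> 8) ^ _TABLE[i]
    return body + bytes(patch)
```

With the collision vector in place, the FAST check (mode, size, CRC-32) reports nothing for the altered file while the FULL check flags it, which is exactly the gap the daily MD5 comparison is meant to close.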

References

  1. "LICENSE". GitHub. Retrieved 5 September 2019.
  2. Michael Kwaku Aboagye (January 18, 2018). "Securing the Linux filesystem with Tripwire". opensource.com. Archived from the original on May 6, 2023. Retrieved January 14, 2024.
  3. Li, Hui; McGinty, Michael; Fu, Xinwen (2012). "Monitor and Secure Linux System with Open Source Tripwire" (PDF). University of Massachusetts Lowell. Archived (PDF) from the original on January 14, 2024. Retrieved January 14, 2024.
  4. Spafford, Eugene H. "Tripwire: Pioneering Integrity Scanning for Cybersecurity" (PDF). Purdue University. Archived (PDF) from the original on February 4, 2023. Retrieved January 14, 2024.
  5. "Open Source Tripwire on SourceForge". 21 October 2018. Retrieved January 14, 2024.
  6. Bauer, Mick (July 1, 2001). "Paranoid penguin: intrusion detection for the masses". Linux Journal. 2001 (87). Archived from the original on January 14, 2024. Retrieved January 14, 2024.
  7. Mellem, Erik; Olsen, Frode (June 2004). "Real time Integrity Control of Operating systems" (PDF). Agder University College. Retrieved January 17, 2024.
  8. DeMara, Ronald F; Rocke, Adam J (February 2004). "Mitigation of network tampering using dynamic dispatch of mobile agents". Computers & Security. 23 (1): 31–42. doi:10.1016/S0167-4048(04)00068-9.
  9. Kim, Gene H.; Spafford, Eugene H. (November 19, 1993). "The design and implementation of tripwire: A file system integrity checker". Proceedings of the 2nd ACM Conference on Computer and Communications Security (CCS '94). pp. 18–29. doi:10.1145/191177.191183. ISBN 0-89791-732-4. Archived from the original on March 22, 2016. Retrieved January 14, 2024.
  10. "Initial commit of code from Sourceforge repository". GitHub. Retrieved January 14, 2024.
  11. Lynch, William (March 21, 2001). "Getting Started with Tripwire (Open Source Linux Edition)". LinuxSecurity. Retrieved January 17, 2024.
  12. Sen, Kaushik (October 17, 2021). "Tripwire Enterprise vs Free Tripwire Open Source". UpGuard. Archived from the original on January 19, 2022. Retrieved January 14, 2024.
  13. Jauhiainen, Juho (December 2021). "Ensuring system integrity and security on limited environment systems" (PDF). University of Turku. p. 18. Retrieved January 17, 2024.
  14. Tansley, David (December 13, 2011). "Running with Tripwire: Using Tripwire to monitor file changes". IBM developerWorks. Archived from the original on May 3, 2012.
  15. Natarajan, Ramesh (December 8, 2008). "Tripwire Tutorial: Linux Host Based Intrusion Detection System". The Geek Stuff. Retrieved January 17, 2024.