Slashdot Mirror


Tripwire Going GPL

Johnath writes: "Maybe it's a little early to break out the party hats, but after noticing that a new version of Tripwire had been released, I checked up on their site and noticed they are going to open source it. Supposed to open it up this fall, and under the GPL no less." There are a lot of people who swear by Tripwire, it'll be nice to see this come to fruition. One thing that's odd - This only applies to Tripwire for Linux.

23 of 52 comments

  1. It can be defeated... by Greyfox · · Score: 2

    Apparently tripwire can be defeated by a cleverly coded kernel module. What'd really be handy would be if tripwire would write its data to a bootable CD filesystem. You'd have to reboot your PC to check for intrusions, but I'd think that'd be much harder to defeat.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  2. Re:Translation by Shadowlion · · Score: 2

    As for the dual-platform thing, I don't think it's possible (and certainly think it *shouldn't* be possible) to call it open-source if you're discriminating against users of a particular platform. It is possible to "discriminate" and still be open source. You just have to be specific. In this particular case, Tripwire is not open source. Tripwire for Linux is open source. There's a difference that needs to be specified, so that users know which one is open. As far as the "shouldn't be called open source," I would have to respectfully disagree with you. As long as you make it clear that you are referring to the Linux version, it is open source software. The GPL makes provisions, too, for a vendor/author to publish his software under more than one license. Those other licenses don't necessarily have to be open-source licenses, and in fact they can be as non-open-source as any other commercial license out there. As long as the Linux and non-Linux versions are kept separate once it goes open source, there's nothing legally, morally, or ethically requiring them to restrict their licensing to a single, open source license.

  3. wrong... by mortonda · · Score: 2

    Of course, on your major servers, you *do* disable kernel modules, right?

    There's no need to have loadable modules on a server with sensitive information.

  4. GPL'd for only one OS by EngrBohn · · Score: 2

    One of two things is going to happen here: Either they are not actually going to use the GPL, or they're going to find people creating derivative works of the Linux version to make GPL'd versions for Solaris, BSD, Windows...
    Christopher A. Bohn

    --
    cb
    Oooh! What does this button do!?

  5. Re:This is neither a huge surprise, nor a bad idea by interiot · · Score: 3

    That having been said, these sorts of tools have quite commonly become *much* better by being open source utilities

    I don't mean to say that OSS is bad or anything, but I don't think your statement is necessarily substantiated.

    I went to a talk given by the Tripwire author, and half the talk was about his thoughts on how tripwire relates to open source. He made a couple points (I don't remember his whole talk, sorry, it was a very good one)...


    His first point was that, basically, they hadn't gotten a lot of help from the open source community (on the non-commercial version). There was one programmer who regularly sent in updates, and there were maybe 20-30 people who contributed from time to time, and then a few odd updates from other people. This was a very small percentage of the open source user base. He showed how much the opportunity cost was for opening the source. He then compared that to the price of paying his own programmers to fix bugs. He found (in his case, so this doesn't necessarily apply to anything else) that it was cheaper to keep it closed, and more bugs were found by the paid programmers. And it wasn't for lack of an audience, OSS tripwire is pretty dang popular. His opinion was that OSS lets more eyes see it, but those eyes weren't very productive, even given that not every OSS tripwire user is a coder.

    Secondly, he didn't wanna piss the linux people off.


    Guess which point won out?
    --

  6. That's what I was thinking actually by Greyfox · · Score: 2

    Yeah, make the CD bootable and cold boot to it. That would be extremely difficult to defeat, though it would require a reboot to run the check, which you don't want to do often on a production server. As someone else pointed out, disabling kernel modules on a production server is also an excellent idea.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  7. Tripwire, ColdFusion, and Mission: Impossible by Alakaboo · · Score: 2

    The fact that they are using ColdFusion to sell a SECURITY AND INTEGRITY software package does not ease my mind. ;-)

    More seriously, what is this going to do for me that I can't do with ipchains, tcpdump, and chmod o-w? Do it for me? That would be nice, especially if it's going to be free. However, it has been my experience in the past that adding yet another factor (software suite/daemon) to the security equation is the last thing you want to do.

    IMHO a system will never be truly safe unless it's unplugged from the wall. Even then you need at least one inept guard at the front door to watch over the physical hardware. I think the reason companies hire network and systems administrators is to make sure offsite backups happen every four hours, and that the permissions are set properly, and there are no security holes in the system software, etc.

    But again, on the other hand, if I'm running a network of servers that spans the country, or even the world, it would be nice to have a summary screen saying "Tom Cruise just stole the corporate NOC list. Please attend immediately." At that point, however, I think it would be reasonable for my parent company to spot me a grand or ten to purchase said software suite. No need for open source here.

    *sigh* Is it just me or do people not make sense sometimes? :-)

    (disclaimer: yes, I realize it's probably just me)

    Alakaboo

    1. Re:Tripwire, ColdFusion, and Mission: Impossible by Bob+Uhl · · Score: 3

      Tripwire is used to defend from anything which can change files. chmod o-w does not work, because one can do a chmod o+w. Ipchains and tcpdump do no good because one can still sit in front of the machine. No system is secure; tripwire is used to detect when security has been breached.

      Do you know what it does? It calculates checksums for all files. These sums can then be stored on read-only media, such as a CD. Then a simple check is all that is nec. to detect modifications to system files.
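The two-phase scheme Bob Uhl describes (checksum everything, park the sums on read-only media, recompute and compare later), written out as an added example; this is not Tripwire's code, and the sample tree, file contents and paths in `demo()` are constructed. Permission bits are recorded alongside the digest so the `chmod o+w` case from the parent comment is caught as well.

```python
"""Tripwire-style integrity check, as an added example (not Tripwire's code):
record a digest plus size and permission bits per file, keep that baseline
on read-only media, later recompute and report what differs."""
import hashlib
import json
import os
import stat
import tempfile


def hash_file(path):
    """SHA-256 of the file contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {sha256, size, mode} for regular files under root.
    Mode is recorded so a bare chmod o+w is caught even when contents match."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. are out of scope here
            baseline[os.path.relpath(path, root)] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline


def check(root, baseline):
    """Return the paths added, removed or changed since the baseline."""
    current = build_baseline(root)
    common = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in common if current[p] != baseline[p]),
    }


def demo():
    """Constructed sample tree; baseline it, make three edits, run the check."""
    root = tempfile.mkdtemp()
    files = {"etc/passwd": (b"root:x:0:0:root:/root:/bin/sh\n", 0o644),
             "bin/ls": (b"\x7fELF constructed placeholder, not a binary\n", 0o755)}
    for rel, (data, mode) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, mode)
    # The baseline is serialized exactly as it would be written to the CD.
    stored = json.dumps(build_baseline(root))
    with open(os.path.join(root, "etc", "passwd"), "ab") as f:  # contents changed
        f.write(b"extra:x:1001:1001::/home/extra:/bin/sh\n")
    os.chmod(os.path.join(root, "bin", "ls"), 0o757)             # chmod o+w only
    with open(os.path.join(root, "bin", "newfile"), "w") as f:  # file added
        f.write("dropped in after the baseline\n")
    return check(root, json.loads(stored))
```

Running `demo()` reports `bin/newfile` as added and both `bin/ls` (mode only) and `etc/passwd` (contents) as changed; a real deployment would also need the checker itself and the baseline to come from media the checked host cannot write, which is the point of the bootable-CD suggestion earlier in the thread.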

  8. Silly! by GreenPickles · · Score: 2

    It's plain silly for them only to release a Linux version, ESPECIALLY if it's under the GPL. In 6 months there will be a port for Tripwire for every platform under the sun....

    1. Re:Silly! by mr · · Score: 2

      And, if I have read the GPL correctly, you can not release a 'GPL Version for this platform only'

      Because, if you CAN restrict the GPL-ism to one platform only, then the source 'isn't free'.

      If they want to make the "linux" version free for "linux only" then they need their own licence.

      --
      If it was said on slashdot, it MUST be true!

  9. This is neither a huge surprise, nor a bad idea by Dagmar+d'Surreal · · Score: 4

    Tripwire is a security tool. That having been said, these sorts of tools have quite commonly become *much* better by being open source utilities, since there are definitely a lot of people running around on lists like Bugtraq who go into a positive frenzy over making security related patches. Tripwire is also one of the few integrity checkers that many people are familiar with using, and while a skilled system administrator who can code in C could probably come up with something very similar in a few weeks, it's not really all that feasible. Anywhere where this sort of integrity checking would be _demanded_ to ensure certain policy requirements, the system administrators are likely to not have the time necessary to develop such a tool (at least in most companies, time for R&D is pretty limited). GPL or no, it's these same companies that are most likely to be looking for a support contract for such a tool, because places that have policies requiring this level of attention to detail are also quite likely to have made it standard operating procedure to get support contracts for every possible piece of software they use, no matter how small. (This all falls under "assurance" guidelines by my book)

    GPLing this code will make it more friendly to the freelance security consultants, as well as those who aren't so freelance because now they'll have a chance to exercise their paranoia and examine the code themselves to see for sure that it's good and solid.

    ...not to mention that Tripwire has received a great deal of help from the hacking community in the way of pointing out potentially weak implementation methods, and generally just making things tidier.

    So I don't see making the code GPL making any serious dent in the company's profit model, especially with more companies starting to get used to being able to obtain support contracts for software they didn't have to actually pay anything for. It's only recently that you could even think of being able to obtain support contracts for software that wasn't backed by a company whose profit model was based on the sale of the software, which makes the whole trick of making certain there are experts that can be called on in a flash to help solve problems when something goes wrong highly improbable, if not impossible.

    I know it might sound silly trying to obtain a support contract for Tripwire, but at the last company I worked for, such a thing would not only be desired, but not too terribly hard to get upper management to sign off on. (For some reason the bigger a company gets, the less likely they are to want to trust the word of their own employees alone... but then again, that quickly falls under the umbrella of assurance in a good set of security policies.)

    1. Re:This is neither a huge surprise, nor a bad idea by Bob+Uhl · · Score: 2

      I know it might sound silly trying to obtain a support contract for Tripwire, but at the last company I worked for, such a thing would not only be desired, but not too terribly hard to get upper management to sign off on.

      Many times the IT department or its outsourced equivalent has Service Level Agreements; I know we do. They're 24/7, so we buy 24/7 support for everything we have. As networking and systems continue to rise in importance, I expect that we will really see a boom in the support market. OS/FS are poised to really take advantage of this.

  10. Kernel-Verified Binaries by Effugas · · Score: 3

    Lemme tell you something.

    I'm really, really, really starting to like the concept of, at minimum, setuid binaries failing to execute unless they pass an MD5 test executed by the kernel before an execve().

    Microsoft is already working with signed drivers and signed packages, and SecureBSD(a new *BSD variant) is advertising binary hashing out-of-the-box. I'm curious what the rest of you think about the kernel attempting to rely on the trust imbued in the first version installed to authenticate future executions of that version.

    Best problem I can come up with is that a successful setuid hack could allow the root to reconfigure the kernel to ignore a specific file's changes...at that point, I'm thinking of some form of shared "setuid compile" secret that gets appended to the application for hash purposes...then, all apps get hashed as if they had the secret appended...come in as root and attempt to compile something such that it'll setuid, attempt to install into the kernel DB...and poof. You fail, because you're not consistent with the kernel hash secret.

    Thoughts?

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com
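The scheme sketched in the post above, as an added example that is not part of Dan Kaminsky's post and not any real kernel's code: a kernel-held secret keys the hash of every enrolled setuid binary, so an entry written into the table by someone who lacks the secret is never consistent with what the kernel recomputes at exec time. Where the post says "secret appended to the application for hash purposes", this uses HMAC-SHA256, the standard keyed construction; the secret, paths and binary bytes are constructed placeholders.

```python
"""Keyed-hash database for setuid binaries, as an added example of the idea in
the post above (not any real kernel's code). The post suggests appending a
secret to the binary before hashing; this uses HMAC-SHA256 instead, which is
the standard way to key a hash and is not subject to length extension."""
import hashlib
import hmac


def keyed_tag(binary, secret):
    """Tag the kernel would recompute before execve(): HMAC(secret, binary)."""
    return hmac.new(secret, binary, hashlib.sha256).hexdigest()


class SetuidVerifier:
    """In-kernel table of path -> tag. Only a holder of the secret can enroll
    a binary whose tag later verifies; root without the secret cannot."""

    def __init__(self, secret):
        self._secret = secret
        self._table = {}

    def enroll(self, path, binary):
        """Trusted install step: tag computed with the kernel secret."""
        self._table[path] = keyed_tag(binary, self._secret)

    def add_raw_entry(self, path, tag):
        """What a privileged user *without* the secret can do: write a tag in."""
        self._table[path] = tag

    def may_exec(self, path, binary):
        """The pre-execve() check: refuse unknown or mismatching binaries."""
        expected = self._table.get(path)
        if expected is None:
            return False
        return hmac.compare_digest(expected, keyed_tag(binary, self._secret))


def demo():
    """Constructed scenario: enroll, modify, and add an entry without the secret."""
    secret = b"constructed-kernel-secret"          # never visible to userspace
    genuine = b"\x7fELF constructed passwd binary"  # placeholder bytes, not an ELF
    kernel = SetuidVerifier(secret)
    kernel.enroll("/usr/bin/passwd", genuine)

    results = {"genuine": kernel.may_exec("/usr/bin/passwd", genuine)}
    # Binary modified on disk: the recomputed tag no longer matches.
    results["modified"] = kernel.may_exec("/usr/bin/passwd", genuine + b"\x00")
    # A newly built setuid program registered by someone who lacks the secret:
    # the best available is an unkeyed digest, which the kernel never accepts.
    newbin = b"\x7fELF constructed new setuid program"
    kernel.add_raw_entry("/usr/local/bin/newtool", hashlib.sha256(newbin).hexdigest())
    results["unkeyed_entry"] = kernel.may_exec("/usr/local/bin/newtool", newbin)
    # Not enrolled at all.
    results["unknown"] = kernel.may_exec("/usr/local/bin/other", newbin)
    return results
```

The check only holds as long as the secret and the table stay out of reach of the privilege level being checked, which is the objection QuMa raises in the reply that follows.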

    1. Re:Kernel-Verified Binaries by QuMa · · Score: 3

      Why? If someone can replace your suids, they're root already. (right? RIGHT???). And if for some reason they felt the need to replace your suids, they could just replace your kernel image and reboot (ok, a bit tricky to do unnoticed), or start poking around in /dev/kmem etc. Or just load modules. Yes, all these things can be eliminated so that you need to reboot if you want to do anything (with securelevels or the current linux CAP-based equivalent), but still, what have you gained? Someone can't replace your suids when they're root. Big deal. Have a look at some of the linux-kernel@vger archives for more on this.

  11. Re:Translation by PigleT · · Score: 2

    "MySQL, for example, is open-sourced under *nix, but is shareware under Windows."

    Impossible, out of date, and wrong. There never was an open-source MySQL apart from the one older GPL'd one-off, until a few days ago when the whole thing went GPL (quite sensibly). As for the dual-platform thing, I don't think it's possible (and certainly think it *shouldn't* be possible) to call it open-source if you're discriminating against users of a particular platform.

    Me, I just installed and configured aide from source over the last couple of days - can't see what tripwire would give me over and above it, and I can actually go round sticking it on whatever machinery I want (because not only do I run linux, I run linux*PPC* as well...), without having to think about it.
    Of course, we wish tripwire well, but it's dubious whether they can pull off a 'market coup' (!) after the delay..
    ~Tim
    --
    .|` Clouds cross the black moonlight,
    Rushing on down to the circle of the turn

  12. Re:Translation by elbuddha · · Score: 2


    As for the dual-platform thing, I don't think it's possible (and certainly think it *shouldn't* be possible) to call it open-source if you're discriminating against users of a particular platform.

    There's two issues here. The first is that it is certainly possible, legal, and very common to license the very same product (code, prose, movies, etc) under two or more differing licenses. The licensee is bound by whatever terms they agreed to, and not to the terms someone else may have agreed to. If I license buddhafoo_1.1 to Tom under the GPL, and to Dick under the BSDL, then Tom's use of buddhafoo_1.1 is bound by the GPL, and Dick's use is bound by the BSDL. Absolutely no conflict there.

    The second issue is basically aesthetic. Both the GPL and BSDL are considered open source licenses. But if I then license buddhafoo_1.1 to Harry under a proprietary license, do you still call buddhafoo an "open source" project? Tom and Dick still have open source licenses for buddhafoo_1.1, nothing has changed for them. Some would say "yes", others like you would say "no".

    The lesson here is that any project can have both open source and closed source incarnations.

  13. Re:Clearing Things Up by Bob+Uhl · · Score: 2

    I've never understood what it is about Francophones. Everywhere they go they seem to think that they are the bee's knees--cf. Quebec, France, Louisiana and a thousand former French protectorates. Must be something about the language:-)

    Minitel had some interesting features, but it was never as good as the Internet, which predated Minitel by over a decade. And I hate to say it, but London and New York will remain the financial centres of the world, with Silicon Valley and Germany doing just fine, thank you, in the technology end of things. France has a nice position in the world, but it will never be the `technological and financial centre.' It had its time: the entire Mediæval, Renaissance and Early Modern periods. The mantle has passed.

  14. Re:Translation by PigleT · · Score: 2

    Yes, I'd agree there's potential for the whole thing to be under a choice of licenses - but do you regard "Tripwire for Linux" as a separate *product* from "Tripwire"?

    /me doesn't like confusion.....
    ~Tim
    --
    .|` Clouds cross the black moonlight,
    Rushing on down to the circle of the turn

  15. Promises made in the past by SWroclawski · · Score: 2

    There have been many promises about this product and patches submitted and ideas submitted and although the product is a good one, I've heard people complain that they make lots of promises and don't keep them. I wouldn't hold my breath on this issue and I'll "believe it when I see it".

    - Serge Wroclawski

  16. Clearing Things Up by alexburke · · Score: 3

    Here is an excellent article about computer security, and about UNIX systems in particular.

    This is a very complete list of security software for UNIX machines.

    I was wondering about the changes to Tripwire, so I scrubbed the FAQ and found the following gem:

    Will the open source version of Linux Tripwire be as secure as other versions of Tripwire? Explain the risks and advantages for an open source security solution.

    An open source solution provides the user and the systems administrator the instructions that allow them to examine it for security holes, Trojan horses and trap doors. It provides an enhanced sense of security for those who would like to have the source code to examine.

    Corporate IT managers and security administrators use good judgment everyday by deploying best-of-breed security products. Good security policy dictates that one purchases software or downloads software from the actual security vendor's site and not from "spurious sites" on the Internet. By taking the appropriate steps to create a solid security framework, the security community and the users of Tripwire vastly reduce any risks of the code being modified intentionally for wrongdoing.

  17. Single Point Of Failure Isn't More Secure by Effugas · · Score: 3

    Corporate IT managers and security administrators use good judgment everyday by deploying best-of-breed security products. Good security policy dictates that one purchases software or downloads software from the actual security vendor's site and not from "spurious sites" on the Internet.

    Actually, this isn't technically correct.

    They're essentially arguing that a "single point of failure increases security". In some practical senses, it does, because then attacks are always detected and have own group that owns stopping them. When the job is distributed, no single group can track the attacks.

    But ahhhh, no single group can independently attack either. Consider the situation where you have ten previous versions "out there". Distributing the load of archiving old versions means that you can't infect old versions yourself, and that (assuming the source and two mirrors) any attack that hit only one site would be detected and "outvoted" by the other two--for past, present, and future revisions. Total control in the hands of the original authors does imply a single point of attack, trojanization, and hash coverup.

    Of course, the tools aren't available to cross check hashes against multiple sites...I'd love to see install-ssh retrieve ssh from one of ten sites, and then download hashes from two others. This changes the attack profile to within my perimeter(can spoof the content of all hosts) instead of from the central server's perimeter(which I have no control of.)

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  18. Source was available before this, too by Trevor+Goodchild · · Score: 2

    Tripwire was originally released under what they referred to as an Academic Source license. They have a history of providing source code to people using the products, so this isn't a surprising announcement.

    Of course there have been a number of significant improvements since they started selling a closed source version, and I'm glad they ditched that path in favor of a true OS release. Probably the most welcome addition from the version I currently use is the ability to customize object blocks for directory recursion and improved email reporting.

    BTW, if you're interested in the Academic release it can still be downloaded here, but now that 2.2.1 is available for Linux (Intel only) I really don't see the point unless you're on one of those other platforms ;)

  19. Tripwire suspends LGPL for over 6 months by Anonymous Coward · · Score: 2

    Tripwire security has been distributing Tripwire 2.2.1 *statically linked* with glibc for over 6 months now. As part of the LGPL requirements, the glibc section must remain modifiable. Tripwire has decided that this requirement should be "temporarily" waivable and has not at any time honored requests for the object files to perform relinking against modified copies of the glibc. They *may* now accomplish a Q3 release which *might* be provided under the terms of the GPL. Regardless, I don't think anything can make up for the mockery of LGPL requirement enforcement over the majority of this year.

    Advanced Intrusion Detection Environment (AIDE) has been GPL from the beginning, provides most of the features in Tripwire with all of the features being planned for future versions. The AIDE team has never violated the GPL or LGPL and as such has never declared that sections of the LGPL should be temporarily suspendable.

    The supposed Tripwire open source release announcement would be a big deal if Tripwire Security were honorable people. But the fact of the matter is these people don't have the slightest clue when they are informed that the GPL and LGPL are a list of *requirements*. They have spent the last 6 months going out of their way to *demonstrate* on their website that they don't understand what the GPL or LGPL actually *is*. Hence, they may declare it is GPL'd and then make a legal brouhaha over rights that they supposedly provided.

    Be VERY careful when dealing with a company that has a 6 month history of violating the LGPL! Unless you have a *really* good lawyer, a company that decides to pick and choose what GPL or LGPL requirements actually apply can really screw you over bad. I would like to see a summary of the GPL and LGPL in Tripwire's own words to get a feel for how they interpret these licenses before I ever get daring enough to contribute.

    The AIDE team WILL NOT screw you over. They do not have the history of screwing over the glibc development team by ignoring redistribution licensing conditions. I'm not sure Tripwire is worth providing them a free peer review. AIDE is worth reviewing and contributing to.