Slashdot Mirror
Tripwire Goes Open Source
Brian McLaughlin writes: "Tripwire posted the source code to their integrity checking tool at SourceForge today. The press release can be consumed here."
← Back to Stories (view on slashdot.org)
← Back to Stories (view on slashdot.org)
I was having problems too, it kept saying "There were some errors. Please see below for details." Of course there weren't any details below.
I think I figured it out though... fill out the second address line (add Suite 100 or something)
--
Why can't I moderate something "Wrong" or at least "Grossly Misinformed"?
I know there was a commercial product that did this (and much more) for Solaris back about 3-4 years ago, but I haven't heard about it since. There are some other triggers that would be nice:
- On any of unlink, rename, creat, mkdir
- On failed system calls that fail due to permissions (e.g. the above calls as well as kill, socket, etc)
I know you could do most of this in libc, but I don't think that would be wise, as someone with enough smarts could always do the syscalls directly using asm().Now we need distribution specific policy files, currently the policy files are only for redhat. It would be nice to see policy files for suse, debian, turbo, caldera, etc.. as they apply to that particular disribution.
For example, alot of the files in the default policy file (setup for redhat) don't exist on my system (suse) and if they do exist, their in different locations. I can guess that this will be pretty much the same with debian, turbo, caldera and others as well.
It seems that nobody remembers that tripwire was open source a long time ago ...
./docs directory. The design
## $Id: README,v 1.26 1994/08/26 08:22:48 gkim Exp $
##
## README for Tripwire
##
## Gene Kim & Gene Spafford
## The COAST Project
## Department of Computer Sciences
## Purdue University
##
## All files in the distribution of Tripwire are Copyright 1992, 1993, 1994
## by the Purdue Research Foundation of Purdue University. All rights
## reserved. Some individual files in this distribution may be covered
## by other copyrights, as noted in their embedded comments.
##
## Redistribution and use in source and binary forms are permitted
## provided that this entire copyright notice is duplicated in all such
## copies, and that any documentation, announcements, and other
## materials related to such distribution and use acknowledge that the
## software was developed at Purdue University, W. Lafayette, IN by
## Gene Kim and Eugene Spafford. No charge, other than an "at-cost"
## distribution fee, may be charged for copies, derivations, or
## distributions of this material without the express written consent
## of the copyright holder. Neither the name of the University nor the
## names of the authors may be used to endorse or promote products
## derived from this material without specific prior written
## permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY
## EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE
## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR ANY PARTICULAR
## PURPOSE.
This README file serves as a quick-and-dirty primer on Tripwire.
A PostScript formatted paper that fully describes the design and
rationale is also included in the
document is also available as a technical report (TR-CSD-93/71). This
document will be referenced throughout the Tripwire distribution as
the Tripwire design document or the comprehensive Tripwire paper.
This README file contains information needed to build, test,
and run Tripwire. A table of contents follow:
0.0. If you were running an earlier version
1.0. Background
1.1. Goals of Tripwire
2.0. How to build Tripwire
2.1. Common Tripwire compilation problems
2.2. The siggen utility
3.0. Getting Tripwire up and running
3.1. Creating your tw.config file
3.2. A caveat about your Tripwire database
3.3. Testing Tripwire
3.4. Running Tripwire as an integrity checker
3.5. Keeping your database up-to-date
3.5.1. Running Tripwire in Interactive mode
3.5.2. Running Tripwire in Database Update mode
3.6. A quick-checking mode
4.0. Some Tripwire scaling hints for using Tripwire
in large sites
4.1. The tw.config grammar
4.2. How you might use these directives
5.0. Notes on signature routines
5.1. Performance vs. security
6.0. Signature routines
6.1. MD5
6.2. Snefru
6.3. CRC-32
6.4. CRC-16
6.5. MD4
6.6. MD2
6.7. SHA/SHS
6.8. Haval
6.9. null signature
7.0. Feedback and bug-reports
8.0. User contributions
9.0. Acknowledgements
...
I'm glad to see it's back (sort of, anyways.)
You can get more information on what is TripWire by going to the following page on their website: http://www.tripwiresecurity. com /company/index.cfml?
I'll be more careful about revoking my +1 bonus in the future.
20,000 free valid mailing addresses pointing to security-interested geeks sounds like a mailing list gold mine to me, and probably the marketing genius who thought up the poster idea. A $1000 investment into some nice shiny poster, a couple hundred bucks in postage, and you get a qualified database of hackers you can market to, and also sell to other companies if you feel like it ...
...
Bet we all get spammed with marketing material on security products in the future
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
So do the Linux, commercial Unix, and Windows versions share any code? How is this effected by the GPL? Can a company, who owns all copyrights to GPLed product A and closed source product B take code from product A (which they own) and put it in product B (which they also own)?
Mom? Is that you?
This can (and should be) used by anyone who runs *NIX.
/tmp (since anyone can put files in there), but all of your other important area on your drive should be watched. Example: Someone gets root on your box, and they replace /bin/su (switch user, usually to root), with a trojan that has a backdoor. Tripwire will notice that it's not the correct file, and e-mail/page/alert someone.
Actually, it's quite simple: It makes sure that when files change, someone is notified. Now, obviously you don't want Tripwire watching your logs (since they change constantly) or
As for the "policy language" they refer to, that's just another way of saying "a way to tell Tripwire what to watch, how to watch it, and what to do if something has changed".
To put it all in context, here is an example. Note that Tripwire is much more advanced than this, but essentially, this does the same thing: When I first install my system, I patch it, and capture all of the `ls -la` output of my important files to a file. Once an hour, I have a task (cron job) that does the same `ls -la` and compares the output to the original file. If they're different, either I changed something and forgot to update the original file, or someone is up to something. It then sends me an e-mail and I look into it.
I hope that explains what Tripwire does in a nutshell. If you would like more information, let me know.
You can choose whether or not you wish to be contacted. And, IMHO, 20,000 security interested geeks are not the type of people you should lie to. ;)
rosie_bhjp
A radio maverick jumps to internet only. The Future of Rock n Roll
See - there is someone already working on it - so join them at source forge and get cracking.
No complaining about GPL constraints, now, it's still Open Source and you can always apply another licensing paradigm, such as that used in BSD, on the portions of your code that you create for it.
--- Will in Seattle - What are you doing to fight the War?
Is there anything Tripwire can do that can't be done by a few shell scripts, a crontab, and the md5sum program? I mention this specificly because of a Secrurity Focus article that mentions this (Section 8. Tripwires).
------
Not a typewriter
Fewer restrictions would mean less freedom in the long run. No one is forced to make the code available if asked, so your work could be modified into an incompatible decommoditized product. That would not be so free, would it? That's exactly what happens with BSD licensed code. Its ripe for the picking by commercial entities. The GPL keeps it free by placing a restriction that source must be made available if you are going to distribute your binaries.
How many marketing droids did it take to come up with a name like that? Are they planning on versions like "tripwire, BSD sourced, BSD edition", or "tripwire, ClosedProprietaryDMCAProtected Source, Windoze edition"?
Tripwire is a good product, it lets network and system admins sleep easier at night knowing they don't have to scan every box by hand every morning. I've found that sites running tripwire tend to have better system management policies, and know what security of internet boxes means.
Now we can make it better, and tie in some better automated functions for varying degrees of detection.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
Woo hoo! It works. You rock.
Yeah after putting a - on the second address line it seemed to take it. All that work for "free" posters!
---
WHY should your precious little country be first
in the list? If you're going to rank countries,
where do the UK, Australia, France, Canada, and
Finland fit into your list? Even if you are the
biggest single country to use tripwire (which I
doubt), if you're going to put one country first
then you'd better rank everyone in order of use.
I've never heard anything so pathetic--whining
because your country came near the bottom of an
alphabetised list! Grow up.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
Yes, it used to be free (shareware maybe?). Gene Kim, their CTO, wrote the initial releases while in college. After college, Tripwire the company was formed. I presume those old versions of Tripwire are still floating around somewhere.
I'm from Michigan. That's the fourth M state in a dropdown of the United States' states. Do I holler about that?
:)
Yeah, but being from Michigan is punishment enough.
I like you, Stuart. You're not like everyone else, here, at Slashdot.
To get around your America Nazi-era laws, just host the shit in a different country that has more freedom, like China or Cuba.
Yeah, but are they giving away free posters? I don't think so...
We have, per capita, the most people on the Internet
Uh, no. According to many people, the USA holds a modest 4th place in terms of per capita Internet usage. Should we be putting Finland, Norway, and Iceland at the top of the list as well?
I'll bet you want everyone to speak English when you visit a foreign country too, right? Or have you never left the confines of your perfect little country
---
That's only good if you keep your RPM database on a read-only volume... which makes it somewhat difficult to install new software.
>Transmission Facilitation Device - Hands, 2. Fingers, 11
11 fingers?
Posted by: Some guy named Chris.
Oh...
I wish I could type with that....
--
This message brought to you by Colin Davis
Colin Davis
This would have been news a couple of weeks ago... I dug out my Red Hat 7.0 source disk, mounted it, installed the source RPM, got inside the build directory, and there's the COPYING file with the GNU GENERAL PUBLIC LICENSE...
This isn't news - they wanted to get into Red Hat Linux 7, and to do so they needed to have an opensource license. They did their part wrt. licensing, and was shipped as part of the distribution.
I wonder if it'd be easier/faster to 'chattr +i' certain critical files like /bin/login and then add logging code to the appropriate syscall to warn you when somebody changes it back.
Why allow anyone to change this back? Set the immutable attribute (+i) on anything that won't ever change, make your log records permanent with 'chattr +a /var/log/messages' so that the logs can't be editted, just appended to, and then install lids and set CAP_LINUX_IMMUTABLE to remove the ability to change these attributes on this system under this kernel. If you need to change things over, you'll need a second kernel image elsewhere for administration purposes (i.e. on floppy) but your key system will remain inviolate.
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
Actually i'd recomemnd RIPEMD160 since its more secure than MD5..but yeah. i wrote a tripwire clone in one evening (and it shows..but heck it works)...Its called sentinel and its available for some time now : http://zurk.sourceforge.net
It's called Tripwire "Academic Source Release", and is at version 1.3.1. http://www.tripwire.com/downloads/
Non impediti ratione cogitationis.
More free stuff!
"He who sacrifices beauty for efficiency gets what he deserves." - Bernard Mickey Wrangler a.k.a. the Woodpecker
I wish I could type with that....
Yeah, but the rsi is a bear.
You just thought carpal tunnel was bad!
Good to see that they followed up on their promise.
:)
Now if I just had something to use it on....
I like you, Stuart. You're not like everyone else, here, at Slashdot.
Isn't there a BSD work alike already? It's in OpenBSD and it's called mtree (I think).
Nerd: Derogatory term typically directed at anybody with a lower Slashdot ID than you.
Isn't this illegal in Europe now? Or will be, if they sign that cybercrimes treaty?
When will people realize there is no need to close source the obvious
Very little in an intrusion detection/change monitoring system is difficult to recreate. Using standard unix shell tools, you can create something just as useful with little more than md5sum, awk, cron, and a few lines of perl.
Just be sure to store your cryptographic hashes on a read only media (CD-R's are great for this).
Please bid on this Karmann Ghia! Please pleas
Tripwire couldn't have time its announcement any better on the heels of the the MS fiasco. In fact it's so well timed that.. nah! ;-)
Steven
This is so cool, I remember when I started using Tripwire about 3 years ago and it irked me that the source wasn't open.
I had been running it on a RH 4.2 box. I was trying to use the version that was linked against libc5 (the only binary they had at the time) on a RH5.0 box, and was told I would have to wait several months before they released a new version that would link against glibc (aka libc6).
Source code gives a whole new meaning to free software.
Mike
"I would kill everyone in this room for a drop of sweet beer."
Most sites do put United States at the top. It pisses me off that I usually have to search down 30 countries to find Canada though (grumble).
I downloaded the source, and the checksums don't pass.
Except you're a twit. A clueless twit who is factually wrong. The US is NOT the highest per capita user of the `net. It ranks fourth in countries.
Open Source. Closed Minds. We are Slashdot.
Free (as in speech) tripwire.
Free (as in beer) posters. (You just have to figure out how to get past their poorly coded form validation to order one...).
--- Where's my X.400 protocol decoder?
niceFire.com - Humor and Lego's or Lego's and Humor or Some Combination of
Maybe this will be an inspiration for Microsoft.. after all, they've already kind of gone open source anyway :-)
--TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
This isn't some petty "my country is better than yours!" pissing contest. It's simple common sense.
- A.P.
--
* CmdrTaco is an idiot.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
I found it interesting when I downloaded their regular distribution (NOT the open source one!) that their license read:
...
...
2. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS....
Other Use Restrictions.
You may not use the Software for any purpose other than for use on your own internal computer networks, as set forth in this EULA. You may not place the Software onto a server that is accessible via a public network, such as the Internet.
Hopefully, now that it is open source, this little restriction on non-Internet servers is taken care of. I'm not sure though. Any information on this would be helpful to me. Thanks.
Check out Althea for a stable IMAP email client for X. Now with SSL!
Back Orifice 2000. It is quite amusing reading the idiotic questions from script kiddies in the forums and bug tracking.
---
GetSystemMetrics(SM_SECURE) == FALSE
So, it looks like the open source version is linux-only. Are there porting efforts under way to Solaris and BSD (AKA "The Other OSes")?
Which is what I was implying. And which makes a hell of a lot more sense, at least for the top 5 or so countries (which probably make up 80-90% of all Internet users) than a completely alphabetized list.
- A.P.
--
* CmdrTaco is an idiot.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
A while back (4+ years??) I started using the academic version. The cool thing about that was that it compiled on all the platforms I needed it for (R4k, PA-RISC, SPARC). Does the new open source incarnation of Tripwire port easily, I wonder? If not, one of it's coolest characteristics is missing. The original point of Tripwire was the creation of a working, widely-available integrity checker. Marketing a good idea is fine, but it sucks that portability might be taking a back seat to the targeting of specific markets. That seems to undermine the original intent a bit. It's cool that they are releasing the source, but it would be a lot cooler if they released the source trees for all supported platforms. Just switching back to the old version would suck. There is no encryption or signing done on the database (where the checksums & attribute data are stored). You had to use read-only media to store the database if you were using it as an anti-cracker tool.
If you are running an RPM based distro. I hove found the following to be a good tripwire work-alike:
#!/bin/bash
rpms=`rpm -qa`
for i in $rpms do
echo $i
rpm --verify $i
done
"Free (as in beer) posters. (You just have to figure out how to get past their poorly coded form validation to order one...). "
What does Tripwire get for open sourcing their
product?
20,000 free poster orders from leeching slashdoters! Shame on you!
(Of course I went and ordered my free poster before bitching about it...)
AdFuel
AIDE BLOWS I tried a year back god used like 100% CPU resources just to build the initial resource I even ran out of memmory a few times. Avoid AIDE its really bad imho.
- I came I saw I Conquered
Of course, since the open source release is GPLed, porting it to other OSes is perfectly legitimate.
In other words, Do The Work Yourselves. If you're upset that there's no BSD or other version, form a group and use the GPL to do it yourself. Don't complain, get to work.
It's not like it's closed source proprietary, where you can't do that.
--- Will in Seattle - What are you doing to fight the War?
BTW: Where do you go to have your country renamed? Is there a standard form?
--
Fuck the system? Nah, you might catch something.
Their database seems like the greatest potential gain for the community. The hashing of files is pretty simple, given the number of crytographically strong open-source hashes out there. The UI/customization end of tripwire seems like it would be relatively straightforward to design. It seems to me that most of the room for real software engineering is in the database file format.
People have already created driver-level crypto filesystems, but has anyone ever proposed a driver-level tripwire filesystem? Of course, you would need to tell the fs whcih files and directories to keep track of or you would be swamped with change logs.
Has anyone ever proposed a secured journaling filesystem? While we're replacing/overhauling the Linux filesystem, we might as well add secure functionality. (Assuming we don't cause a false sense of security.) Setting a file attribute flag to secure could cause any changes to the file or directory (including mv and cp) to be logged in a compact format. Any changes in the secure-log flag for all files in the fs would also have to be logged. In ultra-paranoid environments, one could even securely log file reads. (It's not that much more work to include this in a new driver.) Use an itterative one-time password scheme to watermark the logs (even a 64 bit hash would be relatively secure, because of the number of hashes that would need to be matched to change logs very far back in time). The easiest way to sign the hash is just to encrypt it with the one-time password. You keep the first one-time password on a locked floppy, along with a copy of the executable for checking the logs and computing the hashes of the files stored in the logs (add a hash to the logifile only when something changes). With the first password, you can compute the second, with the second you can compute the third, etc. This means that you can decrypt all of the hashes of the logfile if you have the floppy.
On the other hand, if the filesystem driver keeps only the current one-time password, then any attacker will be detected if s/he alters the logs for any time earlier than when they broke in. (Since creating the correct hashes requires knowing the password for that time, and passwords for earlier times cannot be computed from passwords for later times.) You can keep snapshots of the logfile if you like, but they are not necessary for intrusion detection. One only needs to first check the integrity of the logfile, then trace through the changes according to the logfile. Any discrepincies between a file and it's last recorded hash indicate file corruption or a security breach. People could "turn back the clock" on the filesystem by changing the files back to a previous state and deleting any logs since, but any subsequent changes to the fs would be logged with the wrong one-time-password and this would be detected.
First pos.. wow that took a while to write and revise! I'm surprised you actually read this far.
Karl
I'm a slacker? You're the one who waited until now to just sit arround.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
Karl
I'm a slacker? You're the one who waited until now to just sit arround.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
Yes it's the same program. But it's the non-free section of debian because it wasn't open sourced. The debain non-free section contains porgrams which do not fit the debian free software guidelines. see http://www.debian.org/social_contract#guidelines Essentially non-free contains binary versions of closed sourced programs and programs for which the source is avaible under a restrictive license.
Okay, so the figures are a year old, and my population of the US may be off, but I'm pretty sure Canada has the highest per capita connections to the 'net.
So, I guess Canada should be at the top, or at least higher up than the US. Sorry guys!
Has anybody else wondered why only Linux versions of software are made open source? For example, "At the present time, Tripwire has no plans to make its commercial UNIX versions or NT available as open source." (from the FAQ) and AFAIK Troll Tech has made only the Linux version of qt open.
Is the reason the background of the OS? Linux users are used to having the source and a product which doesn't offer source can't expect a very wide acceptance in the Linux world (see for example some of the originally-closed drivers). In Windows, everybody is used to proprietary software, so they couldn't care less.
Another peculiar thing is, why do they keep different versions for different architechtures? I'd think it would be easier to manage only one code base with #ifdef's or separate low-level files. It might be possible that they only omit the Windows-specific files, but in this case any GPL additions to the Linux version (made by users) couldn't be compiled into the Windows version.
This, on the other hand, would mean that the Linux version would inevitably become better than the corresponding Windows version. The only legal way they could get the same features into the Windows version would be to code them themselves from scratch, and who's to say they didn't use any GPL-only code? Or do they demand everybody who contributes anything to dual-licence it so they can use it in the closed Windows version also?
Any ideas, anyone?
I doubt, therefore I may be.
Linus does not like software control tools like CVS.
At some point CVS will happen. Someone (or group) will take a Linux kernel and check it into CVS, with or without Linus's blessing. And Linus will have to either get with the program, or get passed by. The real world of software development understands why source code control systems matter.
The method right now puts Linus in control. He's "the man". CVS takes away from Linus's "power".
If it was said on slashdot, it MUST be true!
Quoth the "Open Source Tripwire for Linux FAQ":
Of course, since the open source release is GPLed, porting it to other OSes is perfectly legitimate.
Thanx, now I now and I will get it!!!
the man who put the BOP in the BOP-SHIBOP-SHIBOP
great comedy company.
Hm... maybe I've missed the point in time when Tripwire stopped to be available as source code, but I remember than 5-6 years ago and earlier I used to download and install it on various Unix boxes at the Univ. It was nothing more than checksum checker capable that was nice, because it checked many files and could be run automatically. Of course, it was available in source code (in the pre-RPM days even on Linux distros of that time - SLS, Slackware - everything installed with make install).
Anyway - glad to hear that this nice tool is living and is returning to the open source status.
See the news from tripwire's new site TripWire.org which has the skinny from Tripwire directly. LinuxPower has an article. As does IGN over here.
T here is also a great article here regarding file system monitoring - and alternatives (additional OpenSource) to TripWire. Not quite as relevant now that TripWire is OpenSource but still a good read.
They are changed their source encryption to ASCII encoding, triple ROT-26 under the provisions of the DMCA which just went into effect.
Also, you are allowed to view the source, but comprehension of it is a violation of the terms of use statement you agreed to when you first became aware of the term Tripwire. Failure to not comprehend the source is punishable by, but not limited to, confiscation of any or all of the following:
Who needs Tripwire when we have AIDE?
To quote the web page: "AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire. It does the same things as the semi-free Tripwire and more."
Check it out!
http://www.cs.tut.fi/~rammer/aide.html
A GPL dual license is a gamble. Someone could add a compelling new feature to the GPL release that can't be integrated into the "value-added" proprietary version. There seems to be a strong resistance do doing so, however. Doing so would require a fork, because the company won't accept a contribution unless you assign copyright. This lessens the contribution to the free software community, but I'm not about the smell the gift fish.
Do Linux's leading browsers or underlying GUI elements support keyboards? If not, go hack it in, it's not rocket science.
Windows' standard combobox control (drop down list, whatever) will jump to any item when you hit the initial letters. I see 'Angola' in a combo box, I hit U. If it says 'United Kingdom', I hit U again. Oooo, tough.
I'm from Michigan. That's the fourth M state in a dropdown of the United States' states. Do I holler about that?
Certainly there are better things to whine about. And personally, I think it's better if US-centric Americans were subtly reminded that the US isn't the whole world.
[
Your keyboard probably has the letter 'u' on it, hit it a couple of times, you will be where you want to be. oh yeah and I don't care.
~ppppppppö
If the log files can't be tampered with, does that include log rotation? If you can rotate them then so can a cracker, and if you can't then you'd better make sure you've got plenty of disk space...
Do you need to put other mechanisms in place to cope with this?
TrollTec h CEO Haavard Nord said that after Qt was GPLed, they are now selling MORE commercial licenses, which "affected revenue in a positive way."
---
How am I supposed to fit a pithy, relevant quote into 120 characters?
you need to upgrade your compiler to gcc 2.95.2, and it will build fine on all the platforms you mention. read the INSTALL file man, it's all there.
In case some people weren't aware, AIDE has been available as a GPL'ed replacement for Tripwire for a while now...