Slashdot Mirror
Tripwire Goes Open Source
Brian McLaughlin writes: "Tripwire posted the source code to their integrity checking tool at SourceForge today. The press release can be consumed here."
← Back to Stories (view on slashdot.org)
← Back to Stories (view on slashdot.org)
I was having problems too, it kept saying "There were some errors. Please see below for details." Of course there weren't any details below.
I think I figured it out though... fill out the second address line (add Suite 100 or something)
--
Why can't I moderate something "Wrong" or at least "Grossly Misinformed"?
I know there was a commercial product that did this (and much more) for Solaris back about 3-4 years ago, but I haven't heard about it since. There are some other triggers that would be nice:
- On any of unlink, rename, creat, mkdir
- On failed system calls that fail due to permissions (e.g. the above calls as well as kill, socket, etc)
I know you could do most of this in libc, but I don't think that would be wise, as someone with enough smarts could always do the syscalls directly using asm().Now we need distribution specific policy files, currently the policy files are only for redhat. It would be nice to see policy files for suse, debian, turbo, caldera, etc.. as they apply to that particular disribution.
For example, alot of the files in the default policy file (setup for redhat) don't exist on my system (suse) and if they do exist, their in different locations. I can guess that this will be pretty much the same with debian, turbo, caldera and others as well.
So do the Linux, commercial Unix, and Windows versions share any code? How is this effected by the GPL? Can a company, who owns all copyrights to GPLed product A and closed source product B take code from product A (which they own) and put it in product B (which they also own)?
This can (and should be) used by anyone who runs *NIX.
/tmp (since anyone can put files in there), but all of your other important area on your drive should be watched. Example: Someone gets root on your box, and they replace /bin/su (switch user, usually to root), with a trojan that has a backdoor. Tripwire will notice that it's not the correct file, and e-mail/page/alert someone.
Actually, it's quite simple: It makes sure that when files change, someone is notified. Now, obviously you don't want Tripwire watching your logs (since they change constantly) or
As for the "policy language" they refer to, that's just another way of saying "a way to tell Tripwire what to watch, how to watch it, and what to do if something has changed".
To put it all in context, here is an example. Note that Tripwire is much more advanced than this, but essentially, this does the same thing: When I first install my system, I patch it, and capture all of the `ls -la` output of my important files to a file. Once an hour, I have a task (cron job) that does the same `ls -la` and compares the output to the original file. If they're different, either I changed something and forgot to update the original file, or someone is up to something. It then sends me an e-mail and I look into it.
I hope that explains what Tripwire does in a nutshell. If you would like more information, let me know.
Is there anything Tripwire can do that can't be done by a few shell scripts, a crontab, and the md5sum program? I mention this specificly because of a Secrurity Focus article that mentions this (Section 8. Tripwires).
------
Not a typewriter
How many marketing droids did it take to come up with a name like that? Are they planning on versions like "tripwire, BSD sourced, BSD edition", or "tripwire, ClosedProprietaryDMCAProtected Source, Windoze edition"?
Tripwire is a good product, it lets network and system admins sleep easier at night knowing they don't have to scan every box by hand every morning. I've found that sites running tripwire tend to have better system management policies, and know what security of internet boxes means.
Now we can make it better, and tie in some better automated functions for varying degrees of detection.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
WHY should your precious little country be first
in the list? If you're going to rank countries,
where do the UK, Australia, France, Canada, and
Finland fit into your list? Even if you are the
biggest single country to use tripwire (which I
doubt), if you're going to put one country first
then you'd better rank everyone in order of use.
I've never heard anything so pathetic--whining
because your country came near the bottom of an
alphabetised list! Grow up.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
>Transmission Facilitation Device - Hands, 2. Fingers, 11
11 fingers?
Posted by: Some guy named Chris.
Oh...
I wish I could type with that....
--
This message brought to you by Colin Davis
Colin Davis
This isn't news - they wanted to get into Red Hat Linux 7, and to do so they needed to have an opensource license. They did their part wrt. licensing, and was shipped as part of the distribution.
I wonder if it'd be easier/faster to 'chattr +i' certain critical files like /bin/login and then add logging code to the appropriate syscall to warn you when somebody changes it back.
Why allow anyone to change this back? Set the immutable attribute (+i) on anything that won't ever change, make your log records permanent with 'chattr +a /var/log/messages' so that the logs can't be editted, just appended to, and then install lids and set CAP_LINUX_IMMUTABLE to remove the ability to change these attributes on this system under this kernel. If you need to change things over, you'll need a second kernel image elsewhere for administration purposes (i.e. on floppy) but your key system will remain inviolate.
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
Actually i'd recomemnd RIPEMD160 since its more secure than MD5..but yeah. i wrote a tripwire clone in one evening (and it shows..but heck it works)...Its called sentinel and its available for some time now : http://zurk.sourceforge.net
It's called Tripwire "Academic Source Release", and is at version 1.3.1. http://www.tripwire.com/downloads/
Non impediti ratione cogitationis.
Isn't this illegal in Europe now? Or will be, if they sign that cybercrimes treaty?
Tripwire couldn't have time its announcement any better on the heels of the the MS fiasco. In fact it's so well timed that.. nah! ;-)
Steven
This is so cool, I remember when I started using Tripwire about 3 years ago and it irked me that the source wasn't open.
I had been running it on a RH 4.2 box. I was trying to use the version that was linked against libc5 (the only binary they had at the time) on a RH5.0 box, and was told I would have to wait several months before they released a new version that would link against glibc (aka libc6).
Source code gives a whole new meaning to free software.
Mike
"I would kill everyone in this room for a drop of sweet beer."
Except you're a twit. A clueless twit who is factually wrong. The US is NOT the highest per capita user of the `net. It ranks fourth in countries.
Open Source. Closed Minds. We are Slashdot.
Free (as in speech) tripwire.
Free (as in beer) posters. (You just have to figure out how to get past their poorly coded form validation to order one...).
--- Where's my X.400 protocol decoder?
So, it looks like the open source version is linux-only. Are there porting efforts under way to Solaris and BSD (AKA "The Other OSes")?
"Free (as in beer) posters. (You just have to figure out how to get past their poorly coded form validation to order one...). "
What does Tripwire get for open sourcing their
product?
20,000 free poster orders from leeching slashdoters! Shame on you!
(Of course I went and ordered my free poster before bitching about it...)
AdFuel
Of course, since the open source release is GPLed, porting it to other OSes is perfectly legitimate.
In other words, Do The Work Yourselves. If you're upset that there's no BSD or other version, form a group and use the GPL to do it yourself. Don't complain, get to work.
It's not like it's closed source proprietary, where you can't do that.
--- Will in Seattle - What are you doing to fight the War?
Their database seems like the greatest potential gain for the community. The hashing of files is pretty simple, given the number of crytographically strong open-source hashes out there. The UI/customization end of tripwire seems like it would be relatively straightforward to design. It seems to me that most of the room for real software engineering is in the database file format.
People have already created driver-level crypto filesystems, but has anyone ever proposed a driver-level tripwire filesystem? Of course, you would need to tell the fs whcih files and directories to keep track of or you would be swamped with change logs.
Has anyone ever proposed a secured journaling filesystem? While we're replacing/overhauling the Linux filesystem, we might as well add secure functionality. (Assuming we don't cause a false sense of security.) Setting a file attribute flag to secure could cause any changes to the file or directory (including mv and cp) to be logged in a compact format. Any changes in the secure-log flag for all files in the fs would also have to be logged. In ultra-paranoid environments, one could even securely log file reads. (It's not that much more work to include this in a new driver.) Use an itterative one-time password scheme to watermark the logs (even a 64 bit hash would be relatively secure, because of the number of hashes that would need to be matched to change logs very far back in time). The easiest way to sign the hash is just to encrypt it with the one-time password. You keep the first one-time password on a locked floppy, along with a copy of the executable for checking the logs and computing the hashes of the files stored in the logs (add a hash to the logifile only when something changes). With the first password, you can compute the second, with the second you can compute the third, etc. This means that you can decrypt all of the hashes of the logfile if you have the floppy.
On the other hand, if the filesystem driver keeps only the current one-time password, then any attacker will be detected if s/he alters the logs for any time earlier than when they broke in. (Since creating the correct hashes requires knowing the password for that time, and passwords for earlier times cannot be computed from passwords for later times.) You can keep snapshots of the logfile if you like, but they are not necessary for intrusion detection. One only needs to first check the integrity of the logfile, then trace through the changes according to the logfile. Any discrepincies between a file and it's last recorded hash indicate file corruption or a security breach. People could "turn back the clock" on the filesystem by changing the files back to a previous state and deleting any logs since, but any subsequent changes to the fs would be logged with the wrong one-time-password and this would be detected.
First pos.. wow that took a while to write and revise! I'm surprised you actually read this far.
Karl
I'm a slacker? You're the one who waited until now to just sit arround.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
Has anybody else wondered why only Linux versions of software are made open source? For example, "At the present time, Tripwire has no plans to make its commercial UNIX versions or NT available as open source." (from the FAQ) and AFAIK Troll Tech has made only the Linux version of qt open.
Is the reason the background of the OS? Linux users are used to having the source and a product which doesn't offer source can't expect a very wide acceptance in the Linux world (see for example some of the originally-closed drivers). In Windows, everybody is used to proprietary software, so they couldn't care less.
Another peculiar thing is, why do they keep different versions for different architechtures? I'd think it would be easier to manage only one code base with #ifdef's or separate low-level files. It might be possible that they only omit the Windows-specific files, but in this case any GPL additions to the Linux version (made by users) couldn't be compiled into the Windows version.
This, on the other hand, would mean that the Linux version would inevitably become better than the corresponding Windows version. The only legal way they could get the same features into the Windows version would be to code them themselves from scratch, and who's to say they didn't use any GPL-only code? Or do they demand everybody who contributes anything to dual-licence it so they can use it in the closed Windows version also?
Any ideas, anyone?
I doubt, therefore I may be.
Linus does not like software control tools like CVS.
At some point CVS will happen. Someone (or group) will take a Linux kernel and check it into CVS, with or without Linus's blessing. And Linus will have to either get with the program, or get passed by. The real world of software development understands why source code control systems matter.
The method right now puts Linus in control. He's "the man". CVS takes away from Linus's "power".
If it was said on slashdot, it MUST be true!
Quoth the "Open Source Tripwire for Linux FAQ":
Of course, since the open source release is GPLed, porting it to other OSes is perfectly legitimate.
See the news from tripwire's new site TripWire.org which has the skinny from Tripwire directly. LinuxPower has an article. As does IGN over here.
T here is also a great article here regarding file system monitoring - and alternatives (additional OpenSource) to TripWire. Not quite as relevant now that TripWire is OpenSource but still a good read.
They are changed their source encryption to ASCII encoding, triple ROT-26 under the provisions of the DMCA which just went into effect.
Also, you are allowed to view the source, but comprehension of it is a violation of the terms of use statement you agreed to when you first became aware of the term Tripwire. Failure to not comprehend the source is punishable by, but not limited to, confiscation of any or all of the following:
Who needs Tripwire when we have AIDE?
To quote the web page: "AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire. It does the same things as the semi-free Tripwire and more."
Check it out!
http://www.cs.tut.fi/~rammer/aide.html
A GPL dual license is a gamble. Someone could add a compelling new feature to the GPL release that can't be integrated into the "value-added" proprietary version. There seems to be a strong resistance do doing so, however. Doing so would require a fork, because the company won't accept a contribution unless you assign copyright. This lessens the contribution to the free software community, but I'm not about the smell the gift fish.
Do Linux's leading browsers or underlying GUI elements support keyboards? If not, go hack it in, it's not rocket science.
Windows' standard combobox control (drop down list, whatever) will jump to any item when you hit the initial letters. I see 'Angola' in a combo box, I hit U. If it says 'United Kingdom', I hit U again. Oooo, tough.
I'm from Michigan. That's the fourth M state in a dropdown of the United States' states. Do I holler about that?
Certainly there are better things to whine about. And personally, I think it's better if US-centric Americans were subtly reminded that the US isn't the whole world.
[
If the log files can't be tampered with, does that include log rotation? If you can rotate them then so can a cracker, and if you can't then you'd better make sure you've got plenty of disk space...
Do you need to put other mechanisms in place to cope with this?
TrollTec h CEO Haavard Nord said that after Qt was GPLed, they are now selling MORE commercial licenses, which "affected revenue in a positive way."
---
How am I supposed to fit a pithy, relevant quote into 120 characters?
In case some people weren't aware, AIDE has been available as a GPL'ed replacement for Tripwire for a while now...