Slashdot Mirror


Is Tripwire Still Relevant?

Deagol asks "I work for a good-sized University. I've heard that Tripwire and our software licensing department are negotiating for a site-license. I was asked to comment on whether our department would like to buy in. I personally lost interest in Tripwire when they went commercial (I guess seeing a well-respected research tool go proprietary soured the milk for me), and though I've toyed briefly with the 'open source' version, I mainly have experience with the Academic Source Release. Seeing how their demo is only a 'simulation' (how lame is that?), I can't get a feel for what the commercial version can really do for me. Does anyone know the value (if any) of commercial Tripwire over the free one? Are there open source packages that have made Tripwire obsolete?"

2 of 49 comments

  1. One option... by MrIcee · Score: 3, Insightful
    ...is to roll your own.

    I also was looking to use Tripwire mainly to occasionally scan the system to ensure that no important files had been modified (duh). I was extremely put off by the price and tone of the website.

    If your main interest is simply to retain a database with checksums of files on your drive, and occasionally compare them for new files/changes - roll your own. I did and it was both easy and effective.

    Simply stated, I use a configuration file to specify what directories and/or files should be scanned. Likewise, the configuration file has filters that will reject scanning files if any part of the filename matches the filter. The program reads the config and then goes out and reads the files on the drive. I use two different checksum schemes that produce checksum strings of about 80 characters each. These are stored in a database with the absolute file name, its inode, its last modify date, its size, and the checksums.

    When the program scans it merely checks the files against the database. If a file is new, it reports it as new to a log and adds it to the database. If a file has changed it reports it as changed to the log and then corrects the information in the database to reflect the change. If no change has occurred, nothing happens to the database.

    The program spits out little run-time facts about how many files it is scanning, number new, number changed and number unchanged. When the run is completed all you have to do is glance at the log and determine if any of the files that changed in the log are a concern and need to be checked out.

    There are a couple of advantages to doing it yourself... first, no fee to Tripwire. Second... Tripwire is a known product. If you get a hacker in your system and he finds Tripwire you can bet he'll try to do something to circumvent it. On the other hand, having written your own tripwire (and don't call it tripwire) - the hacker will not know this, not be familiar with your mechanism, and thus, will be unable to circumvent it. And finally, if your scanner is pretty good, clean and usable, it becomes a nice competitive product against Tripwire.

    1. Re:One option... by JohnFluxx · Score: 3, Insightful

      Jeez, aren't there any hackers in here any more?

      1) Tripwire and co. are intruder DETECTORS, i.e. after the fact. Your system is already compromised.

      2) The data (checksums etc.) must be on read-only media, that cannot be altered no matter what privileges you have on the system.

      3) The kernel should be assumed to be compromised. This means that to check your system, you must reboot the system to check your system.
      The alternative, which is not as secure but easier, is to have a hardened kernel which makes root have limited access, and does not allow kernel modules, and does not allow raw memory access.
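As an added example for this page (it is not MrIcee's program, nor code from Tripwire or any other project), here is a small integrity checker implementing the design MrIcee describes above: a config of directories plus substring filters, two independent digests per file, and a baseline database keyed by absolute path holding inode, mtime, size and both digests. One deliberate difference addresses JohnFluxx's second point: a scan only reads the baseline unless `update=True` is passed, so the database can live on read-only media. Function names, the JSON database layout and the sample tree built by `demo_run()` are all assumptions made for this example.

```python
"""File-integrity checker modelled on the design described in the thread.
Added example for this page; not MrIcee's program and not Tripwire code."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16
COMPARED_FIELDS = ("inode", "mtime", "size", "sha256", "blake2b")


def digests(path):
    """Two independent checksums (SHA-256 and BLAKE2b), computed in one pass."""
    sha, b2 = hashlib.sha256(), hashlib.blake2b()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            sha.update(chunk)
            b2.update(chunk)
    return sha.hexdigest(), b2.hexdigest()


def file_record(path):
    """Metadata plus both digests; this is what the baseline stores per file."""
    st = os.lstat(path)
    sha, b2 = digests(path)
    return {"inode": st.st_ino, "mtime": st.st_mtime, "size": st.st_size,
            "sha256": sha, "blake2b": b2}


def walk(config):
    """Yield absolute paths of regular files under config['paths'], skipping any
    whose path contains one of config['filters'] as a substring (as MrIcee
    describes) and skipping symlinks so a link cannot stand in for a file."""
    filters = config.get("filters", [])
    for root in config["paths"]:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.abspath(os.path.join(dirpath, name))
                if any(f in full for f in filters):
                    continue
                if os.path.isfile(full) and not os.path.islink(full):
                    yield full


def build_baseline(config, db_path):
    """Hash every file once and write the baseline (do this on a known-clean box)."""
    db = {p: file_record(p) for p in walk(config)}
    with open(db_path, "w") as fh:
        json.dump(db, fh, indent=1, sort_keys=True)
    return db


def scan(config, db_path, update=False):
    """Compare the tree against the baseline and return {'new','changed',
    'missing','unchanged'} -> sorted path lists. The baseline is only rewritten
    when update=True, so by default it may sit on read-only media. Digests are
    compared alongside inode/size/mtime because mtime alone is trivially reset
    with touch/utime."""
    with open(db_path) as fh:
        db = json.load(fh)
    report = {"new": [], "changed": [], "missing": [], "unchanged": []}
    seen = set()
    for p in walk(config):
        seen.add(p)
        rec, old = file_record(p), db.get(p)
        if old is None:
            report["new"].append(p)
        elif any(old[k] != rec[k] for k in COMPARED_FIELDS):
            report["changed"].append(p)
        else:
            report["unchanged"].append(p)
        db[p] = rec
    report["missing"] = sorted(set(db) - seen)
    for key in report:
        report[key].sort()
    if update:
        with open(db_path, "w") as fh:
            json.dump(db, fh, indent=1, sort_keys=True)
    return report


def demo_run():
    """Constructed demo: baseline a tiny tree, then trojan one file, add one and
    delete one. Returns the two reports with paths relative to the temp root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("bin", "etc", "log"):
            (root / sub).mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF fake binary")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "log" / "messages").write_text("noise that changes constantly\n")
        config = {"paths": [str(root / s) for s in ("bin", "etc", "log")],
                  "filters": ["/log/"]}          # MrIcee-style substring filter
        db_path = root / "baseline.json"         # outside the scanned paths
        build_baseline(config, db_path)
        rel = lambda r: {k: [os.path.relpath(p, tmp) for p in v] for k, v in r.items()}
        first = rel(scan(config, db_path))
        (root / "bin" / "ls").write_bytes(b"\x7fELF fake binary with a backdoor")
        (root / "etc" / "shadow").write_text("root:!:19000::::::\n")
        (root / "etc" / "passwd").unlink()
        second = rel(scan(config, db_path))
        return first, second


if __name__ == "__main__":
    before, after = demo_run()
    print("clean scan:", before)
    print("after tampering:", after)
```

Run it as a script to see both reports; `log/messages` never appears because the `/log/` filter excludes it, and the second scan reports `bin/ls` as changed, `etc/shadow` as new and `etc/passwd` as missing without having touched `baseline.json`.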