It is currently Tue, 17 May 2022 03:26:06 GMT



 
Author Message
 Version 1.1 of Tripwire released
Announcing the release of version 1.1 of Tripwire!  This version
supersedes all previous versions of Tripwire.  Version 1.1 includes
many new features, small performance improvements, and several bug
fixes.  This version also comes complete with a rationale/design
document (finally!).

Version 1.1 of Tripwire is probably the final release of Tripwire for
some time to come.  We have not heard any new bug reports or
suggestions for new features in some time, so there is little "outside
reason" to modify the program.  Gene Kim is graduating and moving on
to graduate school elsewhere, so there is also little "internal
reason" to continue to tinker with the code.

Enclosed below is a brief description of what Tripwire is, a
description of how to get a copy of the source code, and a list of new
features added since the Version 1.0.5 release.

We greatly appreciate the time and effort expended by all the people
who beta-tested various versions of Tripwire over the last year.
Without the contributions and reports of these people, we are certain
that the package would not be as complete as it is currently.  We have
tried to acknowledge all our testers and contributors in the
documentation and Changlog file in this distribution; our sincere
apologies if we forgot anyone.

Also, our thanks to COAST sponsors and sponsors of COAST research
projects who helped fund this project, directly or indirectly.  This
includes especially Bell Northern Research, Trident Data Systems
and the US Air Force.  (Be sure to read the COAST.info file!)

15 December 1993
Gene Kim <g...@cs.purdue.edu>
Gene Spafford <s...@cs.purdue.edu>

What is Tripwire?
-----------------
Tripwire is an integrity-monitor for Unix systems.  It uses several
checksum/message-digest/secure-hash/signature routines to detect
changes to files, as well as monitoring selected items of
system-maintained information.  The system also monitors for changes
in permissions, links, and sizes of files and directories.  It can be
made to detect additions or deletions of files from watched
directories.

The configuration of Tripwire is such that the system/security
administrator can easily specify files and directories to be monitored
or to be excluded from monitoring, and to specify files which are
allowed limited changes without generating a warning.  Tripwire can
also be configured with customized signature routines for
site-specific checks.

Tripwire, once installed on a clean system, can detect changes from
intruder activity, unauthorized modification of files to introduce
backdoor or logic-bomb code, and virus activity (if any were to exist)
in the Unix environment.

Tripwire is provided as source code with documentation.  The system,
as delivered, performs no changes to system files and does not require
root privilege to run (in the general case).  The code has been
extensively tested at many sites. Tripwire should work on almost any
version of Unix, from Xenix on 80386-based machines to Cray and ETA-10
supercomputers.

Tripwire may be used without charge, but it may not be sold or
modified for sale.   Tripwire was written as a project under the
auspices of the COAST Project at Purdue University.  The primary
author was Gene Kim, with the aid and under the direction of Gene
Spafford (COAST Director).

Where to Get Tripwire
---------------------
Copies of the Tripwire distribution may be ftp'd from
ftp.cs.purdue.edu from the directory pub/spaf/COAST/Tripwire.  The
distribution is available as a compressed tar file, and as
uncompressed shar kits.

A mailserver exists for distribution and to provide a means of
reporting bugs.  To use the mail server, send e-mail to
"tripwire-requ...@cs.purdue.edu" with a message body consisting solely
of the word "help".  The server will respond with instructions on how
to get sources, patches (if any are issued), and how to report a bug
(which we hope doesn't happen!).

Questions, comments, complaints, bugfixes, etc may be directed to:
g...@cs.purdue.edu (Gene Kim)
s...@cs.purdue.edu (Gene Spafford)

Changes from Version 1.0.x to Version 1.1
-----------------------------------------
    Version 1.1 considerably upgrades the functionality of Tripwire.
All known bugs have been fixed, and many selected features have been
added at the request of Tripwire users.

    Among the major changes are:

        - rewrite of the "-update" command.  
        - addition of an "-interactive" command that prompts the user
                whether a changed file's database entry should be
                updated.
        - addition of a "-loosedir" command for quieter Tripwire runs.
        - support for monotonically growing files in tw.config.
        - addition of comprehensive test suite to test Tripwire
                functionalities.
        - hooks for external services (i.e., compression, encryption,
                networking) through "-cfd" and "-dfd" options.
        - addition of the new NIST SHA/SHS signature algorithm.
        - corrections and changes in the MD2, MD4, MD5, CRC32,
                and Snefru signature routines.
        - addition of a more rigorous signature test suite.
        - more error checking in tw.config @@directives.
        - siggen replaces sigfetch.
        - addition of a tw.config file for Solaris v2.2 (SVR4).
        - change of base-64 alphabet to conform to standards.
        - preprocessor macro fixes.

  New Tripwire database format:
  =============================

    The Tripwire database format has changed slightly since v1.0, using
a different base-64 alphabet.  Use the twconvert program to convert
v1.0 databases to v1.1 databases (located in the ./aux directory).

  Updating the Tripwire database:
  ===============================

    There has been a major rewrite/rethink of the "tripwire -update"
command, as well as the addition of a "tripwire -interactive" command
which allows the user to interactively select which database entries
should be updated.  No vestiges of the "-add" or "-delete" command
remain, since the "-update" command now automatically deletes and adds
files.

    However, the preferred way of keeping Tripwire databases in sync
with the filesystems is using the "-interactive" command.  A Tripwire
session using Interactive mode might look like:

    6:25am (flounder) tw/src 1006 %% tripwire -interactive
    ### Phase 1:   Reading configuration file
    ### Phase 2:   Generating file list
    ### Phase 3:   Creating file information database
    ### Phase 4:   Searching for inconsistencies
    ###
    ###                     Total files scanned:            49
    ###                           Files added:              0
    ###                           Files deleted:            0
    ###                           Files changed:            49
    ###
    ###                     After applying rules:
    ###                           Changes discarded:        47
    ###                           Changes remaining:        2
    ###
    changed: drwx------ genek        1024 May  3 06:25:37 1993 /homes/genek/research/tw/src
    changed: -rw------- genek        7978 May  3 06:24:19 1993 /homes/genek/research/tw/src/databases/tw.db_flounder.Eng.Sun.COM.old
    ### Phase 5:   Generating observed/expected pairs for changed files
    ###
    ### Attr        Observed (what it is)         Expected (what it should be)
    ### =========== ============================= =============================
    /homes/genek/research/tw/src
          st_mtime: Mon May  3 06:25:37 1993      Mon May  3 06:11:39 1993      
          st_ctime: Mon May  3 06:25:37 1993      Mon May  3 06:11:39 1993      
    ---> File: '/homes/genek/research/tw/src'
    ---> Update entry?  [YN(y)nh?] y

    ### Updating database...
    ###
    ### Phase 1:   Reading configuration file
    ### Phase 2:   Generating file list
    ### Phase 3:   Updating file information database
    ###
    ### Warning:   Old database file will be moved to `tw.db_flounder.Eng.Sun.COM.old'
    ###            in ./databases.
    ###
    6:25am (flounder) tw/src 1007 %%

    Tripwire prompts the user whether the database entry of the
current file should be updated to match the current file information.
Pressing either 'y' or 'n' either updates the current file or skips to
the next file.  Pressing 'Y' or 'N' applies your answer to the entire
entry.  (I.e., if /etc is changed, typing 'Y' will not only update /etc,
but it will also files update all the files in /etc.)

  Tripwire exit codes:
  ====================

    Tripwire exit status can be interpreted by the following mask:

        1:      run-time error.  aborted.
        2:      files added
        4:      files deleted
        8:      files changed

    For example, if Tripwire exits with status code 10, then files
were found added and changed.  (i.e., 8 + 2 = 10.)

  Tripwire quiet option:
  ======================

    When run with -q option, Tripwire really is quiet, printing only
one-line reports for each added, deleted, or changed file.  The output
is more suitable for parsing with awk or perl.

  Monotonically growing files:
  ============================

    The ">" template is now supported in the tw.config files.  This
template allows files to grow without being reported.  However, if the
file is deleted or is smaller than the size recorded in the database,
it is reported as changed.

  Loose directory checking:
  =========================

    This option was prompted by complaints that Tripwire in Integrity
Checking and Interactive mode unnecessarily complains about
directories whose nlink, ctime, mtime, or size have changed.  When
Tripwire is run with the "-loosedir" option, directories automatically
have these attributes included in their ignore-mask, thus quieting
these complaints.

    Note that this is option is not enabled by default, making normal
Tripwire behavior no different than previous releases.  However,
running with this option enabled considerably decreases "noise" in
Tripwire reports.  

    (Ideally, this "loose directory checking" should be offered on
a per-file basis in the tw.config file.  However, adding another field
to the tw.config file was too extensive a change to be considered for
this release.  A later release of Tripwire may rectify this.)

  Hooks for external services:
  ============================

    Tripwire now supports the "-cfd" and "-dfd" options that allow the
user to specify an open file descriptor for reading the configuration
file and database file, respectively.  Using these options, an
external program can feed Tripwire both input files through open file
descriptors.  This external program could supply services not provided
though Tripwire, such as encryption, data compression, or a
centralized network server.

    This program might do the following:  Open the database and
configuration files, process or decode (i.e., uncompress the file),
and then write out the reguarly formatted file to a temporary file.
Open file descriptors to these files are then passed to Tripwire by
command-line arguments though execl().

    An example of using a shell script to compress and encrypt your
files is given in ./contrib/zcatcrypt.  It is a four line Bourne shell
script that encrypts and compresses the database and configuration
files.  It uses a named pipe (FIFO) to do this.

  SHA/SHS signature routines:
  ===========================

    Tripwire now includes SHA/SHS, the proposed NIST Digital Signature
Standard.  See the README file for details on this algorithm.

    Please note that the SHA code in ./sigs/sha seems to be poorly
handled by many optimizing C compilers.  For example, the stock C
compiler included with SunOS 4.x takes almost two minutes to compile
this file with the -O option on a Sparcstation10.

    Other compilers (such as GCC) do not have this problem.

  Change in tw.config preprocessor:
  =================================

    The tw.config preprocessor has been changed to allow the proper
expansion of @@variables in filenames.  The following use of @@define
now works as expected:

        @@define DOMAIN_NAME    my_main_nis_domain
        /var/yp/@@DOMAIN_NAME   L
        @@DOMAIN_NAME/FOO       L

    (This is the third attempt at getting this working correctly.  We
finally fixed this by moving the macro expansion routines into the
lexical analyzer.)

  Expanded test suite:
  ====================

    The Tripwire test suite now includes runs a more standard
signature test suite.  This was prompted by discovery of several
implementation errors in the MD2, MD4, and MD5 signature routines that
was introduced right before the official release of Tripwire.  (Thanks
Eugene Zaustinsky.)

    Two more test suites have been added.  One iterates through all
the Tripwire reporting functionalities, and exercises all the database
update cases.  The other test suite checks for proper Tripwire
preprocessor macro expansions.

  CRC32 changes:
  ==============

    Furthermore, the CRC32 signature routine is now POSIX 1003.2
compliant.  (Thanks Dan Bernstein.)

  "siggen" replaces "sigfetch":
  =============================

    As a tester noted, "sigfetch" was a misnomer as nothing was
actually being fetched.  Consequently, it was easy to (incorrectly)
conclude that "sigfetch" retrieved signatures from the database.

    The "siggen" command is the current incarnation of "sigfetch".
The manual pages reflect this change.

  Source code cleanup:
  ====================

    The authors went through the sources, doing generic cleanups aid
in code comprehension.

  Bug fixes:
  ==========

    This release fixes all known bugs.  The TODO list, however, gives a
wishlist of features that may be included in future releases.
--
Gene Spafford, COAST Project Director
Software Engineering Research Center & Dept. of Computer Sciences
Purdue University, W. Lafayette IN 47907-1398
Internet:  s...@cs.purdue.edu    phone:  (317) 494-7825



 Mon, 03 Jun 1996 08:59:51 GMT   
 
   [ 1 post ] 

Similar Threads

1. Tripwire version 1.1 (patchlevel 0) on OSF1 V1.3

2. Version 1.1 of GNU miscfiles released

3. BMV - GhostScript front end for Linux, version 1.1 released

4. Release of Marx version 1.1 Beta 8

5. shql version 1.1 finally released

6. BMV - GhostScript front end for Linux, version 1.1 released

7. Version 1.1 of xosview released

8. Version 1.1 of sysklogd now released.

9. New Version of Tripwire Released! (v1.2)


 
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group.
Designed by ST Software