Developer(s) | Tripwire, Inc. |
---|---|
Stable release | 2.4.3.7
/ 31 March 2018 |
Repository | |
Written in | C++, Perl |
Operating system | Linux, all POSIX/UNIX Systems |
Type | Security, Monitoring, HIDS |
License | GPLv2[1] |
Website | https://github.com/Tripwire/tripwire-open-source |
Open Source Tripwire is a free software security and data integrity tool for monitoring and alerting on specific file change(s) on a range of systems[2][3] originally developed by Eugene H. Spafford and Gene Kim.[4] The project is based on code originally contributed by Tripwire, Inc. in 2000.[5][6] It is released under the terms of GNU General Public License.[1]
It works by creating a baseline database, and then regularly comparing the state of the file system with the database. If it detects changes (e.g. addition or modification of some files), it includes these changes in its report, so that the security administrators could check these changes.[2]
History
The Tripwire was created by Dr. Eugene Spafford and Gene Kim in 1992 in response to a series of stealthy intrusions that occurred in early 1991. These attacks circumvented the existing security systems by infecting the shared libraries in a way that their CRC checksums were unchanged. Tripwire was designed to use message digest functions from different hash families (e.g. MD5 and Snefru) in order to stay reliable even when a vulnerability is uncovered in some of the hashing algorithms. The name "Tripwire" comes from the trap or tripwire files which alert administrators upon being accessed by intruders.[7]: 4 Spafford recalls:
We heard several stories where tripwire files were established, as per our original intent, which were used to detect insiders snooping into files and directories where they had no reason to explore. At least one such use was related to us as a trigger that uncovered insider-perpetrated fraud.[4]
Tripwire was written in C and its design emphasized the program and database portability. On November 2, 1992, it was released for a beta testing. In December 1993, the formal release was made after identifying and fixing several bugs. Early releases were developed in a cleanroom style, where Gene Kim did the development and Eugene Spafford ran the acceptance testing.[4]
The Tripwire was initially free and open-source, but it went commercial in 1997. Open Source Tripwire was released in October, 2000.[6]
On May 4, 2015, the source code was moved from SourceForge to GitHub.[8]
Overview
During the installation, Open Source Tripwire asks the user to set the site-key and local key passphrases. The site-key passphrase is used to protect files across several systems (policy and configuration files) and the local passphrase is used to protect files on a specific machine. The policy file contains the list of files and directories to scan and the rules (e.g. which attributes of the directory tree to get).[2]
Open Source Tripwire later asks for the local passphrase when creating an initial database containing file signatures. It runs the first scan of the system and saves the result to the database. Afterwards, it runs integrity checks and compares the result with the database. For example, if a new file is created then it will be listed in the subsequent integrity check report.[3] The database file is designed to be human-readable, so that the user is able to verify properties of individual files or even check the database for potential tampering.[4][7]: 7 It is important that the database is initialized before the system is at risk of being compromised.[9]
A more sophisticated usage would include creating the tripwire files and configuring Open Source Tripwire to track these files in order to catch snooping intruders. When the intruder reads these files, their timestamps get updated and the security administrators get notified about this incident.[4]
Unlike Tripwire Enterprise, Open Source Tripwire is not available for Windows and has only basic policies.[10]
Implementation details
The configuration file is called tw.config
and it tells which files and directories need to be monitored for creations, deletions or modifications. It supports preprocessing which allows administrators to write only one configuration file for many different machines. In the configuration file, along with each file or directory there is a selection-mask that tells which attributes to ignore and which to report. For example, the selection-mask could be written to report changes in modification timestamp, number of links, size of the file, permission and modes, but ignore changes to the access timestamp. Also, there is an option to specify whether or not Tripwire should be recursing into a directory, i.e. checking the subdirectories, subdirectories of those subdirectories, etc.[7]: 11–12
The database file is unique for each machine, as opposed to the configuration file which could be shared across multiple machines. It stores signatures of the files, and not the content itself, because storing the content of the files would use too much disk space. For each file, the database can store up to ten signatures. There are six types of changes to the database: adding, deleting or updating a file, and adding, deleting or updating an entry. Most of them are straightforward except for adding a file when it does not have an entry in the tw.config
file. In this case Tripwire chooses the "closest" ancestor entry in the configuration file and copies its selection-mask, or uses the default selection-mask if the entry could not be found at all. Tripwire also has an interactive update mode which simplifies the process of reviewing every updated file. For each created, deleted or modified file it asks whether or not the corresponding database entry should be changed.[7]: 13–15
Because different hashing algorithms have different performances, Tripwire allows to configure which signatures to use and how frequently. For example, the system could be configured to compare CRC32 signatures every hour and compare MD5 signatures every day.[7]: 15
See also
References
- 1 2 "LICENSE". Github. Retrieved 5 September 2019.
- 1 2 3 Michael Kwaku Aboagye (January 18, 2018). "Securing the Linux filesystem with Tripwire". opensource.com. Archived from the original on May 6, 2023. Retrieved January 14, 2024.
- 1 2 Li, Hui; McGinty, Michael; Fu, Xinwen (2012). "Monitor and Secure Linux System with Open Source Tripwire" (PDF). University of Massachusetts Lowell. Archived (PDF) from the original on January 14, 2024. Retrieved January 14, 2024.
- 1 2 3 4 5 Spafford, Eugene H. "Tripwire: Pioneering Integrity Scanning for Cybersecurity" (PDF). Purdue University. Archived (PDF) from the original on February 4, 2023. Retrieved January 14, 2024.
- ↑ "Open Source Tripwire on SourceForge". Retrieved January 14, 2024.
- 1 2 Bauer, Mick (July 1, 2001). "Paranoid penguin: intrusion detection for the masses". Linux Journal. 2001 (87). Archived from the original on January 14, 2024. Retrieved January 14, 2024.
- 1 2 3 4 5 6 Kim, Gene H.; Spafford, Eugene H. (November 19, 1993). "The design and implementation of tripwire: a file system integrity checker". CCS '94: Proceedings of the 2nd ACM Conference on Computer and communications security. doi:10.1145/191177.191183. Archived from the original on March 22, 2016. Retrieved January 14, 2024.
- ↑ "Initial commit of code from Sourceforge repository". Retrieved January 14, 2024.
- ↑ Prof. Dhananjay R. Kalbande; Dr. G. T. Thampi; Mr. Manish Singh (2009). "Incidence Handling and Response System" (PDF). International Journal of Computer Science and Information Security. 2 (1). Archived (PDF) from the original on January 14, 2024. Retrieved January 14, 2024.
- ↑ Sen, Kaushik (October 17, 2021). "Tripwire Enterprise vs Free Tripwire Open Source". UpGuard. Archived from the original on January 19, 2022. Retrieved January 14, 2024.