TRIPWIRE

What is it?

Tripwire is a file system monitoring tool that verifies the authenticity of the contents of the file system. File systems may be altered without authorization in a number of ways: by an intruder, by an authorized user violating local policy or controls, or even by the rare piece of malicious code altering system executables as other programs are run (Kim). Tracking unauthorized changes on a file system of any size is a difficult and tedious job. Using Tripwire, unauthorized changes are tracked in very little time.

Tripwire automates the creation of input lists and output lists of files. File attributes such as the file size, ownership, inode number, inode values and timestamps are compared between the input and output lists. For each file, the Tripwire program computes a digital signature. A digital signature is a fixed-sized output generated by a signature function whose input is an arbitrary file. If the contents of a file are changed in any way, then the signature should also change. Tripwire contains eight signature functions, including a 16-bit additive checksum and 16- and 32-bit CRC functions. The 16-bit additive checksum adds the values of all the bytes in the file and outputs the lower 16 bits (the remainder) (Kim). However, the 16- and 32-bit signature functions are easy to break: one can generate an identical signature using a different input file. A solution to this is to use message digest algorithms. These are "one-way" functions that are difficult to invert and that usually generate a large value, making exhaustive searches for duplicate signatures far more computationally difficult than for 32-bit signatures (Kim).
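The following is an added example, written for this page and not part of Tripwire or the COAST release, that models the comparison described above in Python. It records the inode attributes and two signatures for every file under a directory, compares a baseline database against a later one, and reports which attributes changed. The 16-bit additive checksum follows the definition in the text; SHA-256 stands in for the message digest algorithms (Tripwire's own digest choices are not named here, so that is an assumption). The demo scenario, the file names and the file contents are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass, asdict, fields
from typing import Dict, List


def additive_checksum16(data: bytes) -> int:
    """16-bit additive checksum: add every byte value and keep the low 16 bits."""
    return sum(data) & 0xFFFF


def message_digest(data: bytes) -> str:
    """Message-digest signature; SHA-256 is an assumption made for this example."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class FileRecord:
    """Attributes recorded for one file: inode data plus two signatures."""
    size: int
    mode: int
    uid: int
    gid: int
    inode: int
    mtime_ns: int
    checksum16: int
    digest: str


def record_file(path: str) -> FileRecord:
    """Read one file and capture its attributes and signatures."""
    st = os.lstat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    return FileRecord(
        size=st.st_size,
        mode=stat.S_IMODE(st.st_mode),
        uid=st.st_uid,
        gid=st.st_gid,
        inode=st.st_ino,
        mtime_ns=st.st_mtime_ns,
        checksum16=additive_checksum16(data),
        digest=message_digest(data),
    )


def build_database(root: str) -> Dict[str, FileRecord]:
    """Walk root and record every regular file, keyed by its path relative to root."""
    db: Dict[str, FileRecord] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(full).st_mode):
                db[os.path.relpath(full, root)] = record_file(full)
    return db


def compare_databases(baseline: Dict[str, FileRecord],
                      current: Dict[str, FileRecord]) -> dict:
    """Return added and deleted paths and, for changed paths, the attributes that differ."""
    report: dict = {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "changed": {},
    }
    for path in sorted(set(baseline) & set(current)):
        old, new = asdict(baseline[path]), asdict(current[path])
        diff: List[str] = [f.name for f in fields(FileRecord) if old[f.name] != new[f.name]]
        if diff:
            report["changed"][path] = diff
    return report


def demo() -> dict:
    """Constructed scenario: baseline a directory, then rewrite one file with the
    same bytes in a different order, so size and additive checksum stay the same."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "bin", "greet.sh")
        os.makedirs(os.path.dirname(target))
        with open(target, "wb") as fh:
            fh.write(b"#!/bin/sh\necho hello\n")
        with open(os.path.join(root, "untouched.conf"), "wb") as fh:
            fh.write(b"setting=1\n")
        baseline = build_database(root)
        # Modify in place: same size, same inode, same multiset of bytes.
        with open(target, "wb") as fh:
            fh.write(b"#!/bin/sh\necho olleh\n")
        current = build_database(root)
        return compare_databases(baseline, current)


if __name__ == "__main__":
    for path, changed_fields in demo()["changed"].items():
        print(path, "changed:", ", ".join(changed_fields))
```

The demo shows the point made in the text: reordering the bytes of a file leaves the size and the 16-bit additive checksum untouched, so a comparison relying on those alone would miss the change, while the message digest differs and flags the file.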

A value for security.

Tripwire is designed to detect unauthorized modifications of files and serves as positive proof that they have occurred. Many hours can be saved if it is known that certain hosts have not been corrupted: no reinstallation of the operating system is necessary when Tripwire verifies a system's integrity (Public).

Where to get Tripwire.

Tripwire was produced for the Computer Operations, Audit, and Security Technology (COAST) project at Purdue University. It is available in C source code form. Locations for obtaining Tripwire are comp.sources.unix on Usenet, pub/spaf/COAST/Tripwire via anonymous FTP, and by emailing tripwire-request@cs.purdue.edu with the word "help" in the message body to receive instructions (Kim).

References
(Kim) -- http://www.cs.purdue.edu/homes/spaf/tech-reps/gkim

(Public) -- http://www.ccd.bnl.gov/pds/9412-tripwire.html

(COAST) -- http://www.cs.purdue.edu/coast/coast-tools.html