Announcing the release of version 1.2 of Tripwire!

This version supersedes all previous versions of Tripwire. Version 1.2 includes several new features, small performance improvements, and several bug fixes. This version also includes a new signature routine, porting to new machines, support for symbolic links and HP CDF files, and more. (See the list below.)

Version 1.2 of Tripwire is probably the final release of Tripwire for some time to come. Gene Kim is no longer at Purdue, Spaf is on sabbatical for the 1994/95 academic year, and no COAST sponsor has shown particular interest in funding continued development.

Enclosed below is a brief description of what Tripwire is, a description of how to get a copy of the source code, and a list of new features added since the Version 1.1 release.

We greatly appreciate the time and effort expended by all the people who beta-tested various versions of Tripwire over the last few years. Without the contributions and reports of these people, we are certain that the package would not be as complete as it is currently. We have tried to acknowledge all our testers and contributors in the documentation and Changelog file in this distribution; our sincere apologies if we forgot anyone.

Also, our thanks to COAST sponsors and sponsors of COAST research projects who helped fund this project, directly or indirectly. This includes especially Bell Northern Research, Trident Data Systems, Sun Microsystems and the US Air Force. (Be sure to read the COAST.info file!)

30 August 1994

Gene Kim <gkim@cs.arizona.edu>
Gene Spafford <spaf@cs.purdue.edu>

What is Tripwire?
-----------------

Tripwire is an integrity monitor for Unix systems. It uses several checksum/message-digest/secure-hash/signature routines to detect changes to files, as well as monitoring selected items of system-maintained information. The system also monitors for changes in permissions, links, and sizes of files and directories. It can be made to detect additions or deletions of files from watched directories.

The configuration of Tripwire is such that the system/security administrator can easily specify files and directories to be monitored or to be excluded from monitoring, and to specify files which are allowed limited changes without generating a warning. Tripwire can also be configured with customized signature routines for site-specific checks.

Tripwire, once installed on a clean system, can detect changes from intruder activity, unauthorized modification of files to introduce backdoor or logic-bomb code, and virus activity (if any were to exist) in the Unix environment.

Tripwire is provided as source code with documentation. The system, as delivered, performs no changes to system files and does not require root privilege to run (in the general case). The code has been extensively tested at many sites. Tripwire should work on almost any version of Unix, from Xenix on 80386-based machines to Cray and ETA-10 supercomputers. It now even works properly on DEC Alphas, and on Linux and BSDI systems!

Tripwire may be used without charge, but it may not be sold or modified for sale.

Tripwire was written as a project under the auspices of the COAST Project at Purdue University. The primary author was Gene Kim, with the aid and under the direction of Gene Spafford (COAST Director).

Where to Get Tripwire
---------------------

Copies of the Tripwire distribution may be obtained from "ftp://coast.cs.purdue.edu/pub/COAST/Tripwire". The distribution is available as a compressed tar file. When you untar the file, you will find another tar file, a Readme file, and a PGP external signature to give proof against tampering.

A mailserver exists for distribution and to provide a means of reporting bugs. To use the mail server, send e-mail to "tripwire-request@cs.purdue.edu" with a message body consisting solely of the word "help". The server will respond with instructions on how to get sources, patches (if any are issued), and how to report a bug (which we hope doesn't happen!).

Questions, comments, complaints, bugfixes, etc. may be directed to:

    gkim@cs.arizona.edu (Gene Kim)
    spaf@cs.purdue.edu (Gene Spafford)

The address "tripwire@cs.purdue.edu" is aliased to both of us.

The mailserver and the "tripwire-request" address have been discontinued.

What's New in Version 1.2
-------------------------

Version 1.2 adds several new features, as well as fixing reported bugs. Among the changes are:

- Signature checking for symbolic link contents has been added.
- Tripwire now correctly runs on Alpha AXPs, and other machines with "long" types that are not 32 bits wide.
- The Haval digital hash routine has been added as the eighth signature routine (faster than MD5, and purportedly more secure).
- The SHA signature routine has been changed to conform to the recent fix introduced in its FIPS definition by NIST/NSA to correct an unspecified weakness.
- The database format changes slightly to correct a boundary condition error. Because database entry numbers change, because the SHA signatures change, and because of Haval, old Tripwire databases must be reinitialized.
- Handling specified configuration and database files (and file descriptors) has been fixed to better accommodate pipes.
- Full support for flex added.
- Signature checking is now considerably faster through the use of the stdio library for file I/O.
- A Perl script has been added to update Tripwire databases where all inode numbers were changed by "fsirand" (NFS sites only); see the FAQ.
- Another fix to make database updates more predictable.
- All reported bugs have been fixed in this revision.
- A new README section describes some documented attacks on systems running Tripwire.
- Many small changes have been made to the documentation to correct and update information.

NOTE: The script `twdb_check.pl' (written in Perl) has been added to the distribution. It checks database consistency after updates of the tw.config file. This functionality will be put into the Tripwire program in the next release. Run this script after Tripwire database updates to ensure that database entry numbers are consistent with the tw.config file. See the README file for details (section 3.5.2).
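As an added illustration (not code from the Tripwire distribution) of the integrity-monitoring approach described under "What is Tripwire?": a baseline database of per-path attributes and digests is compared with a later snapshot, reporting added, deleted and changed entries, with a per-path ignore mask standing in for Tripwire's "allowed limited changes". SHA-256 is used here as the digest in place of Tripwire's own signature routines, and the file names and contents in the scenario are constructed.

```python
# Added illustration (not Tripwire's own code): a baseline of mode, link count, size and
# digest per path is compared with a later snapshot; a per-path ignore mask plays the
# role of Tripwire's "allowed limited changes" for files such as logs that may grow.
import hashlib
import os
import stat
import tempfile

ALL = frozenset({"mode", "nlink", "size", "sig"})

def sig_entry(path):
    """Attributes for one path; a symlink is signed by its target, not followed."""
    st = os.lstat(path)
    data = os.readlink(path).encode() if stat.S_ISLNK(st.st_mode) else b""
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            data = f.read()
    return {"mode": stat.S_IMODE(st.st_mode), "nlink": st.st_nlink,
            "size": st.st_size, "sig": hashlib.sha256(data).hexdigest()}

def snapshot(root):  # walk root without following symlinks -> {relative path: entry}
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = sig_entry(full)
    return db

def compare(baseline, current, ignore=None):  # -> (added, deleted, {path: [attrs]})
    ignore = ignore or {}
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    changed = {}
    for path in set(baseline) & set(current):
        diffs = {k for k in ALL - ignore.get(path, set())
                 if baseline[path][k] != current[path][k]}
        if diffs:
            changed[path] = sorted(diffs)
    return added, deleted, changed

def demo():  # constructed scenario: a tampered program, a log that may grow, a new file
    root = tempfile.mkdtemp()
    def put(name, body, mode="wb"):
        with open(os.path.join(root, name), mode) as f:
            f.write(body)
    put("login", b"#!/bin/sh\nexec /bin/login\n")
    put("messages", b"boot\n")
    base = snapshot(root)
    put("login", b"# unauthorized edit\n", "ab")  # size and digest now differ
    put("messages", b"login ok\n", "ab")         # growth permitted by the mask
    put("new", b"")                              # addition to a watched directory
    return compare(base, snapshot(root), ignore={"messages": {"size", "sig"}})
```

Only the tampered program and the new file are reported; the log's growth is masked, but its mode and link count are still checked.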