Message-Id: <9209081407.AA12831@tictac.cert.org>
Date: Tue, 8 Sep 92 10:05:13 EDT
To: cert-tools@cert.org
From: Gene Spafford
Subject: Beta testers needed for new security tool

Announcing the pending availability of Tripwire: A Unix File Integrity Checker

This message is being posted to various newsgroups and mailing lists to gather a group of beta-testers for a new security tool called Tripwire. Tripwire was written by Gene Kim, currently at Purdue University, under the direction of Professor Gene Spafford. Tripwire should be of significant interest to system administrators concerned about timely detection of system file tampering on their Unix hosts.

Goal of Tripwire:
=================

With the advent of increasingly sophisticated and subtle account break-ins on Unix systems, the need for tools to aid the detection of unauthorized modification of files becomes clear. Tripwire is a tool that aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner.

Tripwire is a system file integrity checker, a utility that compares a designated set of files and directories against information stored in a previously generated database. Any differences are flagged and logged, and optionally, a user is notified through mail. When run against system files on a regular basis, changes in critical system files would be spotted at the next time-interval when Tripwire is run, so damage control measures may be implemented immediately. With Tripwire, system administrators can conclude with a high degree of certainty that a given set of files remains untouched by unauthorized modification, provided the program and database are appropriately protected (e.g., stored on read-only disk).
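The baseline-and-compare cycle described above, as an added example that is not Tripwire's own code: a small Python integrity checker that records inode attributes (permission bits, owner, size, link count, modification time) plus a SHA-256 digest of each monitored file in a JSON database, then re-walks the list and reports every attribute that differs. The file names, contents and the "tampering" step in demo() are constructed for the demonstration; the SHA-256 digest and the JSON database format are this example's choices, not Tripwire's.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Attributes named here are recorded but never reported, in the spirit of
# Tripwire's per-file selection of which inode fields to watch.
DEFAULT_IGNORE = ()


def snapshot_entry(path: Path) -> dict:
    """Record inode attributes and, for regular files, a digest of the contents."""
    st = path.lstat()  # lstat: describe a symlink itself, not its target
    entry = {
        "mode": stat.S_IMODE(st.st_mode),  # permission bits only
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "nlink": st.st_nlink,
        "inode": st.st_ino,
        "mtime": int(st.st_mtime),
    }
    if stat.S_ISREG(st.st_mode):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        entry["sha256"] = digest.hexdigest()
    return entry


def build_database(root: Path, relative_paths) -> dict:
    """Baseline run: snapshot every monitored path under root."""
    return {rel: snapshot_entry(root / rel) for rel in relative_paths}


def save_database(db: dict, dest: Path) -> None:
    # The baseline is only trustworthy if it is kept where an intruder cannot
    # rewrite it (e.g. read-only media, as the announcement recommends).
    dest.write_text(json.dumps(db, indent=1, sort_keys=True))


def load_database(src: Path) -> dict:
    return json.loads(src.read_text())


def check_database(root: Path, db: dict, ignore=DEFAULT_IGNORE) -> dict:
    """Integrity-check run: compare the current state against the baseline."""
    report = {"changed": {}, "missing": []}
    for rel, old in db.items():
        path = root / rel
        if not os.path.lexists(path):
            report["missing"].append(rel)
            continue
        new = snapshot_entry(path)
        diffs = {}
        for key in sorted(set(old) | set(new)):
            if key not in ignore and old.get(key) != new.get(key):
                diffs[key] = (old.get(key), new.get(key))
        if diffs:
            report["changed"][rel] = diffs
    return report


def format_report(report: dict) -> str:
    """Render the report as text suitable for a log entry or a mail notification."""
    lines = [f"MISSING {rel}" for rel in report["missing"]]
    for rel, diffs in report["changed"].items():
        for key, (old, new) in diffs.items():
            lines.append(f"CHANGED {rel}: {key} {old!r} -> {new!r}")
    return "\n".join(lines) if lines else "no changes detected"


def demo() -> dict:
    """Constructed scenario (temporary directory, not real system files):
    baseline two files, alter one while restoring its timestamps, re-check."""
    root = Path(tempfile.mkdtemp(prefix="integrity-demo-"))
    (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
    (root / "login").write_bytes(b"\x7fELF-placeholder-binary")
    dbfile = root / "baseline.json"
    save_database(build_database(root, ["passwd", "login"]), dbfile)

    # Modify the "binary" in place, then put the original timestamps back:
    # the mtime check stays silent, but the digest and size still differ.
    before = (root / "login").lstat()
    (root / "login").write_bytes(b"\x7fELF-placeholder-binary-with-extra-code")
    os.utime(root / "login", (before.st_atime, before.st_mtime))

    report = check_database(root, load_database(dbfile))
    print(format_report(report))
    return report


if __name__ == "__main__":
    demo()
```

Running the block prints two CHANGED lines for login (sha256 and size) and nothing for passwd, which is the point of the digest: a timestamp that has been reset tells the checker nothing, while the content hash cannot be restored without restoring the original bytes.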
Tripwire uses message digest algorithms (cryptographic checksums) to detect changes in a hard-to-spoof manner. This should be able to detect significant changes to critical files, including those caused by insertion of backdoors or viruses. It also monitors changes to file permissions, modification times, and other significant changes to inodes as selected by the system administrator on a per-file/directory basis.

What we need:
=============

As of this writing, Tripwire runs successfully on both BSD and System V variants of Unix. Among the operating systems Tripwire has run on are:

    SunOS 5.x (SVR4)
    SunOS 4.x (BSD 4.3)
    Dynix 3.x (BSD 4.2)

Compiling Tripwire should be as simple as editing the config.h file to set the appropriate #defines, and typing 'make'.

A pool of beta-testers is needed to ensure that Tripwire works predictably on a wide variety of systems. Of particular interest are system administrators using the following operating systems:

    AIX
    AUX
    BSD4.4
    HP/UX
    Mach
    NextOS
    OSF/1
    SVR3.x
    Ultrix
    Unicos
    Xenix
    System III
    Versions 6, 7, 8, & 9 :-)
    other versions we didn't list

A config.h file allows you to tailor Tripwire around your system specifics, such as the locations of system utilities (like sort and diff), and desired lookup pathnames to your Tripwire database files. Possible porting trouble-spots are generally restricted to dirent(S5)/direct(BSD) funkiness and #defines that changed for POSIX compliance (such as those for stat.st_mode).

Hopefully the process of beta-testing will highlight any problems before any widely-released distribution. It is also hoped that reasonable system defaults for a wide variety of systems can be gathered from a diverse set of beta-testers. This would allow useful plug-and-play builds for the majority of Tripwire users.

What you'd get as a beta-tester:
================================

The entire source to Tripwire, manual pages, a README, and the Tripwire design document.
What you'd need to do:
======================

You will need to install the code on your system and run it.

You will need to report back any bugfixes, enhancements, optimizations or other code-diddling that you believe useful.

If you build a configuration file for a new system, you will need to send this back.

You will have to collect some performance data.

You will need to provide some honest, critical feedback on utility, clarity, documentation, etc.

You will need to do all this by about October 21.

Are you interested?
===================

If so, please fill out the form at the end of this message, and send it to (genek@mentor.cc.purdue.edu). We will only take two or three respondents for each system type for the beta test. Please allow some time for processing and selection of beta-testers. I promise to reply to all requests as expeditiously as possible.

A formal release of Tripwire is planned for sometime in November. Watch this space for details!

Gene Kim
September 4, 1992

===============================================================================
Name:

Email address:

System configuration:
    machine type
    operating system
    version

Site information: (completely optional)
    type of site (ie: university, corporate, military, etc...)
    comments on machine security (ie: numerous break-in attempts on our
    dialback servers, repeated intrusions through network, etc...)
===============================================================================

*****CERT-Tools Information:*************************************************
* Submissions                         : cert-tools@cert.org                 *
* Address additions/deletions/changes : cert-tools-request@cert.org         *
* Moderator                           : tools@cert.org                      *
*                                                                           *
* The CERT/CC will not formally review, evaluate, or endorse the tools      *
* and techniques described.  The decision to use the tools and              *
* techniques described is the responsibility of each user or                *
* organization and we encourage each organization to thoroughly evaluate   *
* new tools and techniques before installation or use.                      *
*****************************************************************************