October 02, 2001, 10:41 AM — If you have ever discovered a system attack, you know that reloading the system and all its applications would be the first thing to do because you can't identify the files an intruder may have tampered with. Reloading from scratch is tedious and time consuming, and putting a firewall in front of each host on the network still wouldn't guarantee an uncompromised system.
Network intrusion detection systems (IDSs) can monitor and notify you of attacks, but how many IDSs do you really want to manage? An IDS relies on knowing a method of attack, and it can be bypassed if that method were to change with the help of an anti-IDS scanner, such as Whisker by Rain Forest Puppy.
A layered, or "onion," approach to security is preferred because no single security mechanism is without its flaws. Previous Unix Insider articles have discussed hardening the host to minimize security exposures; this one covers Tripwire, a method for intrusion detection on a host level.
What is Tripwire?
Tripwire is an integrity assessment software package that maintains a database of file attributes and sends alerts when any of those attributes change. Essentially, it tells you if your servers' files have changed since the previous day. Because it works on the host level, it should be integrated with other security mechanisms such as firewalls and network intrusion detection. While Tripwire's primary purpose is to provide security, it provides the administrator with some source control as well.
Two versions of Tripwire are available: Tripwire 1.3.1 Academic Source Release (ASR) and the commercial version, Tripwire 2.2.1. Tripwire's ASR was developed at Purdue University in 1992 by Gene Kim and Gene Spafford. The release (it's still freely available) is the most widely used piece of integrity assessment software in the world. However, the relatively static ASR isn't often upgraded. Tripwire does provide bug fixes and minor feature updates, but if you want support and the major new features, you'll have to pay for them ($495 per host).
Tripwire 2.2.1 for Solaris
I haven't used Tripwire 1.3 very much, mostly because it's a hassle to configure and it requires meticulous care to keep the database on a write-protected floppy. Although maintenance on a large installation would be a nightmare, I see good reason to use it on static systems such as firewalls.
Recently I took a critical look at the improvements made to Tripwire 2.2.1 for Sun Solaris. They include: