Tripwire is an intrusion detection system. It is a
software tool that checks to see what has changed on your system.
The program monitors the key attributes of files that should not
change, including the size, binary signature, expected change of size,
and other related data. Tripwire is an open source program
created to monitor changes in a key subset of files identified by the
user and report on any changes in any of those files. When changes are
detected the system administrator can determine whether those changes
occurred due to normal, permitted activity, or whether they were caused
by a break-in. If the former, the administrator can update the system
baseline to the new files. If the latter, then repair and recovery
activity begins. Tripwire's principle is simple enough. The system
administrator identifies key files and causes Tripwire to record
checksums for those files. The administrator also sets up a cron job to scan
those files at intervals (daily or more frequently), comparing them to the
original checksums. Any change, addition, or deletion is reported, so
that the proper action can be taken.
Tripwire is a reliable intrusion detection system. It is a
software tool that checks to see what has changed in your system. It
mainly monitors the key attributes of your files; by key attributes we
mean the binary signature, size and other related data. Security and
operational stability must go hand in hand: if the user does not have
control over the various operations taking place, then naturally the
security of the system is also compromised. Tripwire has a powerful
feature which pinpoints the changes that have taken place, notifies the
administrator of these changes, determines the nature of the changes
and provides you with the information you need for deciding how to manage
Tripwire Integrity Management solutions monitor changes to
vital system and configuration files. Any changes that occur are
compared to a snapshot of the established good baseline. The software
detects the changes, notifies the staff and enables rapid recovery and
remedy for changes. All Tripwire installations can be centrally managed.
Tripwire software's cross-platform functionality enables you to manage
thousands of devices across your infrastructure.
Security not only means protecting your system against various
attacks but also means taking quick and decisive action when your
system is attacked. First of all we must find out whether our system has
been attacked or not; in earlier days, system logs were certainly handy
for this. You can see evidence of password guessing and other suspicious
activities. Logs are ideal for tracing the steps of the cracker as he
tries to penetrate the system. But who has the time and the patience to
examine the logs on a daily basis?
Penetration usually involves a change of some kind, such as a new
port being opened or a new service started. The most common change you can
see is that a file has changed. If you can identify the key subset of
these files and monitor them on a daily basis, then you will be able to
detect whether any intrusion took place. Tripwire is an open source
program created to monitor the changes in a key subset of files
identified by the user and report on any changes in any of those files.
When changes are detected, the system administrator is informed.
Tripwire's principle is very simple: the system administrator
identifies key files and causes Tripwire to record checksums for those
files. He also puts in place a cron job, whose job is to scan those
files at regular intervals (daily or more frequently), comparing them to the
original checksums. Any changes, additions or deletions are reported to
the administrator. The administrator will be able to determine whether
the changes were permitted or unauthorized. In the former case the
database is updated so that in future the same change is not reported
again as a violation. In the latter case, proper
recovery action is taken immediately.
TRIPWIRE FOR SERVERS
Tripwire for Servers is software used exclusively
on servers. This software can be installed on any server that
needs to be monitored for changes. Typical servers include mail
servers, web servers, firewalls, transaction servers, development servers,
etc. Any server where it is imperative to identify if and when a file
system change has occurred should be monitored with Tripwire for
Servers. For the Tripwire for Servers software to work, two important
things must be present: the policy file and the database.
The Tripwire for Servers software conducts subsequent file
checks, automatically comparing the state of the system with the
baseline database. Any inconsistencies are reported to Tripwire
Manager and to the host system log file. Reports can also be emailed to
an administrator. If a violation is an authorized change, a user can
update the database so the changes no longer show up as violations.
FLEXIBLE POLICY LANGUAGE
The power behind Tripwire technology lies in its highly
configurable policy language. The policy file is how a user directs
Tripwire for Servers to monitor specific files or directories. The
flexible policy tool can be customized to fit the needs of each and
every server. With the release of version 4.0, policy file creation has
become even easier. In Tripwire Manager 4.0, a graphical policy
editor allows users to select the files and directories, along with the
scanning options, that need to be monitored in each integrity check.
Included in the products are default policy files for each supported
operating system to make it easy for the user to set up which files
should be monitored. In the latest version, wildcards are
also supported, which enables users to add objects to the policy file by
specifying the file type. In 4.0, objects listed in the policy file but
not present on the user's machine are no longer categorized as
violations. By only showing violations caused by added, deleted or
changed files, report noise is greatly reduced. The Tripwire policy
language also allows you to group objects under easy-to-understand
rule names and then prioritize them.
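As an added example (not code from this paper or from Tripwire), the following Python script shows what a policy file of the kind described above has to express: it parses a small policy written in a simplified subset modelled on the open-source Tripwire policy syntax, expands the property masks into the attributes to be recorded for each object, groups rules under rule names with a severity, and skips objects that are listed in the policy but do not exist instead of reporting them as violations, the version 4.0 behaviour described above. The sample policy, the variable names (TWBIN, SIG_HI), the set of present paths and the grammar subset are constructed for this example; the property-mask letters are those of open-source Tripwire and are assumed to apply here.

```python
import re

# Property-mask letters of open-source Tripwire (assumed to apply here too).
PROPERTY_NAMES = {
    "p": "permissions", "i": "inode", "n": "link_count", "u": "uid",
    "g": "gid", "t": "type", "s": "size", "d": "device", "b": "blocks",
    "a": "atime", "m": "mtime", "c": "ctime", "C": "crc32", "M": "md5",
    "S": "sha", "H": "haval", "l": "growing", "r": "device_number",
}
# Predefined mask variables, modelled on the open-source Tripwire defaults.
PREDEFINED = {
    "ReadOnly": "+pinugtsdbmCM-rlacSH", "Growing": "+pinugtdl-srbamcCMSH",
    "IgnoreNone": "+pinugtsdrbamcCMSH-l", "IgnoreAll": "-pinugtsdrlbamcCMSH",
}
VAR_REF = re.compile(r"\$\(([A-Za-z_]\w*)\)")   # a $(NAME) reference


def expand_vars(text, variables):
    """Replace each $(NAME) reference; an undefined NAME raises KeyError."""
    return VAR_REF.sub(lambda m: variables[m.group(1)], text)


def mask_to_properties(mask):
    """'+pinug-sl' -> attributes to record: '+' selects, '-' deselects."""
    selected, adding = set(), True
    for ch in mask:
        if ch in "+-":
            adding = ch == "+"
        elif ch in PROPERTY_NAMES:
            (selected.add if adding else selected.discard)(PROPERTY_NAMES[ch])
        else:
            raise ValueError(f"unknown property flag {ch!r} in mask {mask!r}")
    return selected


def parse_policy(text):
    """Return (rulename, severity, path, properties) per rule. Grammar is a
    simplified subset (assumption): '# comment', 'NAME = value ;', rule
    attributes '( rulename = "..", severity = N )', '{ }', 'path -> mask ;'."""
    variables, rules = dict(PREDEFINED), []
    state = {"rulename": "unnamed", "severity": 0}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line in ("(", ")", "{"):
            continue
        if line == "}":                      # block closed: reset attributes
            state = {"rulename": "unnamed", "severity": 0}
            continue
        if line.startswith("(") and line.endswith(")"):
            line = line[1:-1]                # attributes written on one line
        if m := re.fullmatch(r"(.+?)\s*->\s*(.+?)\s*;", line):
            path = expand_vars(m.group(1), variables)
            mask = expand_vars(m.group(2), variables)
            rules.append((state["rulename"], state["severity"], path,
                          mask_to_properties(mask)))
        elif m := re.fullmatch(r"([A-Za-z_]\w*)\s*=\s*(.+?)\s*;", line):
            variables[m.group(1)] = expand_vars(m.group(2), variables)
        else:                                # rulename / severity attributes
            for part in filter(None, map(str.strip, line.split(","))):
                if m := re.fullmatch(r'rulename\s*=\s*"([^"]*)"', part):
                    state["rulename"] = m.group(1)
                elif m := re.fullmatch(r"severity\s*=\s*(\S+)", part):
                    state["severity"] = int(expand_vars(m.group(1), variables))
                else:
                    raise ValueError(f"cannot parse policy line: {raw!r}")
    return rules


def plan_checks(rules, present_paths):
    """Map each existing policy object to (rulename, severity, attributes).
    Listed objects that do not exist are skipped, not reported (4.0 behaviour)."""
    checks, skipped = {}, []
    for rulename, severity, path, props in rules:
        if path in present_paths:
            checks[path] = (rulename, severity, sorted(props))
        else:
            skipped.append(path)
    return checks, skipped


SAMPLE_POLICY = """
# Constructed sample policy for this example (not a vendor default file).
TWBIN = /usr/sbin ;
SIG_HI = 100 ;
(
  rulename = "Tripwire Binaries",
  severity = $(SIG_HI)
)
{
  $(TWBIN)/tripwire -> $(ReadOnly) ;
  $(TWBIN)/siggen   -> $(ReadOnly) ;
}
( rulename = "System logs", severity = 50 )
{
  /var/log/messages -> $(Growing) ;
  /var/log/secure   -> $(IgnoreNone)-SHal ;  # no SHA/Haval, atime or growing
}
"""
PRESENT = {"/usr/sbin/tripwire", "/var/log/messages", "/var/log/secure"}  # constructed
```

Calling `plan_checks(parse_policy(SAMPLE_POLICY), PRESENT)` gives one entry per existing object with the attributes its mask selects (for the ReadOnly binaries: permissions, inode, link count, owner, size, mtime and the CRC32/MD5 checksums, but not the access time, which changes on every read), and `/usr/sbin/siggen` in the skipped list rather than as a violation.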
The snapshot and the policy file are cryptographically signed
with the 168-bit Triple DES algorithm so that any
unauthorized tampering is detected. The default policy file also monitors the
Tripwire binary files; in short, it uses Tripwire itself to monitor the
In the latest version, 4.0, in addition to reporting to the
administrator which file has changed, when the change occurred and
where the change took place, it also to some extent determines who made
these changes. Tripwire for Servers tracks the identity of who made the
change by correlating the information from the operating system's event
and audit log with the integrity information detected by
Tripwire for Servers. It uses this information to provide the identity
of who made a certain change. Since it relies on the operating system to
gather this information, the product only captures this "who"
information on operating systems that track it. Linux and
FreeBSD do not track this information. This feature is called Event Log
Each Tripwire for Servers report details when the database was
last updated, providing a quick indication of whether, and when,
the data files have been replaced. In order to replace these files, an
attacker requires root or administrator level privileges and must know
where Tripwire for Servers has been installed. On a properly secured
system, gaining this level of access takes time and leaves physical
evidence behind for Tripwire for Servers to detect prior to the system
being compromised. Methods for reducing the risk of an intruder being
able to replace a Tripwire for Servers installation include:
• Hiding the application by renaming configuration, data, and
binary files and installing to a hidden location.
• Installing Tripwire for Servers to a read-only partition such
as a CD-ROM.
Tripwire Manager is a fully functional, cross-platform
management console that allows system and security professionals to
easily manage all installations of Tripwire for Servers software across
an enterprise network. Tripwire Manager eliminates the need to manually
monitor multiple discrete network platforms and point solutions.
Instead, IT professionals have a comprehensive view of data integrity
status from a single centralized console. Tripwire Manager also enables
you to view and analyze reports from installations of Tripwire for
Servers. With Tripwire Manager you can retrieve an integrity system,
which is made up of the configuration, database, policy, and local and site
keys, from a single golden machine, which can then be distributed to as
many servers as need to be compared against this snapshot. In version
4.0 of Tripwire Manager you can create and modify policy files by
using the graphical policy editor. This GUI will scan the remote file
system of a Tripwire for Servers installation and provide you with an
easy mechanism for editing or creating a policy file without having to
know the policy file syntax. Tripwire Manager can manage the functions
of Tripwire for Servers on up to 2500 machines.
Adding or removing a Tripwire for Servers installation is easy
to do from within the Tripwire Manager console. All you need to know is
the host name, IP address and port number. The Tripwire for Servers
database can be updated by using the database update mode within
Tripwire Manager. All communication between Tripwire Manager and
installations of Tripwire for Servers takes place using Secure Sockets
Layer (SSL) technology with 168-bit Triple DES encryption. To protect
against unauthorized modification, important files on each Tripwire for
Servers installation are stored in a binary-encoded and signed form.
Database, policy, configuration, and report files generated by the
integrity assessment are protected by using El Gamal asymmetric
cryptography with a 1024-bit signature.
There are mainly two types of Tripwire Manager:
• Active Tripwire Manager
• Passive Tripwire Manager
A user can have more than one Tripwire Manager managing the
same set of Tripwire for Servers machines. However, only one can be in
active mode and have complete management control of the Tripwire for
Servers machines. This active Tripwire Manager gives a user the ability
to update the database, schedule integrity checks, update and
distribute policy and configuration files and view integrity reports.
The other Tripwire Managers are in passive mode. Passive mode only
allows these Tripwire Managers to view the status of the machines and
the integrity reports. Once the active Tripwire Manager shuts down, the
next time a passive Tripwire Manager pings the Tripwire for Servers
machine it connects as an active Tripwire Manager. If there are two or more
passive Tripwire Managers, the one that connects first to the Tripwire
for Servers machine after the active Manager has shut down becomes the
TRIPWIRE FOR NETWORK DEVICES
Router, switch, and firewall configurations are critical to
overall network operation. Unwanted changes to configuration files can
result in downtime and security issues and waste hours of staff time
searching for the cause. Tripwire for Network Devices monitors the
integrity of routers, switches and firewalls: the network devices that
carry network traffic within and between networks. It helps the
network administrator answer the question, "Has the state of my network
devices changed from a known, trusted state? If so, how?" Problems
with one network device can seriously disable an organization's entire
network. Network downtime can result in lost revenue and lost customer
confidence. Manual processes to secure your network devices are
available and important. Tripwire for Network Devices augments them and
helps guarantee that the security of your network devices remains
intact. With Tripwire for Network Devices, downtime is minimized. Network
administrators can use Tripwire for Network Devices to quickly
investigate and isolate changes and restore changed configuration files
within minutes of an alert.
Tripwire for Network Devices includes six primary functions:
• Automatic notification of changes to your routers, switches and
• Automatic restoration of critical network devices
• Audit trail from log files and change reports, ideal for
internal/external network audits.
• Baseline archiving and configuration file hot back-up
• Heterogeneous support for today's most commonly used network
• Sets a framework for autonomic recovery
Tripwire for Network Devices does not provide real-time
monitoring. It checks your network devices for changes according to a
schedule you set. Device passwords stored by the software are protected
by robust 1024-bit Blowfish cryptography. The software has four user
• Monitors are allowed only to monitor the application. They
cannot make changes to Tripwire for Network Devices or to the devices
that the software monitors.
• Users can make changes to Tripwire for Network Devices, such
as adding routers, switches, groups, tasks, etc., but they cannot make
changes to the devices it monitors.
• Power users can make changes to the software and to the
devices it monitors.
• Administrators can perform all actions, plus delete violations
and log messages as well as add, delete, or modify user accounts.
Tripwire for Network Devices maintains a log of all significant
actions, including adding and deleting nodes, rules, tasks, and user
accounts. All log entries include a time and date, and identify the
user who initiated the process. The log entries cannot be modified by
anyone other than the administrator and can be copied and pasted into a
text file so you can create a library of log activities that are ideal
for network audits.
Device passwords stored by the software are protected by
robust 1024-bit Blowfish cryptography. Tripwire for Network Devices has
been tested and can monitor thousands of network devices. Tripwire for
Network Devices software has been tested with up to 6,000 network devices
running integrity checks every 10 minutes. With correct configuration,
the software can monitor more than 6,000 devices at one time.
HOW TRIPWIRE WORKS?
1. Install Tripwire and customize the policy file
Install the Tripwire software on the system and then specify
the files to be checked by writing the policy file. With version
4.0, writing the policy file is made very easy.
2. Initialize the Tripwire database
The database is initialized with the important key attributes of
the files to be checked. Build the database of critical system files to
monitor based on the contents of the new, signed Tripwire policy file.
3. Run the integrity check
Compare the newly created Tripwire database with the actual
system files, looking for missing or altered files, according to the
integrity check timing specified in the policy file for the different
files that are to be monitored.
4. Examine the Tripwire report file
View the Tripwire report file to note any integrity violations.
5. If unauthorized integrity violations occur, take appropriate
If monitored files have been altered inappropriately, the
system administrator has to take immediate action: either
replace the original files from backup copies, reinstall the program, or
completely reinstall the operating system.
6. If the file alterations were valid, verify and update the Tripwire
If the changes made to monitored files are intentional, edit
Tripwire's database file to ignore those changes in subsequent reports.
7. If the policy file fails verification, update the Tripwire policy
To change the list of files Tripwire monitors or how it treats
integrity violations, update the supplied policy file, regenerate a
signed copy, and update the Tripwire database.
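The seven steps above, together with the checksum-and-cron principle from the introduction, as one added worked example in Python (not this paper's or Tripwire's own code): it builds a baseline of the monitored files, signs it, runs an integrity check that reports added, removed and changed objects together with the attributes that differ, folds an authorized change into the baseline so it stops appearing, and refuses a baseline that was edited behind its back. The HMAC "site key" signature is a simplified stand-in for the product's signed database files, the recorded attributes are a fixed subset, the files and edits are constructed in a temporary directory, and all function names are this example's own.

```python
import hashlib, hmac, json, os, stat, tempfile

ATTRIBUTES = ("size", "mode", "mtime", "sha256")   # fixed subset recorded per object


def snapshot(path):
    """Attributes of one object, or None if it does not exist."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    entry = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
             "mtime": int(st.st_mtime), "sha256": None}
    if stat.S_ISREG(st.st_mode):            # hash regular file contents only
        with open(path, "rb") as fh:
            entry["sha256"] = hashlib.sha256(fh.read()).hexdigest()
    return entry


def init_database(paths):
    """Step 2: baseline every monitored path that exists right now."""
    return {p: e for p in paths if (e := snapshot(p)) is not None}


def sign_database(db, key):
    """Serialize deterministically and append an HMAC-SHA256 tag: a simplified
    stand-in (assumption) for the product's signed database file."""
    body = json.dumps(db, sort_keys=True).encode()
    return body + b"\n" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def load_database(blob, key):
    """Refuse to trust a baseline whose tag does not verify."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("database signature check failed: possible tampering")
    return json.loads(body)


def integrity_check(db, paths):
    """Step 3: compare the current state of each path with the baseline."""
    report = {"added": [], "removed": [], "changed": {}}
    for p in paths:
        base, now = db.get(p), snapshot(p)
        if base is None and now is not None:
            report["added"].append(p)
        elif base is not None and now is None:
            report["removed"].append(p)
        elif base is not None:
            diffs = [a for a in ATTRIBUTES if base[a] != now[a]]
            if diffs:
                report["changed"][p] = diffs
    return report


def update_database(db, authorized_paths):
    """Step 6: fold authorized changes into the baseline so they stop showing
    up as violations; unauthorized changes are left for step 5 to handle."""
    new_db = dict(db)
    for p in authorized_paths:
        entry = snapshot(p)
        if entry is None:
            new_db.pop(p, None)
        else:
            new_db[p] = entry
    return new_db


def demo():
    """Run the whole cycle on constructed files in a temporary directory."""
    key = b"constructed-site-key"
    with tempfile.TemporaryDirectory() as d:
        names = ("passwd", "sshd_config", "crontab")
        passwd, sshd, cron = (os.path.join(d, n) for n in names)
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0::/root:/bin/sh\n")
        with open(sshd, "w") as fh:
            fh.write("PermitRootLogin no\n")
        watched = [passwd, sshd, cron]        # crontab does not exist yet
        blob = sign_database(init_database(watched), key)
        # Constructed events: an unexplained edit, a planned edit, a new file.
        with open(passwd, "a") as fh:
            fh.write("guest:x:1001:1001::/home/guest:/bin/sh\n")
        with open(sshd, "a") as fh:
            fh.write("Port 2222\n")
        with open(cron, "w") as fh:
            fh.write("0 3 * * * /usr/sbin/tripwire --check\n")
        db = load_database(blob, key)         # verify before trusting (step 3)
        first = integrity_check(db, watched)  # step 4: examine this report
        # Only the sshd_config edit was planned, so only it is accepted.
        second = integrity_check(update_database(db, [sshd]), watched)
        # A baseline edited behind Tripwire's back must be rejected.
        try:
            load_database(blob.replace(b'"mode": ', b'"mode": 1'), key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"names": (passwd, sshd, cron), "first": first,
            "second": second, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a script it prints both reports: the first lists the new crontab as added and both edited files as changed (size and SHA-256 differ), the second no longer lists sshd_config but still flags the passwd edit, which is the case step 5 is about. In a real deployment the check would run from a cron entry on the schedule the policy calls for, and the report would be examined before any database update is accepted; the cron line written into the constructed crontab file is only illustrative content.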
Tripwire Integrity Management solutions give organizations
visibility into service-affecting changes and, in the process, increase
security, instill process accountability, and improve system
1. Increase security
Tripwire software immediately detects and pinpoints
unauthorized change, whether malicious or accidental, initiated
externally or internally. Tripwire provides the only way to know, with
certainty, that systems remain uncompromised.
2. Instill Accountability
Tripwire identifies and reports the sources of change, enabling
IT to manage by fact. It also captures an audit trail of changes to
servers and network devices.
3. Gain Visibility
Tripwire software provides a centralized view of changes across
the enterprise infrastructure and supports multiple devices from
4. Ensure Availability
Tripwire software reduces troubleshooting time, enabling rapid
discovery and recovery. Immediate detection of change enables the
fastest possible restoration back to a desired, good state.
Tripwire is a reliable intrusion detection system. It is
software that can be installed on any type of system where damaged
files are to be detected. The main attractive feature of this system is
that the software generates a report about which files have been
violated, when the files were violated and also what in the files
has been changed. To some extent it also helps to detect who made the
changes. New versions of Tripwire are under research and development.
The latest version under research is Tripwire for Open Source.
1. INTRODUCTION
2. TRIPWIRE FOR SERVERS
3. TRIPWIRE MANAGER
4. TRIPWIRE FOR NETWORK DEVICES
5. HOW TRIPWIRE WORKS?
6. ADVANTAGES
7. CONCLUSION
8. REFERENCES
I express my sincere gratitude to Dr. Agnisarman Namboodiri, Head of
the Department of Information Technology and Computer Science, for his
guidance and support in shaping this paper in a systematic way.
I am also greatly indebted to Mr. Saheer H.B. and
Ms. S.S. Deepa, Department of IT, for their valuable suggestions in the
preparation of the paper.
In addition I would like to thank all staff members of the IT department
and all my friends of S7 IT for their suggestions and constructive