Tripwire V1.2 Release (Finally!)
edu (Gene Spafford)
COAST, Department of Computer Sciences, Purdue Univ.
Tue, 30 Aug 1994 10:14:32 -0500
org, sage-security @
org, pcert-advisory @
edu, bugtraq @
com, firewalls @
COM, ids @
au, virus-l @
mil, cert-tools @
Announcing the release of version 1.2 of Tripwire! This version
supersedes all previous versions of Tripwire. Version 1.2 includes
several new features, small performance improvements, and several bug
fixes. This version also includes a new signature routine, porting
to new machines, support for symbolic links and HP CDF files, and
more. (See the list below.)
Version 1.2 of Tripwire is probably the final release of Tripwire for
some time to come. Gene Kim is no longer at Purdue, Spaf is on
sabbatical for the 1994/95 academic year, and no COAST sponsor has
shown particular interest in funding continued development.
Enclosed below is a brief description of what Tripwire is, a
description of how to get a copy of the source code, and a list of new
features added since the Version 1.1 release.
We greatly appreciate the time and effort expended by all the people
who beta-tested various versions of Tripwire over the last few years.
Without the contributions and reports of these people, we are certain
that the package would not be as complete as it is currently. We have
tried to acknowledge all our testers and contributors in the
documentation and ChangeLog file in this distribution; our sincere
apologies if we forgot anyone.
Also, our thanks to COAST sponsors and sponsors of COAST research
projects who helped fund this project, directly or indirectly. This
includes especially Bell Northern Research, Trident Data Systems, Sun
Microsystems and the US Air Force. (Be sure to read the COAST.info
30 August 1994
Gene Kim <gkim @
Gene Spafford <spaf @
What is Tripwire?
Tripwire is an integrity monitor for Unix systems. It uses several
checksum/message-digest/secure-hash/signature routines to detect
changes to files, as well as monitoring selected items of
system-maintained information. The system also monitors for changes
in permissions, links, and sizes of files and directories. It can be
made to detect additions or deletions of files from watched
The configuration of Tripwire is such that the system/security
administrator can easily specify files and directories to be monitored
or to be excluded from monitoring, and to specify files which are
allowed limited changes without generating a warning. Tripwire can
also be configured with customized signature routines for
Tripwire, once installed on a clean system, can detect changes from
intruder activity, unauthorized modification of files to introduce
backdoor or logic-bomb code, and virus activity (if any were to exist)
in the Unix environment.
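The detection model described above (a baseline of digests and attributes per path, later compared against the live filesystem, with some files allowed limited change) is illustrated by the following added example. It is not Tripwire's own code: it uses SHA-256 from Python's standard library in place of Tripwire's signature routines, records a subset of the attributes Tripwire stores, builds a small constructed directory tree in a temporary location, tampers with it, and reports the differences. Symbolic links are hashed by their target text rather than by the file they point to, so a re-pointed link is reported. The `ignore` map stands in for Tripwire's per-file selection of which changes are tolerated (for example, growth of a log file).

```python
"""Minimal file-integrity checker in the spirit of Tripwire (added example,
not part of the Tripwire distribution)."""
import hashlib
import os
import shutil
import stat
import tempfile


def snapshot_path(path):
    """Return the monitored attributes of one filesystem entry."""
    st = os.lstat(path)  # lstat: never follow symlinks when baselining
    entry = {
        "type": stat.S_IFMT(st.st_mode),
        "mode": stat.S_IMODE(st.st_mode),
        "nlink": st.st_nlink,
        # Directory sizes vary by filesystem, so only file/link sizes are kept
        "size": None if stat.S_ISDIR(st.st_mode) else st.st_size,
    }
    if stat.S_ISLNK(st.st_mode):
        # Hash the link target text itself, so re-pointing a link is detected
        data = os.readlink(path).encode()
    elif stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            data = f.read()
    else:
        data = b""
    # SHA-256 is an assumption of this example; Tripwire offers several routines
    entry["sha256"] = hashlib.sha256(data).hexdigest()
    return entry


def build_database(root):
    """Walk root and snapshot every directory, file and symlink under it."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = snapshot_path(full)
    return db


def compare(baseline, current, ignore=None):
    """Report added, deleted and changed entries between two databases.

    ignore maps a relative path to the set of attribute names whose changes
    are tolerated for that path (approximating Tripwire's selection masks).
    """
    ignore = ignore or {}
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in baseline[rel]
                 if baseline[rel][k] != current[rel][k]
                 and k not in ignore.get(rel, set())]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "deleted": deleted, "changed": changed}


def demo():
    """Constructed scenario: baseline a tree, alter it, then compare."""
    root = tempfile.mkdtemp(prefix="twdemo-")
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    with open(os.path.join(bindir, "login"), "wb") as f:
        f.write(b"#!/bin/sh\necho real login\n")
    with open(os.path.join(root, "messages.log"), "wb") as f:
        f.write(b"boot\n")
    os.symlink("bin/login", os.path.join(root, "sh"))

    baseline = build_database(root)

    # Simulated changes: modified binary, log growth (tolerated),
    # re-pointed symlink, and a newly added file
    with open(os.path.join(bindir, "login"), "wb") as f:
        f.write(b"#!/bin/sh\necho tampered login\n")
    with open(os.path.join(root, "messages.log"), "ab") as f:
        f.write(b"user logged in\n")
    os.remove(os.path.join(root, "sh"))
    os.symlink("other/login", os.path.join(root, "sh"))
    with open(os.path.join(bindir, "extra"), "wb") as f:
        f.write(b"new\n")

    current = build_database(root)
    report = compare(baseline, current,
                     ignore={"messages.log": {"size", "sha256"}})
    shutil.rmtree(root)
    return report


if __name__ == "__main__":
    print(demo())
```

Running the script prints the added path (`bin/extra`), the changed binary and the re-pointed link, while the grown log file is silent because its size and digest changes are listed as tolerated. As with Tripwire, the baseline is only meaningful if it was taken on a clean system and is itself stored where the monitored host cannot silently alter it.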
Tripwire is provided as source code with documentation. The system,
as delivered, performs no changes to system files and does not require
root privilege to run (in the general case). The code has been
extensively tested at many sites. Tripwire should work on almost any
version of Unix, from Xenix on 80386-based machines to Cray and ETA-10
supercomputers. It now even works properly on DEC Alphas, and on
Linux and BSDI systems!
Tripwire may be used without charge, but it may not be sold or
modified for sale. Tripwire was written as a project under the
auspices of the COAST Project at Purdue University. The primary
author was Gene Kim, with the aid and under the direction of Gene
Spafford (COAST Director).
Where to Get Tripwire
Copies of the Tripwire distribution may be obtained from
distribution is available as a compressed tar file. When you untar
the file, you will find another tar file, a Readme file, and a PGP
external signature to give proof against tampering.
A mailserver exists for distribution and to provide a means of
reporting bugs. To use the mail server, send e-mail to
edu" with a message body consisting solely
of the word "help". The server will respond with instructions on how
to get sources, patches (if any are issued), and how to report a bug
(which we hope doesn't happen!).
Questions, comments, complaints, bugfixes, etc. may be directed to:
edu (Gene Kim)
edu (Gene Spafford)
The address "tripwire @
edu" is aliased to both of us. The
mailserver and the "tripwire-request" address have been discontinued.
What's New in Version 1.2
Version 1.2 adds several new features, as well as fixing reported
bugs. Among the changes are:
- Signature checking for symbolic link contents has been added.
- Tripwire now correctly runs on Alpha AXPs, and other machines
with "long" types that are not 32 bits wide.
- The Haval digital hash routine has been added as the eighth
signature routine (faster than MD5, and purportedly
- The SHA signature routine has been changed to conform to the
recent fix introduced in its FIPS definition by NIST/NSA
to correct an unspecified weakness.
- The database format changes slightly to correct a boundary
condition error. Because database entry numbers change,
because the SHA signatures change, and because of Haval,
old Tripwire databases must be reinitialized.
- Handling specified configuration and database files (and file
descriptors) has been fixed to better accommodate pipes.
- Full support for flex added.
- Signature checking is now considerably faster through the use
of the stdio library for file I/O.
- A Perl script has been added to update Tripwire databases where
all inode numbers were changed by "fsirand" (NFS sites only);
- Another fix to make database updates more predictable.
- All reported bugs have been fixed in this revision.
- A new README section describes some documented attacks on
systems running Tripwire.
- Many small changes have been made to the documentation to correct
and update information.
NOTE: The script `twdb_check.pl' (written in Perl) has been added
to the distribution. It checks database consistency after updates of
the tw.config file. This functionality will be put into the Tripwire
program in the next release. Run this script after Tripwire database updates
to ensure that database entry numbers are consistent with the tw.config
file. See the README file for details (section 3.5.2).