Newsgroups: comp.sources.unix From: spaf@cs.purdue.edu (Gene Spafford) Subject: v27i155: tripwire-1.1 - security integrity monitor, V1.1, Part09/26 References: <1.756157401.21864@gw.home.vix.com> Sender: unix-sources-moderator@gw.home.vix.com Approved: vixie@gw.home.vix.com Submitted-By: spaf@cs.purdue.edu (Gene Spafford) Posting-Number: Volume 27, Issue 155 Archive-Name: tripwire-1.1/part09 #! /bin/sh # This is a shell archive. Remove anything before this line, then unpack # it by saving it into a file and typing "sh file". To overwrite existing # files, type "sh file -c". You can also feed this as standard input via # unshar, or by typing "sh 'tripwire-1.1/docs/designae' <<'END_OF_FILE' X(than)0 1551 y(\014lter)i(meaningful)g(ev)o(en)o(ts)f(from)g(a)g(collection)i X(of)d(all)i(p)q(ossible)h(ev)o(en)o(ts.)0 1693 y Fg(2.3)56 Xb(Database)19 b(issues)0 1798 y Fp(The)11 b(database)g(used)h(b)o(y)f(the)g X(in)o(tegrit)o(y)g(c)o(hec)o(k)o(er)g(should)h(b)q(e)g(protected)f(from)g X(unauthorized)h(mo)q(di\014cations;)h(an)0 1855 y(in)o(truder)j(who)f(can)g X(c)o(hange)h(the)f(database)g(can)g(sub)o(v)o(ert)g(the)h(en)o(tire)f(in)o X(tegrit)o(y)h(c)o(hec)o(king)g(sc)o(heme.)k(Although)0 1911 Xy(the)i(system)f(administrator)h(can)g(secure)g(the)g(database)f(b)o(y)h X(storing)f(it)h(on)g(some)g(media)g(inaccessible)j(to)0 1967 Xy(remote)15 b(in)o(truders)h(\(e.g.,)e(pap)q(er)i(prin)o(tout\),)f(usabilit)o X(y)h(is)g(sacri\014ced.)22 b(A)16 b(database)f(stored)g(in)h(some)f(mac)o X(hine)0 2024 y(readable)e(format)e(ma)o(y)g(risk)i(unauthorized)g(mo)q X(di\014cation,)g(but)g(allo)o(ws)f(the)g(in)o(tegrit)o(y)g(c)o(hec)o(king)h X(pro)q(cess)g(to)e(b)q(e)0 2080 y(automated.)18 b(Storing)11 Xb(the)h(database)f(on)h(read-only)g(media)g(pro)o(vides)g(the)g(b)q(est)g(of) Xf(b)q(oth)g(approac)o(hes,)h(allo)o(wing)0 2137 y(mac)o(hine)k(access)g(but)g X(prev)o(en)o(ting)g(c)o(hanges.)21 b(This)16 b(also)g(will)h(allo)o(w)f X(users)f(to)g(use)h(the)g(to)q(ol)f(to)g(monitor)g(their)0 X2193 y(o)o(wn)g(\014les,)g(if)h(they)f(wish.)71 2269 y(After)k(a)h(rep)q X(orted)g(\014le)h(addition,)h(deletion,)g(or)d(c)o(hange)h(is)h(determined)g X(to)f(b)q(e)g(b)q(enign,)i(the)f(database)0 2326 y(should)13 Xb(b)q(e)g(up)q(dated)g(to)e(re\015ect)h(the)g(c)o(hange.)19 Xb(This)13 b(prev)o(en)o(ts)f(the)g(c)o(hange)g(from)f(app)q(earing)i(in)g X(future)f(rep)q(orts.)0 2382 y(F)l(urthermore,)g(comparisons)h(for)f(c)o X(hanged)h(\014les)h(should)g(b)q(e)f(made)g(with)g(up-to-date)g(information.) X19 b(Up)q(dating)0 2439 y(a)c(database)f(stored)g(on)h(read-only)h(media)g(p) Xq(oses)f(ob)o(vious)g(pro)q(cedural)h(di\016culties.)22 b(The)15 Xb(in)o(tegrit)o(y)g(c)o(hec)o(king)0 2495 y(proto)q(col)e(m)o(ust)f(allo)o(w) Xh(some)g(mec)o(hanism)g(or)g(pro)q(cedure)h(for)e(the)h(secure)g X(installation)i(of)d(up)q(dated)i(databases.)p 0 2535 780 2 Xv 52 2562 a Fo(3)69 2577 y Fm(This)g(is)f(quite)h(similar)i(to)d(the)g X(problem)h(of)f(audit)h(trail)g(reduction.)52 2607 y Fo(4)69 X2623 y Fm(Hence)f(the)g(original)j(motiv)n(ation)f(for)e(the)g(name)h(\\T)m X(rip)o(wire.")964 2790 y Fp(4)p eop X%%Page: 5 5 X4 bop 71 307 a Fp(Because)17 b(\014les)g(systems)f(are)g(dynamic)h(in)h X(nature,)e(their)h(asso)q(ciated)f(databases)g(ma)o(y)g(require)h(up)q X(dating)0 364 y(often.)j(Therefore,)14 b(up)q(dating)i(sp)q(eci\014c)h(en)o X(tries)e(should)h(not)f(require)h(regenerating)f(the)g(en)o(tire)h(database.) Xj(As)0 420 y(man)o(y)d(\014les)i(ma)o(y)e(c)o(hange,)h(en)o(umerating)g(eac)o X(h)g(\014le)h(to)e(b)q(e)h(up)q(dated)h(could)g(b)q(e)f(tedious.)26 Xb(T)l(edium)18 b(should)f(b)q(e)0 477 y(a)o(v)o(oided)e(to)g(encourage)g(and) Xh(supp)q(ort)f(use)g(of)g(the)g(to)q(ol.)71 553 y(The)d(database)f(should)i X(con)o(tain)f(no)g(information)g(that)f(allo)o(ws)h(an)g(in)o(truder)h(to)e X(compromise)h(the)g(in)o(tegrit)o(y)0 609 y(c)o(hec)o(king)17 Xb(sc)o(heme.)23 b(This)17 b(allo)o(ws)f(databases)f(to)h(b)q(e)h(shipp)q(ed)h X(with)e(soft)o(w)o(are)e(distribution)k(pac)o(k)m(ages,)e(whose)0 X665 y(circulation)h(can)e(not)g(b)q(e)h(easily)g(restricted.)0 X807 y Fg(2.4)56 b(File)17 b(signature)h(issues)0 912 y Fp(Selection)f(of)f X(appropriate)f(signatures)h(to)f(use)h(in)g(an)g(in)o(tegrit)o(y)g(c)o(hec)o X(king)g(to)q(ol)g(should)g(help)h(engender)g(trust)0 969 y(in)e(the)e(to)q X(ol.)20 b(Th)o(us,)13 b(it)h(is)h(imp)q(ortan)o(t)e(to)g(address)h(issues)g X(related)g(to)g(the)f(selection)j(of)d(one)h(or)f(more)g(functions)0 X1025 y(to)i(generate)g(the)g(\014le)h(signatures.)0 1165 y XFf(2.4.1)52 b(Change)17 b(detection)0 1270 y Fp(A)d(simple)i(metho)q(d)e(for) Xg(detecting)h(a)f(c)o(hanged)g(\014le)i(is)e(comparing)h(it)f(against)g(a)g X(previously)i(made)e(cop)o(y)l(.)19 b(This)0 1327 y(has)13 Xb(the)g(adv)m(an)o(tage)f(of)h(giving)h(system)e(administrators)h(the)g X(abilit)o(y)h(to)f(tell)h(exactly)f(what)g(c)o(hange)g(w)o(as)f(made)0 X1383 y(to)18 b(the)h(\014le.)32 b(Ho)o(w)o(ev)o(er,)18 b(this)h(metho)q(d)g X(is)h(resource)f(and)g(time)g(in)o(tensiv)o(e,)h(p)q(oten)o(tially)g X(doubling)h(the)e(space)0 1439 y(used)12 b(b)o(y)g(the)g(\014le)h(system)f X(and)g(necessitating)g(further)g(supp)q(ort)g(from)f(system)h(administration) Xg(sta\013.)18 b(In)12 b(man)o(y)0 1496 y(cases,)j(kno)o(wing)g(that)g(a)f(c)o X(hange)i(has)f(b)q(een)h(made)f(is)h(all)g(that)f(is)g(necessary)l(.)71 X1572 y(A)e(more)h(e\016cien)o(t)g(metho)q(d)g(w)o(ould)g(record)g(the)f X(\014le's)i(\014xed-size)g(signature)f(in)g(the)g(database.)19 Xb(One)c(conse-)0 1628 y(quence)i(of)f(\014xed-sized)i(signatures)e(is)h(m)o X(ultiple)h(mappings:)23 b(for)15 b(an)o(y)h(giv)o(en)h(signature)f(generated) Xg(b)o(y)g(a)g(\014le,)0 1685 y(there)d(are)f(man)o(y)h(\(p)q(ossibly)h X(in\014nite\))g(other)e(\014les)i(of)e(v)m(arying)i(sizes)f(that)f(also)h X(generate)g(that)f(same)g(signature.)0 1741 y(What)20 b(is)h(imp)q(ortan)o(t) Xf(here)h(is)g(that)f(the)h(functions)g(b)q(e)g(c)o(hosen)g(suc)o(h)g(that)f X(it)g(is)h(highly)h(unlik)o(ely)h(that)d(an)0 1798 y(attac)o(k)o(er)14 Xb(could)i(alter)f(a)g(\014le)h(in)g(suc)o(h)g(a)f(w)o(a)o(y)f(that)g(it)i X(coinciden)o(tally)i(retains)d(its)g(original)i(signatures.)0 X1937 y Ff(2.4.2)52 b(Signature)18 b(sp)q(o)q(o\014ng)0 2043 Xy Fp(In)o(truders)j(could)h(mo)q(dify)g(a)e(\014le)i(and)f(remain)h X(undetected)g(in)f(an)g(in)o(tegrit)o(y)g(c)o(hec)o(king)h(sc)o(heme)f(using) Xh(\014le)0 2099 y(signatures)17 b(if)g(the)g(\014le)h(can)e(b)q(e)i(further)e X(mo)q(di\014ed)j(to)d(generate)g(the)h(same)f(signature)h(as)g(the)f X(original.)26 b(Tw)o(o)0 2156 y(metho)q(ds)20 b(for)e(\014nding)j(suc)o(h)f X(a)f(mo)q(di\014cation)i(are)e(brute)g(force)h(searc)o(h,)g(and)f(in)o(v)o X(erting)h(then)g(sp)q(o)q(o\014ng)g(the)0 2212 y(signature)15 Xb(function.)71 2288 y(Giv)o(en)e(a)f(mo)q(di\014ed)i(\014le,)g(someone)f X(using)h(a)e(brute)h(force)g(searc)o(h)f(w)o(ould)h(iterativ)o(ely)h(scan)f X(for)f(an)h(o\013setting)0 2345 y(c)o(hange)j(in)h(the)f(\014le)h(that)e X(yields)j(the)e(desired)h(signature.)22 b(F)l(or)16 b(a)f(signature)h(of)g X(size)h Fe(n)f Fp(bits,)g(on)g(a)o(v)o(erage,)f(one)0 2401 Xy(migh)o(t)g(exp)q(ect)h(to)f(p)q(erform)g(2)525 2385 y Fd(n)p XFc(\000)p Fi(1)608 2401 y Fp(attempts)f(to)h(\014nd)h(suc)o(h)f(a)g X(signature)g(collision.)71 2477 y(F)l(or)d(small)i(\014les,)g(this)g(searc)o X(h)f(is)h(a)f(trivial)h(op)q(eration)g(using)g(high-sp)q(eed,)h(general-purp) Xq(ose)g(w)o(orkstations.)0 2534 y(Consider)i(the)f(case)h(of)e(\014nding)j(a) Xe(duplicate)i(signature)f(for)e(the)i Fb(/bin/login)d Fp(program)i(under)h X(SunOS)g(4.1.)0 2590 y(This)k(is)g(a)f(47)f(kilob)o(yte)i(binary)g(\014le.)36 Xb(Using)21 b(a)f(SparcStation)g(1+)h(\(a)e(common)h(12.5)f(MIPS)i(mac)o X(hine\),)g(a)964 2790 y(5)p eop X%%Page: 6 6 X5 bop 115 267 1721 2 v 114 324 2 57 v 592 307 a Ff(F)l(requency)16 Xb(of)h(Signature)i(Collisions)p 1834 324 V 114 380 V 775 363 Xa Fp(\(254,686)13 b(signatures\))p 1834 380 V 115 382 1721 X2 v 114 438 2 57 v 611 438 V 611 438 V 935 421 a(Num)o(b)q(er)j(of)f X(collisions)p 1663 438 V 1672 438 V 1834 438 V 612 440 1061 X2 v 114 516 2 78 v 140 470 a(Signature)p 611 516 V 728 499 Xa(1)p 774 516 V 117 w(2)p 915 516 V 118 w(3)p 1056 516 V 95 Xw(4)p 1174 516 V 95 w(5)p 1292 516 V 72 w(6)p 1387 516 V 73 Xw(7)p 1482 516 V 49 w(8)p 1555 516 V 50 w Fe(>)p Fp(9)p 1663 X516 V 1672 516 V 1706 470 a(T)l(otal)p 1834 516 V 115 518 1721 X2 v 115 528 V 114 584 2 57 v 140 567 a(16-bit)g(c)o(hec)o(ksum)g(\()p XFa(sum)p Fp(\))p 611 584 V 48 w(14177)p 774 584 V 48 w(6647)p X915 584 V 49 w(2437)p 1056 584 V 49 w(800)p 1174 584 V 49 w(235)p X1292 584 V 49 w(62)p 1387 584 V 49 w(12)p 1482 584 V 49 w(2)p X1555 584 V 85 w(1)p 1663 584 V 1672 584 V 58 w(24375)p 1834 X584 V 114 641 V 140 624 a(16-bit)g(CR)o(C)p 611 641 V 268 w(15022)p X774 641 V 48 w(6769)p 915 641 V 49 w(2387)p 1056 641 V 49 w(677)p X1174 641 V 49 w(164)p 1292 641 V 49 w(33)p 1387 641 V 72 w(5)p X1482 641 V 49 w(0)p 1555 641 V 85 w(0)p 1663 641 V 1672 641 XV 58 w(25059)p 1834 641 V 114 697 V 140 680 a(32-bit)g(CR)o(C)p X611 697 V 359 w(3)p 774 697 V 117 w(1)p 915 697 V 118 w(1)p X1056 697 V 95 w(0)p 1174 697 V 95 w(0)p 1292 697 V 72 w(0)p X1387 697 V 73 w(0)p 1482 697 V 49 w(0)p 1555 697 V 85 w(0)p X1663 697 V 1672 697 V 149 w(5)p 1834 697 V 114 754 V 140 737 Xa(64-bit)g(DES-CBC)p 611 754 V 253 w(1)p 774 754 V 117 w(1)p X915 754 V 118 w(0)p 1056 754 V 95 w(0)p 1174 754 V 95 w(0)p X1292 754 V 72 w(0)p 1387 754 V 73 w(0)p 1482 754 V 49 w(0)p X1555 754 V 85 w(0)p 1663 754 V 1672 754 V 149 w(2)p 1834 754 XV 114 810 V 140 793 a(128-bit)g(MD4)p 611 810 V 334 w(0)p 774 X810 V 117 w(0)p 915 810 V 118 w(0)p 1056 810 V 95 w(0)p 1174 X810 V 95 w(0)p 1292 810 V 72 w(0)p 1387 810 V 73 w(0)p 1482 X810 V 49 w(0)p 1555 810 V 85 w(0)p 1663 810 V 1672 810 V 149 Xw(0)p 1834 810 V 114 867 V 140 850 a(128-bit)g(MD5)p 611 867 XV 334 w(0)p 774 867 V 117 w(0)p 915 867 V 118 w(0)p 1056 867 XV 95 w(0)p 1174 867 V 95 w(0)p 1292 867 V 72 w(0)p 1387 867 XV 73 w(0)p 1482 867 V 49 w(0)p 1555 867 V 85 w(0)p 1663 867 XV 1672 867 V 149 w(0)p 1834 867 V 114 923 V 140 906 a(128-bit)g(Snefru)p X611 923 V 307 w(0)p 774 923 V 117 w(0)p 915 923 V 118 w(0)p X1056 923 V 95 w(0)p 1174 923 V 95 w(0)p 1292 923 V 72 w(0)p X1387 923 V 73 w(0)p 1482 923 V 49 w(0)p 1555 923 V 85 w(0)p X1663 923 V 1672 923 V 149 w(0)p 1834 923 V 115 925 1721 2 v X0 1002 a(T)l(able)k(1:)25 b(Collision)20 b(frequencies)f(of)f(signatures)g X(gathered)g(from)f(\014le)i(systems)e(at)h(Purdue)g(Univ)o(ersit)o(y)h(and)0 X1058 y(Sun)d(Microsystems,)e(Inc.)0 1242 y(duplicate)j(16-bit)e(CR)o(C)g(\()p XFj(Cyclic)g(R)n(e)n(dundancy)h(Che)n(ckc)n(o)n(de)p Fp(\))d(signature)i X(preserving)h(the)g(\014le's)f(length)h(can)f(b)q(e)0 1298 Xy(found)h(in)g(0.42)e(seconds.)20 b(A)15 b(duplicate)i(32-bit)e(CR)o(C)g X(signature)h(can)f(b)q(e)h(found)f(in)h(four)f(hours.)71 1374 Xy(Ho)o(w)o(ev)o(er,)g(exhaustiv)o(e)j(searc)o(h)e(b)q(ecomes)i(unnecessary)f X(if)h(one)f(exploits)g(kno)o(wledge)h(of)e(the)h(w)o(orkings)f(of)0 X1430 y(the)j(signature)f(function)i(itself.)31 b(By)18 b(understanding)i(ho)o X(w)e(a)g(function)i(generates)e(a)g(signature,)h(one)g(could)0 X1487 y(rev)o(erse-engineer)g(the)f(function.)30 b(F)l(or)17 Xb(an)o(y)h(desired)h(signature,)f(an)g(in)o(truder)h(could)g(rev)o(erse)f X(the)g(signature)0 1543 y(function)e(and)f(generate)g(an)g(arbitrary)g X(\014le)h(that)f(also)g(yields)i(that)d(signature[14)o(].)71 X1619 y(F)l(or)19 b(these)h(reasons,)g(message-digest)g(algorithms)f(\(also)h X(kno)o(wn)f(as)g(one-w)o(a)o(y)g(hash)h(functions,)i(\014nger-)0 X1676 y(prin)o(ting)17 b(routines,)g(or)f(manipulation)i(detection)f(co)q X(des\))g(as)f(describ)q(ed)i(in)g([7)o(,)e(15)o(,)g(14])g(b)q(ecome)h(v)m X(aluable)h(as)0 1732 y(in)o(tegrit)o(y)g(c)o(hec)o(king)g(to)q(ols.)27 Xb(Message-digests)17 b(are)g(usually)i(large,)f(often)f(at)g(least)h(128)e X(bits,)i(and)g(computa-)0 1789 y(tionally)e(infeasible)i(to)c(rev)o(erse.)0 X1928 y Ff(2.4.3)52 b(Empirical)19 b(results)71 2034 y Fp(T)l(able)e(1)f(sho)o X(ws)f(signature)i(collision)h(frequencies)g(for)e(254,686)e(\014les.)24 Xb(These)17 b(signatures)f(w)o(ere)g(gathered)0 2090 y(from)g(\014le)h X(systems)f(residing)i(on)f(\014v)o(e)f(computers)h(at)f(Purdue)h(Univ)o X(ersit)o(y)g(and)g(t)o(w)o(o)e(computers)h(at)g(Sun)i(Mi-)0 X2147 y(crosystems,)12 b(Inc.)19 b(These)13 b(\014les)g(w)o(ere)e(in)i(activ)o X(e)g(user)f(directories)h(and)f(source)g(trees,)g(and)g(are)g(a)g(represen)o X(tativ)o(e)0 2203 y(sampling)18 b(of)e(\014les)i(residing)g(on)f(large,)g X(timeshared,)h(general)f(purp)q(ose)h(serv)o(ers)e(and)h(large)g(\014le)h X(serv)o(ers)e(used)0 2260 y(as)f(source)g(rep)q(ositories.)71 X2336 y(Eac)o(h)10 b(\014le)h(examined)g(had)g(its)f(signatures)h(generated)f X(using)h(\(in)g(order\))f(the)g(16-bit)h(SunOS)g Fa(sum)d Fp(command,)0 X2392 y(t)o(w)o(o)k(standard)g(CR)o(C)h(algorithms,)g(the)f(\014nal)i(64)e X(bits)i(from)e(a)g(DES-CBC[6])g(enco)q(ded)i(v)o(ersion)f(of)g(the)g(\014le,) Xh(and)0 2449 y(the)f(128-bit)g(v)m(alues)i(tak)o(en)d(from)h(standard)f X(message)h(digest)h(functions.)19 b(The)14 b(large)f(n)o(um)o(b)q(er)g(of)g X(collisions)j(for)0 2505 y(the)f(16-bit)g(signatures,)g(and)g(the)h(absence)f X(of)g(an)o(y)g(collisions)i(for)d(the)h(128-bit)g(signatures,)g(helps)h(to)f X(con\014rm)0 2561 y(our)g(b)q(elief)i(that)e(larger)g(signatures)g(are)g X(unlik)o(ely)i(to)e(collide)i(b)o(y)e(acciden)o(t.)71 2637 Xy(W)l(e)d(also)h(generated)f(empirical)i(supp)q(ort)f(of)f(the)g(di\016cult)o X(y)i(of)e(sp)q(o)q(o\014ng)h(128-bit)f(signatures.)19 b(An)13 Xb(attempt)964 2790 y(6)p eop X%%Page: 7 7 X6 bop 0 307 a Fp(w)o(as)21 b(made)g(to)g(\014nd)h(a)f(duplicate)i(Snefru[14]) Xe(signature)h(for)f(the)g Fb(/bin/login)f Fp(program)g(using)j(130)d(Sun)0 X364 y(w)o(orkstations.)265 347 y Fi(5)309 364 y Fp(Ov)o(er)e(a)f(time)g(of)g X(sev)o(eral)g(w)o(eeks,)h(17)e(million)k(signatures)d(w)o(ere)g(generated)h X(and)f(compared)0 420 y(with)11 b(ten)h(thousand)f(stored)g(signatures,)g X(the)g(maxim)o(um)h(n)o(um)o(b)q(er)f(of)g(signatures)g(that)f(\014t)h(in)h X(memory)f(without)0 477 y(forcing)19 b(virtual)g(memory)f(page)h(faults)f(on) Xh(eac)o(h)g(searc)o(h)f(iteration.)31 b(Appro)o(ximately)19 Xb(2)1586 460 y Fi(24)1642 477 y Fp(signatures)f(w)o(ere)0 533 Xy(searc)o(hed)d(without)h(\014nding)g(an)o(y)f(collisions,)i(lea)o(ving)f X(appro)o(ximately)f(10)1294 517 y Fi(15)1346 533 y Fp(remaining)i(unsearc)o X(hed.)0 674 y Fg(2.5)56 b(P)n(erformance)17 b(and)i(resource)f(issues)0 X780 y Fp(Detecting)c(\014le)h(tamp)q(ering)f(b)o(y)g(comparing)f(eac)o(h)h X(\014le)h(against)e(a)h(duplicate)h(cop)o(y)f(is)g(easy)g(to)f(do,)g(but)h X(requires)0 836 y(considerable)19 b(storage)d(and)i(time.)26 Xb(Generating)18 b(and)f(comparing)h(\014le)g(signatures)f(ma)o(y)g(require)h X(more)f(com-)0 893 y(putation,)g(but)g(it)g(requires)h(less)g(storage.)24 Xb(Some)17 b(signature)g(functions)g(are)g(quite)h(exp)q(ensiv)o(e)g(to)e X(execute)i(in)0 949 y(soft)o(w)o(are,)e(while)i(others)f(are)g(simpler.)28 Xb(Lo)q(cal)18 b(p)q(olicy)h(should)f(dictate)g(the)f(signatures)h(and)f X(resources)g(used)0 1005 y(to)e(satisfy)f(the)i(lev)o(el)g(of)f(trust)g X(desired.)0 1147 y Fg(2.6)56 b(Other)18 b(issues)0 1252 y Fp(Securit)o(y)k X(to)q(ols)f(should)h(b)q(e)g(completely)h(self-contained,)h(needing)f(no)e X(auxiliary)i(programs)d(to)g(run.)39 b(F)l(or)0 1309 y(example,)18 Xb(an)e(in)o(tegrit)o(y)h(c)o(hec)o(k)o(er)g(that)f(dep)q(ends)i(on)f X(utilities)i(suc)o(h)e(as)f Fb(diff)g Fp(or)g Fb(sum)h Fp(could)g(b)q(e)h X(sub)o(v)o(erted)e(if)0 1365 y(either)g(of)e(those)h(programs)f(w)o(ere)g X(compromised.)21 b(Th)o(us,)14 b(b)o(y)h(making)g(this)h(to)q(ol)f(self-con)o X(tained,)h(it)f(w)o(ould)g(b)q(e)0 1422 y(p)q(ossible)i(to)e(run)g(the)g X(program)f(without)i(relying)g(on)f(outside,)g(p)q(oten)o(tially)i X(vulnerable,)g(help)q(er)f(programs.)71 1498 y(The)c(database)f(for)h(the)g X(to)q(ol)g(should)h(b)q(e)f(h)o(uman-readable.)20 b(This)13 Xb(not)e(only)i(pro)o(vides)f(an)g(alternate)g(means)0 1554 Xy(of)j(c)o(hec)o(king)i(the)f(database)g(for)f(p)q(oten)o(tial)i(tamp)q X(ering)f(\(e.g.,)e(comparison)j(against)e(a)h(prin)o(ted)g(cop)o(y\),)g(but)g X(it)0 1610 y(also)j(pro)o(vides)g(a)f(means)g(for)g(users)h(to)f(v)o(erify)h X(individual)j(\014les.)31 b(By)19 b(including)i(a)d(standalone)h(program)f X(to)0 1667 y(apply)f(the)f(signature)g(functions)h(to)e(an)h(arbitrary)f X(\014le,)i(a)f(user)g(could)h(compare)f(this)g(against)g(the)g(signature)0 X1723 y(database.)71 1799 y(The)h(program)f(should)i(b)q(e)g(able)g(to)e(run)h X(without)h(privilege,)h(p)q(ossibly)f(on)f(a)g(user's)g(priv)m(ate)h(set)f X(of)f(\014les.)0 1856 y(Additionally)l(,)k(it)d(should)h(only)f(rep)q(ort,)g X(and)g(not)f(e\013ect,)h(c)o(hanges.)25 b(Although)18 b(a)e(user)h(could)h X(use)f(the)g(to)q(ol's)0 1912 y(output)d(to)g(driv)o(e)h(c)o(hanges,)f(the)g X(to)q(ol)h(itself)g(w)o(ould)g(not)f(pro)o(vide)h(an)o(y)f(explicit)i(means)f X(of)e(making)i(alterations)0 1969 y(to)f(the)g(system.)19 b(This)c(w)o(as)f X(also)g(one)h(of)f(the)g(principles)k(at)13 b(the)i(heart)f(of)g(the)g(COPS)h X(to)q(ol,[8)o(])f(and)h(one)f(whic)o(h)0 2025 y(w)o(e)h(b)q(eliev)o(e)i(con)o X(tributed)f(greatly)f(to)f(its)i(wide-spread)g(acceptance)g(and)f(use.)0 X2188 y Fq(3)69 b(Existing)22 b(T)-6 b(o)r(ols)0 2309 y Fp(Most)10 Xb(a)o(v)m(ailable)i Fl(UNIX)g Fp(securit)o(y)f(to)q(ols)g(fall)h(in)o(to)e(t) Xo(w)o(o)g(categories:)17 b(static)11 b(audit)h(to)q(ols)e(and)h(in)o(tegrit)o X(y)g(c)o(hec)o(k)o(ers.)0 2366 y(Among)17 b(the)h(most)e(prominen)o(t)i(are)g X(COPS[8)o(],)g(T)l(AMU[20)o(],)f(crc)p 1158 2366 14 2 v 16 Xw(c)o(hec)o(k[8],)g(Hobgoblin[13)q(],)g(and)h(A)l(TP[25)o(].)1931 X2349 y Fi(6)0 2422 y Fp(A)f(few)f(commercial)i(securit)o(y)f(to)q(ols)g(also) Xg(exist,)g(but)g(they)f(are)h(comparable)g(to)f(the)h(user-comm)o(unit)o(y)g X(to)q(ols)p 0 2462 780 2 v 52 2488 a Fo(5)69 2504 y Fm(W)m(e)c(measured)h(a)f X(Sun)h(SparcStation)h(1)e(as)h(capable)g(of)f(generating)i(37)e(Snefru)h X(signatures)g(p)q(er)g(second)52 2534 y Fo(6)69 2550 y Fm(SPI,)g(a)f X(widely-used)j(to)q(ol)f(dev)o(elop)q(ed)h(b)o(y)e(the)f(U.)g(S.)h(Departmen) Xo(t)g(of)g(Energy)g(and)h(the)f(U.)f(S.)g(Air)h(F)m(orce,)g(is)g(not)g X(discussed)0 2596 y(in)g(this)g(pap)q(er;)f(future)g(releases)i(of)d(SPI)h X(are)h(to)e(b)q(e)i(based)g(on)f(the)g(COPS)g(to)q(ol.)964 X2790 y Fp(7)p eop X%%Page: 8 8 X7 bop 0 307 a Fp(men)o(tioned)23 b(here.)40 b(While)24 b(man)o(y)d(of)h X(these)g(to)q(ols)g(ma)o(y)f(b)q(e)h(outstanding)g(in)h(their)g(o)o(wn)e X(righ)o(t,)i(most)e(are)0 364 y(mismatc)o(hes)15 b(for)g(in)o(tegrit)o(y)g(c) Xo(hec)o(king)h(in)g Fl(UNIX)g Fp(en)o(vironmen)o(ts.)0 505 Xy Fg(3.1)56 b(COPS)0 610 y Fp(COPS)23 b(serv)o(es)f(as)g(a)g(go)q(o)q(d)h(b)q X(enc)o(hmark)g(for)e(static)i(audit)g(to)q(ols.)41 b(F)l(reely)23 Xb(distributed)h(since)g(1989,)f(it)f(is)0 667 y(widely)d(used)f(and)f(supp)q X(orts)h(a)f(large)g(n)o(um)o(b)q(er)h(of)f Fl(UNIX)h Fp(platforms.)25 Xb(It)18 b(is)g(comprehensiv)o(e,)g(con\014gurable,)0 723 y(and)g(thorough.)29 Xb(Ho)o(w)o(ev)o(er,)18 b(as)g(a)g(static)g(audit)g(to)q(ol,)h(it)g(do)q(es)f X(not)g(aid)h(in)g(in)o(trusion)g(detection)g(other)f(than)0 X780 y(iden)o(tifying)f(kno)o(wn)e(a)o(v)o(en)o(ues)g(of)g(p)q(enetration.)71 X856 y(The)f(lac)o(k)g(of)g(in)o(tegrit)o(y)g(monitoring)h(in)g(COPS)g(w)o(as) Xe(addressed)i(after)e(its)h(release)h(b)o(y)f(the)h(addition)g(of)f(the)0 X912 y Fk(crc)p 61 912 14 2 v 17 w(c)o(hec)o(k)g Fp(program.)k(It)d(is)f(a)g X(\\c)o(hec)o(klisting")i(program,)c(similar)k(to)d(the)i(shell)g(scripts)g X(describ)q(ed)h(in)f([9)o(,)f(4].)19 b(It)0 969 y(is)f(based)f(on)h(a)f X(simple)h(CR)o(C)f(c)o(hec)o(ksum)h(of)f(the)g(\014les)i(b)q(eing)f X(monitored.)26 b(Numerous)18 b(problems)g(prev)o(en)o(t)f(it)0 X1025 y(from)11 b(b)q(eing)j(a)e(comprehensiv)o(e)h(in)o(tegrit)o(y)f(c)o(hec) Xo(king)h(solution)g(as)f(w)o(e)f(ha)o(v)o(e)h(outlined)i(in)f(the)f(previous) Xh(sections.)71 1101 y(Most)h(ob)o(vious)i(is)g(the)g(lac)o(k)g(of)f X(extensibilit)o(y)j(and)e(\015exibilit)o(y)i(in)f(crc)p 1284 X1101 V 16 w(c)o(hec)o(k.)22 b(It)15 b(is)h(imp)q(ossible)i(to)d(up)q(date)0 X1158 y(a)20 b(database)f(en)o(try)h(without)g(regenerating)h(the)f(en)o(tire) Xg(database.)34 b(Exp)q(erience)22 b(has)e(sho)o(wn)g(that)g(a)f(more)0 X1214 y(sophisticated)14 b(program)e(is)i(necessary)f(to)f(b)q(e)i(useful.)20 Xb(F)l(or)13 b(larger)f(sites,)i(main)o(taining)g(crc)p 1583 X1214 V 16 w(c)o(hec)o(k)g(is)f(esp)q(ecially)0 1270 y(tedious.)71 X1346 y(crc)p 132 1346 V 16 w(c)o(hec)o(k)k(do)q(es)f(not)g(allo)o(w)g(all)h X(the)f(\014elds)i(in)e(the)h Fl(UNIX)f Fp(\014le)h(ino)q(de)h(structure)d(to) Xh(b)q(e)h(monitored.)22 b(This)0 1403 y(prev)o(en)o(ts)e(certain)h(c)o X(hanges)f(from)g(b)q(eing)i(monitored.)35 b(F)l(urthermore,)21 Xb(the)f(rep)q(orting)h(cannot)f(b)q(e)h(tailored)0 1459 y(within)g(crc)p X207 1459 V 17 w(c)o(hec)o(k.)35 b(Although)21 b(\014lter)g(programs)e(can)i X(b)q(e)f(written)h(to)e(transform)g(the)i(output,)g(relying)g(on)0 X1516 y(outside)16 b(programs)e(that)g(can)i(b)q(e)g(sub)o(v)o(erted)f(in)o X(tro)q(duces)h(another)f(p)q(oin)o(t)g(of)g(compromise.)71 X1592 y(The)20 b(use)g(of)f(CR)o(C)g(signatures)h(are)f(p)q(o)q(orly)i(suited) Xf(for)f(in)o(tegrit)o(y)h(c)o(hec)o(king.)34 b(Originally)22 Xb(in)o(tended)g(for)0 1648 y(hardw)o(are-based)12 b(error-detection,)g(CR)o X(C)f(functions)i(w)o(ere)e(designed)j(to)d(detect)h(m)o(ultiple)h(bit)g X(errors)e(in)h(a)g(data)0 1705 y(stream)18 b(\(e.g.,)g([3)o(]\).)30 Xb(Rev)o(ersing)20 b(the)f(CR)o(C)f(function)i(to)e(yield)i(a)f(desired)h X(signature)f(is)g(a)f(w)o(ell-understo)q(o)q(d)0 1761 y(pro)q(cess,)d(and)g X(to)q(ols)h(to)e(assist)h(a)g(p)q(oten)o(tial)h(in)o(truder)g(are)f(widely)h X(a)o(v)m(ailable[10)q(].)0 1903 y Fg(3.2)56 b(T)-5 b(AMU)0 X2008 y Fp(T)l(AMU)19 b(is)h(a)g(set)f(of)g(securit)o(y)h(utilities)h(b)q X(eing)g(distributed)g(b)o(y)f(T)l(exas)f(A&M)h(Univ)o(ersit)o(y)l(.[20)o(])f X(Included)j(in)0 2064 y(the)d(pac)o(k)m(age)h(is)g(a)e(static)i(audit)f(to)q X(ol,)h(a)f(signature)h(database)f(to)f(c)o(hec)o(k)i(system)f(binaries)h X(against)f(kno)o(wn)0 2121 y(signatures)10 b(of)g(patc)o(h)g(\014les,)i(and)f X(a)f(sophisticated)h(net)o(w)o(ork)f(tra\016c)f(analyzer)i(that)f(aids)g X(system)g(administrators)0 2177 y(in)16 b(assessing)f(outside)h(threats.)71 X2253 y(T)l(AMU)10 b(is)h(shipp)q(ed)h(with)f(a)f(database)g(of)g(signatures)h X(for)f(system)g(binaries)i(of)e(p)q(opular)h(op)q(erating)g(systems.)0 X2310 y(T)l(AMU)h(compares)h(signatures)g(of)f(critical)i(system)e(\014les)i X(against)e(those)g(stored)g(in)i(its)f(database)f(to)g(determine)0 X2366 y(whether)i(they)g(matc)o(h)f(an)o(y)g(of)h(the)f(kno)o(wn)h(v)o X(ersions.)20 b(T)l(AMU)13 b(can)h(th)o(us)g(notify)f(the)h(securit)o(y)g X(administrators)0 2423 y(of)j(binaries)i(with)f(securit)o(y)f(patc)o(hes)h X(that)e(ha)o(v)o(e)i(not)f(b)q(een)h(installed)h(b)o(y)f(the)f(op)q(erating)h X(system)f(v)o(endor)g(as)0 2479 y(determined)g(b)o(y)e(records)g(in)h(its)f X(signature)g(database.)71 2555 y(T)l(AMU)h(is)g(more)g(sp)q(ecialized)j(than) Xd(most)f(integrit)o(y)i(c)o(hec)o(kers,)f(but)g(requires)h(that)f(its)g X(database)g(b)q(e)g(up-)0 2612 y(dated)21 b(as)f(new)h(op)q(erating)h(system) Xe(v)o(ersions)h(and)g(patc)o(hes)g(are)f(released.)38 b(Although)21 Xb(this)h(to)q(ol)e(pro)o(vides)964 2790 y(8)p eop X%%Page: 9 9 X8 bop 0 307 a Fp(v)m(aluable)23 b(information)e(to)f(system)g X(administrators,)i(it)f(is)g(not)g(a)f(general-purp)q(ose)j(in)o(tegrit)o(y)d X(c)o(hec)o(k)o(er:)32 b(it)0 364 y(pro)o(vides)16 b(no)f(facilities)i(to)e X(scan)g(the)g(en)o(tire)h(\014le)g(system)f(for)f(c)o(hanges.)0 X505 y Fg(3.3)56 b(Hobgoblin)0 610 y Fp(Hobgoblin)12 b(w)o(as)f(written)g(as)f X(to)q(ol)h(to)g(aid)g(system)g(administrators)g(in)h(enforcing)f(lo)q(cal)h X(\014le)h(system)d(p)q(olicies.[13)q(])0 667 y(F)l(or)15 b(instance,)i(when)f X(more)f(than)h(one)g(p)q(erson)g(is)h(allo)o(w)o(ed)f(to)f(install)i(and)f X(delete)h(\014les,)g(it)f(b)q(ecomes)g(di\016cult)0 723 y(to)f(trac)o(k)f(c)o X(hanges.)20 b(Hobgoblin)c(can)f(assist)g(in)h(trac)o(king)f(these)h(c)o X(hanges.)71 799 y(Hobgoblin)d(uses)g(a)g(template)g(description)h(that)e(sp)q X(eci\014ed)j(\014les)e(and)g(directories)h(are)e(exp)q(ected)i(to)e(matc)o X(h.)0 856 y(It)19 b(then)g(scans)g(those)g(\014les)h(to)e(c)o(hec)o(k)h X(whether)h(the)f(\014les)h(matc)o(h)e(the)h(descriptions.)33 Xb(In)19 b(this)h(manner,)f(an)o(y)0 912 y(c)o(hanges)c(can)h(b)q(e)f(rep)q X(orted)h(to)e(the)i(system)e(administrator.)71 988 y(Hobgoblin)g(do)q(es)g X(not)f(ha)o(v)o(e)g(all)i(the)e(capabilities)j(asso)q(ciated)e(with)g(in)o X(tegrit)o(y)f(c)o(hec)o(k)o(ers:)19 b(detecting)14 b(added)0 X1045 y(and)k(deleted)h(\014les)f(is)g(not)g(straigh)o(tforw)o(ard)d(in)k X(Hobgoblin.)28 b(There)18 b(is)g(no)g(existing)g(in)o(terface)g(for)f X(storing)g(a)0 1101 y(\014le's)g(signature)f(in)h(the)f(database.)23 Xb(F)l(urthermore,)15 b(Hobgoblin)j(assumes)e(that)f(\014les)i(in)g(its)g X(database)e(do)h(not)0 1158 y(c)o(hange)e(often.)20 b(Because)15 Xb(of)f(this,)g(no)h(pro)o(visions)g(for)e(up)q(dating)j(the)e(database)g X(exist.)20 b(This)15 b(mak)o(es)f(its)g(use)h(in)0 1214 y(dynamic)h(\014le)g X(systems)f(di\016cult.)0 1355 y Fg(3.4)56 b(A)-5 b(TP)0 1461 Xy Fp(A)20 b(recen)o(t)f(pap)q(er)h(describ)q(es)h(a)f(forthcoming)f(program)f X(for)h Fl(UNIX)p Fp(,)h(named)f(A)l(TP)l(.[25)o(])h(It)f(emplo)o(ys)h(a)f X(dual)0 1517 y(signature)g(to)g(v)o(erify)g(\014les,)h(using)g(a)f(32-bit)g X(CR)o(C)g(and)g(the)g(MD5)f(message)h(digest)g(algorithm.)32 Xb(The)19 b(A)l(TP)0 1574 y(database)d(is)h(encrypted)h(using)g(DES)e(in)i X(Cipher)f(Blo)q(c)o(k)h(Chaining)g(mo)q(de,)f(and)g(is)g(c)o(hec)o(ksummed)h X(to)e(detect)0 1630 y(tamp)q(ering)21 b(and)g(prev)o(en)o(t)g(unauthorized)h X(up)q(dates.)37 b(Ho)o(w)o(ev)o(er,)21 b(this)h(prev)o(en)o(ts)e(its)h(use)g X(in)h(an)f(automated)0 1686 y(manner:)g(the)16 b(secure)g(en)o(try)f(of)g X(the)h(encryption)h(k)o(ey)e(requires)h(h)o(uman)g(in)o(terv)o(en)o(tion)g X(or)f(else)i(storage)d(in)j(the)0 1743 y(\014le)i(system)f(|)g(th)o(us)g X(compromising)g(the)h(en)o(tire)f(program.)27 b(The)18 b(lac)o(k)h(of)e(an)o X(y)h(mec)o(hanisms)h(for)e(up)q(dating)0 1799 y(the)e(database)g(p)q(oten)o X(tially)h(mak)o(es)f(main)o(tenance)h(as)f(tedious)h(as)e(crc)p X1226 1799 14 2 v 17 w(c)o(hec)o(k.)71 1875 y(An)h(in)o(teresting)h(design)g X(decision)h(w)o(as)e(in)o(tro)q(duction)h(of)f Fk(action)h(lists)p XFp(.)k(Ha)o(ving)c(detected)g(a)f(c)o(hanged)g(\014le,)0 1932 Xy(A)l(TP)i(can)g(automatically)g(c)o(hange)g(the)g(o)o(wnership)g(to)f XFb(root)h Fp(and)g(mak)o(e)f(it)h(inaccessible)j(to)c(all)i(users.)24 Xb(This)0 1988 y(feature)19 b(mak)o(es)f(A)l(TP)h(unique)h(among)f(the)g X(securit)o(y)g(to)q(ols)g(listed)h(in)g(this)f(section,)h(b)q(ecause)g(it)f X(do)q(es)g(more)0 2045 y(than)h(rep)q(ort)g(p)q(oten)o(tial)h(dangers.)35 Xb(Pro)o(vided)21 b(that)e(the)i(actions)f(are)g(suitable)i(under)f(lo)q(cal)g X(p)q(olicies,)j(this)0 2101 y(automated)19 b(form)f(of)i(damage)f(con)o(trol) Xg(could)h(b)q(e)h(v)o(ery)e(useful)i(to)d(system)i(administrators.)32 Xb(Ho)o(w)o(ev)o(er,)19 b(as)0 2158 y(w)o(e)e(noted)h(earlier,)g(this)g(is)g X(of)f(questionable)i(utilit)o(y)l(.)28 b(Acciden)o(tal)19 b(triggering)f(of)f X(the)g(rules)h(and)g(malformed)0 2214 y(actions)f(are)f(t)o(w)o(o)g(dangers)g X(in)i(suc)o(h)f(a)g(mec)o(hanism.)25 b(F)l(urthermore,)16 b(a)h(determined)h X(attac)o(k)o(er)d(migh)o(t)i(w)o(ell)g(b)q(e)0 2271 y(able)f(to)f(exploit)h X(this)f(mec)o(hanism)h(to)f(p)q(erform)g(denial-of-service)i(attac)o(ks.)0 X2433 y Fq(4)69 b(Implemen)n(tati)o(on)21 b(of)i(T)-6 b(rip)n(wire)0 X2554 y Fp(T)l(rip)o(wire)19 b(w)o(as)e(written)g(o)o(v)o(er)g(a)h(p)q(erio)q X(d)h(of)e(t)o(w)o(o)g(mon)o(ths)g(in)i(1992.)26 b(It)18 b(w)o(as)f(released)i X(in)f(the)g(fall)h(of)e(1992)g(to)0 2611 y(a)f(group)f(of)g(o)o(v)o(er)g(one) Xh(h)o(undred)h(b)q(eta)f(testers)f(around)h(the)g(w)o(orld)g(who)f(pro)o X(vided)i(v)m(aluable)h(feedbac)o(k)e(on)g(its)964 2790 y(9)p Xeop X%%Page: 10 10 X9 bop 0 307 a Fp(p)q(ortabilit)o(y)14 b(and)f(features.)19 Xb(Sev)o(eral)14 b(bugs)f(ha)o(v)o(e)g(b)q(een)h(iden)o(ti\014ed,)i(and)d X(four)g(up)q(dates)g(w)o(ere)g(released)h(in)g(1993.)0 364 Xy(In)i(Decem)o(b)q(er)f(1993,)f(the)h(formal)g(release)h(of)f(T)l(rip)o(wire) Xh(w)o(as)e(made.)71 440 y(This)k(section)h(describ)q(es)h(the)e(structure)g X(of)g(T)l(rip)o(wire.)30 b(A)18 b(high)h(lev)o(el)h(mo)q(del)f(of)f(T)l(rip)o X(wire)h(op)q(eration)f(is)0 496 y(sho)o(wn)13 b(in)h(Figure)f(1.)19 Xb(This)14 b(sho)o(ws)f(ho)o(w)f(T)l(rip)o(wire)j(uses)e(t)o(w)o(o)f(inputs:) X20 b(a)13 b Fk(con\014guration)g Fp(describing)i(\014le)f(system)0 X553 y(ob)s(jects)21 b(to)f(monitor,)j(and)e(a)g Fk(database)g XFp(of)g(previously-generated)i(signatures)e(putativ)o(ely)h(matc)o(hing)g X(the)0 609 y(con\014guration.)29 b Fk(Selection-masks)19 b XFp(\(describ)q(ed)h(b)q(elo)o(w\))f(sp)q(ecify)g(\014le)g(system)f X(attributes)g(and)g(signatures)h(to)0 665 y(monitor)c(for)f(the)i(sp)q X(eci\014ed)h(items.)375 1448 y @beginspecial 69 @llx 215 @lly X459 @urx 434 @ury 2880 @rwi @setspecial X%%BeginDocument: twmodel.ps X X/arrowhead { X0 begin Xtransform originalCTM itransform X/taily exch def X/tailx exch def Xtransform originalCTM itransform X/tipy exch def X/tipx exch def X/dy tipy taily sub def X/dx tipx tailx sub def X/angle dx 0 ne dy 0 ne or { dy dx atan } { 90 } ifelse def Xgsave XoriginalCTM setmatrix Xtipx tipy translate Xangle rotate Xnewpath XarrowHeight neg arrowWidth 2 div moveto X0 0 lineto XarrowHeight neg arrowWidth 2 div neg lineto XpatternNone not { XoriginalCTM setmatrix X/padtip arrowHeight 2 exp 0.25 arrowWidth 2 exp mul add sqrt brushWidth mul XarrowWidth div def X/padtail brushWidth 2 div def Xtipx tipy translate Xangle rotate Xpadtip 0 translate XarrowHeight padtip add padtail add arrowHeight div dup scale Xarrowheadpath Xifill X} if XbrushNone not { XoriginalCTM setmatrix Xtipx tipy translate Xangle rotate Xarrowheadpath Xistroke X} if Xgrestore Xend X} dup 0 9 dict put def END_OF_FILE if test 28820 -ne `wc -c <'tripwire-1.1/docs/designae'`; then echo shar: \"'tripwire-1.1/docs/designae'\" unpacked with wrong size! fi # end of 'tripwire-1.1/docs/designae' fi if test -f 'tripwire-1.1/configs/tw.conf.sun.old' -a "${1}" != "-c" ; then echo shar: Will not clobber existing file \"'tripwire-1.1/configs/tw.conf.sun.old'\" else echo shar: Extracting \"'tripwire-1.1/configs/tw.conf.sun.old'\" \(5359 characters\) sed "s/^X//" >'tripwire-1.1/configs/tw.conf.sun.old' <<'END_OF_FILE' X# $Id: tw.conf.sun.old,v 1.1 1993/11/30 19:29:53 genek Exp $ X# X# tripwire.config X# Generic version for SunOS 4.x X# Will need editing...see comments below X# X# This file contains a list of files and directories that System X# Preener will scan. Information collected from these files will be X# stored in the tripwire.database file. X# X# Format: [!|=] entry [ignore-flags] X# X# where: '!' signifies the entry is to be pruned (inclusive) from X# the list of files to be scanned. X# '=' signifies the entry is to be added, but if it is X# a directory, then all its contents are pruned X# (useful for /tmp). X# X# where: entry is the absolute pathname of a file or a directory X# X# where ignore-flags are in the format: X# [template][ [+|-][pinugsam12] ... ] X# X# - : ignore the following atributes X# + : do not ignore the following attributes X# X# p : permission and file mode bits a: access timestamp X# i : inode number m: modification timestamp X# n : number of links (ref count) c: inode creation timestamp X# u : user id of owner 1: signature 1 X# g : group id of owner 2: signature 2 X# s : size of file X# X# X# Ex: The following entry will scan all the files in /etc, and report X# any changes in mode bits, inode number, reference count, uid, X# gid, modification and creation timestamp, and the signatures. X# However, it will ignore any changes in the access timestamp. X# X# /etc +pinugsm12-a X# X# The following templates have been pre-defined to make these long ignore X# mask descriptions unecessary. X# X# Templates: (default) R : [R]ead-only (+pinugsm12-a) X# L : [L]og file (+pinug-sam12) X# N : ignore [N]othing (+pinusgsamc12) X# E : ignore [E]verything (-pinusgsamc12) X# X# By default, Tripwire uses the R template -- it ignores X# only the access timestamp. X# X# You can use templates with modifiers, like: X# Ex: /etc/lp E+ug X# X# Example configuration file: X# /etc R # all system files X# !/etc/lp R # ...but not those logs X# =/tmp N # just the directory, not its files X# X# Note the difference between pruning (via "!") and ignoring everything X# (via "E" template): Ignoring everything in a directory still monitors X# for added and deleted files. Pruning a directory will prevent Tripwire X# from even looking in the specified directory. X# X# X# Tripwire running slowly? Modify your tripwire.config entries to X# ignore the (signature 2) attribute when this computationally-exorbitant X# protection is not needed. (See README and design document for further X# details.) X# X X# First, root's "home" X=/ L X/.rhosts R # may not exist X/.profile R # may not exist X/.cshrc R # may not exist X/.login R # may not exist X/.exrc R # may not exist X/.logout R # may not exist X/.emacs R # may not exist X/.forward R # may not exist X/.netrc R # may not exist X X# Unix itself X/vmunix R X X# Now, some critical directories and files X# Some exceptions are noted further down X/etc R X/etc/inetd.conf R X/etc/rc R X/etc/rc.boot R X/etc/rc.local R X/etc/rc.single R X/etc/rc.ip R X/etc/ttytab R X/etc/exports R X/etc/ttys L X/etc/dumpdates L X/etc/mtab L X/etc/motd L X/etc/rmtab L X/etc/utmp L X/etc/group R # changes should be infrequent X# The next line may need to be replaced with /etc/security X# if C2 is enabled X/etc/passwd L X X/var L X X/dev L X X/usr/etc R X X# Checksumming the following is not so critical. However, X# setuid/setgid files are special-cased further down. X X/lib R-2 X X/bin R-2 X X/usr/bin R-2 X X/usr/ucb R-2 X X/usr/lib R-2 X X=/usr L X=/usr/spool L X/usr/spool/cron L X/usr/spool/mqueue L X/usr/spool/mail L X X# You may or may not have the following X#/usr/ftp L X#/usr/ftp/bin R X#/usr/ftp/etc R X X# put entries in for /var/yp if you need it X# put entries for uucp if you need them X# put entries for /var/adm if you need it X X=/tmp X=/var/tmp X X# Here are entries for setuid/setgid files. On these, we use X# both signatures just to be sure. X# X# You may want/need to edit this list. Batteries not inc. X X/bin/at R X/bin/atq R X/bin/atrm R X/bin/cancel R X/bin/chfn R X/bin/chsh R X/bin/crontab R X/bin/cu R X/bin/df R X/bin/iostat R X/bin/ipcs R X/bin/login R X/bin/lpstat R X/bin/mail R X/bin/newgrp R X/bin/passwd R X/bin/su R X/bin/sunview1/sv_acquire R X/bin/sunview1/sv_release R X/bin/sunview1/toolplaces R X/bin/tip R X/bin/uucp R X/bin/uuname R X/bin/uustat R X/bin/uux R X/bin/wall R X/bin/write R X/bin/ypchfn R X/bin/ypchsh R X/bin/yppasswd R X/usr/bin/at R X/usr/bin/atq R X/usr/bin/atrm R X/usr/bin/cancel R X/usr/bin/chfn R X/usr/bin/chsh R X/usr/bin/crontab R X/usr/bin/cu R X/usr/bin/df R X/usr/bin/iostat R X/usr/bin/ipcs R X/usr/bin/login R X/usr/bin/lpstat R X/usr/bin/mail R X/usr/bin/newgrp R X/usr/bin/passwd R X/usr/bin/su R X/usr/bin/sunview1/sv_acquire R X/usr/bin/sunview1/sv_release R X/usr/bin/sunview1/toolplaces R X/usr/bin/tip R X/usr/bin/uucp R X/usr/bin/uuname R X/usr/bin/uustat R X/usr/bin/uux R X/usr/bin/wall R X/usr/bin/write R X/usr/bin/ypchfn R X/usr/bin/ypchsh R X/usr/bin/yppasswd R X/usr/etc/arp R X/usr/etc/chill R X/usr/etc/devinfo R X/usr/etc/dkinfo R X/usr/etc/dmesg R X/usr/etc/dump R X/usr/etc/dumpfs R X/usr/etc/keyenvoy R X/usr/etc/kgmon R X/usr/etc/lpc R X/usr/etc/nfsstat R X/usr/etc/ping R X/usr/etc/rpc.rwalld R X/usr/etc/trpt R X/usr/ucb/lpq R X/usr/ucb/lpr R X/usr/ucb/netstat R X/usr/ucb/rcp R X/usr/ucb/rdist R X/usr/ucb/rlogin R X/usr/ucb/rsh R X/usr/ucb/talk R X/usr/ucb/vmstat R X END_OF_FILE if test 5359 -ne `wc -c <'tripwire-1.1/configs/tw.conf.sun.old'`; then echo shar: \"'tripwire-1.1/configs/tw.conf.sun.old'\" unpacked with wrong size! fi # end of 'tripwire-1.1/configs/tw.conf.sun.old' fi if test -f 'tripwire-1.1/configs/conf-osx-ucb.h' -a "${1}" != "-c" ; then echo shar: Will not clobber existing file \"'tripwire-1.1/configs/conf-osx-ucb.h'\" else echo shar: Extracting \"'tripwire-1.1/configs/conf-osx-ucb.h'\" \(804 characters\) sed "s/^X//" >'tripwire-1.1/configs/conf-osx-ucb.h' <<'END_OF_FILE' X/* $Id: conf-osx-ucb.h,v 1.2 1993/08/19 05:27:02 genek Exp $ */ X X/* X * conf-osx-ucb.h X * X * Tripwire configuration file for Pyramid's OSx and ucb universe X * X * Ken McDonell X * Pyramid Technology X * X */ X X/* X * is your OS a System V derivitive? if so, what version? X * (e.g., define SYSV 4) X */ X X#undef SYSV X X/* X * does your system have a like System V? X */ X X#undef MALLOCH X X/* X * does your system have a like POSIX says you should? X */ X X#undef STDLIBH X X/* X * does your system use readdir(3) that returns (struct dirent *)? X * -- yes, but we do not have a to #include X */ X X#undef DIRENT X X/* X * is #include ok? (as opposed to ) X */ X X#undef STRINGH X X/* X * does your system have gethostname(2) (instead of uname(2))? X */ X X#define GETHOSTNAME END_OF_FILE if test 804 -ne `wc -c <'tripwire-1.1/configs/conf-osx-ucb.h'`; then echo shar: \"'tripwire-1.1/configs/conf-osx-ucb.h'\" unpacked with wrong size! fi # end of 'tripwire-1.1/configs/conf-osx-ucb.h' fi echo shar: End of archive 9 \(of 25\). cp /dev/null ark9isdone MISSING="" for I in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 ; do if test ! -f ark${I}isdone ; then MISSING="${MISSING} ${I}" fi done if test "${MISSING}" = "" ; then echo You have unpacked all 25 archives. echo "Now read tripwire-1.1/README.kits" rm -f ark[1-9]isdone ark[1-9][0-9]isdone else echo You still need to unpack the following archives: echo " " ${MISSING} fi ## End of shell archive. exit 0