TRIPWIRE
Section: Maintenance Commands (8)
Updated: October 14, 1992
NAME
tripwire - a file integrity checker for UNIX systems
SYNOPSIS
tripwire [ options ... ]
Tripwire is a file integrity checker - a utility that compares a designated set of files and directories against information stored in a previously generated database. Added or deleted files are flagged and reported, as are any files that have changed from their previously recorded state in the database. When run against system files on a regular basis, any file changes would be spotted when Tripwire is next run, giving system administrators information to enact damage control measures immediately.
Using Tripwire, system administrators can conclude with an extremely high degree of certainty that a given set of files and directories remain untouched from unauthorized modifications, provided the program and database are appropriately protected (e.g., stored on read-only media). Note that reports of changed files indicate a change from the time of the last Tripwire database installation or update. For best effect, the files being monitored should be reinstalled from known good sources. (See the Tripwire design document for further details.)
Tripwire uses message-digest algorithms (one-way hash functions) to detect changes in a hard-to-spoof manner. This should be able to detect significant changes to critical files, including those caused by insertion of backdoors or viruses. Tripwire also monitors changes to file permissions, modification times, and other significant changes to inodes as selected by the system administrator on a per-file/directory basis.
Tripwire runs in one of four modes: Database Generation, Database Update, Integrity Checking, or Interactive Update mode. In Database Generation mode, Tripwire initializes the database based upon the entries enumerated in the tw.config file. Database Update mode provides incremental database update functionality on a per-file/directory basis. This obviates having to regenerate the entire database every time a file or set of files change. The Integrity Checking mode generates a report of added, deleted, or changed files, comparing all the files described by the tw.config file against the files residing on the filesystem. Lastly, the Interactive Update mode reports added, deleted, and changed files and prompts the user whether those database entries should be updated.
When run without any arguments, tripwire runs in Integrity Checking mode.
DATABASE GENERATION MODE
In Database Generation mode, tripwire creates the database file based upon the entries in tw.config. The name of this database file is defined at compile-time in config.h - it defaults to tw.db_[hostname]. The generated database is placed in the ./databases directory, and must be moved to the target directory manually.
DATABASE UPDATE MODE
In Database Update mode, tripwire updates the specified files, directories, or entries in the database. The old database is saved in the ./databases directory with the .old suffix. The new, updated database is also written to the ./databases directory. As in the Database Generation mode, the new database must be manually moved to the Tripwire database directory.
tripwire in Database Update mode requires at least one argument, which is used as an entry. The entry argument specifies which file or directory is to be updated, and is interpreted similarly to tw.config entries. If the argument is a filename, only that file is updated in the database. Similarly, if the argument is a directory name, the directory and its children are updated. If the argument is also an entry in the tw.config file, the entire entry is updated.
Database updates yield a new database file with added, deleted, or changed entries. This functionality is provided to allow Tripwire databases to be updated in a controlled manner to reflect filesystem changes, obviating the need to regenerate the entire database again.
INTEGRITY CHECKING MODE
In Integrity Checking mode, tripwire reads in the tw.config file, and rebuilds a new database to reflect the current files. Tripwire then compares the new database with the existing Tripwire database stored on the filesystem, reporting added or deleted files, as well as those files that have changed.
The tw.config file, in addition to the list of files and directories, also lists which attributes can change and be safely ignored by Tripwire. Tripwire applies these select-flags to decide which changes can be safely unreported.
Each file that differs from the information stored in the database is considered ``changed.'' However, only the changes that remain after the select-flags are applied are displayed. For each change, the expected and actual information is printed. For instance:
Tripwire in Interactive Update mode will look similar. However, for each added, deleted, or changed file, the user is prompted whether the entry corresponding to the file or directory should be updated. The user can answer with either ``y'', ``n'', ``Y'', or ``N''. The first two answers are simply ``yes, update the specified file'' and ``no, don't update the file'' respectively.
Answering ``Y'' not only updates the specified file or directory, but all other files or directories that share the same entry in the tw.config file. For example, if ``Y'' were answered for /etc, then all the files generated by the /etc entry will also be updated. Answering ``N'' is similar, but skips all files and directories corresponding to the specified entry.
A possible Tripwire session running in Interactive Update mode may look like:
DIAGNOSTICS
Tripwire exit status is 1 for any error condition. Otherwise, the exit status is the logical OR'ing of the following: 2 for files added, 4 for files deleted, and 8 for files changed. (e.g., if Tripwire exits with status code 10, then files were added and changed: 8 + 2 = 10.)
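As an added example (not Tripwire's own code), the following Python model reproduces the Database Generation and Integrity Checking modes described above, applies select-flags so that ignored attributes go unreported, and encodes the result using the exit-status bits from DIAGNOSTICS. The in-memory filesystem snapshots, the use of SHA-256 as the digest, and the attribute name "mtime" as a select-flag are assumptions for illustration.

```python
import hashlib

def digest(data: bytes) -> str:
    # Tripwire uses a one-way hash; SHA-256 stands in for it here (assumption).
    return hashlib.sha256(data).hexdigest()

def generate(fs: dict) -> dict:
    """Database Generation mode: record inode attributes and a digest per file."""
    return {path: {"mode": mode, "mtime": mtime, "size": len(data),
                   "digest": digest(data)}
            for path, (mode, mtime, data) in fs.items()}

def check(db: dict, fs: dict, ignore: dict = None) -> dict:
    """Integrity Checking mode: rebuild a database from fs, compare it with db,
    and report added/deleted/changed files plus the Tripwire-style exit status.
    'ignore' maps a path to the attribute names its select-flags suppress."""
    ignore = ignore or {}
    now = generate(fs)
    added = sorted(set(now) - set(db))
    deleted = sorted(set(db) - set(now))
    changed = {}
    for path in set(db) & set(now):
        diffs = {k: (db[path][k], now[path][k]) for k in db[path]
                 if k not in ignore.get(path, set()) and db[path][k] != now[path][k]}
        if diffs:          # only changes surviving the select-flags are reported
            changed[path] = diffs
    status = (2 if added else 0) | (4 if deleted else 0) | (8 if changed else 0)
    return {"added": added, "deleted": deleted, "changed": changed, "status": status}

def describe_status(status: int) -> list:
    """Decode the logical OR of 2 (added), 4 (deleted), 8 (changed); 1 is an error."""
    if status == 1:
        return ["error"]
    return [name for bit, name in ((2, "added"), (4, "deleted"), (8, "changed"))
            if status & bit]

# Constructed baseline snapshot: path -> (mode, mtime, contents)
BASELINE = {
    "/etc/passwd": (0o644, 1000, b"root:x:0:0::/:/bin/sh\n"),
    "/bin/login":  (0o755, 1000, b"\x7fELF-login-v1"),
    "/etc/motd":   (0o644, 1000, b"welcome\n"),
}
# Constructed later snapshot: passwd only touched, login replaced, motd gone, a new binary
LATER = {
    "/etc/passwd":  (0o644, 2000, b"root:x:0:0::/:/bin/sh\n"),
    "/bin/login":   (0o755, 1000, b"\x7fELF-login-modified"),
    "/bin/newtool": (0o755, 3000, b"\x7fELF-new"),
}

if __name__ == "__main__":
    report = check(generate(BASELINE), LATER, ignore={"/etc/passwd": {"mtime"}})
    print(report, describe_status(report["status"]))
```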
BUGS
This manual page is not self-contained - users are referred to the Tripwire design document to better understand the issues of integrity checking.
Gene Kim, Purdue University, email@example.com
Eugene Spafford, Purdue University, firstname.lastname@example.org