## $Id$ ## ## WHATSNEW for Tripwire v1.2, v1.1.1, and v1.1 ## ## Gene Kim & Gene Spafford ## The COAST Project ## Department of Computer Sciences ## Purdue University ## ## ## Version 1.2 -- July 15, 1994 ## Version 1.2 adds several new features, as well as fixing reported bugs. Among the changes are: - Signature checking for symbolic link contents has been added. - Tripwire now correctly runs on Alpha AXPs, and other machines with "long" types that are not 32 bits wide. - The Haval digital hash routine has been added as the eighth signature routine (faster than MD5, and purportedly more secure). - The SHA signature routine has been changed to conform to the recent fix introducted in its FIPS definition by NIST/NSA to correct an unspecified weakness. - The database format changes slightly to correct a boundary condition error. Because database entry numbers change, because the SHA signatures change, and because of Haval, old Tripwire databases must be reinitialized. - Handling specified configuration and database files (and file descriptors) has been fixed to better accomodate pipes. - Full support for flex added. - Signature checking is now considerably faster through the use of the stdio library for file I/O. - A Perl script has been added to update Tripwire databases where all inode numbers were changed by "fsirand" (NFS sites only); See FAQ. - Another fix to make database updates more predictable. - All reported bugs have been fixed in this revision. - A new README section describes some documented attacks on systems running Tripwire. - Many small changes have been made to the documentation to correct and update information. NOTE: The script `twdb_check.pl' (written in Perl) has been added to the distribution. It checks database consistency after updates of the tw.config file. This functionality will be put into the Tripwire program in the next release. Run this script after Tripwire database updates to ensure that database entry numbers are consistent with the tw.config file. See the README file for details (section 3.5.2). Numerous other people played a crucial role in shaping this release: Paul Szabo is responsible for a number of fixes and cleaning up the way filenames are handled internally, leading to a much simpler treatment to filenames with escaped characters in Tripwire. Paul Hilchey is responsible for rewriting the list routines, fixing a number of bugs and replacing a hideous implementation with one that is elegant and succinct. Asokan is responsible for going through all the Tripwire code to remove assumptions about the size of certain types (e.g., "long" is not 32 bits on the Alpha). Casper H.S. Dik pointed out how some signature routines used very small reads, leading to suboptimal performance. He offered a simple fix through the use of the stdio library for file I/O. Cal Page modified the lex and yacc files to accomodate newer versions of GNU flex and bison, which continue to diverge from the traditional tools. Tom Orban spent many an afternoon on the phone with me, guiding me step-by-step to find elusive database update bugs. Among other things, Tom Orban and Terry Kennedy helped track down the problems that led to the addition of the twdb_check.pl script. Keith Rickert and Eugene Zaustinsky painstakingly pointed out distribution errors. Keith Rickert and Greg Black helped us with the last batch of fixes that shortly preceded this release. We appreciate their help. Thanks go to those people who helped test Tripwire: Eric Berg, Eric M. Boehm, Lothar Butsch, John Crosswhite, Jason Downs, Peter Evans, Jon Freivald, Kevin Johnson, Lothar Kaul, Terry Kennedy, Chris Kern, Paul Madden, Fred Marchand, Mitchell Marks, Jim Moreno, Tom Orban, Lorraine Padour, Calvin Page, Tom Painter, Roger Peyton, Peter Phillips, Keith W. Rickert, Jim Roche, D Seddon, Paul Szabo, Gene C Van Nostern, John Wiegley, Robert Wilhite, Alain Williams, Eugene Zaustinsky. Gene & Gene Kim & Spafford ## ## Version 1.1 -- December 15, 1994 ## Introduction: ============= Version 1.1 considerably upgrades the functionality of Tripwire. All known bugs have been fixed, and many selected features have been added at the request of Tripwire users. Among the major changes are: - rewrite of the "-update" command. - addition of an "-interactive" command that prompts the user whether a changed file's database entry should be updated. - addition of a "-loosedir" command for quieter Tripwire runs. - support for monotonically growing files in tw.config. - addition of comprehensive test suite to test Tripwire functionalities. - hooks for external services (i.e., compression, encryption, networking) through "-cfd" and "-dfd" options. - addition of the new NIST SHA/SHS signature algorithm. - corrections and changes in the MD2, MD4, MD5, CRC32, and Snefru signature routines. - addition of a more rigorous signature test suite. - more error checking in tw.config @@directives. - siggen replaces sigfetch. - addition of a tw.config file for Solaris v2.2 (SVR4). - change of base-64 alphabet to conform to standards. - preprocessor macro fixes. New Tripwire database format: ============================= The Tripwire database format has changed since v1.0, using a different base-64 alphabet and encoding scheme. Use the twconvert program to convert v1.0 databases to v1.1 databases (located in the ./src directory). If you have been using an older version of Tripwire, you will need to use twconvert convert your databases to the new format. Updating the Tripwire database: =============================== There has been a major rewrite/rethink of the "tripwire -update" command, as well as the addition of a "tripwire -interactive" command which allows the user to interactively select which database entries should be updated. No vestiges of the "-add" or "-delete" command remain, since the "-update" command now automatically deletes and adds files. However, the preferred way of keeping Tripwire databases in sync with the filesystems is using the "-interactive" command. A Tripwire session using Interactive mode might look like: 6:25am (flounder) tw/src 1006 %% tripwire -interactive ### Phase 1: Reading configuration file ### Phase 2: Generating file list ### Phase 3: Creating file information database ### Phase 4: Searching for inconsistencies ### ### Total files scanned: 49 ### Files added: 0 ### Files deleted: 0 ### Files changed: 49 ### ### After applying rules: ### Changes discarded: 47 ### Changes remaining: 2 ### changed: drwx------ genek 1024 May 3 06:25:37 1993 /homes/genek/research/tw/src changed: -rw------- genek 7978 May 3 06:24:19 1993 /homes/genek/research/tw/src/databases/tw.db_flounder.Eng.Sun.COM.old ### Phase 5: Generating observed/expected pairs for changed files ### ### Attr Observed (what it is) Expected (what it should be) ### =========== ============================= ============================= /homes/genek/research/tw/src st_mtime: Mon May 3 06:25:37 1993 Mon May 3 06:11:39 1993 st_ctime: Mon May 3 06:25:37 1993 Mon May 3 06:11:39 1993 ---> File: '/homes/genek/research/tw/src' ---> Update entry? [YN(y)nh?] y ### Updating database... ### ### Phase 1: Reading configuration file ### Phase 2: Generating file list ### Phase 3: Updating file information database ### ### Warning: Old database file will be moved to `tw.db_flounder.Eng.Sun.COM.old' ### in ./databases. ### 6:25am (flounder) tw/src 1007 %% Tripwire prompts the user whether the database entry of the current file should be updated to match the current file information. Pressing either 'y' or 'n' either updates the current file or skips to the next file. Pressing 'Y' or 'N' applies your answer to the entire entry. (I.e., if /etc is changed, typing 'Y' will not only update /etc, but it will also files update all the files in /etc.) Tripwire exit codes: ==================== Tripwire exit status can be interpreted by the following mask: 1: run-time error. aborted. 2: files added 4: files deleted 8: files changed For example, if Tripwire exits with status code 10, then files were found added and changed. (i.e., 8 + 2 = 10.) Tripwire quiet option: ====================== When run with -q option, Tripwire really is quiet, printing only one-line reports for each added, deleted, or changed file. The output is more suitable for parsing with awk or perl. Monotonically growing files: ============================ The ">" template is now supported in the tw.config files. This template allows files to grow without being reported. However, if the file is deleted or is smaller than the size recorded in the database, it is reported as changed. Loose directory checking: ========================= This option was prompted by complaints that Tripwire in Integrity Checking and Interactive mode unnecessarily complains about directories whose nlink, ctime, mtime, or size have changed. When Tripwire is run with the "-loosedir" option, directories automatically have these attributes included in their ignore-mask, thus quieting these complaints. Note that this is option is not enabled by default, making normal Tripwire behavior no different than previous releases. However, running with this option enabled considerably decreases "noise" in Tripwire reports. (Ideally, this "loose directory checking" should be offered on a per-file basis in the tw.config file. However, adding another field to the tw.config file was too extensive a change to be considered for this release. A later release of Tripwire may rectify this.) Hooks for external services: ============================ Tripwire now supports the "-cfd" and "-dfd" option that allows the user to specify an open file descriptor for reading the configuration file and database file, respectively. Using these options, an external program can feed Tripwire both input files through open file descriptors. This external program could supply services not provided though Tripwire, such as encryption, data compression, or a centralized network server. This program might do the following: Open the database and configuration files, process or decode (i.e., uncompress the file), and then write out the reguarly formatted file to a temporary file. Open file descriptors to these files are then passed to Tripwire by command-line arguments though execl(). An example of using a shell script to compress and encrypt your files is given in ./contrib/zcatcrypt. It is a four line Bourne shell script that encrypts and compresses the database and configuration files. SHA/SHS signature routines: =========================== Tripwire now includes SHA/SHS, the proposed NIST Digital Signature Standard. See the README file for details on this algorithm. Please note that the SHA code in ./sigs/sha seems to be poorly handled by many optimizing C compilers. For example, the stock C compiler included with SunOS 4.x takes almost two minutes to compile this file with the -O option on a Sparcstation10. Other compilers (such as GCC) do not have this problem. Change in tw.config preprocessor: ================================= The tw.config preprocessor has been changed to allow the proper expansion of @@variables in filenames. The following use of @@define now works as expected: @@define DOMAIN_NAME my_main_nis_domain /var/yp/@@DOMAIN_NAME L @@DOMAIN_NAME/FOO L (This is the third attempt at getting this working correctly. We finally fixed this by moving the macro expansion routines into the lexical analyzer.) Expanded test suite: ==================== The Tripwire test suite now includes runs a more standard signature test suite. This was prompted by discovery of several implementation errors in the MD2, MD4, and MD5 signature routines that was introduced right before the official release of Tripwire. (Thanks Eugene Zaustinsky.) Two more test suites have been added. One iterates through all the Tripwire reporting functionalities, and exercises all the database update cases. The other test suite checks for proper Tripwire preprocessor macro expansions. CRC32 changes: ============== Furthermore, the CRC32 signature routine is now POSIX 1003.2 compliant. (Thanks Dan Bernstein.) "siggen" replaces "sigfetch": ============================= As a tester noted, "sigfetch" was a misnomer since nothing was actually being fetched. Consequently, it was easy to (incorrectly) conclude that "sigfetch" retrieved signatures from the database. The "siggen" command is the current incarnation of "sigfetch". The manual pages reflect this change. Source code cleanup: ==================== The authors went through the sources, doing generic cleanups aid in code comprehension. Bug fixes: ========== This release fixes all known bugs. The TODO list, however, gives a wishlist of features that may be included in future releases. List of thanks: =============== Special thanks go to the testers of disappearing v1.0.3. Reports of critical bug fixes go to (in no special order): E. Clinton Arbaugh, Pat Macdonald, Eric Demerling, John Rouillard, Bob Cunningham, and Neil Todd. Sam Gassel, Edward DeHart, Drew Gonczi, Rik Farrow, Jim Napier, Drew Jolliffe, John Rouillard, Alain Brossard, Eric Bergren, Patrick Sullivan, Nora Hermida, Juergen Schmidt, Debbie Pomerance, Michael Hines, Tim Ramsey, Georges Tomazi, Mitchell Marks, Philip Cox, Kevin Dupre', Chris Kern, and Eugene Zaustinsky helped in getting the Tripwire v1.1 release in shape for our December 1993 release. Gene & Gene Kim & Spafford