08-02-2013, 04:03 PM
TRIPWIRE
ABSTRACT
Tripwire is an intrusion detection system. It is a software tool that checks to see what has changed on your system.
The program monitors the key attributes of files that should not change, including the size, binary signature, expected change of size, and other related important data. Tripwire is an open source program created to monitor changes in a key subset of files identified by the user and report on any changes in any of those files. When changes are detected, the system administrator can determine whether those changes occurred due to normal, permitted activity, or whether they were caused by a break-in. If the former, the administrator can update the system baseline to the new files. If the latter, then repair and recovery activity begins. Tripwire's principle is simple enough. The system administrator identifies key files and has Tripwire record a checksum for each of those files. The administrator also sets up a cron job to scan those files at intervals (daily or more frequently), comparing them to the original checksums. Any changes, additions, or deletions are reported, so the proper action can be taken.
INTRODUCTION
Tripwire is a system integrity checker, a utility that compares properties of designated files and directories against information stored in a previously generated database. Any changes to these files are flagged and logged, including files that were added or deleted, with optional email reporting. Additionally, support files (database, reports, etc.) are cryptographically signed.
Tripwire for Servers is software used exclusively on servers. It can be installed on any server that needs to be monitored for changes. Typical servers include mail servers, web servers, firewalls, transaction servers, development servers, etc. Any server where it is imperative to identify if and when a file system change has occurred should be monitored with Tripwire for Servers.
The Tripwire for Servers software conducts subsequent file checks, automatically comparing the state of the system with the baseline database. Any inconsistencies are reported to the Tripwire Manager and to the host system log file. Reports can also be emailed to an administrator. If a violation is an authorized change, a user can update the database so that the changes no longer show up as violations.
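The abstract's principle (record checksums of key files, rescan them from a cron job, report changes, additions and deletions) together with the introduction's point that the database is cryptographically signed, as an added example that is not from this report or from Tripwire itself. The file names, the HMAC key and the temporary-directory files are constructed for the demo; a real deployment keeps the key off the monitored host.

```python
import hashlib, hmac, json, os, tempfile
from pathlib import Path

# Constructed example of the Tripwire principle (not Tripwire's own code): record
# size, mode and a hash for each file in a policy list, sign the database, then
# rescan on a schedule and report what was added, removed or changed.

def file_record(path):  # attributes of a watched file that should not change
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mode": st.st_mode, "sha256": h.hexdigest()}

def build_baseline(policy, key):  # scan policy files, sign the database with HMAC-SHA256
    db = {p: file_record(p) for p in policy if os.path.isfile(p)}
    body = json.dumps(db, sort_keys=True)
    return {"db": body, "sig": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def load_baseline(baseline, key):  # reject a database edited on disk or signed with another key
    expected = hmac.new(key, baseline["db"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["sig"]):
        raise ValueError("baseline signature mismatch")
    return json.loads(baseline["db"])

def check(policy, baseline, key):  # the periodic scan a cron job would run
    old = load_baseline(baseline, key)
    new = {p: file_record(p) for p in policy if os.path.isfile(p)}
    report = {"added": [], "removed": [], "changed": []}
    for p in policy:
        if p in old and p not in new:
            report["removed"].append(os.path.basename(p))
        elif p in new and p not in old:
            report["added"].append(os.path.basename(p))
        elif p in new and old[p] != new[p]:
            report["changed"].append(os.path.basename(p))
    return report

def demo():  # constructed files in a temp dir: one edited, one deleted, one appearing later
    d = tempfile.mkdtemp()
    policy = [os.path.join(d, n) for n in ("passwd", "sshd_config", "unexpected.so")]
    for p in policy[:2]:
        Path(p).write_text("original " + os.path.basename(p))
    key = b"constructed-demo-key"  # constructed; in practice a passphrase-protected key
    baseline = build_baseline(policy, key)
    Path(policy[0]).write_text("original passwd\nappended line")
    os.remove(policy[1])
    Path(policy[2]).write_text("not in the baseline")
    return check(policy, baseline, key)
```

Reviewing the report is the administrator's step from the abstract: an authorized change is folded in by rebuilding the baseline, an unexplained one starts incident handling.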
A tripwire is a passive triggering mechanism, usually and originally employed for military purposes, although its principle has been used since prehistory for methods of trapping game.
BACKGROUND
Dr. Eugene Spafford and Gene Kim created the initial Academic Source Release of the Tripwire software in 1992 while at Purdue University. In 1997, Kim founded Tripwire, Inc. to bring Tripwire for Servers, an enhanced commercial version of the software, to market. In 2000, to meet the need for a robust file integrity tool that could be compiled on a wide variety of POSIX-compatible operating systems, Tripwire contributed Open Source Tripwire, Linux Edition, to the open source community (under the GNU General Public License). Since that time, continued development of Tripwire for Servers has resulted in improved security, better reporting, easier reconciliation, broader platform support, and, with the optional Tripwire Manager component, centralized reporting and a GUI. With the introduction of Tripwire Enterprise in 2005, the software completed its evolution from a file integrity tool to a comprehensive solution for configuration auditing across Linux/UNIX/Windows servers, databases, network devices, desktops, and directory servers.
Tripwire Enterprise: Configuration Audit and Control for IT
Tripwire Enterprise is the recognized leader among configuration audit and control solutions that assure continuous operational, regulatory and security compliance across the datacenter. Tripwire Enterprise 7 helps nearly 5,700 customers worldwide achieve and maintain a known, trusted and compliant state. By proactively assessing configuration settings against internal policies and external industry benchmarks, Tripwire Enterprise generates an enterprise-wide risk profile to identify and remedy weak links. Once a known and trusted state is achieved, Tripwire Enterprise detects change in real time across the IT infrastructure to help maintain the known good state. Tripwire supports a broad range of devices including servers, databases, network devices, virtual environments, desktops, directory servers and more. Tripwire Enterprise also delivers actionable information through reporting, reconciliation and remediation capabilities. As the trusted leader in configuration audit and control, Tripwire Enterprise delivers continuous compliance throughout the datacenter to reduce risk, increase operational efficiency, enforce internal and external policies, automate compliance and deliver better service to the business.
Major features in Tripwire Enterprise include:
• Policy compliance configuration assessment
• Real-time, tunable change detection
• Centralized management console with web interface
• Centralized database that stores historical change
• Tailorable reports and dashboards
• Customizable roles and permissions to ensure a secure audit trail
• Easy to use GUI
• Integration with change management systems, providing automated change reconciliation
For medium-size to the largest installations, Tripwire Enterprise offers IT organizations a comprehensive configuration audit and control solution that provides enhanced security, increased availability, and demonstrable compliance with governmental and industry regulations.
BASIC PURPOSE OF TRIPWIRE
Almost the same principle is used in computers. If a change is found when comparing the old values to the new ones, or if data is being manipulated on the spot, the logs are checked for intrusion; once it is detected, all the changes can be undone.
Tripwire is a free and open-source software tool. It functions as a host-based intrusion detection system. It does not concern itself directly with detecting intrusion attempts in real time at the periphery of a computing system (as network intrusion detection systems do), but rather looks for and reports on the resultant changes of state in the computing system under observation. Intruders usually leave traces of their activities (changes in the system state). Tripwire looks for these by monitoring key attributes of files that should not change, including binary signatures, size, expected changes in size, etc., and reporting its findings.
While useful for detecting intrusions after the event, it can also serve many other purposes, such as integrity assurance, change management, policy compliance, and more.
A Host-based Intrusion Detection System (HIDS), as a special category of Intrusion Detection System, focuses its monitoring and analysis on the internals of a computing system rather than on its external interfaces (as a Network Intrusion Detection System (NIDS) would do).
TRIPWIRE FOR SERVERS
Tripwire for Servers is software used exclusively on servers. It can be installed on any server that needs to be monitored for changes. Typical servers include mail servers, web servers, firewalls, transaction servers, development servers, etc. Any server where it is imperative to identify if and when a file system change has occurred should be monitored with Tripwire for Servers. For the Tripwire for Servers software to work, two important things must be present: the policy file and the database.