NAME
tripwire - a file integrity checker for UNIX systems
SYNOPSIS
tripwire [ options ... ]
DESCRIPTION
Tripwire is a file integrity checker - a utility that
compares a designated set of files and directories against
information stored in a previously generated database.
Added or deleted files are flagged and reported, as are any
files that have changed from their previously recorded state
in the database. When run on a regular basis, Tripwire is a
useful tool for maintaining the integrity of system files.
If unauthorized changes are discovered, Tripwire can quickly
determine the extent of the problem, allowing system
administrators to enact damage control measures.
Using Tripwire, system administrators can conclude with an
extremely high degree of certainty that a given set of files
and directories has not been modified, provided the
tripwire program and database are appropriately protected
(e.g., stored on read-only media). Tripwire uses
message-digest algorithms (one-way hash functions) to detect
changes in a hard-to-spoof manner. These algorithms are
designed to detect even the smallest changes to files,
including changes caused by insertion of backdoors or
viruses. Tripwire can be configured to monitor changes to
file permissions, modification times, and other significant
inode changes on a per-file/directory basis. Changes are
reported relative to the last Tripwire database installation
or update.
Tripwire runs in one of four modes: Database Generation,
Integrity Checking, Database Update, or Interactive Update
mode. In Database Generation mode, Tripwire initializes the
database based on the entries enumerated in the tw.config
file. The Integrity Checking mode compares all of the files
described by the tw.config file against the files residing
on the filesystem to generate a list of added, deleted, or
changed files. Database Update mode allows the user to
update individual file or directory entries in the database,
rather than regenerating the entire database every time a
file or set of files changes. The Interactive Update mode
combines the functions of the Integrity Checking and
Database Update modes. Interactive Update mode reports
added, deleted, and changed files and gives the user the
option to update each affected database entry individually.
Interactive Update provides a simple and thorough method for
system administrators to keep Tripwire databases ``in sync''
with changing filesystems.
OPTIONS
When run without any arguments, tripwire runs in Integrity
Checking mode.
-initialize, --init, --initialize
        Database Generation mode. Creates the database which is
        used for all subsequent Integrity Checking runs.

-update [[pathname|entry] ...], --update [[pathname|entry] ...]
        Database Update mode. This mode updates the specified
        pathname or entry in the database. If the argument
        provided is a file, only that file is updated. If the
        argument is a directory, that directory and all of its
        children are updated. If the argument is an entry in
        the tw.config file, the entire entry in the database
        is updated.

-interactive, --interactive
        Interactive Update mode. Tripwire first reports all
        added, deleted, and changed files, then allows the user
        to update the entry in the database. Note that Tripwire
        opens up /dev/tty instead of using stdin. This prevents
        the automation of interactive updates, reducing the
        chance of system administrators inadvertently updating
        entries. Updating the database should always be done
        with care and deliberation.

-loosedir, --loose-directory-checking
        Loosens checking criteria for directories in Integrity
        Checking or Interactive Update modes so changes in size,
        nlink, modification and creation times are no longer
        reported. This significantly quiets Tripwire reports,
        at the possible risk of missing important changes.

-d dbasefile, --dbfile dbasefile
        Reads the database information from the specified
        dbasefile. stdin can be specified using ``-d -'' or
        ``--dbfile -''.

-c configfile, --cfgfile configfile
        Read the configuration information from the specified
        configfile. stdin can be specified using ``-c -'' or
        ``--cfgfile -''.

-cfd openfd
        Read the configuration information from the open file
        descriptor openfd. This option allows programs outside
        of Tripwire to supply services such as networking,
        compression, and encryption.

-dfd openfd
        Read the database file from the open file descriptor
        openfd. This option allows programs outside of Tripwire
        to supply services such as networking, compression, and
        encryption.

-Dvar=value
        Defines the tw.config variable var to value, as if
        @@define were used.

-Uvar   Undefine the tw.config variable var, as if @@undef
        were used.

-i [#|all], --ignore [#|all]
        Ignore the specified signature, and skip it when
        comparing against database entries. If all is
        specified, no signatures are collected or compared.

-x, --print-hex
        Collect and display all signature values in
        hexadecimal, rather than base64 notation.

-E, -preprocess
        Prints out preprocessed tw.config file to stdout.

-q, --quiet, --silent
        Quiet mode. In this mode, Tripwire displays only one
        line of text for each added, changed, or deleted file.
        Phase 5 of the Tripwire report, which prints the pairs
        of expected and observed file attribute values, is
        omitted.

-v, --verbose
        Verbose mode. Prints out filenames as they are being
        scanned during signature computation.

-help [inode], --help [inode]
        Prints out usage information. If "inode" is specified
        as an argument, this command will instead print an
        inode interpretation message (for parsing messages when
        files have changed).

-version, --version
        Prints out version information.
DATABASE GENERATION MODE
In Database Generation mode, tripwire creates the database
file based on the entries in tw.config. The name of this
database file is defined at compile-time in config.h - the
default name is tw.db_[hostname]. The generated database is
placed in the ./databases directory, and must be moved to
the target directory manually.
Note that you must manually move this file to the directory
specified in config.h because the default database directory
should be a read-only file system.
INTEGRITY CHECKING MODE
In Integrity Checking mode, tripwire reads in the tw.config
file and builds a new database to reflect the state of
current files. Tripwire then compares the new database with
the existing database and reports added, deleted, or changed
files.
The tw.config file enumerates the files and directories that
Tripwire watches, with select-flags for each listing the
attributes for that file that should and should not change.
Tripwire applies these rules to determine which changes
should be reported after an integrity check.
Tripwire detects all changes to entries in the tw.config
file, but only those changes specified by the select-flags
for that entry are displayed after an integrity check. For
each of these changes, the expected value (from the
database) and the actual information (observed in the file)
are printed. For example:
2:30am (mentor) 985 % tripwire
### Phase 1: Reading configuration file
### Phase 2: Generating file list
### Phase 3: Creating file information database
### Phase 4: Searching for inconsistencies
###
### Total files scanned: 82
### Files added: 0
### Files deleted: 0
### Files changed: 80
###
### After applying rules:
### Changes discarded: 79
### Changes remaining: 1
###
changed: -rw------- 4433 Oct 13 02:30:34 1992 /tmp/config.h
### Phase 5: Generating observed/expected pairs for changed files
###
### Attr        Observed (what it is)         Expected (what it should be)
### =========== ============================= =============================
/tmp/config.h
      st_size: 4441                          4433
   md5 (sig1): 0aqL1O06C3Fj1YBXz3.CPdcb      0cPX1H.DYS.s1vZdKD.ELMDR
snefru (sig2): 0PcgcK/MZvEm.8pIWe.Gbnn/      /8VoJv1JcoUA0NvoGN.k3P6E
 crc32 (sig3): .EHA6x                        /OuGNV
 crc16 (sig4): ...9/q                        ...6yu
   md4 (sig5): /hQ0sU.UEbJo.UR4VZ/mNG/h      .UR4VZ/mNG/h/VSG/W/Z643k
   md2 (sig6): .hLwjb.VRA0O.Z72y90xTYqA      1LR0Gg1l.vqB0.1g330Pi8/p
DATABASE UPDATE MODE
In Database Update mode, tripwire updates database
information for specified files, directories, or tw.config
entries. This mode allows the user to update a Tripwire
database to reflect filesystem changes, rather than
regenerating the entire database every time a file or set of
files changes.
The new, updated database is written to the ./databases
directory. The old database is also saved in the ./databases
directory, with the .old suffix added. As in the Database
Generation mode, the new database must be manually moved to
the Tripwire database directory.
The tripwire Database Update mode requires at least one
argument, specifying the file or directory to be updated. If
the argument is a filename, only that file is updated in the
database. If the argument is a directory name, the directory
and its children are updated. If the argument is also an
entry in the tw.config file, the entire entry is updated.
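The three modes described above (Database Generation, Integrity Checking with select-flag filtering, and Database Update of a single file or of a directory and its children) can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the tripwire distribution. It records a small subset of the inode fields Tripwire stores plus one SHA-256 signature (Tripwire keeps several signatures, sig1 through sig6), keeps the database as an in-memory dict rather than a tw.db_[hostname] file, and the function names, the ignore list that stands in for tw.config select-flags, and the sample files created under a temporary directory are all constructed for illustration.

```python
"""Miniature model of Tripwire's generate / check / update cycle.

Added example, not code from the tripwire distribution.  The function
names, the attribute set and the sample files are illustrative only.
"""
import base64
import hashlib
import os
import tempfile

# Attributes recorded per path: a few inode fields plus one signature.
# Tripwire records more fields and several signatures (sig1..sig6).
ATTRS = ("st_mode", "st_nlink", "st_size", "st_mtime", "sha256")


def _entry(path):
    """Collect attributes for one path; regular files are hashed."""
    st = os.lstat(path)
    rec = {"st_mode": st.st_mode, "st_nlink": st.st_nlink,
           "st_size": st.st_size, "st_mtime": int(st.st_mtime),
           "sha256": None}
    if os.path.isfile(path) and not os.path.islink(path):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        # base64 rendering, as Tripwire prints signatures without -x
        rec["sha256"] = base64.b64encode(h.digest()).decode()
    return rec


def generate_database(root):
    """Database Generation mode: record root and everything beneath it."""
    db = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        db[dirpath] = _entry(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            db[path] = _entry(path)
    return db


def integrity_check(db, root, ignore=()):
    """Integrity Checking mode: rebuild the database and compare it to db.

    `ignore` names attributes whose changes are discarded, the way the
    select-flags in tw.config (or -loosedir) suppress reporting.  Returns
    (added, deleted, changed); changed maps a path to {attr: (expected,
    observed)} for the attributes that still differ after the rules.
    """
    current = generate_database(root)
    added = sorted(set(current) - set(db))
    deleted = sorted(set(db) - set(current))
    changed = {}
    for path in sorted(set(db) & set(current)):
        diffs = {a: (db[path][a], current[path][a]) for a in ATTRS
                 if a not in ignore and db[path][a] != current[path][a]}
        if diffs:
            changed[path] = diffs
    return added, deleted, changed


def update_database(db, paths):
    """Database Update mode: refresh only the named paths.

    A file refreshes its own entry, a directory refreshes itself and all
    of its children, and a path that no longer exists leaves the database.
    """
    new_db = dict(db)
    for target in paths:
        if os.path.isdir(target):
            stale = [p for p in new_db
                     if p == target or p.startswith(target + os.sep)]
            for p in stale:
                del new_db[p]
            new_db.update(generate_database(target))
        elif os.path.lexists(target):
            new_db[target] = _entry(target)
        else:
            new_db.pop(target, None)
    return new_db


def demo():
    """Constructed walk-through: initialize, tamper, check, update, re-check."""
    with tempfile.TemporaryDirectory() as root:
        a, b, c = (os.path.join(root, n) for n in ("a.txt", "b.txt", "c.txt"))
        with open(a, "w") as f:
            f.write("alpha\n")
        with open(b, "w") as f:
            f.write("beta\n")
        db = generate_database(root)                # like: tripwire -initialize
        with open(a, "a") as f:
            f.write("# appended\n")                 # tamper with a.txt
        os.remove(b)                                # delete b.txt
        with open(c, "w") as f:
            f.write("gamma\n")                      # add c.txt
        added, deleted, changed = integrity_check(db, root)   # like: tripwire
        rel = lambda ps: [os.path.relpath(p, root) for p in ps]
        report = (rel(added), rel(deleted),
                  {os.path.relpath(p, root): d for p, d in changed.items()})
        # discarding size, mtime and signature changes hides the tampering
        loose = integrity_check(db, root, ignore=("st_size", "st_mtime", "sha256"))[2]
        db = update_database(db, [root])            # like: tripwire -update <root>
        clean = integrity_check(db, root)           # re-check against updated db
        return report, rel(loose), clean
```

Running demo() shows the same shape as the Phase 4 and Phase 5 output above: c.txt is added, b.txt is deleted, a.txt is changed with its expected and observed st_size and signature side by side, and after the directory is updated the re-check reports nothing. The `loose` result makes the -loosedir caveat concrete: once size, mtime and signature changes are discarded by the rules, the appended line in a.txt is no longer reported at all.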
INTERACTIVE UPDATE MODE
tripwire Interactive Update mode produces output that is
very similar to the output from Integrity Checking mode (see
example, above). However, for each addition, deletion, or
change detected during an integrity check, the user is given
the option to update the database information for the
corresponding file or directory.
Possible responses are ``y'', ``n'', ``Y'', or ``N''. The
first two responses are simply ``yes, update the specified
file or directory'' and ``no, don't update the file or
directory'', respectively. Answering ``Y'' updates the
specified file or directory and all other files or
directories that share the same entry in the tw.config file.
For example, if ``Y'' were answered for /etc, then all the
files generated by the /etc entry will also be updated.
Answering ``N'' will suppress updating for all files and
directories corresponding to the specified entry.
A Tripwire session running in Interactive Update mode might
look like:
3:34pm (flounder) tw/src 5 %%% tripwire -interactive
### Phase 1: Reading configuration file
### Phase 2: Generating file list
### Phase 3: Creating file information database
### Phase 4: Searching for inconsistencies
###
### Total files scanned: 49
### Files added: 0
### Files deleted: 0
### Files changed: 49
###
### After applying rules:
### Changes discarded: 48
### Changes remaining: 1
###
changed: -rw------- 7893 May 5 15:30:37 1993 /homes/research/tw/src/databases/tw.db_flounder.Eng.Sun.COM.old
### Phase 5: Generating observed/expected pairs for changed files
###
### Attr        Observed (what it is)         Expected (what it should be)
### =========== ============================= =============================
/homes/research/tw/src/databases/tw.db_flounder.Eng.Sun.COM.old
     st_mtime: Wed May  5 15:30:37 1993      Wed May  5 15:24:09 1993
     st_ctime: Wed May  5 15:30:37 1993      Wed May  5 15:24:09 1993
---> File: '/homes/research/tw/src/databases/tw.db_flounder.Eng.Sun.COM.old'
---> Update entry? [YN(y)nh?] y
### Updating database...
###
### Phase 1: Reading configuration file
### Phase 2: Generating file list
### Phase 3: Updating file information database
### Phase 3: Updating file information database
###
### Old database file will be moved to `tw.db_barnum.cs.purdue.edu.old'
### in ./databases.
###
### Updated database will be stored in './databases/tw.db_barnum.cs.purdue.edu'
### (Tripwire expects it to be moved to '/tmp/'.)
###
3:34pm (flounder) tw/src 6 %%%
DIAGNOSTICS
Tripwire's exit status is 1 for any error condition.
Otherwise, the exit status is the bitwise OR of the
following: 2 for files added, 4 for files deleted, and 8
for files changed. For instance, if Tripwire exits with
status code 10, then files were added and changed (8 + 2 =
10).
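A wrapper that runs tripwire from cron needs to tell the error status apart from the bit-field above, and should not misread a status it has no documentation for. The following is an added example, not part of the tripwire distribution; run_check assumes a tripwire binary is on PATH and that -q output is wanted, and the constant and function names are this example's own.

```python
"""Decode tripwire's exit status for use in a cron or batch wrapper.

Added example, not from the tripwire distribution; run_check assumes a
tripwire binary is on PATH.
"""
import subprocess

ERROR = 1                          # any error condition
ADDED, DELETED, CHANGED = 2, 4, 8  # OR'ed together on a successful run
FLAGS = ((ADDED, "added"), (DELETED, "deleted"), (CHANGED, "changed"))
MAX_STATUS = ADDED | DELETED | CHANGED   # 14: every condition at once


def decode_exit_status(code):
    """Return the set of conditions encoded in a tripwire exit status.

    0 means no differences.  1 means an error and carries no file
    information.  A negative code (killed by a signal), a code with the
    error bit set alongside other bits, or a code above 14 is not a
    documented status and is raised as a failure rather than quietly
    misread as "added" or "changed".
    """
    if code == 0:
        return set()
    if code < 0 or code & ERROR or code > MAX_STATUS:
        raise RuntimeError("tripwire error or undocumented exit status %d" % code)
    return {name for bit, name in FLAGS if code & bit}


def run_check(tripwire="tripwire", args=("-q",)):
    """Run an Integrity Check and return (conditions, report text).

    Not exercised by the example itself; it assumes `tripwire` is on PATH.
    """
    proc = subprocess.run([tripwire, *args], capture_output=True, text=True)
    return decode_exit_status(proc.returncode), proc.stdout
```

With this, a nightly job can treat any RuntimeError as "the check did not run" (which deserves attention in its own right, since a silently failing checker is indistinguishable from a clean system) and act on the returned set, for example paging only when "changed" or "deleted" is present.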
ENVIRONMENT
None.
BUGS
This manual page is not self-contained - users are referred
to the Tripwire design document designdoc.ps for more
information on the issues of integrity checking.
SEE ALSO
tw.config(5)
The Design and Implementation of Tripwire: A UNIX File
Integrity Checker by Gene Kim and Eugene Spafford. Purdue
Technical Report CSD-TR-93-071.
AUTHORS
Gene Kim
Tripwire Security Systems, Inc.
genek@tripwiresecurity.com
Eugene Spafford
Purdue University
spaf@cs.purdue.edu