tripwire full report
#3

SUBMITTED BY: Sanjeev kumar yadav

ABSTRACT
Tripwire is an intrusion detection system. It is a software tool that checks to see what has changed on your system. The program monitors the key attributes of files that should not change, including the size, binary signature, expected change of size, and other related important data. Tripwire is an open source program created to monitor changes in a key subset of files identified by the user and report on any changes in any of those files. When changes are detected, the system administrator can determine whether those changes occurred due to normal, permitted activity, or whether they were caused by a break-in. If the former, the administrator can update the system baseline to the new files. If the latter, then repair and recovery activity begins. Tripwire’s principle is simple enough. The system administrator identifies key files and causes Tripwire to record checksums for those files. The administrator also puts a cron job in place to scan those files at intervals (daily or more frequently), comparing them to the original checksums. Any changes, additions, or deletions are reported, so the proper action can be taken.
INTRODUCTION
Tripwire is a reliable intrusion detection system. It is a software tool that checks to see what has changed in your system. It mainly monitors the key attributes of your files; by key attributes we mean the binary signature, size and other related data. Security and operational stability must go hand in hand; if the user does not have control over the various operations taking place, then naturally the security of the system is also compromised. Tripwire has a powerful feature which pinpoints the changes that have taken place, notifies the administrator of these changes, determines the nature of the changes and provides you with the information you need for deciding how to manage the change.
Tripwire Integrity management solutions monitor changes to vital system and configuration files. Any changes that occur are compared to a snapshot of the established good baseline. The software detects the changes, notifies the staff and enables rapid recovery and remedy for changes. All Tripwire installations can be centrally managed. Tripwire software’s cross-platform functionality enables you to manage thousands of devices across your infrastructure.
Security not only means protecting your system against various attacks but also means taking quick and decisive action when your system is attacked. First of all, we must find out whether our system is attacked or not; earlier, system logs were certainly handy. You can see evidence of password guessing and other suspicious activities. Logs are ideal for tracing the steps of the cracker as he tries to penetrate into the system. But who has the time and the patience to examine the logs on a daily basis?
Penetration usually involves a change of some kind, like a new port being opened or a new service. The most common change you can see is that a file has changed. If you can identify the key subsets of these files and monitor them on a daily basis, then we will be able to detect whether any intrusion took place. Tripwire is an open source program created to monitor the changes in a key subset of files identified by the user and report on any changes in any of those files. When changes are detected, the system administrator is informed. Tripwire’s principle is very simple: the system administrator identifies key files and causes Tripwire to record checksums for those files. He also puts in place a cron job, whose job is to scan those files at regular intervals (daily or more frequently), comparing them to the original checksums. Any changes, additions or deletions are reported to the administrator. The administrator will be able to determine whether the changes were permitted or unauthorized changes. If it was the former case, then the database will be updated so that in future the same violation wouldn’t be repeated. In the latter case, proper recovery action would be taken immediately.
Motivation
A cautionary tale

Ellen runs a network of 50 networked Unix computers representing nearly a dozen vendors – from PCs running Xenix to a Cray running Unicos. This morning, when she logged in to her workstation, Ellen was a bit surprised when the “lastlog” message indicated that “root” had logged into the system at 3 am. Ellen thought she was the only one with the root password. Needless to say, this was not something Ellen was happy to see. A bit more investigation revealed that someone – certainly not Ellen – had logged on as "root," not only on her machine but also on several other machines in her company. Unfortunately, the intruder deleted all the accounting and audit files just before logging out of each machine. Ellen suspects that the intruder (or intruders) ran the compiler and editor on several of the machines. Being concerned about security, Ellen is worried that the intruder may have thus changed one or more system files, thus enabling future unauthorized access as well as compromising sensitive information. How can she tell which files have been altered without restoring each system from backups? Poor Ellen is faced with one of the most tedious and frustrating jobs a system administrator can have – determining which, if any, files and programs have been altered without authorization. File modifications may occur in a number of ways: an intruder, an authorized user violating local policy or controls, or even the rare piece of malicious code altering system executables as others are run. It might even be the case that some system hardware or software is silently corrupting vital system data.
In each of these situations, the problem is not so much knowing that things might have been changed; rather, the problem is verifying exactly which files – out of tens of thousands of files in dozens of gigabytes of disk on dozens of different architectures – might have been changed. Not only is it necessary to examine every one of these files, but it is also necessary to examine directory information as well. Ellen will need to check for deleted or added files, too. With so many different systems and files, how is Ellen going to manage the situation? This scenario could prove tedious and labor intensive for even the most well-prepared system administrator (yes, even Ellen). Consider the problems with simple check listing schemes: