topic Re: Open Source Tripwire now available on HPUX Internet Express 7.0 in Operating System - HP-UX

Open Source Tripwire now available on HPUX Internet Express 7.0

Pierre Pasturel — Thu, 06 Jul 2006 14:43:03 GMT

Read Before Installing (RBI)
http://docs.hp.com/en/internet.html#Internet%20Express

11iv
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1111

11iv2
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1123

The RBI mentions you must install PHSS_28871 in order for tripwire to work.

We would like to gauge customer demand for an HP fully supported file integrity checker.

Re: Open Source Tripwire now available on HPUX Internet Express 7.0

Steven E. Protter — Thu, 06 Jul 2006 15:54:24 GMT

Pierre,

If I had anything to say about it, I'd put in every machine. It is a great tool.

Customer demand will be high. Lots of people try to get it to work.

SEP

Re: Open Source Tripwire now available on HPUX Internet Express 7.0

Rick Garland — Thu, 06 Jul 2006 16:10:54 GMT

Lots of questions in these forums about how to do something like tripwire.

A very worthwhile tool!

Everybody, this is a "gotta have it" utility.

Re: Open Source Tripwire now available on HPUX Internet Express 7.0

A. Clay Stephenson — Thu, 06 Jul 2006 17:13:08 GMT

Excellent! This will save me the trouble of having to do the builds from source.

Re: Open Source Tripwire now available on HPUX Internet Express 7.0

paolo barila — Fri, 10 Nov 2006 12:14:56 GMT

Hi,
anybody has a sample policy file for hp-ux 11.11 to share?

Re: Open Source Tripwire now available on HPUX Internet Express 7.0

Victor BERRIDGE — Fri, 10 Nov 2006 12:21:00 GMT

Really Good news!!
Many thanks

All the best
Victor

Re: Open Source Tripwire now available on HPUX Internet Express 7.0

Geoff Wild — Fri, 10 Nov 2006 13:30:04 GMT

That is great - that means I don't have to buy anymore licenses for the commercial version.

Question thogh - what is different between the commercial and open source one?

Rgds...Geoff

Re: Open Source Tripwire now available on HPUX Internet Express 7.0

Bill Hassell — Fri, 10 Nov 2006 18:43:04 GMT

There is one tool that has been conspicuously absent from Internet Express:

lsof

Since fuser is hopelessly broken, it seems like a very useful candidate for this package. For example:

fuser /opt
lsof /opt

Re: Open Source Tripwire now available on HPUX Internet Express 7.0

Alzhy — Fri, 10 Nov 2006 21:49:56 GMT

What does Tripwire do?

Planning very soon to use HIDS... essentially to monitor changes to configuration files and direcotories. Is Tripwire better than HIDS or are they vastly different?

Re: Open Source Tripwire now available on HPUX Internet Express 7.0

Pierre Pasturel — Mon, 13 Nov 2006 15:03:48 GMT

Hi Nelson -

File integrity checkers (like tripwire), HIDS, NIDS. HIPS, and NIPS and other security solutions all complement each other. You can find some useful definitions at: http://www.networkintrusion.co.uk/ids.htm

I think Tripwire's CTO's posting that you can find at http://archives.neohapsis.com/archives/sf/ids/2000-q4/0071.html provides a good summary of what file integrity checkers like tripwire and host intrusion detection systems like HIDS can do:

"To roll up in one sentence, I view IDS as early warning detection, and integrity as damage assessment and recovery. I use both, because both are essential."

As a simplification, within host intrusion detection, there are two main classes of HIDS (anomaly detection & misuse detection). The problem is that those words can mean different things to different people. Our
HPUX HIDS could be seen as doing both anomaly detection (we can flag things that don't normally happen) and misuse detection (we detect things like unauthorized file modifications or unauthorized access
attempts, such as repeated failed logins/su attempts to become a privileged user). But we don't do system or application profiling, so we can't call ourselves a true anomaly detector.

We take the approach of monitoring for attempts to exploit certain Unix vulnerabilities. See http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-HIDS#threats_monitored for the list.

Here is how I would break them down:

Tripwire
- Runs in batch mode (e.g., typically daily runs, more frequently for small set of critical files)
- Establishes a known "good" state (requires persistent database)
- Discovers state changes (changes in file contents and in file attributes)
- Rollback feature: provides mechanism to either manually or automatically recover from undesired file changes and restore files back to known "good" state.
- Open source version (but no rollback feature, no central management, basic reporting)
- Commercial version (Server/Enterprise Tripwire) (has central management,
rollback/change control, GUI, Enterprise version supports network devices). See http://www.tripwire.com/products/enterprise/ost/

HPUX Host IDS
- Real-time detection, not batch mode
- Detects the exploitation of certain vulnerabilities, not just file modification
- Unauthorized File Modification (critical files, log files, non-owned files)
- Creation of privileged files (setuid and privileged world-writable files)
- Poorly written privileged programs (buffer overflow, race condition)
- Weak password and/or unauthorized access (logins/logouts)
- Password Guessing (failed logins, failed su attempts)
- Does not perform real-time file integrity checks due to performance impact of frequently calculating file content signatures on either a large number of files and/or large-sized files. Does detect file creations, deletions and truncations in real-time.
- Complements Tripwire by providing early detection/warning
- Can detect signs of attack as the attack is unfolding (e.g., detects when critical file opened for modification before file is modified)
- OpenView Operations (OVO) integration by providing HIDS SPI from free download gallery.
- Supports response framework for customized responses to alerts (e.g., forward alerts by email, kill offending process, restore file to good state, integration with other management solutions)
- Comes with preconfigured surveillance schedules for out-of-the-box detection
- Supported by HP
- Free download

Pierre

Re: Open Source Tripwire now available on HPUX Internet Express 7.0

paolo barila — Tue, 14 Nov 2006 04:11:48 GMT

Hi pierre,
do you have a TRIPWIRE sample policy file for hp-ux 11.11 to share with us?