
A poor-man Tripwire-like system on Windows 9x/NT
by Floydman


Bachelor in Computer Sciences
[email protected]
August 2nd, 2000

Updated: August 14th, 2000: I got some feedback, and this called for an update. First, some of the questions raised in the first version have been answered by InstallWatch's author Gavin Stark, and I modified the chapters accordingly, either by putting a note or by removing the questions because they were irrelevant to this paper. I also added 2 appendices. Appendix A is more information about InstallWatch as I got it from Gavin Stark/Epsilon Software. Appendix B is about Harlan Carvey's Perl Page, in which we can find, amongst other things, a Tripwire implementation in Perl.

You can distribute this document freely, as long as no changes are made to the file and no one else claims credit for it. All comments and suggestions about the material presented here should be directed at [email protected]. If future versions of this document include add-ons coming from people other than me, then proper credit to the various authors will be clearly identified. All version updates of this document are to be released by me.

You can find it online at http://www.geocities.com/floydian_99/

Abstract

The goal of this paper is to present a simple and low-cost way to implement Tripwire-like capabilities on a Microsoft Windows 95/98/NT/2000/* machine.

Preface

In my quest for better knowledge in the computer security field, I came across a paper discussing the software Tripwire, then for Unix only but now available for NT as well. For those who have never heard of Tripwire, it is a system integrity checker: it detects whether your system has been tampered with by comparing the current state of the files on your machine against a "snapshot" taken earlier, when the system was considered 100% clean (preferably at installation time, before the machine is put on the network). If something has changed that you did not change yourself, chances are that some cracker/script kiddie has compromised your system, and what you are seeing are the backdoors and other things they left behind for themselves. People who have read my previous paper "Virus protection in a Microsoft Windows network, or How to stand a chance" know my love for batch files. It quickly came to my mind that I could probably do something similar with some kind of batch files, and have it for free too! But then again, I also stumbled on another piece of software (freeware) that would spare me the trouble and have a GUI too, all at the same price.
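The snapshot-then-compare idea described above, as an added example: this is not the paper's batch-file method, not InstallWatch, and not Tripwire's own code or database format. It is written in Python rather than batch so that it runs unchanged on any platform. The JSON baseline file, the choice of SHA-256 as the file hash, the `init`/`check` command names and the sample paths in the demo are assumptions of this example.

```python
"""Minimal Tripwire-style integrity checker (added example, not the paper's code).

Assumptions: every regular file under ROOT is fingerprinted by size, mtime and
SHA-256; the baseline is stored as JSON. Symbolic links are skipped.
"""
import hashlib
import json
import os
from pathlib import Path


def _fingerprint(path: Path) -> dict:
    """Record the attributes that reveal tampering: size, mtime and a SHA-256 hash."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}


def snapshot(root: str) -> dict:
    """Walk ROOT and fingerprint every regular file, keyed by path relative to ROOT."""
    root_path = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # links and special files are not hashed
            result[p.relative_to(root_path).as_posix()] = _fingerprint(p)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed, modified (hash differs) or merely touched.

    A changed mtime with an unchanged hash is listed separately as "touched":
    on its own it is not proof of tampering. A replaced file whose size and
    timestamp were restored by the intruder is still caught, because the hash
    is what decides "modified".
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified, touched = [], []
    for rel in sorted(set(baseline) & set(current)):
        if baseline[rel]["sha256"] != current[rel]["sha256"]:
            modified.append(rel)
        elif baseline[rel]["mtime"] != current[rel]["mtime"]:
            touched.append(rel)
    return {"added": added, "removed": removed, "modified": modified, "touched": touched}


def save_baseline(snap: dict, path: str) -> None:
    """Write the baseline as JSON (assumed format; Tripwire uses its own database)."""
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


if __name__ == "__main__":
    import sys
    # Assumed command names: "init" builds the baseline, "check" compares against it.
    if len(sys.argv) != 4 or sys.argv[1] not in ("init", "check"):
        sys.exit("usage: integrity.py init|check ROOT BASELINE.json")
    mode, root, baseline_file = sys.argv[1:]
    if mode == "init":
        save_baseline(snapshot(root), baseline_file)
    else:
        report = compare(load_baseline(baseline_file), snapshot(root))
        for kind, paths in report.items():
            for rel in paths:
                print(f"{kind}: {rel}")
```

Two caveats a practitioner would want: the baseline file must be kept where an intruder cannot rewrite it (read-only media or a machine they cannot reach), or the comparison proves nothing; and the check should be run from a trusted copy of the interpreter and the script, since a compromised host can lie to any checker that runs on it.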

Disclaimer

I have never used any Tripwire software on any platform. I gathered my knowledge of Tripwire by reading documentation found on the Internet. I am stating this for two reasons: 1) Tripwire could have some features that I have not heard about and that may not be covered in this paper; 2) I have no idea of the Tripwire interface and/or command line options, and the solution covered in this paper may (or may not) be quite different from the actual Tripwire interface.

Targeted audience

This document is presented to anyone who has interests in computer security, network administration, intrusion detection and computing in general.

Table of contents

1. A little bit about Tripwire
2. A little bit about InstallWatch
3. Same thing, but a different way
4. The experiment
5. The pros...
6. And cons
7. In conclusion
Appendix A. A little bit more about InstallWatch
Appendix B. A lot of Perls

