Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
GNU is Not Unix

Tripwire Going GPL 52

Johnath writes: "Maybe it's a little early to break out the party hats, but after noticing that a new version of Tripwire had been released, I checked up on their site and noticed they are going to open source it. Supposed to open it up this fall, and under the GPL no less." There are a lot of people who swear by Tripwire, it'll be nice to see this come to fruition. One thing that's odd - This only applies to Tripwire for Linux.
This discussion has been archived. No new comments can be posted.

Tripwire Going GPL

Comments Filter:
  • A few points:
    • There are already free tools like aide [cs.tut.fi] that do the same job tripwire does. I don't have personal experience with any of them, so I cannot vouch for their quality, but I've heard good things about aide.
    • Tripwire cannot be open source for linux alone. Either it is open source, in which case it follows the rules of the open source definition [opensource.org], including rule 8, "License Must Not Be Specific to a Product." or, it is not open source at all. Of course, they are welcome to release a version of tripwire that only works in linux, and license it under the GPL -- but then any hacker may go make it work on another OS without violating that copyright.

  • ...that if they GPL it, it will be ported to everything from palm-pilot to PDP11, and every OS from VMS to EPOC?
  • Merci, j'ai eu faime.
  • I don't know if you remember but there had been a security competition between Linux and Windows 2000.

    I think you are referring to the old ZDNet test. I cannot find references to the article, but ZDNet admitted themselves that the test was unfair.

    I think the main complaint was an absence of parity between the two platforms. On one hand, NT had the five service packs applied, which are IMHO fraught with more difficulties to install than rpm'ing 21 patches. MS's service packs are renown for breaking other things from previous packs, and are usually released a long time after the bugs they fix are identified.

    I really wouldn't have a problem with this at all, if ZDNet hadn't made the blanket conclusion that NT was easier to secure. That's an overwhelmingly ignorant statement to make.
  • <sarcasm>Hey, what can I say... when you're good, you're good!</sarcasm>

  • Apparently tripwire can be defeated by a cleverly coded kernel module. What'd really be handy would be if tripwire would write its data to a bootable CD filesystem. You'd have to reboot your PC to check for intrusions, but I'd think that'd be much harder to defeat.
  • As for the dual-platform thing, I don't think it's possible (and certainly thing it *shouldn't* be possible) to call it open-source if you're discriminating against users of a particular platform. It is possible to "discriminate" and still be open source. You just have to be specific. In this particular case, Tripwire is not open source. Tripwire for Linux is open source. There's a difference that needs to be specified, so that users know which one is open. As far as the "shouldn't be called open source," I would have to respectfully disagree with you. As long as you make it clear that you are referring to the Linux version, it is open source software. The GPL makes provisions, too, for a vendor/author to publish his software under more than one license. Those other licenses don't necessarily have to be open-source licenses, and in fact they can be as non-open-source as any other commercial license out there. As long as the Linux and non-Linux versions are kept separate once it goes open source, there's nothing legally, morally, or ethically requiring them to restrict their licensing to a single, open source license.
  • Of course, on your major servers, you *do* disable kernel modules, right?

    There's no need to have loadable modules on a server with sensitive information.
  • One of two things is going to happen here: Either they are not actually going to use the GPL, or they're going to find people creating derivative works of the Linux version to make GPL'd versions for Solaris, BSD, Windows...
    Christopher A. Bohn
  • Funny thing is that I reported this to Slashdot back when it was annouced (June 26th).
    Why was it that my post never made it through the garbage disposal unit we prefer to call Slashdot Editors?
  • What stops Dick from sharing his BSDL buddhafoo with Tom and Harry?
  • That having been said, these sorts of tools have quite commonly become *much* better by being open source utilities

    I don't mean to say that OSS is bad or anything, but I don't think your statement is necessarily substantiated.

    I went to a talk given by the Tripwire author, and half the talk was about his thoughts on how tripwire relates to open source. He made a couple points (I don't remember his whole talk, sorry, it was a very good one)...

    His first point was that, basically, they hadn't gotten a lot of help from the open source community (on the non-commercial version). There was one programmer who regularly sent in updates, and there were maybe 20-30 people who contributed from time to time, and then a few odd updates from other people. This was a very small percentage of the open source user base. He showed how much the opportunity cost was for openning the source. He then compared that to the price of paying his own programmers to fix bugs. He found (in his case, so this doesn't necessarily apply to anything else) that it was cheaper to keep it closed, and more bugs were found by the paid programmers. And it wasn't for lack of an audience, OSS tripwire is pretty dang popular. His opinion was that OSS lets more eyes see it, but those eyes weren't very productive, even given that not every OSS tripwire user is a coder.

    Secondly, he didn't wanna piss the linux people off.

    Guess which point won out?

  • "One thing that's odd - This only applies to Tripwire for Linux."

    That's kinda pointless, once you release the source (w/ GPL) it will only be hours, maybe days until it's ported to all popular platforms.
  • (plug)
    try sentinel..i released it a while back and its got an rpm based install. http://zurk.sourceforge.net or freshmeat.
  • I believe that it's tripWire.org [tripwire.org], I get a "No DNS Entry" error for tripFire.


    Louis Wu

    Thinking is one of hardest types of work.

  • Minitel had some interesting features, but it was never as good as the Internet

    Comparing Minitel to the Internet is like comparing "apples" to "oranges". Minitel is an integrated services network, whereas Internet is a simple computer network.

    That's why I was specific in my comparison: it is Minitel Vs the WWW. And the WWW is much newer thing than Minitel.

    As for the rest of your nonsense with regards to France, I wonder how someone who reads /. and considers himself an intellectual can be so close-mined: you have read history and you know that Empires have risen and fallen and then risen again etc. And yet you do not have even the slightest doubt that France's time is over? Your short sightedness is incredible.

    Let me assure you that France is on the rise. Europe is on the rise with France in its heart. My intergalactic masters have spoken and their message is clear: prepare to be assimilated.
  • chroot - run command or interactive shell with special root directory
    At least according to man chroot.
    Chroot lets you change the apparent root directory. Suppose you boot your system from a floppy disk. Your hard drive is mounted at /mnt/hd or something like that.
    In order to work with your hard drive mounted on / (to fix LILO or something like that), you'd type:

    chroot /mnt/hd /bin/bash

    I hope this helps!

  • I agree with you that this was a violation. But they are not the only company to have ended up in a situation like this. And in the past, the FSF and co. have allowed companies to "make good" in some way rather than attacking them. Tripwire is going to "make good" by releasing the source, after having made an effort to do this other ways (by not statically linking anymore) and failing.

    I am willing to accept this as an overture of goodwill and further accept their explanation as completely plausible and most probable. Besides, now that they are releasing the Linux version under the GPL, as other posters pointed out, their livelihood is threatened, and they probably will make much less money on their product since the GPL'd version will find its way onto the platforms they have been charging money. So your little high school with Solaris can download from freshmeat and not worry anymore about licensing. Yeah.

    It is exactly this kind of attitude that holds Open Source and Linux back. Someone makes a program and releases it for Linux and are attacked for doing it. Then they release the license under Open Source (or in this case Free Software, I mean for crying out loud it is the GPL!) and the cry goes out "They suck! don't use their product!" and they get attacked for either a) using the wrong license b) releasing too late c) because someone feels like it.

    Is someone gong to be applauded for releasing Linux software soon, or for releasing their Intellectual Property (code) because if not I am starting to get sick, and certainly companies are going to start feeling that this Open Source thing was a Bad Plan, and a Fad, and stay far away from all the insanity and zealotry, safely esconsced in their closed-source, PHB-buys-us-anyway, corporate world while the Open Source/ Free Software community is left to code for itself, attack itself bitterly, and write their resumes on vi on Gnu Hurd.

  • Yeah, make the CD bootable and cold boot to it. That would be extremely difficult to defeat, though it would require a reboot to run the check, which you don't want to do often on a production server. As someone else pointed out, disabling kernel modules on a production server is also an excellent idea.
  • The fact that they are using ColdFusion to sell a SECURITY AND INTEGRITY software package does not ease my mind. ;-)

    More seriously, what is this going to do for me that I can't do with ipchains, tcpdump, and chmod o-w? Do it for me? That would be nice, especially if it's going to be free. However, it has been my experience in the past that adding yet another factor (software suite/daemon) to the security equation is the last thing you want to do.

    IMHO a system will never be truly safe unless it's unplugged from the wall. Even then you need at least one inept guard at the front door to watch over the physical hardware. I think the reason companies hire network and systems administrators is to make sure offsite backups happen every four hours, and that the permissions are set properly, and there are no security holes in the system software, etc.

    But again, on the other hand, if I'm running a network of servers that spans the country, or even the world, it would be nice to have a summary screen saying "Tom Cruise just stole the corporate NOC list. Please attend immediately." At that point, however, I think it would be reasonable for my parent company to spot me a grand or ten to purchase said software suite. No need for open source here.

    *sigh* Is it just me or do people not make sense sometimes? :-)

    (disclaimer: yes, I realize it's probably just me)


  • It's plain silly for them only to release a Linux version, ESPECIALLY if it's under the GPL. In 6 months there will be a port for Tripwire for every platform under the sun....
  • RMS is quoted on http://www.gnu.org/server/whatsnew.html [gnu.org] saying that Tripwire infringes the GPL:
    While it is a great day for the GNU project and hackers everwhere when such an excellent piece of security software has finally made the leap of faith to the free software family, I have certain reservations about the company behind it. They have been statically linking our binary sources with non-GPL source binaries proprietory.

    Abashed the Devil stood,
    And felt how awful goodness is
  • Tripwire is a security tool. That having been said, these sorts of tools have quite commonly become *much* better by being open source utilities, since there are definitely a lot of people running around on lists like Bugtraq who go into a positive frenzy over making security related patches. Tripwire is also one of the few integrity checkers that many people are familiar with using, and while a skilled system administrator who can code in C could probably come up with something very similar in a few weeks, it's not really all that feasible. Anywhere where this sort of integrity checking would be _demanded_ to ensure certain policy requirements, the system administrators are likely to not have the time necessary to develop such a tool (at least in most companies, time for R&D is pretty limited). GPL or no, it's these same companies that are most likely to be looking for a support contract for such a tool, because places that have policies requiring this level of attention to detail are also quite likely to have made it standard operation procedure to get support contracts for every possible piece of software they use, no matter how small. (This all falls under "assurance" guidelines by my book)

    GPLing this code will make it more friendly to the freelance security consultants, as well as those who aren't so freelance because now they'll have a chance to exercise their paranoia and examine the code themselves to see for sure that it's good and solid.

    ...not to mention that Tripwire has recieved a great deal of help from the hacking community in the way of pointing out potentially weak implementation methods, and generally just making things tidier.

    So I don't see making the code GPL making any serious dent in the company's profit model, especially with more companies starting to get used to being able to obtain support contracts for software they didn't have to actually pay anything for. It's only recently that you could even think of being able to obtain support contracts for software that wasn't backed by a company whose profit model was based on the sale of the software, which makes the whole trick of making certain there are experts that can be called on in a flash to help solve problems when something goes wrong highly improbable, if not impossible.

    I know it might sound silly trying to obtain a support contract for Tripwire, but at the last company I worked for, such a thing would not only be desired, but not too terribly hard to get upper management to sign off on. (For some reason the bigger a company gets, the less likely they are to want to trust the word of their own employees alone... but then again, that quickly falls under the umbrella of assurance in a good set of security policies.)
  • by Effugas ( 2378 ) on Saturday July 01, 2000 @05:16AM (#964552) Homepage
    Lemme tell you something.

    I'm really, really, really starting to like the concept of, at minimum, setuid binaries failing to execute unless they pass an MD5 test executed by the kernel before an execve().

    Microsoft is already working with signed drivers and signed packages, and SecureBSD(a new *BSD variant) is advertising binary hashing out-of-the-box. I'm curious what the rest of you think about the kernel attempting to rely on the trust imbued in the first version installed to authenticate future executions of that version.

    Best problem I can come up with is that a successful setuid hack could allow the root to reconfigure the kernel to ignore a specific file's changes...at that point, I'm thinking of some form of shared "setuid compile" secret that gets appended to the application for hash purposes...then, all apps get hashed as if they had the secret appended...come in as root and attempt to compile something such that it'll setuid, attempt to install into the kernel DB...and poof. You fail, because you're not consistent with the kernel hash secret.


    Yours Truly,

    Dan Kaminsky
    DoxPara Research
  • "MySQL, for example, is open-sourced under *nix, but is shareware under Windows."

    Impossible, out of date, and wrong. There never was an open-source MySQL apart from the one older GPL'd one-off, until a few days ago when the whole thing went GPL (quite sensibly). As for the dual-platform thing, I don't think it's possible (and certainly thing it *shouldn't* be possible) to call it open-source if you're discriminating against users of a particular platform.

    Me, I just installed and configured aide from source over the last couple of days - can't see what tripwire would give me over and above it, and I can actually go round sticking it on whatever machinery I want (because not only do I run linux, I run linux*PPC* as well...), without having to think about it.
    Of course, we wish tripwire well, but it's dubious whether they can pull off a 'market coup' (!) after the delay..
    .|` Clouds cross the black moonlight,

  • As for the dual-platform thing, I don't think it's possible (and certainly thing it *shouldn't* be possible) to call it open-source if you're discriminating against users of a particular platform.

    There's two issues here. The first is that is is certainly possible, legal, and very common to license the very same product (code, prose, movies, etc) under two or more differing licenses. The licensee is bound by whatever terms they agreed to, and not to the terms someone else may have agreed to. If I license buddhafoo_1.1 to Tom under the GPL, and to Dick under the BSDL, then Tom's use of buddhafoo_1.1 is bound by the GPL, and Dick's use is bound by the BSDL. Absolutely no conflict there.

    The second issue is basically aesthetic. Both the GPL and BSDL are considered open source licenses. But if I then license buddhafoo_1.1 to Harry under a proprietary license, do you still call buddhafoo an "open source" project? Tom and Dick still have open source licenses for buddhafoo_1.1, nothing has changed for them. Some would say "yes", others like you would say "no".

    The lesson here is that any project can have both open source and closed source incarnations.
  • by QuMa ( 19440 ) on Saturday July 01, 2000 @05:27AM (#964555)
    Why? If someone can replace your suids, they're root already. (righ? RIGHT???). And if for some re ason they felt the need to replace your suids, they could just replace your kernel image and reboot (ok, a bit tricky to do unnoticed), or start poking around in /dev/kmem etc. Or just load modules. Yes, all these things can be eliminated so that you need to reboot if you want to do anything (with securelevels or the current linux CAP-based equivalent), but still, what have you gained? Someone can't replace your suids when they're root. Big deal. Have a look at some of the linux-kernel@vger archives for more on this.
  • Here's a better translation:

    Other GPLed utilities such as AIDE do just as good of a job as Tripwire, and we're losing mindshare. This is just a pathetic attempt to stay relevant while our a$$ is getting kicked. Since nobody in their right mind would pay us when they can accomplish the same thing with GPL software, we have no other choice.

  • I've never understood what it is about Francophones. Everywhere they go they seem to think that they are the bee's knees--c.f. Quebec, France, Louisiana and a thousand former French protectorates. Must be something about the language:-)

    Minitel had some interesting features, but it was never as good as the Internet, which predated Minitel by over a decade. And I hate to say it, but London and New York will remain the financial centres of the world, with Silicon Valley and Germany doing just fine, thank you, in the technology end of things. France has a nice position in the world, but it will never be the `technological and financial centre.' It has its time: the entire Mediæval, Rennaisance and Early Modern periods. The mantle has passed.

  • by mr ( 88570 )
    And, if I have read the GPL correctly, you can not release a 'GPL Version for this platform only'

    Because, if you CAN restrict the GPL-ism to one platform only, then the source 'isn't free'.

    If they want to make the "linux" version free for "linux only" then they need their own licence.
  • Tripwire is used to defend from anything which can change files. chmod o-w does not work, because one can do a chmod o+w. Ipchains and tcpdump do no good because one can still sit in front of the machine. No system is secure; tripwire is used to detect when security has been breached.

    Do you know what it does? It calculates checksums for all files. These sums can then be stored on read-only media, such as a CD. Then a simple check is all that is nec. to detect modifications to system files.

  • Yes, I'd agree there's potential for the whole thing to be under a choice of licenses - but do you regard "Tripwire for Linux" as a separate *product* from "Tripwire"?

    /me doesn't like confusion.....
    .|` Clouds cross the black moonlight,
  • I know it might sound silly trying to obtain a support contract for Tripwire, but at the last company I worked for, such a thing would not only be desired, but not too terribly hard to get upper management to sign off on.

    Many times the IT department or its outsourced equivalent has Service Level Agreements; I know we do. They're 24/7, so we buy 24/7 support for everything we have. As networking and systems continue to rise in importance, I expect that we will really see a boom in the support market. OS/FS are poised to really take advantage of this.

  • One thing that's odd - This only applies to Tripwire for Linux.

    I don't understand that... the code is either GPLed or it isn't. If they GPL the source of the linux version, whtat's to stop anyone from porting & compling on another platform? Open source is not platform dependant...

    I was searching around on their site, and found something here [tripwire.org]:

    This license only applies to the currently distributed version of Linux 2.2.1 available from www.tripwire.com. It is offered here as a service to the Linux community, who may already be using Tripwire for Linux. This does not apply to the upcoming Open Source release which will use the GPL

    So, they just changed the current license on the downloadable linux version (not open source). That's the only thing I can find that only pertains only to linux. Does anyone see it explicitly mentioned on the site that the open source release is going to be "linux only" somehow?

  • I think what they are trying to do (as someone mentioned above) is consider tripwire for Linux a seperate product from the tripwire for other OS'ii. If this is the case, they only have to release the source for the "Linux Version" - but not from the "Other versions".

    Everyone agrees that they cannot restrict the use of the "Linux version source" that they release - it will be ported to everything under the sun, no doubt. BUT, they can chose NOT to release the source for the "other versions". Deal?

  • Look folks, Gene Kim, the primary author of the original version of TW is friend of mine. The other author, Gene Spafford, is my Ph.D. advisor. I've also met the CEO of Tripwire, the company. The reason that they were violating the LGPL was that they were having difficulty supporting all of the various libc versions found on Linux platforms.

    I think it took them quite a while to decide to just give away the Linux codebase via GPL, solving the problem this way. They knew they were hag problems with the GPL and they fixed it.

    This is why they are initially only GPL'ing the Linux codebase. It fixes their licensing problems. The upshot is that now we're free to port the Linux version back to all the other Unices.
  • Oh come on. If we keep on like that there is little reason for us to expect developers of commercial products to come to the Linux platform. Apparently the violation was in not allowing people to link tripwire to disparate versions, tripwire says they didn't let it happen because it didn't work. This means they were stealing code?

    Now they are releasing it under the GPL, and if you want it to work with your library version, your happy ass can hack away at the problem. These guys are developing a product and trying to make money for their efforts. The linux version has been beer free forever, anyway. So you expected them to continue to pour money into a product they can't make money on? Sheesh!

    Yeah, THEY'RE the evil ones....

  • Here's how it works. They have a number of versions of Tripwire, one for each OS. These versions are essentially separate products. They are releasing the Linux version with GPL so if you port it to Solaris, you don't have the Solaris version of Tripwire, you have the Linux version of Tripwire ported to Solaris. The GPL is still for the Linux version, just you mucked around with it so that it can also work on other OSes.
  • There have been many promises about this product and patches submitted and ideas submitted and although the product is a good one, I've heard people complain that they make lots of promises and don't keep them. I wouldn't hold my breath on this issue and I'll "believe it when I see it".

    - Serge Wroclawski
  • Here is an excellent article [unixtools.com] about computer security, and about UNIX systems in particular.

    This is a very complete list of security software [nih.gov] for UNIX machines.

    I was wondering about the changes to Tripwire, so I scrubbed the FAQ and found the following gem:

    Will the open source version of Linux Tripwire be as secure as other versions of Tripwire? Explain the risks and advantages for an open source security solution.

    An open source solution provides the user and the systems administrator the instructions that allow them to examine it for security holes, Trojan horses and trap doors. It provides an enhanced sense of security for those who would like to have the source code to examine.

    Corporate IT managers and security administrators use good judgment everyday by deploying best-of-breed security products. Good security policy dictates that one purchases software or downloads software from the actual security vendor's site and not from "spurious sites" on the Internet. By taking the appropriate steps to create a solid security framework, the security community and the users of Tripwire vastly reduce any risks of the code being modified intentionally for wrongdoing.


  • Okay... this is yet more support for Open Source that makes sense. Actually the only reason I say that is because people need to see what's going on in the code when they are using a package that is going to deal "sensitive" data or server monitoring. Good Choice...

    kicking some CAD is a good thing [cadfu.com]
    now palm-ready [cadfu.com]
  • From the tripwire site:
    Tripwire 2.2.1 for Linux ... In support of the open source community, Tripwire plans to release an open source version of this product this fall.

    We're a bunch of Linux geeks who don't like commercial software, and we know nobody we care about really gives a damn about our other products, so we're going to open source the important one. However, we like to buy toys and people who aren't running linux will still pay for our products, so this is the only thing we're releasing.
  • Sounds interesting. I have always had problems installing tripwire and getting it running. I'm sure if I just spent a little longer going through the docs I wouldn't have as bad a time, but they seem more onerous than many other programs (again, maybe I am crazy here, but this is as far as I recall anyway, it HAS been a few months since I've installed it on any boxen).

    The part where it's only becoming OSS for linux is sort of odd. What happens if somene contributes something really great for the linux version that can also be reused for another version and they want to use it? Would their hands be tied without making the new one OSS, or I guess they could ask the author if they could include the code without making it GPL?

  • by Effugas ( 2378 ) on Friday June 30, 2000 @11:18PM (#964572) Homepage
    Corporate IT managers and security administrators use good judgment everyday by deploying best-of-breed security products. Good security policy dictates that one purchases software or downloads software from the actual security vendor's site and not from "spurious sites" on the Internet.

    Actually, this isn't technically correct.

    They're essentially arguing that a "single point of failure increases security". In some practical senses, it does, because then attacks are always detected and have own group that owns stopping them. When the job is distributed, no single group can track the attacks.

    But ahhhh, no single group can independantly attack either. Consider the situation where you have ten previous versions "out there". Distributing the load of archiving old versions means that you can't infect old versions yourself, and that (assuming the source and two mirrors) any attack that hit only one site would be detected and "outvoted" by the other two--for past, present, and future revisions. Total control in the hands of the original authors does imply a single point of attack, trojanization, and hash coverup.

    Of course, the tools aren't available to cross check hashes against multiple sites...I'd love to see install-ssh retrieve ssh from one of ten sites, and then download hashes from two others. This changes the attack profile to within my perimeter(can spoof the content of all hosts) instead of from the central server's perimeter(which I have no control of.)

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
  • Actually, no -- both of those were already in my bookmarks. I just dusted them off because I felt they were relevant to this discussion.

  • Tripwire was originally released under what they referred to an Academic Source liscense. They have a history of providing source code to people using the products, so this isn't a suprising announcement.

    Of course there have been a number of significant improvements [tripwire.com] since they started selling a closed source version, and I'm glad they ditched that path in favor of a true OS release. Probably the most welcome addition from the version I currently use is the ability to customize object blocks for directory recursion and improved email reporting

    BTW, if you're interested in the Academic release it can still be downloaded here [tripwire.com], but now that 2.2.1 is available for Linux (Intel only) I really don't see the point unless you're on one of those other platforms ;)

  • Forget the money thing, it's irrelevant here, open sourcing this makes sense because of the quality boost that should be added to the product.

    This is exactly the kind of software that smart security-conscious people WILL audit and improve if it's OSS, so this has far more implications than "oh now your company doesn't have to pay for it"

  • First of all, I am a heavy tripwire user and have found it to be one of the best linux products there are on the market. But you have to understand what it does before you jump to conclusions. It doesnt stop intrusions, or even effect the intrusion. What it does is detect the intrusion and allow you (as the system administrator) to track and account for what has been done on the system since the last database update. Better yet, it works on multiple operating systems. Tripwire has alot of history with linux and that is probably the reason that it has remained "Free" (as in beer) over the years. They have added support for many OS's like Windows NT and Digital 64 as well. Of these, none of them are free except the linux version. Recently they introduced the "Management Console" which allows a tripwire system to be setup to manage multiple tripwire systems from one console. Thus you wont have the need to login to each system and take hours updating the tripwire database just to get information on your servers. This product is NOT FREE and costs about $7,000 US to buy it. Furthermore, the tripwire that they are allowing you to download does not support a TCP connection from another host to update its database. IE: you cannot use the management console with the free linux version. However, for around $250 (US) you can buy a TCP/IP enabled tripwire for linux that works very well with the console. Most likely the open source version of tripwire will be one down from the current version (which is what it is now from my understanding). Yes this sounds expensive especially when you are dealing with many servers, but when you have one of your customers/clients calling you and telling you theyre going to sue you because they dont feel you have been doing well on security, its worth it. BTW, no I dont work for tripwire, but I wish I did. heh
  • why not use already GPLed alternatives?
    these are completely free and GPLed:

    Fcheck [netscape.net] FCheck is an open source PERL script providing intrusion detection and policy enforcement of Windows 95/98/NT/3.x and Unix server administration through the use of comparative system snapshots.
    Aide [cs.tut.fi] AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire. It does the same things as the semi-free Tripwire and more.

  • Well, it's a frequently-followed path, and a wise one IMHO, to distribute the products under the same license as the OS they're written for.

    MySQL [mysql.com], for example, is open-sourced under *nix, but is shareware under Windows.

    While I agree that a lot of companies are certainly jumping on the "open-source bandwagon" and are only doing it for publicity and stock spikes, I don't think that this is one of them.


  • if you've gotta do it, at least do it right!!

    it's h8, not h8t,

    and I h8 anonymous morons.

    kicking some CAD is a good thing [cadfu.com]
    now palm-ready [cadfu.com]
  • by Anonymous Coward
    Tripwire security has been distributing Tripwire 2.2.1 *statically linked* with glibc for over 6 months now. As part of the LGPL requirements, the glibc section must remain modifiable. Tripwire has decided that this requirement should be "temporarily" wave-able and has not at any time honored requests for the object files to perform relinking against modified copies of the glibc. They *may* now accomplish a Q3 release which *might* be provided under the terms of the GPL. Regardless, I don't think anything can make up for the mockery of LGPL requirement enforcement over the majority of this year.

    Advanced Intrusion Detection Enviroment (AIDE) [cs.tut.fi] has been GPL from the beginning, provides most of the features in Tripwire with all of the features being planned for future versions. The AIDE team has never violated the GPL or LGPL and as such has never declaired that sections of the LGPL should be temporarily suspendable.

    The supposed Tripwire open source release announcement would be a big deal if Tripwire Security was honorable people. But the fact of the matter is these people don't have the slightest clue when they are informed that the GPL and LGPL are a list of *requirements*. They have spent the last 6 months going out of their way to *demostrate* on their website that they don't understand what the GPL or LGPL actually *is*. Hence, they may declair it is GPL'd and then make a legal brew-ha-ha over rights that they supposably provided.

    Be VERY careful when dealing with a company that has a 6 month history of violating the LGPL! Unless you have a *really* good lawyer, a company that decides to pick and choose what GPL or LGPL requirements actually apply can really screw you over bad. I would like to see a summery of the GPL and LGPL in Tripwire's own words to get a feel for how they interpret these licenses before I ever get daring enough to contribute.

    The AIDE team WILL NOT screw you over. They do not have the history of screwing over the glibc development team by ignoring redistribution licensing conditions. I'm not sure Tripwire is worth providing them a free peer review. AIDE is worth reviewing and contributing too.

Receiving a million dollars tax free will make you feel better than being flat broke and having a stomach ache. -- Dolph Sharp, "I'm O.K., You're Not So Hot"