The open source tool called Tripwire is a host-based intrusion detection system. It is not so much concerned with detecting intrusion attempts at the periphery of a computing system (as in Network intrusion detection systems), but rather looks for and reports on the resultant changes of state in the computing system under observation.

Intruders usually leave traces of their activities (change system state). Tripwire looks for these by monitoring key attributes of files that should not change, including binary signature, size, expected change of size, etc. - and reporting its findings. While useful for intrusion detection it can also be used for many other purposes such as integrity assurance, change management, policy compliance, and more.

Many techniques used for host-based intrusion detection were entirely or in part pioneered by Tripwire. In many senses recent efforts at managing security on computers, such as the Trusted Computing Group Trusted Platform Module are extensions of these ideas and techniques wrapped up in a piece of silicon that runs external to the CPU and is thus harder to crack.

Radmind goes beyond the general Tripwire by allowing you to reverse changes instead of only notifying the administrator. To fail tripwire means that something changed without the administrator's knowledge.

NAME

      ktcheck - verify and download command file and transcripts

SYNOPSIS

      ktcheck  [-inrV]  [  -q | -v  ]  [  -c checksum ] [ -K command-file ] [
      -h host ] [ -p port ] [ -w auth-level ] [ -x ca-pem-file ]  [  -y cert-
      pem-file ] [ -z private-key-file ]

DESCRIPTION

      ktcheck  verifies a client's command file with the radmind server host.
      The command file is downloaded from host if it is missing  or  has  the
      wrong  size.   With  the  -c  option, checksums are also used to verify
      files.

      Reading the command file line-by-line, ktcheck  verifies  each  command
      file  and  transcript listed, downloading it from host if it is missing
      or out of date.  ktcheck ignores blank lines and comments ( lines start-
      ing with '#' ).  Included command files are read are verified using the
      same method.

      Each special file listed in the command file is converted into a  tran-
      script  line  in special.T with information provided by host.  See rad-
      mind(8) for details of the STAT command.

      If checksumming is turned on, the special transcript is  verified  using
      the  checksum  and  file  size.  If either are wrong, the special tran-
      script is updated.  If checksumming is turned  off,  the  special  tran-
      script is always updated.

      Files  updated  by ktcheck must be regular files and the user must have
      access to modify them.

      When run with the -n option, ktcheck verifies but never  downloads  the
      command files or transcripts.  A tempory special.T is created for veri-
      fication and is removed on exit.

OPTIONS

      -c checksum        enables checksumming.

      -i                 force output line buffering.

      -h host            specifies the radmind server, by default radmind.

      -K command         specifies  a  command  file,  by  default  /var/rad-
                         mind/client/command.K.

      -n                 no files modified.

      -p port            specifies a port, by default 6662.

      -q                 suppress all messages.

      -r                 use  random  seed file $RANDFILE if that environment
                         variable  is   set,   $HOME/.rnd   otherwise.    See
                         RAND_load_file(3o).

      -V                 displays  the  version  of  ktcheck, a list  of sup-
                         ported checksumming algorithms in  descending  order
                         of preference and then exits.

      -v                 displays communication with the radmind server.

      -w auth-level      TLS  authorization level, by default 0.  0 = no TLS,
                         1 = server verification, 2 = server and client veri-
                         fication.

      -x ca-pem-file     Certificate   authority's   public  certificate,  by
                         default /var/radmind/cert/ca.pem.

      -y cert-pem-file   Client's public certificate,  by  default  /var/rad-
                         mind/cert/cert.pem.

      -z private-key-file
                         Client's   private   key,   by   default   /var/rad-
                         mind/cert/cert.pem.

FILES

      /var/radmind/client/command.K
                         name of the default command file.

      special.T          name of the special transcript.

EXIT STATUS

      The following exit values are returned:

      0    No differences were found.

      1    Differences were found.

      >1   An error occurred.

SEE ALSO

      fsdiff(1),  lapply(1),  lcksum(1),  lcreate(1),  lfdiff(1),  lmerge(1),
      twhich(1), radmind(8), RAND_load_file(3o).

The Radmind Assistant is a GUI app for Mac OS X.

As of Sept. 2, 2005, here is what is required to get the standard scripts installed with the Radmind Assistant 0.9.6 running under 10.4.x with iHook installed;

1. Issue the command;

sudo defaults write com.apple.loginwindow LogoutHook /etc/logout.hook

to create a link to the iHook logout hook - and if you want login by a 'radmind' local user to trigger a full RADMIND issue the command;

sudo defaults write com.apple.loginwindow LoginHook /etc/login.hook

to create the required links to the iHook login hook.

2. The /etc/radmind.defaults file currently supplied with Radmind Assistant 0.9.6 has 3 bugs...

a) Delete the last line that reads;

'exit 0'

b) Remove the 'switches' from the variables TLSLEVEL and SERVER;

To do this, go to the section labelled "radmind-specific defaults" in /etc/radmind.defaults

Edit the file at this point to read as follows for the first two variables;

TLSLEVEL="`defaults read $ra_domain tlslevel 2>/dev/null || echo ${TLSLEVEL} | awk '{ print $2 }'`"

previously;

TLSLEVEL="-w `defaults read $ra_domain tlslevel 2>/dev/null || echo ${TLSLEVEL} | awk '{ print $2 }'`"

and;

SERVER="`defaults read $ra_domain radmindhost 2>/dev/null || echo ${SERVER} | awk '{ print $2 }'`"

previously;

SERVER="-h `defaults read $ra_domain radmindhost 2>/dev/null || echo ${SERVER} | awk '{ print $2 }'`"

Several users have been confused by the comments at the head of the radmind.defaults file that refers to the fact that any edits to this file don't work if you are using the Radmind Assistant unless some 'defaults' setting is changed'. I don't think there has been full information provided on exactly what this means, especially as it doesn't seem to preclude things working.

Also - I originally tried getting things to work by changing the other references at the head of the file from AUTHLEVEL to TLSLEVEL, but in the end I changed them back again and it still worked.