----------------------------------------------------------------------------
                    Tripwire 2.2.1 for Unix Release Notes
                              January 2000
----------------------------------------------------------------------------

Copyright (C) 1998-2000 Tripwire (R) Security Systems, Inc.  
Tripwire (R) is a registered trademark of the Purdue Research Foundation and 
is licensed exclusively to Tripwire (R) Security Systems, Inc.

CONTENTS:

- Introduction
- Where to look for help
- Contacting Tripwire
- Known issues
- Differences from Tripwire ASR 1.3


Introduction
------------------------------------------------------------------------------

Welcome to Tripwire 2.2.1 for Unix, supporting Hewlett-Packard HP-UX 10.2 and 
11.0, IBM AIX 4.2 and 4.3 for RS/6000, Sun Solaris (Sparc and Intel) 2.6 and 
7.0, SGI Irix 6.5, Compaq Tru64 4.0, and Linux.  This document contains 
up-to-the-last-minute information on the known issues and behaviors of this 
release of Tripwire.  Please read this document carefully before installing 
Tripwire or reporting any bugs.

Additionally, we have included contact information for your benefit.  Please 
tell us about any bugs you find and also how you feel about our product.


Where to look for help
------------------------------------------------------------------------------

We recommend that you refer to the Policy File and Operations and Command 
Reference chapters of the User's Guide, as they can be especially helpful.  
Additionally, the Tripwire website may contain post-release information for 
this software.  The website is located at http://www.tripwiresecurity.com/.


Contacting Tripwire
------------------------------------------------------------------------------

If you wish to contact Tripwire Security Systems to report bugs or make
feature suggestions, we can be reached through one of the following methods:

EMail:   support@tripwiresecurity.com
Support Website:  http://www.tripwiresecurity.com/supintro.html

You are also encouraged to use the Tripwire mailing discussion groups.
Information on these groups may be found at:

http://www.tripwiresecurity.com/support/dgroups.html


Known Issues
------------------------------------------------------------------------------
- Linux is officially supported on RedHat 5.2 and 6.0.  Other distributions or
  versions of Linux are not officially supported, but basic functionality has
  been verified on RedHat 6.1, and various distributions of Debian, Caldera, 
  Open Linux, and SuSE systems using Linux kernel 2.0.36 or higher.

- Making modifications to an existing policy file requires the use of the 
  --update-policy mode of Tripwire.  This mode ensures that the database on 
  disk is internally consistent with the policy file.  Without it, ensuring 
  that no changes have been made to the filesystem between the last integrity 
  check and the policy file modification requires several steps: 
  disconnecting the machine from the network, running an integrity check, 
  updating the policy file and reinitializing the database.  The 
  --update-policy mode provides the same functionality and security in one 
  step.  See the Tripwire section of the Command Reference in the User 
  Manual for further information.

- Using 'twadmin --create-polfile' to update an existing policy file will 
  cause errors on the next integrity check if the database is not regenerated
  from scratch.  Errors will be generated for rules that have been added or
  modified from the policy file used to create the database.  However, rules
  that were removed from the policy file will generate no errors or warnings.
  Therefore, using '--secure-mode high' on an integrity check command line
  will not catch this inconsistency.  It is STRONGLY recommended that you use 
  'tripwire --update-policy' to keep the Tripwire database and policy file 
  in sync.  See the Tripwire section of the Command Reference in the User 
  Manual for further information.

- The CLOBBER setting in install.cfg applies to everything except 
  configuration and policy files.  These files, if present, will always be 
  backed up and recreated, to avoid the potential of leaving Tripwire in 
  a state where it cannot run.  If you have installed Tripwire over an 
  existing installation, and wish to keep your old policy and 
  configuration files, they can be recovered.  Use the twadmin command to
  print the old configuration and policy files (tw.cfg.bak and tw.pol.bak) 
  as text files and then re-encrypt them with the Tripwire 2.2.1 site key. 

- On AIX 4.2, man pages may be formatted incorrectly.  This is because the 
  "more" utility incorrectly handles the backspacing required by bold, 
  underline and similar nroff formatting commands.  To correct this problem, 
  try one of the following:

    man -M ../man tripwire | col -b | more

  or

    PAGER=/usr/bin/pg
    export PAGER

  (assumes Bourne shell or bash).

- Specifying a rule that includes both a hash attribute (C, M, S, or H) AND 
  the access timestamp attribute (a) is not recommended.  This will cause 
  every file that was scanned using the rule to show up as having changed 
  between scans.  This is because Tripwire currently does not reset the 
  access time attribute after accessing the file to obtain a hash value.  
  Thus the next scan shows every hashed file as having been accessed (by 
  Tripwire).

- Specifying a rule that monitors the access timestamp (a) will cause every
  directory recursed while scanning that rule to show up as having changed
  between scans.  This is because Tripwire does not reset the access time 
  attribute after enumerating the directory contents.  To avoid this 
  behavior, change the LOOSEDIRECTORYCHECKING value in the Tripwire 
  configuration file to true.  There are potential security implications of
  doing this, however [see the Configuration Reference section of the User
  Manual for more information].

- In the event that the umask is set such that files are created non-writeable
  by default, the editor launched in interactive integrity check and database
  update modes may be unable to save changes made to the report. If the editor
  is closed without saving the changes, Tripwire assumes that all items in the
  report should be updated, potentially including compromised data in the
  database. To exploit this vulnerability, an intruder would require a
  previously compromised account with write access to either the Tripwire
  administrator's account or the Tripwire binaries. To work around this issue,
  launch a shell from the editor (":shell" in vi), add user-write (chmod u+w
  <filename>) permissions to the temp file open in the editor, exit the shell
  and force a write to the file (":w!" in vi). To avoid this issue, make 
  certain that the umask does not contain the user-write bit (0200).

- CAUTION: Tripwire keyfiles are inextricably linked to their associated
  signed files.  Consequently, if you create a new keyfile and overwrite the
  pre-existing keyfile, all files signed with the original key become 
  unusable.

- When a folder or registry key is specified on the command line during a 
  Tripwire integrity check, Tripwire will *only* scan the specified object. It
  will not be recursed.  To scan and recurse through a specified object, that
  object must be a start point for a rule, and may be specified on the command
  line with the '--rule-name' parameter.  

- Tripwire has not been thoroughly tested on any 64-bit HP-UX platform.
  Although full binary compatibility is expected, the stability of the
  product is unknown, and cannot be guaranteed.

- When specifying filenames in the policy file, the inclusion of multiple 
  adjacent path delimiters in the filename may result in Tripwire being unable
  to locate or examine the file.  To avoid this issue, ensure that paths are
  specified using standard naming conventions, and that variables used as part
  of a path do not include a trailing or preceding path delimiter if one
  already exists adjacent to the variable.

- The default policy file contains a rule to verify the integrity of critical
  Tripwire components.  Because this includes the database, which must be 
  generated after the policy file, the first integrity check run after a
  default installation will report a violation that describes the database as
  "added".  This behavior is normal and benign, although somewhat unexpected.
  This issue can be avoided by initializing the database twice after 
  installation, or by creating a zero-length file with the same path and
  filename as the database before running Tripwire in database initialization
  mode.

- Due to limitations of the operating system, Tripwire is unable to scan files
  larger than 2 GB on the Unix platforms.  A non-fatal error will be
  generated upon attempts to access such files and Tripwire will be unable to
  retrieve some properties of these files, but operation will otherwise
  continue normally.

- For performance and security reasons, Tripwire now requires that the
  libCrun.so.1 from patches 106328-05 or later (Solaris 7.0), or 104678-04 or
  later (Solaris 2.6) be installed on Solaris Intel systems to remedy several
  issues with locale changes. These patches can be downloaded from
  http://www.rge.com/pub/systems/sun/patches/sunsolve/

- If the site keyfile specified in the config file differs from the key used 
  to create a report or database, twprint will be unable to print either of 
  these files since twprint does not support the "-S" argument with the 
  capacity to override the default site keyfile.  Twprint uses this argument
  strictly for validation of the data in the config file.

- It is strongly recommended that the /proc directory not be scanned with any
  Tripwire product.  Because /proc is a virtual filesystem, the files 
  contained therein may exhibit non-standard or unexpected behavior leading
  to conditions ranging from unclear error messages to a failure of the 
  Tripwire scan.

- On AIX systems, the 'man' manual page system may misinterpret dates after
  2000, causing the year to be displayed incorrectly as 100 in the page 
  footer of man pages.

- Email reports containing high-ASCII or multi-byte characters are now MIME
  encoded if either the SMTP or Sendmail email reporting methods are specified
  in the configuration file.

- On HP-UX systems, the tar command may silently fail to create files using
  the permissions in the tar file.  This can lead to keyfiles being writable
  by the owner instead of read-only as intended.

- If a filename is present that includes character 0x5C, the filesystem may
  fail to pass the filename to tripwire correctly, causing tripwire to falsely
  see the file as having been removed.  If the filename is passed on the
  command line, tripwire will be able to correctly interpret the filename.
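
The umask issue in the list above can be caught before an interactive
session starts. The following is an added example, not part of the Tripwire
distribution; the function names are hypothetical, and the wrapper only
clears the owner-write bit (0200) for the command it runs.

```sh
#!/bin/sh
# Added example: umask preflight for interactive Tripwire sessions.

# Succeeds (exit 0) when the octal umask given as $1 strips owner write
# (bit 0200) from newly created files; exit 2 for a non-octal argument.
umask_strips_owner_write() {
    case "$1" in
        ''|*[!0-7]*) return 2 ;;
    esac
    [ $(( 0$1 & 0200 )) -ne 0 ]
}

# Prints the umask given as $1 with only the owner-write bit cleared,
# leaving the group and other restrictions as they were.
clear_owner_write_bit() {
    case "$1" in
        ''|*[!0-7]*) return 2 ;;
    esac
    printf '%04o\n' $(( 0$1 & 0577 ))
}

# Hypothetical wrapper: runs "$@" in a subshell whose umask lets the owner
# write the files it creates, so the editor can save the report it is given.
# The caller's own umask is left untouched.
run_with_owner_writable_umask() {
    (
        current=$(umask)
        if umask_strips_owner_write "$current"; then
            fixed=$(clear_owner_write_bit "$current")
            echo "umask $current strips owner write; using $fixed" >&2
            umask "$fixed"
        fi
        "$@"
    )
}

# Typical use (not run here):
#   run_with_owner_writable_umask tripwire --check --interactive
```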

Differences from Tripwire ASR 1.3
------------------------------------------------------------------------------

Tripwire 2.2.1 is the latest commercial release of Tripwire, and is a complete
rewrite of the source code from the Academic Source Release (ASR) versions.
Furthermore, there are several significant enhancements to the original
features and functionality. These include but are not limited to:

- There is now a configuration file for storing run-time global Tripwire 
  variables.  This avoids reliance on some environment variables which 
  are easily compromised.

- Slight change in terminology:
    - Tripwire policy file replaces "tw.config".
    - Tripwire configuration file replaces compile-time options.

- More integrity checking options.
    - E-mail reporting.
    - Running rules based on severity levels or name.

- More secure file handling:
    - Cryptographically signed configuration, policy, and database files.
      These effectively eliminate the need for removable or read-only media
      to store these files and allow for automated, unattended use.  Please
      note, however, that these files are still susceptible to deletion and
      need to be backed up.
    - Optionally signed reports.

- The addition of the twadmin and twprint commands provides an interface to 
  Tripwire data files to handle updating, encryption management, and printing.

- The policy language has been altered and greatly enhanced.  It is
  recommended that ASR policy files be reviewed according to the new
  specifications and altered accordingly.  ASR policies and rules will 
  not function correctly under Tripwire 2.2.1 without modification.
    - Any rule now has a set of attributes that can be associated with it.
      For example, rule names, severity levels, e-mail reporting recipients,
      recursion behavior, etc.
    - Generalized grammar to handle future object monitoring.

- Tripwire 2.2.1 uses a different Base64 (RFC 2045) alphabet than Tripwire 1.3.
  As a result, signature values will appear to be different for the same file.
  For CRC32 hashes, Tripwire 2.2.1 fixes an error in the calculation of this
  value, and results will differ by their 'one's complement'.  Tripwire 2.2.1 
  now returns the same CRC32 value as the cksum utility.  However, all other 
  hash values are actually identical, but expressed differently.  Generating 
  signatures with hexadecimal (siggen -h) output will show the correct 
  identical values.

- Tripwire is Year 2000 (Y2K) compliant.
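
The CRC32 change described in the list above means a value recorded under
ASR 1.3 has to be complemented before it is compared with a 2.2.1 or cksum
value. The following is an added example, not part of the Tripwire
distribution; the function names are hypothetical, and it assumes the old
value is the exact 32-bit one's complement, as stated above.

```sh
#!/bin/sh
# Added example: reconcile CRC32 values recorded by ASR 1.3 with 2.2.1.

# Prints the CRC32 of file $1 as 8 lowercase hex digits, taken from the
# POSIX cksum utility, which Tripwire 2.2.1 is stated to agree with.
crc32_as_cksum() {
    out=$(cksum < "$1") || return 1
    printf '%08x\n' "${out%% *}"
}

# Prints the 32-bit one's complement of the hex value $1 (no 0x prefix).
# Leading zeros may be missing from $1; the output is always 8 digits.
ones_complement32() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    printf '%08x\n' $(( ~0x$1 & 0xFFFFFFFF ))
}

# Succeeds when the CRC32 recorded under ASR 1.3 ($1, hex) still describes
# the current contents of file $2; exit 1 on mismatch, 2 on bad input.
asr13_crc32_still_matches() {
    expected=$(ones_complement32 "$1") || return 2
    actual=$(crc32_as_cksum "$2") || return 2
    [ "$expected" = "$actual" ]
}
```

Only CRC32 needs this adjustment; the other hash values are identical once
both sides are printed in hexadecimal.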

Signatures for Tripwire 2.2.1 binaries
------------------------------------------------------------------------------

The following table lists siggen signature values for the Tripwire 2.2.1
executable files:
