Experience with Tripwire: Using Integrity Checkers for Intrusion Detection
by Gene H. Kim and Eugene H. Spafford
10/06
Presentation Outline
• Motivation for Tripwire
• Tripwire design
• Experiences
• Conclusion
Motivation - A Scary Story
• Ellen is system admin for a large network
• Ellen realizes someone has logged on as root on several machines
• Sneaky intruder deleted all accounting & auditing files before logging out
• Ellen’s concern:
– Did intruder leave a backdoor (for re-entry)?
– Was sensitive information compromised?
Security Policy - Integrity of Data
• Assure that file data (in permanent storage) are not altered except by those authorized to do so
• More precisely, assure that if a file is altered improperly, the alteration can be detected
Tripwire
• Gives system admins ability to monitor for added, deleted & modified files
• Checks for changes in file attributes, e.g.:
– size,
– access & modification timestamps,
– permissions,
– inode number,
– signature (more on signatures later)
Ellen’s Challenge
• How does Ellen determine which (if any!) files have been altered w/o authorization?
• Tens of thousands of files in dozens of gigabytes of disk on dozens of different architectures
• Ellen needs to examine every file as well as check for deleted or added files
Checking Techniques
• Established techniques: maintaining checklists, comparison copies, checksum records or backup tapes
• These methods are costly, prone to error and susceptible to easy spoofing
• Intruders w/ root privileges can alter checklists or compromise utilities (e.g. “ls”)
• Changes to a file can be made w/out changing its length or checksum!
Define Integrity of File Data
• Can we define a notion of the integrity of both data and the file structure (including directories) in which that data is stored?
• Define it as a set of characteristics
• Monitor change of those characteristics
• Tripwire system is said to “enforce the integrity of the file system” if unauthorized change to characteristics is detected
The Ideal Integrity Checker ...
• High level of automation
• Simple description of attributes of the file system that are monitored/checked
• Easy way to update database used to control monitoring - small changes shouldn’t require massive regeneration
• Automate regular checks (use UNIX scheduler, cron); allow manual checks
Ideal Integrity Checker cont.
• Generate output that’s easy to scan
• Allow specification of file system “exceptions” that are NOT reported
• Allow reuse and sharing of configuration files (for networks of lots of machines that differ only slightly)
Tripwire Program Inputs
• Configuration file (tw.config)
– list of files & directories to be monitored
– their associated selection mask (list attributes that can safely be ignored)
• Database file -- describes each “file” -- automatically generated
– set of file names, inode attribute values, signature info., associated tw.config entry
Selection Mask
• Flag for each distinct field in an inode
– + report change
– - ignore the field
• Example: +pinugsm12-a
– p permission and modes
– i inode number
– n number of links
– u user id
– g group id
– s size of the file
– m modification timestamp
– 1 signature 1
– 2 signature 2
– a access timestamp
Tripwire Component Overview (diagram)
• Inputs: tw.config file, files residing on system, old database
• generate: tw.config file + files residing on system → newly generated database
• compare: newly generated database vs. old database
• apply ignore-masks → Tripwire report
Database Initialization Mode
• Tripwire generates baseline database file based on tw.config
• tw.config indicates
– files to monitor
– files to ignore (e.g. no recursion below directory with name “DDD”)
– whether to ignore file size change (e.g. ignore increase in log files, but report decrease!!!)
Integrity Checking Mode
• Generate new database
• Compare new database with baseline db
• Produce report of added & deleted files
• Apply selection mask to modified files
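The selection mask, the database initialization mode and the integrity checking mode just described, as an added Python example (not Tripwire's own code). It assumes the st_* attribute names seen in the sample output, uses MD5 for sig1 and SHA-256 as a stand-in for Snefru (hashlib has no Snefru), and monitors a constructed temporary directory rather than a real system:

```python
import hashlib
import os
import shutil
import stat
import tempfile

# Selection-mask letters as on the slide (+pinugsm12-a) mapped to the
# database attribute each governs; the st_* names follow the sample output.
MASK_FIELDS = {
    "p": "st_mode", "i": "st_ino", "n": "st_nlink", "u": "st_uid",
    "g": "st_gid", "s": "st_size", "m": "st_mtime", "a": "st_atime",
    "1": "sig1", "2": "sig2",
}


def parse_mask(mask):
    """Return the set of attributes to report on: '+' switches fields on,
    '-' switches them off, and a sign stays in force until the next one."""
    report, sign = set(), "+"
    for ch in mask:
        if ch in "+-":
            sign = ch
        elif sign == "+":
            report.add(MASK_FIELDS[ch])
        else:
            report.discard(MASK_FIELDS[ch])
    return report


def signatures(path):
    # sig1 is MD5 as in Tripwire; sig2 uses SHA-256 as a stand-in for Snefru,
    # which hashlib does not provide (a substitution made for this example).
    with open(path, "rb") as f:
        data = f.read()
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def file_entry(path):
    """One database record: inode attributes plus signatures for regular files."""
    st = os.lstat(path)
    entry = {
        "st_mode": stat.S_IMODE(st.st_mode), "st_ino": st.st_ino,
        "st_nlink": st.st_nlink, "st_uid": st.st_uid, "st_gid": st.st_gid,
        "st_size": st.st_size, "st_mtime": st.st_mtime, "st_atime": st.st_atime,
    }
    if stat.S_ISREG(st.st_mode):
        entry["sig1"], entry["sig2"] = signatures(path)
    return entry


def generate_database(root):
    """Database initialization mode: walk root and record every entry."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = file_entry(full)
    return db


def integrity_check(old_db, new_db, mask):
    """Integrity checking mode: added/deleted come from the name sets, then
    the mask is applied to files present in both; 'changed' holds
    observed/expected pairs in the spirit of Phase 5 of the sample output."""
    report_on = parse_mask(mask)
    added = sorted(set(new_db) - set(old_db))
    deleted = sorted(set(old_db) - set(new_db))
    changed = {}
    for name in sorted(set(old_db) & set(new_db)):
        diffs = {}
        for attr in sorted(report_on):
            observed, expected = new_db[name].get(attr), old_db[name].get(attr)
            if observed != expected:
                diffs[attr] = (observed, expected)
        if diffs:
            changed[name] = diffs
    return {"added": added, "deleted": deleted, "changed": changed}


def demo():
    """Constructed scenario: baseline two files, then edit one without
    changing its length, delete one and add one, and re-check."""
    root = tempfile.mkdtemp()
    try:
        def put(name, text):
            with open(os.path.join(root, name), "w") as f:
                f.write(text)
        put("passwd", "root:x:0:0\n")
        put("motd", "welcome\n")
        baseline = generate_database(root)
        put("passwd", "root:x:1:0\n")     # same length, different content
        os.remove(os.path.join(root, "motd"))
        put("newfile", "x\n")
        return integrity_check(baseline, generate_database(root), "+pinugsm12-a")
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

The same-length edit to passwd is invisible to st_size but shows up in sig1 and sig2, which is the whole point of recording signatures rather than sizes; the access timestamp, switched off by "-a", never appears in the report even though reading the file for hashing touches it.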
Signature Support
• For each file – up to 10 signatures
• What’s a signature?
• Any pattern that “represents” the file
– By default, MD5 and Snefru signatures are recorded and checked for each file
Supported Platforms
• Windows NT, version 4.0
• Solaris (SPARC), versions 2.6, 7.0
• Solaris (Intel), versions 2.6, 7.0
• HP-UX, versions 10.20, 11.00
• IBM AIX, versions 4.2, 4.3
• SGI Irix, version 6.5
• Compaq TRU64 UNIX, version 4.0
• Linux
Sample Output
### Phase 1:   Reading configuration file
### Phase 2:   Generating file list
### Phase 3:   Creating file information database
### Phase 4:   Searching for inconsistencies
###
###                     Total files scanned:      5143
###                           Files added:        0
###                           Files deleted:      0
###                           Files changed:      5
###
###                     Total file violations:    5
Sample Output Cont.
changed: -rw-r--r-- root      3384 Jan 12 14:39:27 2000 /etc/dfs/dfstab
Phase 5: Generating observed/expected pairs for changed files

Attr           Observed (what it is)        Expected (what it should be)
/etc/dfs/dfstab
     st_size:  3384                         3623
    st_mtime:  Wed Jan 12 14:39:27 2004     Tue Dec 14 12:22:20 2003
    st_ctime:  Wed Jan 12 14:39:27 2004     Tue Dec 14 12:22:20 2003
  md5 (sig1):  3TZThlJJb5piwca4EHUnRy       2nGPSAY1loE5vlS.D1qhHL
snefru (sig2): 1uKAb7andEuQOzAyXnFcfR       0hl1UxAEzEILB8jXtDsx4G
Conclusion
• Portable
• Self-contained
• Adaptable to large and small sites
• Very restricted in what it sees -- only OS attribute changes of files
• It has no clue as to what users are actually doing!
The End
Templates
– read-only files: Only the access timestamp is ignored.
– log files: Changes to the file size, access and modification timestamp, and signatures are ignored.
– growing log files: Same flags as log files except increasing file sizes are ignored.
– ignore nothing
– ignore everything
Example tw.config
# file/dir        selection-mask
/etc              R         # all files under /etc
@@ifhost solaria.cs.purdue.edu
!/etc/lp                    # except for SVR4 printer logs
@@endif
/etc/passwd       R+12      # you can’t be too careful
/etc/mtab         L         # dynamic files
/etc/motd         L
/etc/utmp         L
=/var/tmp         R         # only the directory, not its contents
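A parser for the tw.config format shown above, including the @@ifhost/@@endif preprocessor, the "!" pruning prefix, the "=" directory-only prefix and template expansion such as R+12, as an added Python example that is not Tripwire's own code. The spellings of the R and L templates as masks are assumptions derived from the Templates slide, and the embedded config is the slide's example reproduced as constructed sample input:

```python
# Templates from the "Templates" slide written out as masks; the two letters
# are the ones used in the slide's example tw.config (assumed spellings).
TEMPLATES = {
    "R": "+pinugsm12-a",   # read-only: only the access timestamp is ignored
    "L": "+pinug-sam12",   # log files: size, atime, mtime and signatures ignored
}

# The slide's example, embedded here as constructed sample input.
EXAMPLE_CONFIG = """\
# file/dir        selection-mask
/etc              R         # all files under /etc
@@ifhost solaria.cs.purdue.edu
!/etc/lp                    # except for SVR4 printer logs
@@endif
/etc/passwd       R+12      # you can't be too careful
/etc/mtab         L         # dynamic files
/etc/motd         L
/etc/utmp         L
=/var/tmp         R         # only the directory, not its contents
"""


def preprocess(lines, hostname):
    """@@ifhost NAME ... @@endif keeps the enclosed lines only on NAME, so
    one config file can be shared by a network of slightly different hosts."""
    out, keep = [], [True]
    for line in lines:
        s = line.strip()
        if s.startswith("@@ifhost"):
            target = s.split(None, 1)[1].strip()
            keep.append(keep[-1] and target == hostname)
        elif s == "@@endif":
            if len(keep) == 1:
                raise ValueError("@@endif without matching @@ifhost")
            keep.pop()
        elif keep[-1]:
            out.append(line)
    if len(keep) != 1:
        raise ValueError("unterminated @@ifhost")
    return out


def expand_mask(spec):
    """'R+12' -> the R template followed by the extra flags '+12'."""
    if spec[0] in TEMPLATES:
        return TEMPLATES[spec[0]] + spec[1:]
    return spec


def parse_entries(lines):
    """'!' prefix prunes a path from monitoring; '=' monitors only the
    directory itself, not its contents."""
    entries = []
    for line in lines:
        body = line.split("#", 1)[0].strip()      # drop comments
        if not body:
            continue
        parts = body.split()
        path, spec = parts[0], (parts[1] if len(parts) > 1 else None)
        entry = {"path": path, "prune": False, "dir_only": False, "mask": None}
        if path.startswith("!"):
            entry.update(path=path[1:], prune=True)
        elif path.startswith("="):
            entry.update(path=path[1:], dir_only=True)
        if spec is not None:
            entry["mask"] = expand_mask(spec)
        entries.append(entry)
    return entries


def parse_tw_config(text, hostname):
    return parse_entries(preprocess(text.splitlines(), hostname))


def governing_entry(entries, path):
    """Longest-prefix match decides which entry covers a path. A pruned
    prefix means 'not monitored'; a '=' entry covers only the directory."""
    best = None
    for e in entries:
        p = e["path"]
        inside = path == p or path.startswith(p.rstrip("/") + "/")
        if not inside or (e["dir_only"] and path != p):
            continue
        if best is None or len(p) > len(best["path"]):
            best = e
    if best is None or best["prune"]:
        return None
    return best
```

Because the preprocessor runs before the entries are parsed, /etc/lp is pruned only on solaria.cs.purdue.edu; on any other host it simply inherits the /etc entry's read-only mask. Note that R+12 expands to "+pinugsm12-a+12": the trailing "+12" re-enables signatures that R already reports, which is why the slide's comment calls it extra caution rather than a change in behaviour.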
You use Tripwire for what?
• Many system admins. use Tripwire as a tool to enforce local policy - changes by one system admin. are noticed quickly by others
• Tripwire helps salvage file systems not completely repaired by fsck - the program that ensures consistency between file data and their inodes
– a file can be rebound to its original name by searching the database for a matching signature
Stealth-Tripwire
• Several system admins. have tried very hard to conceal their use of Tripwire and don’t run it through programs like cron
• Authors disagree - advertising the use of Tripwire (even if not true) could help avert attacks
Paranoia
• Tripwire is designed to run on a regular basis, such as daily
• Two reported cases of Tripwire being run hourly - not a good idea
• Good paranoia - “plant” files on the system, such as master-passwords, prime targets for intruders
Portability
• Tripwire reported to be running on 28 different UNIX platforms
• Only 8 example tw.config files necessary
• Authors receive requests to help system admins. compile Tripwire on machines they have never heard of - such as one only sold in Australia that came with incorrect system libraries
• Often, a group of system admins. with similarly “orphaned” machines will put
You Added WHAT to Tripwire?
• Authors received a report from a user who is adding support for Intel machines running UNIX to allow Tripwire to check mounted MSDOS file systems
Mega & Micro - Tripwire
• Many system administrators of large sites create one configuration file to be shared by all machines, using the @@ifhost directive to segregate non-common file groups
• A configuration file consisting solely of “/” has proved adequate for some system administrators of smaller sites
CS Dept. & Tripwire
• Tripwire runs on all essential servers every night
• Scripts were written to run Tripwire on all the various servers, gather the results, and send them by email to the system admins.
• Very usable out-of-the-box, took a staff member only 10 hours to set up
• Installed for 9 months - haven’t seen anything suspicious, Paco occasionally
Interactive Database Update
• Tripwire generates list of all changes (a la integrity checking mode)
• Tripwire asks system admin. to specify which entries to update in the database file
Database Update Mode
• Tripwire regenerates database entries for a list of files or configuration entries given on the command line
• Tripwire instructs system admin. to move new database to secure media
Configurability Aids
• Preprocessor support allows system admin. to write configuration files that support numerous configurations of machines
– Note: Machines that share a configuration file still generate their own database files
• Prefixes to the tw.config allow for pruning - a directory and/or its contents can be excluded from monitoring
Configurability Aids (Cont.)
• Example selection mask: +pinugsm12-a
– “Report changes in permission and modes, inode number, number of links, user id, group id, size of the file, modification timestamp, and signatures 1 and 2. Disregard changes to access timestamp.”
• Templates allow system admin. to quickly classify files into categories that use common sets of flags
Good News
• Seven reported cases of Tripwire alerting system administrators to intruders
• Dozens of cases of Tripwire being used as a system admin. enforcement tool
• One reported case of Tripwire detecting a failing disk
Where are the Bad Guys?
• Out of thousands of machines running Tripwire, why only 7 Tripwire-discovered break-ins in two years?
– Intruders have given up? Don’t you wish!
– Sites running Tripwire aren’t interesting? Nope
– Site admins aren’t telling? Maybe
– Tripwire sites are more security-conscious? Maybe
Bad Guys (Cont.)
• Sites have already been attacked
– maybe baseline databases are being generated on machines that have already been compromised
• Intruders have completely subverted integrity checking schemes
– it would be very hard for an intruder to alter a file in a way that preserves its original signature
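The two claims about checksums and signatures on this deck (the Checking Techniques slide's "changes to a file can be made w/out changing its length or checksum" and the point just above that preserving a file's original signature is very hard) illustrated together in an added Python example, not code from the authors or from Tripwire. The access-control file is constructed for the demonstration and the 16-bit byte-sum stands in for the simple checksum records the slide refers to:

```python
import hashlib


def additive_checksum(data):
    """A 16-bit byte-sum checksum, standing in for the simple checksum
    records the Checking Techniques slide says are easily spoofed."""
    return sum(data) & 0xFFFF


def transpose_bytes(data, i, j):
    """Swap two bytes: the length and the byte sum are unchanged."""
    b = bytearray(data)
    b[i], b[j] = b[j], b[i]
    return bytes(b)


def compare_schemes(original, modified):
    """Report, per check, whether the modification went unnoticed."""
    return {
        "length_same": len(original) == len(modified),
        "sum_same": additive_checksum(original) == additive_checksum(modified),
        "md5_same": hashlib.md5(original).digest() == hashlib.md5(modified).digest(),
    }


def demo():
    """Constructed access-control file: swapping the two host digits
    inverts the policy yet leaves length and byte sum intact, while the
    MD5 signature (Tripwire's sig1) changes."""
    original = b"allow 10.0.0.5\ndeny  10.0.0.6\n"
    modified = transpose_bytes(original, original.index(b"5"), original.index(b"6"))
    assert modified == b"allow 10.0.0.6\ndeny  10.0.0.5\n"
    return compare_schemes(original, modified)


if __name__ == "__main__":
    print(demo())
```

A length check or an additive checksum sees nothing here because both are blind to byte order; a cryptographic hash is sensitive to every bit, so the only way to keep sig1 intact is to find a second input with the same digest, which is what the slide means by "very hard". This is also why a baseline generated on an already-compromised machine is the weak point: the signature then faithfully vouches for the intruder's version of the file.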
Download