tripwire basics

10/06 Experience with Tripwire: Using Integrity Checkers for Intrusion Detection by Gene H. Kim and Eugene H. Spafford

Upload: eeeprasanna

Post on 18-Dec-2015


TRANSCRIPT

  • Experience with Tripwire: Using Integrity Checkers for Intrusion Detection

    by Gene H. Kim and Eugene H. Spafford

  • Presentation Outline
    Motivation for Tripwire
    Tripwire design
    Experiences
    Conclusion

  • Motivation - A Scary Story
    Ellen is system admin for a large network.
    Ellen realizes someone has logged on as root on several machines.
    Sneaky intruder deleted all accounting & auditing files before logging out.
    Ellen's concern: Did the intruder leave a backdoor (for re-entry)? Was sensitive information compromised?

  • Security Policy - Integrity of Data
    Assure that file data (in permanent storage) are not altered except by those authorized to do so.

    More precisely, assure that if a file is altered improperly, the alteration can be detected.

  • Tripwire
    Gives system admins the ability to monitor for added, deleted & modified files.
    Checks for changes in file attributes, e.g.: size, access & modification timestamps, permissions, inode number, signature (more on signatures later).

  • Ellen's Challenge
    How does Ellen determine which (if any!) files have been altered w/o authorization?
    Tens of thousands of files in dozens of gigabytes of disk on dozens of different architectures.
    Ellen needs to examine every file as well as check for deleted or added files.

  • Checking Techniques
    Established techniques: maintaining checklists, comparison copies, checksum records or backup tapes.
    These methods are costly, prone to error and susceptible to easy spoofing.
    Intruders w/ root privileges can alter checklists or compromise utilities (e.g. ls).
    Changes to a file can be made w/out changing its length or checksum!

  • Define Integrity of File Data
    Can we define a notion of the integrity of both data and the file structure (including directories) in which that data is stored?
    Define it as a set of characteristics.
    Monitor change of those characteristics.
    The Tripwire system is said to enforce the integrity of the file system if unauthorized change to characteristics is detected.

  • The Ideal Integrity Checker ...
    High level of automation.
    Simple description of attributes of the file system that are monitored/checked.
    Easy way to update the database used to control monitoring - small changes shouldn't require massive regeneration.
    Automate regular checks (use UNIX scheduler, cron); allow manual checks.

  • Ideal Integrity Checker cont.
    Generate output that's easy to scan.
    Allow specification of file system exceptions that are NOT reported.
    Allow reuse and sharing of configuration files (for networks of lots of machines that differ only slightly).

  • Tripwire Program Inputs
    Configuration file (tw.config):
      list of files & directories to be monitored
      their associated selection mask (lists attributes that can safely be ignored)
    Database file -- describes each file; automatically generated:
      set of file names, inode attribute values, signature info., associated tw.config entry

  • Selection Mask
    permission and modes
    inode number
    number of links
    user id
    group id
    size of the file
    modification timestamp
    signature 1
    signature 2
    access timestamp

    Flag for each distinct field in an inode: + report change, - ignore the field

    Example: +pinugsm12-a

  • Tripwire Component Overview (diagram)
    Components shown: tw.config file, files residing on system, generate, newly generated database, old database, compare, apply ignore-masks, Tripwire report.

  • Database Initialization Mode
    Tripwire generates the baseline database file based on tw.config.
    tw.config indicates:
      files to monitor
      files to ignore (e.g. no recursion below directory with name DDD)
      whether to ignore file size change (e.g. ignore increase in log files, but report decrease!!!)

  • Integrity Checking Mode
    Generate new database.
    Compare new database with baseline db.
    Produce report of added & deleted files.
    Apply selection mask to modified files.

  • Signature Support
    For each file up to 10 signatures.
    What's a signature? Any pattern that represents the file.
    By default, MD5 and Snefru signatures are recorded and checked for each file.

  • Supported Platforms
    Windows NT, version 4.0
    Solaris (SPARC), versions 2.6, 7.0
    Solaris (Intel), versions 2.6, 7.0
    HP-UX, versions 10.20, 11.00
    IBM AIX, versions 4.2, 4.3
    SGI Irix, version 6.5
    Compaq TRU64 UNIX, version 4.0
    Linux

  • Sample Output:
    ### Phase 1: Reading configuration file
    ### Phase 2: Generating file list
    ### Phase 3: Creating file information database
    ### Phase 4: Searching for inconsistencies
    ###
    ### Total files scanned: 5143
    ### Files added: 0
    ### Files deleted: 0
    ### Files changed: 5
    ###
    ### Total file violations: 5

  • Sample Output Cont.
    changed: -rw-r--r-- root 3384 Jan 12 14:39:27 2000 /etc/dfs/dfstab
    Phase 5: Generating observed/expected pairs for changed files

    Attr            Observed (what it is)        Expected (what it should be)
    /etc/dfs/dfstab
    st_size:        3384                         3623
    st_mtime:       Wed Jan 12 14:39:27 2004     Tue Dec 14 12:22:20 2003
    st_ctime:       Wed Jan 12 14:39:27 2004     Tue Dec 14 12:22:20 2003
    md5 (sig1):     3TZThlJJb5piwca4EHUnRy       2nGPSAY1loE5vlS.D1qhHL
    snefru (sig2):  1uKAb7andEuQOzAyXnFcfR       0hl1UxAEzEILB8jXtDsx4G

  • Conclusion
    Portable.
    Self-contained.
    Adaptable to large and small sites.
    Very restricted in what it sees -- only OS attribute changes of files.
    It has no clue as to what users are actually doing!

  • The End

  • Templates
    read-only files: Only the access timestamp is ignored.
    log files: Changes to the file size, access and modification timestamp, and signatures are ignored.
    growing log files: Same flags as log files except increasing file sizes are ignored.
    ignore nothing
    ignore everything

  • Example tw.config
    # file/dir        selection-mask
    /etc              R        # all files under /etc
    @@ifhost solaria.cs.purdue.edu
    !/etc/lp                   # except for SVR4 printer logs
    @@endif
    /etc/passwd       R+12     # you can't be too careful
    /etc/mtab         L        # dynamic files
    /etc/motd         L
    /etc/utmp         L
    =/var/tmp         R        # only the directory, not its contents

  • You use Tripwire for what?
    Many system admins use Tripwire as a tool to enforce local policy - changes by one system admin are noticed quickly by others.
    Tripwire helps salvage file systems not completely repaired by fsck (the program that ensures consistency between file data and their inodes): a file can be rebound to its original name by searching the database for a matching signature.

  • Stealth-Tripwire
    Several system admins have tried very hard to conceal their use of Tripwire and don't run it through programs like cron.
    Authors disagree - advertising the use of Tripwire (even if not true) could help avert attacks.

  • Paranoia
    Tripwire is designed to run on a regular basis, such as daily.
    Two reported cases of Tripwire being run hourly - not a good idea.
    Good paranoia - plant files on the system, such as master-passwords - prime targets for intruders.

  • Portability
    Tripwire reported to be running on 28 different UNIX platforms.
    Only 8 example tw.config files necessary.
    Authors receive requests to help system admins compile Tripwire on machines they have never heard of - such as one only sold in Australia that came with incorrect system libraries.
    Often, a group of system admins with similarly orphaned machines will put together a patch.

  • You Added WHAT to Tripwire?
    Authors received a report from a user who is adding support for Intel machines running UNIX to allow Tripwire to check mounted MSDOS file systems.

  • Mega & Micro - Tripwire
    Many system administrators of large sites create one configuration file to be shared by all machines, using the @@ifhost directive to segregate non-common file groups.
    A configuration file consisting solely of / has proved adequate for some system administrators of smaller sites.

  • CS Dept. & Tripwire
    Tripwire runs on all essential servers every night.
    Scripts were written to run Tripwire on all the various servers, gather the results, and send them by email to the system admins.
    Very usable out-of-the-box; took a staff member only 10 hours to set up.
    Installed for 9 months - haven't seen anything suspicious; Paco occasionally checks to make sure it still runs at night.

  • Interactive Database Update
    Tripwire generates a list of all changes (ala integrity checking mode).
    Tripwire asks the system admin to specify which entries to update in the database file.

  • Database Update Mode
    Tripwire regenerates database entries for a list of files or configuration entries given on the command line.
    Tripwire instructs the system admin to move the new database to secure media.

  • Configurability Aids
    Preprocessor support allows the system admin to write configuration files that support numerous configurations of machines.
    Note: Machines that share a configuration file still generate their own database files.
    Prefixes to the tw.config entries allow for pruning - a directory and/or its contents can be excluded from monitoring.
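The preprocessor directives and pruning prefixes above, together with the Example tw.config slide, as an added Python model (not the authors' code): @@ifhost/@@endif blocks, the ! (prune) and = (directory only) prefixes, and template letters R and L expanded to the masks the Templates slide describes. The hostname list syntax after @@ifhost is assumed.

```python
TEMPLATES = {"R": "+pinugsm12-a", "L": "+pinug-sam12"}  # the two letters the slides use

def parse_tw_config(text, hostname):
    """Return [(path, mask, prune, self_only)] applicable to this host.
    '@@ifhost a b' ... '@@endif' keeps a block only on the named hosts
    (assumed: names separated by spaces or '||'); '!' prunes a subtree,
    '=' monitors a directory but not its contents; 'R+12' is template R
    with extra flags appended, which a mask parser can simply concatenate."""
    entries, active = [], [True]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        if line.startswith("@@ifhost"):
            hosts = line[len("@@ifhost"):].replace("||", " ").split()
            active.append(active[-1] and hostname in hosts)
        elif line == "@@endif":
            active.pop()
        elif active[-1]:
            path, *rest = line.split()
            prune, self_only = path.startswith("!"), path.startswith("=")
            path = path.lstrip("!=")
            mask = rest[0] if rest else "R"  # assumed default: read-only template
            if mask[0] in TEMPLATES:
                mask = TEMPLATES[mask[0]] + mask[1:]
            entries.append((path, mask, prune, self_only))
    return entries

def mask_for(entries, path):
    """Effective mask for one file: the longest matching entry wins. None means
    the file is not monitored (pruned, or only its parent '=' directory is)."""
    best = None
    for entry_path, mask, prune, self_only in entries:
        inside = path == entry_path or path.startswith(entry_path.rstrip("/") + "/")
        if not inside or (best and len(best[0]) > len(entry_path)):
            continue
        best = (entry_path, mask, prune, self_only)
    if best is None or best[2] or (best[3] and path != best[0]):
        return None
    return best[1]
```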

  • Configurability Aids (Cont.)
    Example selection mask: +pinugsm12-a
    Report changes in permission and modes, inode number, number of links, user id, group id, size of the file, modification timestamp, and signatures 1 and 2. Disregard changes to the access timestamp.
    Templates allow the system admin to quickly classify files into categories that use common sets of flags.
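The selection-mask semantics described here and on the Selection Mask slide, applied in the integrity-checking mode of the earlier slides (new database vs. baseline, added/deleted files, observed/expected pairs for changed files, and the growing-log rule from Database Initialization Mode), as an added Python model that is not Tripwire's own code. sha256 stands in for the Snefru signature, and the '>' growing-log flag is an assumed spelling.

```python
import hashlib
import os
# Mask flag -> recorded attribute, in the order the slides list them; sha256
# stands in for Tripwire's Snefru signature, which hashlib does not provide.
FIELDS = {"p": "st_mode", "i": "st_ino", "n": "st_nlink", "u": "st_uid",
          "g": "st_gid", "s": "st_size", "m": "st_mtime", "a": "st_atime",
          "1": "md5", "2": "sha256"}

def parse_mask(mask):
    """'+pinugsm12-a' -> (flags to report, grow_ok); '+' switches flags on, '-'
    off, and '>' (assumed spelling of the growing-log flag) tolerates growth."""
    report, on, grow_ok = set(), True, False
    for ch in mask:
        if ch in "+-":
            on = ch == "+"
        elif ch == ">":
            grow_ok = True
        elif ch in FIELDS:
            (report.add if on else report.discard)(ch)
        else:
            raise ValueError(f"unknown mask flag {ch!r}")
    return report, grow_ok

def describe(path):
    """One database entry: the inode attributes plus two content signatures."""
    st = os.lstat(path)
    entry = {f: getattr(st, f) for f in FIELDS.values() if f.startswith("st_")}
    with open(path, "rb") as fh:
        data = fh.read()
    entry["md5"] = hashlib.md5(data).hexdigest()
    entry["sha256"] = hashlib.sha256(data).hexdigest()
    return entry

def compare(baseline, current, masks):
    """Integrity-check mode: added/deleted by name, then each surviving file is
    diffed only on the fields its mask selects, as (observed, expected) pairs."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        report, grow_ok = parse_mask(masks.get(path, "+pinugsm12-a"))
        old, new, diffs = baseline[path], current[path], {}
        for field in (FIELDS[f] for f in sorted(report)):
            grew = field == "st_size" and grow_ok and new[field] > old[field]
            if old[field] != new[field] and not grew:  # a shrink is still reported
                diffs[field] = (new[field], old[field])
        if diffs:
            changed[path] = diffs
    return {"added": added, "deleted": deleted, "changed": changed}
```

A file whose only change is its access timestamp never appears under the read-only mask, and a log covered by a growing-log mask is reported only when it shrinks.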

  • Good News
    Seven reported cases of Tripwire alerting system administrators to intruders.
    Dozens of cases of Tripwire being used as a system admin enforcement tool.
    One reported case of Tripwire detecting a failing disk.

  • Where are the Bad Guys?
    Out of thousands of machines running Tripwire, why only 7 Tripwire-discovered breakins in two years?
    Intruders have given up? Don't you wish!
    Sites running Tripwire aren't interesting? Nope.
    Site admins aren't telling? Maybe.
    Tripwire sites are more security-conscious? Maybe.

  • Bad Guys (Cont.)
    Sites have already been attacked - maybe baseline databases are being generated on machines that have already been compromised.
    Intruders have completely subverted integrity checking schemes - it would be very hard for an intruder to alter a file in a way that preserves its original signature.

    Note that the selection mask in the database is the same as in tw.config. In integrity check mode the database version is used because it is assumed that the database has been kept on secure storage, so it is a safer copy of the mask to use.